a45f14a2dba6457f54f96026db2eea58cc141264afc74a76d87d9ba71244304c

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66c5feb020e3dc777c67dbd1b4310ed0_NEIKI.exe
Size

67KB
MD5

66c5feb020e3dc777c67dbd1b4310ed0
SHA1

06c0e7729f68bf4fc3dbd23ad266ee4cee393288
SHA256

a45f14a2dba6457f54f96026db2eea58cc141264afc74a76d87d9ba71244304c
SHA512

0f19865dd3fa1fff2d27ee52ad9986da04f4dfa69a4842fb7f4843d1f02e017adffadcc16dd9e08623ea43d6e48f544bd0a45a9109c5d66b5ad386a65a6abe0c
SSDEEP

768:4a+oewOeyQNA+5Vm55NWWQyhS5l6JPX/1H5rFEVErME/feYvn1q/D2ZuAx0GoEki:vtOicNWWQyhhRXsJifTduD4oTxw

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljklo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgmeigd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehndnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koonge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpcapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjeiodek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Damfao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fooclapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnfmbmbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfenglqf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noblkqca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jekqmhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehpadhll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkknmgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjgeedch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piocecgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgkmgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjjbjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiphjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feenjgfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jifecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefiopki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljklo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aknbkjfh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dakikoom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqdpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gijmad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hehdfdek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mogcihaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ombcji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caojpaij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joekag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iplkpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lflbkcll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefiopki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgbqkhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledepn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jebfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lqkqhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opnbae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ombcji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feenjgfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Galoohke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	66c5feb020e3dc777c67dbd1b4310ed0_NEIKI.exe

Executes dropped EXE 64 IoCs

pid	Process
1320	Iplkpa32.exe
1412	Jekqmhia.exe
2152	Jgkmgk32.exe
3628	Jpcapp32.exe
224	Jngbjd32.exe
732	Jebfng32.exe
4976	Jedccfqg.exe
3476	Kgdpni32.exe
4556	Kjeiodek.exe
3780	Kjgeedch.exe
712	Kjjbjd32.exe
4436	Kcbfcigf.exe
4628	Lljklo32.exe
3672	Lokdnjkg.exe
1844	Lqkqhm32.exe
3568	Lnoaaaad.exe
3948	Ljeafb32.exe
4744	Lflbkcll.exe
4620	Mcpcdg32.exe
4580	Mogcihaj.exe
4832	Moipoh32.exe
1104	Mmmqhl32.exe
3544	Mfeeabda.exe
5020	Monjjgkb.exe
4016	Nmbjcljl.exe
404	Njfkmphe.exe
3356	Nfohgqlg.exe
3076	Nfaemp32.exe
3852	Nfcabp32.exe
2920	Ocgbld32.exe
968	Opnbae32.exe
4636	Ombcji32.exe
3604	Ofkgcobj.exe
456	Opclldhj.exe
984	Omgmeigd.exe
1980	Pfoann32.exe
2408	Pccahbmn.exe
3428	Pmlfqh32.exe
948	Pmnbfhal.exe
4988	Pffgom32.exe
1508	Ppolhcnm.exe
4348	Pjdpelnc.exe
2364	Qhhpop32.exe
2448	Qjiipk32.exe
4564	Ahmjjoig.exe
4608	Aphnnafb.exe
436	Aknbkjfh.exe
2544	Ahaceo32.exe
3112	Aajhndkb.exe
2728	Adkqoohc.exe
4840	Amcehdod.exe
4496	Bkgeainn.exe
832	Bgnffj32.exe
2572	Bpkdjofm.exe
3388	Bnoddcef.exe
2680	Chdialdl.exe
4020	Conanfli.exe
4588	Chfegk32.exe
2112	Caojpaij.exe
1532	Chiblk32.exe
1496	Cnfkdb32.exe
2016	Cdpcal32.exe
2068	Cpfcfmlp.exe
1592	Cklhcfle.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ngidlo32.dll	Lnoaaaad.exe
File created	C:\Windows\SysWOW64\Jgqjbf32.dll	Mogcihaj.exe
File created	C:\Windows\SysWOW64\Lcccepbd.dll	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Bkgeainn.exe	Amcehdod.exe
File created	C:\Windows\SysWOW64\Ieccbbkn.exe	Iafkld32.exe
File opened for modification	C:\Windows\SysWOW64\Jifecp32.exe	Jpnakk32.exe
File created	C:\Windows\SysWOW64\Likage32.dll	Ockdmmoj.exe
File created	C:\Windows\SysWOW64\Kjjbjd32.exe	Kjgeedch.exe
File created	C:\Windows\SysWOW64\Nfaemp32.exe	Nfohgqlg.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Caojpaij.exe
File created	C:\Windows\SysWOW64\Jebfng32.exe	Jngbjd32.exe
File created	C:\Windows\SysWOW64\Kjeiodek.exe	Kgdpni32.exe
File opened for modification	C:\Windows\SysWOW64\Lflbkcll.exe	Ljeafb32.exe
File opened for modification	C:\Windows\SysWOW64\Hpkknmgd.exe	Hecjke32.exe
File created	C:\Windows\SysWOW64\Mfnhfm32.exe	Modpib32.exe
File created	C:\Windows\SysWOW64\Aemghi32.dll	Mlhqcgnk.exe
File opened for modification	C:\Windows\SysWOW64\Ahmjjoig.exe	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Jimldogg.exe	Joekag32.exe
File created	C:\Windows\SysWOW64\Aphnnafb.exe	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Conanfli.exe	Chdialdl.exe
File created	C:\Windows\SysWOW64\Ehpadhll.exe	Ehndnh32.exe
File created	C:\Windows\SysWOW64\Nfcabp32.exe	Nfaemp32.exe
File created	C:\Windows\SysWOW64\Feenjgfq.exe	Fnfmbmbi.exe
File created	C:\Windows\SysWOW64\Galoohke.exe	Feenjgfq.exe
File opened for modification	C:\Windows\SysWOW64\Mhoahh32.exe	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Mdcajc32.dll	Mlljnf32.exe
File opened for modification	C:\Windows\SysWOW64\Lhgkgijg.exe	Lckboblp.exe
File opened for modification	C:\Windows\SysWOW64\Omgmeigd.exe	Opclldhj.exe
File created	C:\Windows\SysWOW64\Dahmfpap.exe	Dddllkbf.exe
File opened for modification	C:\Windows\SysWOW64\Ebdlangb.exe	Eqdpgk32.exe
File created	C:\Windows\SysWOW64\Chbfoaba.dll	Giljfddl.exe
File created	C:\Windows\SysWOW64\Qjiipk32.exe	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Damfao32.exe	Dakikoom.exe
File opened for modification	C:\Windows\SysWOW64\Dahmfpap.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Eecgicmp.dll	Fnfmbmbi.exe
File created	C:\Windows\SysWOW64\Blknem32.dll	Gndick32.exe
File created	C:\Windows\SysWOW64\Ofkgcobj.exe	Ombcji32.exe
File created	C:\Windows\SysWOW64\Qhhpop32.exe	Pjdpelnc.exe
File opened for modification	C:\Windows\SysWOW64\Khgbqkhj.exe	Koonge32.exe
File created	C:\Windows\SysWOW64\Nfgklkoc.exe	Mqjbddpl.exe
File opened for modification	C:\Windows\SysWOW64\Chdialdl.exe	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Kcapicdj.exe	Kcoccc32.exe
File opened for modification	C:\Windows\SysWOW64\Mcdeeq32.exe	Mhoahh32.exe
File opened for modification	C:\Windows\SysWOW64\Nfaemp32.exe	Nfohgqlg.exe
File created	C:\Windows\SysWOW64\Gdmpga32.dll	Ofkgcobj.exe
File created	C:\Windows\SysWOW64\Pffgom32.exe	Pmnbfhal.exe
File created	C:\Windows\SysWOW64\Aajhndkb.exe	Ahaceo32.exe
File created	C:\Windows\SysWOW64\Eqdpgk32.exe	Dndgfpbo.exe
File created	C:\Windows\SysWOW64\Okehmlqi.dll	Mfeeabda.exe
File opened for modification	C:\Windows\SysWOW64\Qjiipk32.exe	Qhhpop32.exe
File opened for modification	C:\Windows\SysWOW64\Dakikoom.exe	Dahmfpap.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Piocecgj.exe
File created	C:\Windows\SysWOW64\Ghndhd32.dll	Monjjgkb.exe
File created	C:\Windows\SysWOW64\Ombcji32.exe	Opnbae32.exe
File opened for modification	C:\Windows\SysWOW64\Dddllkbf.exe	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Piocecgj.exe	Opbean32.exe
File created	C:\Windows\SysWOW64\Njfkmphe.exe	Nmbjcljl.exe
File created	C:\Windows\SysWOW64\Oglbla32.dll	Ocgbld32.exe
File opened for modification	C:\Windows\SysWOW64\Bpkdjofm.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Fallih32.dll	Hecjke32.exe
File opened for modification	C:\Windows\SysWOW64\Jekqmhia.exe	Iplkpa32.exe
File created	C:\Windows\SysWOW64\Nkbjmj32.dll	Kgdpni32.exe
File created	C:\Windows\SysWOW64\Lokdnjkg.exe	Lljklo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6512	6376	WerFault.exe	227

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglbla32.dll"	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhlki32.dll"	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecgicmp.dll"	Fnfmbmbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmbbe32.dll"	Ibgdlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgkmgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebdlangb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibgdlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faoiogei.dll"	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckahb32.dll"	Jedccfqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnoaaaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmipm32.dll"	Dndgfpbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lckboblp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcccepbd.dll"	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	66c5feb020e3dc777c67dbd1b4310ed0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiphjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnflfgji.dll"	Conanfli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihkjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgfga32.dll"	Koonge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piocecgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohgljdl.dll"	Kjgeedch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dndgfpbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caojpaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgegjnih.dll"	Ombcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcmal32.dll"	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmijpchc.dll"	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iplkpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nofefp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjijkpg.dll"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jekqmhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjeiodek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jimldogg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhqcgnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdcghbo.dll"	Jpcapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklliiom.dll"	Iafkld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibgdlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfcabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielhgaa.dll"	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pninea32.dll"	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcglo32.dll"	Jifecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qhhpop32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 1320	468	66c5feb020e3dc777c67dbd1b4310ed0_NEIKI.exe	92
PID 468 wrote to memory of 1320	468	66c5feb020e3dc777c67dbd1b4310ed0_NEIKI.exe	92
PID 468 wrote to memory of 1320	468	66c5feb020e3dc777c67dbd1b4310ed0_NEIKI.exe	92
PID 1320 wrote to memory of 1412	1320	Iplkpa32.exe	93
PID 1320 wrote to memory of 1412	1320	Iplkpa32.exe	93
PID 1320 wrote to memory of 1412	1320	Iplkpa32.exe	93
PID 1412 wrote to memory of 2152	1412	Jekqmhia.exe	94
PID 1412 wrote to memory of 2152	1412	Jekqmhia.exe	94
PID 1412 wrote to memory of 2152	1412	Jekqmhia.exe	94
PID 2152 wrote to memory of 3628	2152	Jgkmgk32.exe	95
PID 2152 wrote to memory of 3628	2152	Jgkmgk32.exe	95
PID 2152 wrote to memory of 3628	2152	Jgkmgk32.exe	95
PID 3628 wrote to memory of 224	3628	Jpcapp32.exe	96
PID 3628 wrote to memory of 224	3628	Jpcapp32.exe	96
PID 3628 wrote to memory of 224	3628	Jpcapp32.exe	96
PID 224 wrote to memory of 732	224	Jngbjd32.exe	97
PID 224 wrote to memory of 732	224	Jngbjd32.exe	97
PID 224 wrote to memory of 732	224	Jngbjd32.exe	97
PID 732 wrote to memory of 4976	732	Jebfng32.exe	98
PID 732 wrote to memory of 4976	732	Jebfng32.exe	98
PID 732 wrote to memory of 4976	732	Jebfng32.exe	98
PID 4976 wrote to memory of 3476	4976	Jedccfqg.exe	99
PID 4976 wrote to memory of 3476	4976	Jedccfqg.exe	99
PID 4976 wrote to memory of 3476	4976	Jedccfqg.exe	99
PID 3476 wrote to memory of 4556	3476	Kgdpni32.exe	100
PID 3476 wrote to memory of 4556	3476	Kgdpni32.exe	100
PID 3476 wrote to memory of 4556	3476	Kgdpni32.exe	100
PID 4556 wrote to memory of 3780	4556	Kjeiodek.exe	101
PID 4556 wrote to memory of 3780	4556	Kjeiodek.exe	101
PID 4556 wrote to memory of 3780	4556	Kjeiodek.exe	101
PID 3780 wrote to memory of 712	3780	Kjgeedch.exe	102
PID 3780 wrote to memory of 712	3780	Kjgeedch.exe	102
PID 3780 wrote to memory of 712	3780	Kjgeedch.exe	102
PID 712 wrote to memory of 4436	712	Kjjbjd32.exe	103
PID 712 wrote to memory of 4436	712	Kjjbjd32.exe	103
PID 712 wrote to memory of 4436	712	Kjjbjd32.exe	103
PID 4436 wrote to memory of 4628	4436	Kcbfcigf.exe	104
PID 4436 wrote to memory of 4628	4436	Kcbfcigf.exe	104
PID 4436 wrote to memory of 4628	4436	Kcbfcigf.exe	104
PID 4628 wrote to memory of 3672	4628	Lljklo32.exe	105
PID 4628 wrote to memory of 3672	4628	Lljklo32.exe	105
PID 4628 wrote to memory of 3672	4628	Lljklo32.exe	105
PID 3672 wrote to memory of 1844	3672	Lokdnjkg.exe	106
PID 3672 wrote to memory of 1844	3672	Lokdnjkg.exe	106
PID 3672 wrote to memory of 1844	3672	Lokdnjkg.exe	106
PID 1844 wrote to memory of 3568	1844	Lqkqhm32.exe	107
PID 1844 wrote to memory of 3568	1844	Lqkqhm32.exe	107
PID 1844 wrote to memory of 3568	1844	Lqkqhm32.exe	107
PID 3568 wrote to memory of 3948	3568	Lnoaaaad.exe	108
PID 3568 wrote to memory of 3948	3568	Lnoaaaad.exe	108
PID 3568 wrote to memory of 3948	3568	Lnoaaaad.exe	108
PID 3948 wrote to memory of 4744	3948	Ljeafb32.exe	109
PID 3948 wrote to memory of 4744	3948	Ljeafb32.exe	109
PID 3948 wrote to memory of 4744	3948	Ljeafb32.exe	109
PID 4744 wrote to memory of 4620	4744	Lflbkcll.exe	110
PID 4744 wrote to memory of 4620	4744	Lflbkcll.exe	110
PID 4744 wrote to memory of 4620	4744	Lflbkcll.exe	110
PID 4620 wrote to memory of 4580	4620	Mcpcdg32.exe	111
PID 4620 wrote to memory of 4580	4620	Mcpcdg32.exe	111
PID 4620 wrote to memory of 4580	4620	Mcpcdg32.exe	111
PID 4580 wrote to memory of 4832	4580	Mogcihaj.exe	112
PID 4580 wrote to memory of 4832	4580	Mogcihaj.exe	112
PID 4580 wrote to memory of 4832	4580	Mogcihaj.exe	112
PID 4832 wrote to memory of 1104	4832	Moipoh32.exe	113

C:\Users\Admin\AppData\Local\Temp\66c5feb020e3dc777c67dbd1b4310ed0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\66c5feb020e3dc777c67dbd1b4310ed0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\SysWOW64\Iplkpa32.exe
  C:\Windows\system32\Iplkpa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\Jekqmhia.exe
    C:\Windows\system32\Jekqmhia.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\SysWOW64\Jgkmgk32.exe
      C:\Windows\system32\Jgkmgk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
      - C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        23⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        27⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        37⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        38⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        39⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        51⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        55⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        61⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4288
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2512
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        73⤵
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Ehndnh32.exe
        
        C:\Windows\system32\Ehndnh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4112
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:940
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        77⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Gijmad32.exe
        
        C:\Windows\system32\Gijmad32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        83⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5380
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        87⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        88⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        89⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        91⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        92⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        96⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        98⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        102⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        103⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        106⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        108⤵
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        110⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        111⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        120⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        121⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        122⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6056
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        126⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        128⤵
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        129⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        131⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        133⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6376 -s 400
        134⤵
        Program crash
        
        PID:6512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6376 -ip 6376
1⤵
PID:6464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3916 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:6960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amcehdod.exe

Filesize
67KB

MD5
b4597ab09294f63da8c9b0828299d10b

SHA1
4747547be3ed4a760ba93307f4d4469d29c8de47

SHA256
ee1bfb0b4035c37f87b6c89ecb46324ad3555d182aaa7355adfba5d4deb543b2

SHA512
f1d8a1d43f030656fc1a1b31c964bc323406b78e94c5c8f430440678e6d9b7d7d3973062c8d26fb67516b28ef32535183e6cefb3cade5943fc2ff144450d9971

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
67KB

MD5
68998e974355f5571b2e9ba219c6acc1

SHA1
4ec1f13cce4f44ebdd69b9cd9540cebef504c373

SHA256
9e85794335d610f4a40ff94eb83b48b3ba87d95c366d75c7bb5233d80395e24f

SHA512
89d3c8ea606b8263402e97309c96cdffef81d96070c7b3ea1449b36d4c4870475975930dacbb93fd20c5227f34ed5673c0656714139f063a470a122c96f5a6bf

Download Submit
C:\Windows\SysWOW64\Cklhcfle.exe

Filesize
67KB

MD5
9651bbcb5358c7ec2eced391b73058b2

SHA1
249f4ba925784de6b356998fb04bd42a802b1a04

SHA256
b705060ff7ce61db4e329d9003224116e4012e29b73f178393f1228b1082e9d5

SHA512
b43be92e8077e2e31db0047650d3d5a030b3bf5814ef94c6add3a4d5aaacf0d1a12466e21ff9e60aa3782d14a0c98f418cb88513dfd1d8938505a208dd14c616

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
67KB

MD5
4f98212e9b418e1d816f2320c01a18d4

SHA1
ebd9fed4b29512ff93dbd895f2b27ccc3c05af14

SHA256
216caf7142a2f08ece05dfd024149c1089fb88a9b873f00747fca4515eef34e6

SHA512
e9faad4ecb314a0c12bf415b49d31ae6752ac2cd2463c71b45448aa773360b943c94a5989374c3f5b1ea99ed950200e561f138c7ffd21d9c553a15067add5f67

Download Submit
C:\Windows\SysWOW64\Ehndnh32.exe

Filesize
67KB

MD5
51fcdcc9b5098cbc439b0e9f283d2432

SHA1
44b8c75cb104e9faeffacc0be592a1c91a6ffc7b

SHA256
c6d2debcb88773d0ec92d7187ad2bb3651289c2232518901f4d2190c04f478a4

SHA512
dd2c12dc618728c14b0242d6e9ab85e9572561b92ada487dca0727a321a389ca55fd543df8017b9f048fd449a94dfd5c0c464d4dfe6ad290ce791eedf35868ba

Download Submit
C:\Windows\SysWOW64\Fnfmbmbi.exe

Filesize
67KB

MD5
381b25baf19a813cf67afc14b9bc0937

SHA1
63aa8b0129eca86f5bf025e57b405eadf125d297

SHA256
3414e9ef52bd6a0a96a00942475416abe8fce617ca43c94e5194ab6ec8561e89

SHA512
ea22fba3c4eb4f1792f00852565d0eae6157a78479865b7c96c99f37d47cd8ea0f11549fc519231b0ba23f61947d971b21308febce88973aaca0845e498c9a5d

Download Submit
C:\Windows\SysWOW64\Giljfddl.exe

Filesize
67KB

MD5
a3e8c0bad716fa6bfba90407be1ad469

SHA1
c35a497662019cae642f660f32ee579d11d77671

SHA256
b39a758c9e69fff718ef4817c173dc5e716002775a19d6d4cfa83619b0aab9cd

SHA512
d74adae4eb76fb6da4f5dbe69724eec5cd97d8db796bfa474009138ad05e2030adcbf4ff6959b78ffae70673b326095944255955cc29114e84213748291b0411

Download Submit
C:\Windows\SysWOW64\Hehdfdek.exe

Filesize
67KB

MD5
14dbf00728b526765b822e5441739867

SHA1
dcae1278e56281ba5596b089b0b85c75a4bb5603

SHA256
8effe38a490ba2d6b6f53dde4c94133019cca905a0748e904bd15015a07e6c1f

SHA512
8e625476026a53f8ffcfcae47ccaf2c6c7d2a439d7006422443992d8045debc36231ce6c12cb52bff898035b753e357b02d799deeda3092a6f9e0390601389ab

Download Submit
C:\Windows\SysWOW64\Iplkpa32.exe

Filesize
67KB

MD5
d165564e0d4b1bb8cca4caa8a556d19e

SHA1
f6c7249d52114f8444d84429ede622d9c4503066

SHA256
a881dd5e5d54b1c4d3e72471056aa6b4cfadfc865fd5464f73c5bccafcf910e7

SHA512
28bcc2cb762228b9fa6e57943f90cba78bd691e5ebd307b0c4bd3a23b846883d7a5280ee211760e074378afbb42985aff03172b6414812d9cd1c3366f0ebfe09

Download Submit
C:\Windows\SysWOW64\Jebfng32.exe

Filesize
67KB

MD5
ffe27ac08bc6f0d2042ea8bac0ef78d1

SHA1
0e31469698df1e0e1575d33a41da2591b5a0058f

SHA256
b76b6ebeeb087f1e0e94a37d14a4bf6f64490df7ad5effd2876c62b52d9ae06d

SHA512
7b5fe63f140c7f5100ca343ed9d7b2ac25362d16983884556115a52445bf40617250d0ae36588b8032bd29e142bcf1450a2d7e8d8508e625df0e6368736f8f9b

Download Submit
C:\Windows\SysWOW64\Jedccfqg.exe

Filesize
67KB

MD5
de7de93607b28c13ee7e331a4313ab5b

SHA1
c38f87cc589e09e464518db1cf23bf6573ef3810

SHA256
c0753ffb81b8a54e1d4e58339652896d94603e8e4c25b248bd36772dcf790224

SHA512
c9ad66c0b5e9cfba1e6e0ac1e378cd6ad035c2189af4427e654d8a013ee6f2ee10704ac8070af46f15583fcd9a9856af16ca05b7c3c48c15cf960b5148008c56

Download Submit
C:\Windows\SysWOW64\Jekqmhia.exe

Filesize
67KB

MD5
1de4598477412fd9eaad58ccf0fa0c81

SHA1
ceafe1ab26015babec7ffa2a8c88f009df5b3e6a

SHA256
d886f578e32b07a38fd1dcd99081c0ed500c829eea69591d634856600c6e3001

SHA512
0df75b5d99dae932683599274d4136eabccfbce23af61d5d0a5b3e0ddb61f41e9e342914504b6c761286457bb1247800a2f0d3ae8cc97b8c5d4a97ba3a4076ae

Download Submit
C:\Windows\SysWOW64\Jgkmgk32.exe

Filesize
67KB

MD5
26159a4f8631a20e4a410316406db497

SHA1
3b9e93327ff87109a0dc60ffeabe8e6d548fcc7c

SHA256
cd43dc1eaf976b4665ba5eae6fb9f43f75c59a69de46edfa2f419785e5ea3c57

SHA512
efd40e699d4cd89da226555209e79e147f04e99b158a28946c7b5136d72525381d998a8375c7db9caeb251d0a36c197ea68a617895f7ecc91c8583bf3c742ff4

Download Submit
C:\Windows\SysWOW64\Jifecp32.exe

Filesize
67KB

MD5
6e8ac5b9416685b1d750992dace7b262

SHA1
664def9db6d08a45b7198930b5379528e05f8550

SHA256
bc80ea59009d076d0236732ad84dad99be2ebe75d67c4a2d896972296c6fe776

SHA512
d23e93673859ce9a479446c76d2094f794c8ed1e1e67cc3576b159e4b39914aca468d578e1ae222a86b73bd5dc746935ffe0908256fa056e6a81fa62c44cc3ff

Download Submit
C:\Windows\SysWOW64\Jngbjd32.exe

Filesize
67KB

MD5
1cc418263e513059b5d6cea8db9b21b4

SHA1
0224a9333b84e84cbaf28dbcb04b2a1ec04e40a4

SHA256
ecc3fa65e2211c81467e90d408e487be53979bf5d32e50196d8a35805a344393

SHA512
75702fa2c2cddfd35920d528e10f85967c2e88533e0682ae8e16cca727281ea248e75cc93f214339d4792871212cf42a2293787b9362a5b8ae8720484403b7f0

Download Submit
C:\Windows\SysWOW64\Jpcapp32.exe

Filesize
67KB

MD5
c722d53501e12824dba6f09933e046e2

SHA1
282423c70bc58a63e4db47cb57c418cdd3869a67

SHA256
104c035e7e1b63a551c481b5913c6c8036e7d58274d67faeb368fe83a6e16606

SHA512
00184f3b179decb702feeca87d7932e44f95ebaec8dd1084b44dac01d074f9134699ea544cef19731dab7c2b0e5641e54717ecd37fbe55ce05443b7be38ba2e2

Download Submit
C:\Windows\SysWOW64\Kcbfcigf.exe

Filesize
67KB

MD5
4798e0108e11f450c41626042b024d84

SHA1
833eb4ae42b89c8f3f37b7b5cd8766874adcca0a

SHA256
31bfd52c7b088d4c01cb1902cfcd4ce819280e07120a6a1076920c86fa18cac5

SHA512
07028adfdd7ec182645d6c69d18cc4bc83c5e07fa5a99f379da5dafc1880ab4d57176c3f6d8856943e8fb37f16873baf659da5e8f525710d9170c8996fac3636

Download Submit
C:\Windows\SysWOW64\Kgdpni32.exe

Filesize
67KB

MD5
9a9f51d8ff926a76e55ae6352bbcb29d

SHA1
a281a19d2c047b56e37335be5f136418d5b9b3c5

SHA256
c71ca9e9d4d993ad9d88dd52c6c3128ee195c1ffd4b63b68601395fa43477a05

SHA512
f95107a3c501b9e09f85467c7d696b1549f0b8ec715d88cba3d1bb5d93a7e3c6c3662a8a981e6f79fffcde074447628ce8b20dd20b329f3067ada8ad5cbdadc0

Download Submit
C:\Windows\SysWOW64\Khgbqkhj.exe

Filesize
67KB

MD5
1a118807f08413879f4776d93e8d576b

SHA1
6ab2d81e117ed68d57565f4c7f09b393130786ad

SHA256
b5c9199910a24500ba8fcb959798a345ceb0f3a97e495b32f98359cf9aab114f

SHA512
a5bfd6a4cc3c4a5123f809118e8c3fd23547a36e4cb1b404ed710513c700c5b8b57ec1e9dc5c7fe392714f7200f1c33f9c7663edef2d1f5557c30c731236b92f

Download Submit
C:\Windows\SysWOW64\Khiofk32.exe

Filesize
67KB

MD5
f6061f4005c90c532982eaabc822664b

SHA1
d704b6ef8761d84a7a20939cdf232157b9581f8d

SHA256
f1bd1f2751778565a756e44ef4518bf44cad6256c1b071c55df45e34b4fbee1d

SHA512
ed8dd66e371736a10d479791ae713dc85f40e10f99d64e00ed6477887fbef57c2ffbee9d1bb5efc8e2b990549dc016b1d2630c38ab494e176787290137165d8d

Download Submit
C:\Windows\SysWOW64\Kjeiodek.exe

Filesize
67KB

MD5
4a4fdc851d77078a2269c64a86c004c7

SHA1
69a54bb722ccea948206b6e4c6221003bfa640da

SHA256
3d40e64f86e317ddf897bc57d8f394161f59f7976447a185fe84c05a60678fa7

SHA512
6c7c50f243218b24fb98253f53b186dd0681dc41e9f6466dbb82d62781d1c3e1dbba7b31c487e16b803880cd58b8dae357bbd4e874b8a9fdce3f8663535a5ca9

Download Submit
C:\Windows\SysWOW64\Kjgeedch.exe

Filesize
67KB

MD5
ae120d40ad00504012ad0f16b2fa7c50

SHA1
ae83341b7c7804f8937bcd0aeb50c2c752332568

SHA256
877a3392cec2e240a1c95b2658f2aa61ecf79090facfc8af6bc42e420b08f808

SHA512
d07f15acc3eaba03d5a439445ff8556577f4326b1446d4a1ddae3499e93f2125a103c3b499e2da47fe62bb2aac15938b758d1a5cac7b5bd53ca8d9a8c57d771e

Download Submit
C:\Windows\SysWOW64\Kjjbjd32.exe

Filesize
67KB

MD5
a2480c6e174518d2cd0a1c183f1880fa

SHA1
ee86c0a941325a996d9b18311c1c56f10fad512a

SHA256
5424a0f6e48757a88a74d456f01bd491c6a67124e1b2399134ee186a24b04f9c

SHA512
ad45345e43df49bb6083539c1574db6e67550d26e3563339d4fc2277841becedfa46d3e55ced3350067b57386205f1a6224a629e0508ed5b3cdc88172ae7b88e

Download Submit
C:\Windows\SysWOW64\Lflbkcll.exe

Filesize
67KB

MD5
cb8554684ccbd68b08fa11936a050af1

SHA1
146f2fc8ef0434383bab8bd20ea29b0043aaf335

SHA256
b3f47e41b69ac0072e159ccb17ef325a0d266b6fc242df3dd7b5062a822663cc

SHA512
894203dbd53ed02f636b17a975dc9d5e61ac25316e34eecb7ac5136eee7544f719e1e3fb8189feb10cd6e6ff9fa18539b4f37865c1ac1bd978f6bbf1c6571a00

Download Submit
C:\Windows\SysWOW64\Ljeafb32.exe

Filesize
67KB

MD5
3b913555e67d155bdbf7f5a2f206816f

SHA1
b42f71283faddb9107598c621f9a09f929260181

SHA256
afd1ac68ae22c7b848a510d5034e5c99c36749868bc6bbf981ee2d993352c65c

SHA512
efa51718c39da479ab5a564af45a9805ff49f141353a25b505690c284813a2ed53fb50d983cd3ee4c5c17fc378ef6b848e446d75ec79d60c7a81eebe6c528474

Download Submit
C:\Windows\SysWOW64\Lljklo32.exe

Filesize
67KB

MD5
98a3b46dcc5dcae968d0dc0cdc8cbb34

SHA1
a78dcf83b0ab668e7c220b7a28f17366df55d694

SHA256
eadfbd868ae53509f35a08f2eb32e124519194a5925eb47259153c1bd39df453

SHA512
dec7c74f6ae1019286e7fb4f81122a93e551fb274f76532672670cadeb316acb5ccb886f30fef4fdb420845afa155ea4cb54d0f48cdf01936d14bd24983c451f

Download Submit
C:\Windows\SysWOW64\Lnoaaaad.exe

Filesize
67KB

MD5
e665cd106b3810d302f44aee7f9e1e0b

SHA1
a244776b1781289c12d2201185d9cdda03eefa38

SHA256
8a143d3fb2d77b4e15f0f1835473ef9d6883ab87f86882ef0801ab65f48cdc6e

SHA512
5a68d6413fcf45d3bcbfaf69d4bef4b59da6de30c2ab89ff60b127bfa5b9d55f7bd2d00e66f83e73e48c8190abb6200b9089e84eb852caa5404823135dc2b7c6

Download Submit
C:\Windows\SysWOW64\Lohqnd32.exe

Filesize
67KB

MD5
331748e08f5c4485becb55136342a958

SHA1
611d00a3ff38c0bd9dfaa8b0ce9d9dc804417021

SHA256
2ac608809d78727750408f4a7bc75c4aa4832feded1bb8e2d555daea8b34c990

SHA512
42286a08d9ca130d634a7a91cc3e34d46db349f571e71d8207967b634a8d7db45d3e7d09f0cdc56847052dd5b4cd6131c9248443141682fbf72cdea254af8275

Download Submit
C:\Windows\SysWOW64\Lokdnjkg.exe

Filesize
67KB

MD5
33403a845f7789d540795909ace0623f

SHA1
08c71c8ac49db06e580146e33549bc1d50e27f5e

SHA256
4ae865588517ba778cbff6f71cf3301e98f06240c8967b6d9bef40a006163c21

SHA512
157e51286c54ebaacf0237d0f1557a6b9b9aa5b916889cc13ab1509896994e4440800f64eb43d9a0e798caa578b18e33da46b72d8cbc77f4f5aa2d469a7f2a24

Download Submit
C:\Windows\SysWOW64\Lqkqhm32.exe

Filesize
67KB

MD5
177550374ffa2573e001431b12ad1e4f

SHA1
75fd88778ff63cdc0991b7e9381fb45f0a974c0d

SHA256
d084a613fba2048dcc693758fbc1807eb6c6bba1d33b87b99b1ea86d3a35f353

SHA512
61955e15e91160f53cda0ab9f4d2976e8e104162c4551975cc4145efcadab5e5af855b1026c902914adbd1346b6447ab0baf7bfb5b61b58df2f0cb152957dffd

Download Submit
C:\Windows\SysWOW64\Mcpcdg32.exe

Filesize
67KB

MD5
1572a67b883f5080929377b7ef2ac65f

SHA1
fb2d15f95b57bb66a14f43aebc31892bea9be07f

SHA256
b023fe529d76014a9b96af31a4955a3bc9189eeb41a851813f0f2f33148d5ec6

SHA512
169c86e629c3f4dd243ae28c4ed7cb19dd837939b79f844f08626b517630dcd8bde92950388b645def9e27e3e70ede60259ac1d209afc0072ce2722e570c21f0

Download Submit
C:\Windows\SysWOW64\Mhjhmhhd.exe

Filesize
67KB

MD5
b1875bd3576ea930fb4da9c6ece103ed

SHA1
6f14d31c1555dbc3c34f85d384daee7465fc31e9

SHA256
eecb21248cd6e5aa98f16fe7d0c17fffd51b6574d2dd4cbbe5c1c629c5371a45

SHA512
66411a0c5f0c52bc7174cc00b8d86a9ebe8e006d8da77123c7bc45acc181e79a40a868bf75c34b3b34ad5971ae82d833d7dc36f8edca836c03d4f966d06c5a8e

Download Submit
C:\Windows\SysWOW64\Mmmqhl32.exe

Filesize
67KB

MD5
604f24a5cce17e1c2399ff8ae7e1cd50

SHA1
a1595caa11c57f83d669885462fbd2b9bf0f411d

SHA256
2073af0a457e73b6c985fa3aec52b101712bab08a3019466a5c4fd880c7df01a

SHA512
0caf7618c1f1d82e00ebfa43dbff8253f585c23a414be7d52df9d1deffe36a53c090aa5119517594895274d1a93d0e4c7bb9c0611e51e3e0c301bf3ffa18902c

Download Submit
C:\Windows\SysWOW64\Mogcihaj.exe

Filesize
67KB

MD5
f3ade559479690afb85b83f230c36bec

SHA1
0b6901d5ca877cdcc8f875ca14a46a83adf5c415

SHA256
89299e8ab967f5e2415666956eca998d5b99ef33b18ea19c8b0e9b154b3135f4

SHA512
c0961d73ae077abf7fcbeed54d7dcc2e640c9c15ddfb1a54e9ee5cff83818ae35dc4fed552d949eb0b22e8641200db7e2eedb9688427926a69e6aee3352a5579

Download Submit
C:\Windows\SysWOW64\Moipoh32.exe

Filesize
67KB

MD5
e6cc80085f4562dd1f5e60af75f51629

SHA1
c922b3f53eeb143740918c8a062558db89c920d0

SHA256
c2130ac48b1424e6060506521434cecf429348fc8b19410cbe7af74b257d1ce2

SHA512
0a42929b9635c1cc70476e5b1cb49025e937a404c1fb9932d795ac521d3e6e93d4d948e61bf9d1b40d30e0084f5e34afc88a9a176815c22f58ae3591ec1c89d6

Download Submit
C:\Windows\SysWOW64\Monjjgkb.exe

Filesize
67KB

MD5
0e5671e5af98362197c2bff574c07478

SHA1
d547660ccb097cdf9cf629af7a57078dde349597

SHA256
e8dacc174f4c86c9d607d3a9ed9c889d19bc99aeb8ba55103551732fb2451294

SHA512
cd92ef080a87a71260b796e2c90de751113e94e0d0a8d256852d9e1f278ebec3373bfb73118ebbbc20cf4b15090d70ade0e779042bafde1a27d93d92cbca62d1

Download Submit
C:\Windows\SysWOW64\Monjjgkb.exe

Filesize
67KB

MD5
f6a0b4c61303bd0318080bf4226dd783

SHA1
489cadb6a240b28dcfce2870c8ffe4bf14592a7c

SHA256
36c8adc0beae1df2d46271ff4c1dd2c6a2cf47039861b927ba4b51a60a762142

SHA512
561453a66c90d310ef07efe0da02e4ba67be1d3e152b934c0b077f1dcddbc9217f20a76757d2149366699c5b2ae3c7ef84cb515b6e356ffebc0782b30f6d3479

Download Submit
C:\Windows\SysWOW64\Nckkfp32.exe

Filesize
67KB

MD5
a3c3073d50c0a85a0889f6badae7ffbe

SHA1
bf4e7e50087e69d1b3930fd2638b18104c7791dc

SHA256
d2dacd0732d3280a2bbf7c1d28208ee230c2b69ce76fc0737254f31bf3f8fb2c

SHA512
1237bb0ab32ef720896b260a37304d9e30cc8c548496cb38c169f1b7766f625b9702cb3b61fbae84761a0622532d4c0554289129808cd50359c30a55d842fdc8

Download Submit
C:\Windows\SysWOW64\Nfaemp32.exe

Filesize
67KB

MD5
0d7345039d0a7c2b33a148d2a4649842

SHA1
54fb72f227c83ebc1c5fb2d093504c1b0df7a557

SHA256
82f7a7552668faa44e196b7c10b51c00ee2ad51b8d62e9771afb1f294c497f38

SHA512
dc994ab23352cd14eb4f32659c962f69a101fe87dd1d86aadf4d6692cd81e0ae6e3ce8fe88ab47c9b3bb628570ad5b80ed31aeb602483c72d5cb65a2f34e273d

Download Submit
C:\Windows\SysWOW64\Nfcabp32.exe

Filesize
67KB

MD5
172fa59d0207ab56135d2ca9471199c7

SHA1
81ed2046df5615d5397a1f82cddd510e384ba3b9

SHA256
647db64167cf6e52b73d7face1655a4faaa1a839f60faded988fac77e5428dbe

SHA512
d08da793bfa6bf5221822b77772138da52dbfdc1bb7a4e30c94667eb3eecc709c2c46e9d5de50bf1aad597c9ee54b3aba0b39b830f5e2844cdc8100f5d9cefb0

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
67KB

MD5
d5512d0b0fdbc218aa19e6bb757d606f

SHA1
280c6ce41a922a8753e40842bc1f4a3c2fe9192f

SHA256
13e7031872221c0dbd3385024f008264d479240d6278cdbcd96c9ef2a286a7be

SHA512
5acbec1db99e44687ddac6cf7246110bc43278b2668af832f46c9c9ce01372c3a1a2aebbdd00a10b3e828087cc8b139e764c02abab8d05e84132b3856e464394

Download Submit
C:\Windows\SysWOW64\Njfkmphe.exe

Filesize
67KB

MD5
afc3dea7047f90bcad1c19a417b71398

SHA1
454e8aa1469be19227946bc3bc4d55aacdf7857b

SHA256
5cd2fac3dd8415582ef94d4d29ddfe7732285259e626720f336ea9313f446097

SHA512
6953b91087d7e2354fcc4a928c94d2e80c1af794b76329b5b6d4f9b67989f511925c60a3d3bcd9ac91443bba43ec3beab6d2b0b4f47abb6c59fa78b1ba3dfce2

Download Submit
C:\Windows\SysWOW64\Nmbjcljl.exe

Filesize
67KB

MD5
ac0d57640ac251a1bc59dec63cee60d4

SHA1
70cd3152500cd6ce6d4b07f68f307822ffb00c12

SHA256
80d9afd6e7bc2d323e4acd67daccf88f707742f35752e94807daacde7f61382d

SHA512
f50da792e31461764664453f99af77c2106ddd7cb77e0ef5b2f2bf4e71323f882d032ebc658710205162dfbb7449e49059a79eb419077e7d03f9d8fd809b04f0

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
67KB

MD5
0b45bc5abcd25872c1de107144e45a7b

SHA1
e9214a04aab2ec87c1f510952e815cd763680104

SHA256
22fde26581990a0f6f5d9eaa2700ad3bd9f68ae4adb6fa087721f01bb1ee2279

SHA512
0649d5f8006aefeb8d9ce307a618f263527daa099759ba85aaa6da48a0aa0b04d268142b995afbf030654f8e5645451c679dac7eb7cd1b8cb3503270b4ddd757

Download Submit
C:\Windows\SysWOW64\Ombcji32.exe

Filesize
67KB

MD5
a21df67a31a5f9b92ac460147368744d

SHA1
7612378cd12155ccf481d5c9d829d3f67e17f7ca

SHA256
4e9bbd6982d12f141804c3e6cd1b2089442762f79ae339367d0f660133f0594f

SHA512
f729d47dadbcb40008442b12951ad52c9cba97e8010e94e6ee8d636315f5ea0182dcfc18d6eca449b3cd63417635d03ae6eb024b6717cb3d8d83d65af682830c

Download Submit
C:\Windows\SysWOW64\Opnbae32.exe

Filesize
67KB

MD5
b537895ea9288e6919ef9f4ef96e2226

SHA1
c4bc23767305209241685f40763cd2a69645d1b9

SHA256
4e3e6cf09964306189893333825e127776c6198bda55ba05b706c6d36c5b4068

SHA512
83f31f786c449d5cb402e876be4b34dbb259491bcd7dd038b906b4485499ac319f10f3791e0c69ffe9315fab300d9a5e21ab4acd546a0b7c9a0dcad584b9df64

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
67KB

MD5
b5660c73c10a0c6e8bda1f35afef2d23

SHA1
41cdbcc35761919c6db5947d8d725a387c11ad75

SHA256
a3a0c0c7da7c33345cd9a42f5c14f8eec5518d846096d52a1b0f7ba1cba99183

SHA512
f01dbdd161bfece175dcf9c9288ec5af9fe98c8ce98d753b8af1d87a6c3452fa0ef8539347f1cf4c287b855253807d25425a5984c691f427929a9773a9a6109a

Download Submit
C:\Windows\SysWOW64\Pmlfqh32.exe

Filesize
67KB

MD5
fa48b977e3dcca190068df6068f38416

SHA1
6898ce3d308fc6d403707ae1e95422432159e726

SHA256
08ae807b89f99c1de3fac200a30cbc879c00e039a1814a152ff42911e35194bf

SHA512
9fed986d01acbc238a851498ddbeff2c693dfa6ff3f0811e6451454bb1fe3fec23f24de0ecea5a092e760d4515f539cddf0321014a96dd506bd40b3cd48db207

Download Submit
memory/224-125-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/224-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/404-306-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/404-224-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/436-384-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/456-362-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/456-293-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/468-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/468-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/712-178-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/712-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/732-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/732-48-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/948-328-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/948-397-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/968-270-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/968-341-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/984-369-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/984-300-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1104-189-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1104-278-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1320-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1320-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1412-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1412-97-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1508-411-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1508-342-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1844-214-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1844-126-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1980-307-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1980-376-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2152-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2152-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2364-356-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2408-383-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2408-314-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2448-363-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2544-391-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2728-405-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2920-334-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2920-260-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3076-243-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3076-320-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3112-398-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3356-313-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3356-233-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3428-321-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3428-390-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3476-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3476-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3544-285-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3544-197-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3568-223-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3568-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3604-286-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3604-355-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3628-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3628-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3672-117-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3672-205-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3780-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3780-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3852-327-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3852-252-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3948-232-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3948-144-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4016-299-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4016-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4348-349-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4348-418-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4436-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4436-99-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4496-419-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4556-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4556-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4564-370-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4580-259-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4580-170-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4608-377-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4620-250-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4620-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4628-108-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4628-196-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4636-279-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4636-348-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4744-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4744-241-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4832-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4832-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4840-412-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4976-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4976-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4988-335-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4988-404-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5020-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5020-206-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads