9ec7c37122dc475e556e4b2efdd36448cf64d98306658671505107c19c174a4b

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21272cc2c79ae2d469bc2a57caaca090_NeikiAnalytics.exe
Size

109KB
MD5

21272cc2c79ae2d469bc2a57caaca090
SHA1

bf5b05f4f4799579eecbec8a9a000f63308ecb26
SHA256

9ec7c37122dc475e556e4b2efdd36448cf64d98306658671505107c19c174a4b
SHA512

501a829cb6b8d1e6d3bc5a5dd9e5567f9b580d5d809e3d0a80bace6d3e404f2884341924b7fbc3f0a32e2c5261e09bdb94d0ae7d9a230761df3db6a024a1cea4
SSDEEP

3072:5vVKrErL34BUeq8fo3PXl9Z7S/yCsKh2EzZA/z:NYrEQB3qgo35e/yCthvUz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	21272cc2c79ae2d469bc2a57caaca090_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe

Executes dropped EXE 64 IoCs

pid	Process
3696	Icljbg32.exe
4944	Ifjfnb32.exe
2800	Ijfboafl.exe
2952	Imdnklfp.exe
2100	Iapjlk32.exe
4072	Ipckgh32.exe
2872	Idofhfmm.exe
2300	Ifmcdblq.exe
3804	Ijhodq32.exe
4000	Imgkql32.exe
2384	Ipegmg32.exe
4796	Idacmfkj.exe
4684	Ijkljp32.exe
3932	Imihfl32.exe
2324	Jaedgjjd.exe
408	Jdcpcf32.exe
4896	Jfaloa32.exe
3512	Jjmhppqd.exe
3944	Jmkdlkph.exe
2676	Jpjqhgol.exe
772	Jdemhe32.exe
1712	Jibeql32.exe
5068	Jplmmfmi.exe
860	Jdhine32.exe
2296	Jjbako32.exe
452	Jidbflcj.exe
2288	Jaljgidl.exe
4932	Jbmfoa32.exe
640	Jfhbppbc.exe
4584	Jmbklj32.exe
3452	Jpaghf32.exe
4976	Jkfkfohj.exe
1580	Kmegbjgn.exe
2108	Kpccnefa.exe
2760	Kbapjafe.exe
4060	Kkihknfg.exe
5100	Kilhgk32.exe
4376	Kmgdgjek.exe
936	Kpepcedo.exe
3756	Kdaldd32.exe
828	Kgphpo32.exe
2140	Kkkdan32.exe
3740	Kinemkko.exe
1268	Kaemnhla.exe
4320	Kdcijcke.exe
4820	Kbfiep32.exe
3292	Kknafn32.exe
3484	Kmlnbi32.exe
3652	Kagichjo.exe
2944	Kpjjod32.exe
4508	Kcifkp32.exe
4908	Kgdbkohf.exe
3976	Kibnhjgj.exe
3480	Kajfig32.exe
5004	Kdhbec32.exe
3280	Kckbqpnj.exe
2360	Kkbkamnl.exe
3196	Lmqgnhmp.exe
2396	Lalcng32.exe
4408	Lpocjdld.exe
4028	Lcmofolg.exe
4120	Lgikfn32.exe
2276	Lkdggmlj.exe
4472	Liggbi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Icljbg32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lcmofolg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
388	5720	WerFault.exe	226

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	21272cc2c79ae2d469bc2a57caaca090_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	21272cc2c79ae2d469bc2a57caaca090_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	21272cc2c79ae2d469bc2a57caaca090_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 3696	1576	21272cc2c79ae2d469bc2a57caaca090_NeikiAnalytics.exe	83
PID 1576 wrote to memory of 3696	1576	21272cc2c79ae2d469bc2a57caaca090_NeikiAnalytics.exe	83
PID 1576 wrote to memory of 3696	1576	21272cc2c79ae2d469bc2a57caaca090_NeikiAnalytics.exe	83
PID 3696 wrote to memory of 4944	3696	Icljbg32.exe	84
PID 3696 wrote to memory of 4944	3696	Icljbg32.exe	84
PID 3696 wrote to memory of 4944	3696	Icljbg32.exe	84
PID 4944 wrote to memory of 2800	4944	Ifjfnb32.exe	85
PID 4944 wrote to memory of 2800	4944	Ifjfnb32.exe	85
PID 4944 wrote to memory of 2800	4944	Ifjfnb32.exe	85
PID 2800 wrote to memory of 2952	2800	Ijfboafl.exe	86
PID 2800 wrote to memory of 2952	2800	Ijfboafl.exe	86
PID 2800 wrote to memory of 2952	2800	Ijfboafl.exe	86
PID 2952 wrote to memory of 2100	2952	Imdnklfp.exe	87
PID 2952 wrote to memory of 2100	2952	Imdnklfp.exe	87
PID 2952 wrote to memory of 2100	2952	Imdnklfp.exe	87
PID 2100 wrote to memory of 4072	2100	Iapjlk32.exe	88
PID 2100 wrote to memory of 4072	2100	Iapjlk32.exe	88
PID 2100 wrote to memory of 4072	2100	Iapjlk32.exe	88
PID 4072 wrote to memory of 2872	4072	Ipckgh32.exe	89
PID 4072 wrote to memory of 2872	4072	Ipckgh32.exe	89
PID 4072 wrote to memory of 2872	4072	Ipckgh32.exe	89
PID 2872 wrote to memory of 2300	2872	Idofhfmm.exe	90
PID 2872 wrote to memory of 2300	2872	Idofhfmm.exe	90
PID 2872 wrote to memory of 2300	2872	Idofhfmm.exe	90
PID 2300 wrote to memory of 3804	2300	Ifmcdblq.exe	92
PID 2300 wrote to memory of 3804	2300	Ifmcdblq.exe	92
PID 2300 wrote to memory of 3804	2300	Ifmcdblq.exe	92
PID 3804 wrote to memory of 4000	3804	Ijhodq32.exe	93
PID 3804 wrote to memory of 4000	3804	Ijhodq32.exe	93
PID 3804 wrote to memory of 4000	3804	Ijhodq32.exe	93
PID 4000 wrote to memory of 2384	4000	Imgkql32.exe	94
PID 4000 wrote to memory of 2384	4000	Imgkql32.exe	94
PID 4000 wrote to memory of 2384	4000	Imgkql32.exe	94
PID 2384 wrote to memory of 4796	2384	Ipegmg32.exe	95
PID 2384 wrote to memory of 4796	2384	Ipegmg32.exe	95
PID 2384 wrote to memory of 4796	2384	Ipegmg32.exe	95
PID 4796 wrote to memory of 4684	4796	Idacmfkj.exe	97
PID 4796 wrote to memory of 4684	4796	Idacmfkj.exe	97
PID 4796 wrote to memory of 4684	4796	Idacmfkj.exe	97
PID 4684 wrote to memory of 3932	4684	Ijkljp32.exe	98
PID 4684 wrote to memory of 3932	4684	Ijkljp32.exe	98
PID 4684 wrote to memory of 3932	4684	Ijkljp32.exe	98
PID 3932 wrote to memory of 2324	3932	Imihfl32.exe	99
PID 3932 wrote to memory of 2324	3932	Imihfl32.exe	99
PID 3932 wrote to memory of 2324	3932	Imihfl32.exe	99
PID 2324 wrote to memory of 408	2324	Jaedgjjd.exe	100
PID 2324 wrote to memory of 408	2324	Jaedgjjd.exe	100
PID 2324 wrote to memory of 408	2324	Jaedgjjd.exe	100
PID 408 wrote to memory of 4896	408	Jdcpcf32.exe	101
PID 408 wrote to memory of 4896	408	Jdcpcf32.exe	101
PID 408 wrote to memory of 4896	408	Jdcpcf32.exe	101
PID 4896 wrote to memory of 3512	4896	Jfaloa32.exe	103
PID 4896 wrote to memory of 3512	4896	Jfaloa32.exe	103
PID 4896 wrote to memory of 3512	4896	Jfaloa32.exe	103
PID 3512 wrote to memory of 3944	3512	Jjmhppqd.exe	104
PID 3512 wrote to memory of 3944	3512	Jjmhppqd.exe	104
PID 3512 wrote to memory of 3944	3512	Jjmhppqd.exe	104
PID 3944 wrote to memory of 2676	3944	Jmkdlkph.exe	105
PID 3944 wrote to memory of 2676	3944	Jmkdlkph.exe	105
PID 3944 wrote to memory of 2676	3944	Jmkdlkph.exe	105
PID 2676 wrote to memory of 772	2676	Jpjqhgol.exe	106
PID 2676 wrote to memory of 772	2676	Jpjqhgol.exe	106
PID 2676 wrote to memory of 772	2676	Jpjqhgol.exe	106
PID 772 wrote to memory of 1712	772	Jdemhe32.exe	107

C:\Users\Admin\AppData\Local\Temp\21272cc2c79ae2d469bc2a57caaca090_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\21272cc2c79ae2d469bc2a57caaca090_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\SysWOW64\Icljbg32.exe
  C:\Windows\system32\Icljbg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\SysWOW64\Ifjfnb32.exe
    C:\Windows\system32\Ifjfnb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\SysWOW64\Ijfboafl.exe
      C:\Windows\system32\Ijfboafl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        25⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        38⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:936
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1268
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        49⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        55⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        58⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        60⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        64⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        65⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        66⤵
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        67⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        68⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5096
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        72⤵
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        73⤵
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        75⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1644
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        78⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        79⤵
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        80⤵
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1452
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        82⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3308
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        85⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        86⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:760
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        91⤵
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2220
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3260
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        95⤵
        
        PID:652
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        98⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        99⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        101⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        103⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        106⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        111⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        113⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        114⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        116⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        117⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        121⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        124⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        125⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        127⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5816
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        133⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        134⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        136⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        137⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        139⤵
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        140⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 412
        141⤵
        Program crash
        
        PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5720 -ip 5720
1⤵
PID:5852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dakcla32.dll

Filesize
7KB

MD5
c88823d112bd5abd4de0731bb90ea142

SHA1
4c6e34ac16136810213c18c99da4251a05ff7d44

SHA256
ec265f6b32822875b1c5b66d66f772822b71ce35062722af0b576df0ee18d277

SHA512
a97d0838136bc0a6e60cca639990c5cebd9040aa91d834d64a724f09fb5cb3dea33f2147320a3aefaaf99def4a9ea88e5bc8686214507adfd3b52d4c005d3173

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
109KB

MD5
7e9161d321f49960a3266eec2991993d

SHA1
534526c161123db81fefe2d037d672d815747730

SHA256
6e161a229ba228ae05ea2bfc6424e9c133fb390e22a2c1610f135a7f761679f5

SHA512
9f3b7c38ff5279ac73f5600abaa27920a5491e65d976762afe5abb91056bbed43e3a90ecdd36c1a5b9630c05e1e2fce3ba595e25ebb4d27e993689d398d75302

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
109KB

MD5
3dd7d5c480c037665f52f5aa1b278862

SHA1
45eaf0ad77e4d4d53816ab58142f729f5bc1acf1

SHA256
60979aa595a29ccdd1f6051ab140c4df4de94a5f5c38055a7350d92eb639cd6c

SHA512
544fd545659f0f7b19ebb244c0537862e9e02f84b727018cc75f0e5788fd96d5a3cfa5ec70ccd6055b5240a0c41bd72951fad9b92ad8d958c5b247596f353fe3

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
109KB

MD5
e414b64bd966e278849895dc491e3d06

SHA1
0adda6481b4daf4268b60d2d77ec7d08c3d5ea5b

SHA256
3ff10e83e3bba54c04e774215ee92f480cb659f8a265c0bf71bbff8018246622

SHA512
496bec0b0d8250580ec8e21ad599e33945858b9ee8e363375ea1bff57a3b983354571a239cbfb0e4aecf90c83c1653725e2818c4e4c71aae34ff76cc504eb7f8

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
109KB

MD5
3ee52a900596f4e47662ef9b4212f9e6

SHA1
9697bd6ef8309a3aab5d11c865749d9a24e650f5

SHA256
d1f22285316ec1e449b948d634dba864d6d15834ecd9fb79c6f8aec1e23ca886

SHA512
1bc6df15ca024414cb4d6b785af2afd51857114c049836b7594b79178c4a3a27c015a46a70bdd6b87ca9697bcb044104ad8faaa6110a5e54ac2b229e74770345

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
109KB

MD5
9201cac7e8a49e6c4c22ad127e43738e

SHA1
604958f0fd4b613b665e67788934fe5694c799a4

SHA256
fa35e262d6872414dcacfa8652e8964d72d65345dd5298f0b4b4ceac74963938

SHA512
f0ca62c0402876cb338a3adb0c9535cc7d004f049d0c55ddb62830896ceeac7eaaa8382c0671804b8b61c08e63a44f76fc85ccd434f3bbc1a260addc5425c195

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
109KB

MD5
275309a32a9a029a3952ba180f6181c6

SHA1
071ccef0cc47e8ce0263b47f2f146553bb714a25

SHA256
94e6a77fd1e582367065adb2e4894b29269601901d65bc938c68220274c80403

SHA512
76932758e9a59dfc143a5b4f0b94b84c3932831ba72fe928ab6d7a8e4b9466c91968ace3bb45924764ac0f4345203df7fdb2b4449e08cab84f11b2585eaea2c4

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
109KB

MD5
4dd9ae2feb8e52e61608709a64a5dea3

SHA1
b29e6c151d2429206788938fa9f97b21dc12c5a4

SHA256
dc09fbf3f5e2600c565871cab2af7db6432c4e0a42207be5e15b875a19236b50

SHA512
c0a7cb5fc21ad56d9661b0e8a0bd887a0e25a2d8fc949f00664a65c08cf6dc8f6593c2b640a2dec751836df2edca3204247e91cbe2e90e77719c2be682f9f785

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
109KB

MD5
f63d808db5eab7ca145f077ecece7738

SHA1
c201567ee69bcc215a7646ecaa01aaf5b66f5ad8

SHA256
6a2ef827416abccc8f43bde36a34de43dea0eb8eac07edc52179b6d23c1601b4

SHA512
e9ae29242c8be75b17ede2d22dbf1f469d2660c6d14bae0bee8dc62bff9f669e3467770a85216e53ed986e0d3ccafec123684dbd360baee48877496d61292fd4

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
109KB

MD5
4f5fbb6209f7f23ec0ae73a2e9114bd0

SHA1
5953f93aa9a1ddd10b6be5e842e93f577b99ef4d

SHA256
ff9cbd499ea19a7ba4d1ff17f836e3c7a5f6de0ef558befda6128b626795a910

SHA512
8f42df33284d781c1bdf457d547d4d7528d9b40c782ea91e42cfacb81df6cc842305bb53d60136f6bde906f5188c71a0d71d203049a626e209a2b65294ef620e

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
109KB

MD5
5e2663d74effb02e7f3b86b16294d00e

SHA1
cf413158c8c7598d19707e5ebbadcedaa443aa1f

SHA256
0896f1cc7ad9845bad651b55b74f05c84429cc9e990e2924c0250f61c41b8a1f

SHA512
766f2500572d67329b3920c6cbc491195d2e2ee23d0f4cbf77657830ca55e48efa8cb39abec6de3471a31bce07c2559d7d734a463c45b1876275536f3168d7bd

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
109KB

MD5
5869f2faff5050bc402bb65cd7742af7

SHA1
3e0bf17e1f1a017fcd80b0cc62f1c5a6d22a0faf

SHA256
f475ecaea04fe97b51a8d1a2becb8cf8bd84193849a29a9ab2ccbbdb740ba088

SHA512
8fa1ffec98a8d3700fa5f289a5ba0d1775cef0bdb3607e61c194e04d40e49c1396a51094fd28b9128f076a0f22ca40631150a0af29af44d748bfbd8415f41a77

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
109KB

MD5
db719d98ab29a0d2830f2586bf86492c

SHA1
2eb85921d5f66ba2d94ae00dd46b2511b7378c53

SHA256
f0a7588b8b7847059891f53a6f75450ad9a40657b77bab946f76d5a096feadc3

SHA512
42df870d5a3a5a47a2d1d43f5a78780d2bb8614aba966dd9ef5e385c61c219e235673c997bfb5f88aafa8ce701f94ae37e940a92d3a441fe703cf7a100cad2f4

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
109KB

MD5
a094844496ce3fb3229b682525f18982

SHA1
2be11fd7a091a735473ff1072eb009c681a61bdd

SHA256
f5126769e2bb0f910ea3a5bbba919fb5447b2cb3edc5e39a699bbc325dbbf558

SHA512
3d234eb3f8265d790a758c4b9656e925193dd43d99650e9766a9f04a706a595b0070458a166432ef8ff45348a397a9d5dccbcd4470b3f30a2cdb2ec5ea512245

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
109KB

MD5
7cc80895371099d05e55f2d187bc4908

SHA1
d57597faf7c697112b1c7046a9c3386ebc7bb7af

SHA256
dedc11b12c1bc0142f1030fae4679d4292b143b7ab27aaaa0e398432ef939e6b

SHA512
d7bae61d71f64aed59a2a689ac1eda760cafb711a1228414a25ae08796c384f64e119e43c937330a330c942c2f41285a9f2890bf3ab320062ad9f731b0ab1384

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
109KB

MD5
8ea593494b523a2bad52c30f8c465c6b

SHA1
bcff2230a69cc093ba952aa2fffc0c574f2cba44

SHA256
ab4d0dfa28fd4fcaee36ebf07c51d546cc4f03e8e864e1271931a6cea984727f

SHA512
220f4cbecb603fad6369bec775feb05bf5fb05ce61955271ce26eca19706a8ea61e75a23af21a8b374cafaf20181acd4b4e284a812edd58dc0e464f9f199391e

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
109KB

MD5
4a2bd9ff8227ef8dc4a93dac7992fe0a

SHA1
52a7ee8844033b8f1b39520b8ca4101b9fc26c8b

SHA256
ea057ca409b17cf5484bdb6dd06e72fe63586138fab00d56d42946705880f119

SHA512
70d5d6bd99e13cd688b50315e041f4da659bd74deff383046753d132698203cfa86d8cf6311e2078a1d9dca90184053b88e0727c826e80b8086355aa60aa8648

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
109KB

MD5
d42aa2208d964eb661b5d98b99e49757

SHA1
70d5f45c1bdbd4285c4c3a1f76615976be42d099

SHA256
9eed5dd59d1cfe7529c7cb153ef11be9b09046886761e004b36c94ddc864d5de

SHA512
1e17f1d3c9f964fc566c273304e80f699fbfa543fbdaf88765fa428f7a081ccb1ecb36779f4326e3e152e768bf376d312692dad473f710bc5a1eb251409f914b

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
109KB

MD5
b60649aae64c54d95709d3769915d2f1

SHA1
4e6ae068cd1f43dfac728bbee17590c33959ec48

SHA256
6fa9b3bb68ce7358763fe651bad39e9effae671114d92f227e8ce76e28828eb3

SHA512
68ac149f906be96d52336aba20fd8676ca03da07a3be37bc8aea7c6d1870901871967ba0a3855791e46bee4da401979a3369726918f122055c137052b5564097

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
109KB

MD5
980c96496f105cb9cd3514d6068748bf

SHA1
393e66e0f678495a1372c5dd5c41f9121430e6ab

SHA256
12bede756525fda00c432c340b065908101e1ac62e223a7b4dac9a2e5f686e0c

SHA512
3332791cd3cfb4147abf7de6b3a8d31d88677868d23d0f5f66d187df5deff8adf2b3c174c9e0e81d2adba6e1d473b3fdad13f7b7f16fb3e06fa3e52fd1c22335

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
109KB

MD5
247b5548aeb0691195e4b28050f695ae

SHA1
702e09f5f1aeea058d6079620d86684ec98bf4fd

SHA256
3182ef228a62aa68d7456d24d51821f8a2e49fcb3d135a129020060e7acb9248

SHA512
3bde0966da0bdd2d96bbbd587e8ceb0c6669a2eb51a041e24d684ecad1ed5977c11c3992c4dd0e3acc3179befd2f23c3f83e8077c70bf5c2946eb3142a8e86da

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
109KB

MD5
ce48f9859f9a2535454c4d88c8cb1506

SHA1
3fef18b0601edf148fd2fcd7cf6a38acc57eb832

SHA256
f92987926304e3955af5b00eb747a20b466d583a347f94c935cfad373bb1333e

SHA512
6743eedb1ee5dcf2b40aeadb4c3f81a67c4827e7519154ea1f1ed0244e3940dd38ded5135895365347ec4de13d456c365e7e015f3adb9c0580b2b7aa3b9c374f

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
109KB

MD5
e9d4b67656fa50851dc56b11e6dff568

SHA1
6a80d10b14f9a433fd8f94eab5d1f4e07fe312a0

SHA256
e891ce3e7f42c9c304313ec9d7bfa6b92d943cd3dcc87e6cf30ce16284d1d6d0

SHA512
0c690dc4250d1dc9d666d8bd7d1e3758765b132e61fda30bc3750223bb1add7833cafef10767b99fb1b6658e5ffd12a780363e6deccb60bfaf9f998a5d71e0af

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
109KB

MD5
8867f45bd8398fc3aaf04e0d7fabd760

SHA1
84b8b37fe5ae582d586a9da5158ad783affc292d

SHA256
37ab631d320ab5e7559f28e5b00f795e1011a2760da1e90d61b7c8b48ef28868

SHA512
4251804618b65307f02b74928d1c7967aaf13404fb9389d401b97441c940b36c172142030639b91f6fcceabcc9612f03dc5fafcc4828cb7dbd52d5a3192a6cb4

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
109KB

MD5
b8965db91e9eac57aab04a7a84be7726

SHA1
51336a01b1c13b721159c5f0ce3351bb5817bbbf

SHA256
b2cd544a99d016104e1479663215f6d5d66603c347ce4aa77900b9c0e2eb7261

SHA512
6fbffb9aecc4298868750aac0b959b2db7305f53641e9ccfda5b66f7d336919e3ed5eedee7c176c3790728bd7f3d0cf47cf0c309cb44fefc3d229d3c13b99737

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
109KB

MD5
1a14b884655863d8ba5a58ac24514edc

SHA1
c9d2d4b24bec80a0eef244f3f306349d776dad16

SHA256
cd0b7e4a62993c9f48ef4a83fa15feb4dc6bc965bb2ed32b6f95d588fb019443

SHA512
2f36b53b30fb2f3b30a36e378016a56bf553fdd22475a3a616388a7517488772446e6a3a62b4998c489f287bfa84e522231c50bc61e4da0fff1624c08b6fbe01

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
109KB

MD5
7a1efbfe2efe957389c8044188ca0908

SHA1
46f62053340760d6d553e76a26c9133ea0c6f6d8

SHA256
b87cdd1fbf0e7fbefba2b3644b770ef2ef6b18ae597501e70fb37d3a4f5eb416

SHA512
43bdad2d60ac568240b37ea317b7a6f3bcd0548347e09b791b40799ba1bc1be9d8d0d057571ec5ef7720cceac4d069f79223d69afc1bf4cdaf47efb55f2e92bb

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
109KB

MD5
3f13b43cf2ede934ebc9b0623c12f092

SHA1
a0b8f9756e0653f5ff5281c39d53836cc1dad0a6

SHA256
f2e4fb297dc34b192f407105d2d33f63a5d30ff2c119a93ef6d7ee7ff0b86387

SHA512
3ff36527b59e2ba8f8e561f817fa039d6c9e33a21f8d08a19f3534a5480cf50af545a0cb094f48d6487b5904f057a0b8dfb59747066adf72cdd007775dc773d2

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
109KB

MD5
748b280706c4ceb44bfcd9ba14774ff6

SHA1
d52bc7f1022ea94e863b9b319216db416cc29555

SHA256
62855d681499a614a0ef3adc4830cbddee96dde17f253480ef5f183e63182510

SHA512
10be13b3b178cc4371f6ee8cfb9177e9db8f78db2fd558e53c3fb42b10e6972e8880eb25826bb1bc9d198c99c5b8f3c74dc198920f689e068af20298fd298a51

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
109KB

MD5
07bffe3918131c9434ad236d271716fc

SHA1
f0c53ae47db3f4d4030b65610cc73cd40ac3a711

SHA256
97033c98d88931259b193f409f582d5a28450f0cf53bb8dd2ac6e074d233d299

SHA512
2a96f67bb2b9ec331c56c86710af2d87b12b1e946d38d067cc40c7cd8b6ba1cde9ac2d441c4492356d8e637cf79f22caac71a57aa0b2abc720f2fc9d10c63ed4

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
109KB

MD5
4acf08b2aaa56e5e9dfea429f8fab127

SHA1
1803c078d57f4fe0e7f2f55695288ad848a1a8fa

SHA256
9c51d8e2e31b257429ee4f6816aafac8ee6109c3511b91bc7fcf5b5e36ae47a2

SHA512
45478a1c85602a4458bf3dcaa18011bd1c56bc3d026d2128745e6abee94c2bd02f95f4edb6b0d2f5bfaf78381fbe44797a99fd667d36b34045dfdb33c1e09872

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
109KB

MD5
962940fa6aba8e37ac7cd5869ca76e2c

SHA1
576f392cb15602948bd5d1c93959b760299ad54b

SHA256
410430a5ad767c622bc21e003dcc93713777559ae280e70ec55328434f4f0a77

SHA512
333e3c5f4e99dd271bee88448284bbf6a5cdb1633c1c2a5e3761dff886a1d62a43d067525a38aa76c75ca63d176df1225a1c4bea7119d090d33fad03b0163f65

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
109KB

MD5
98a5c91fe68e49ad069a44bd21fd8620

SHA1
05cf514569ccb57a31063f0fa4fcea51c0106f0b

SHA256
a99fad27fc10e92f3a5b4e1f1a9d384d79611641743c6cb13652371f8982a921

SHA512
56b8f8abfe67917fd84b76b0c14547320f52cf8ef36c7ad04aa7a5d69d0817a1432430a6c485592c2c2be57a2d0d21aa52112933be80853b9877dad7df6e1e41

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
109KB

MD5
495db88085b5cceaaac6be54765d6f55

SHA1
3b4837369709bf9d1f08f4883972667cfc3ac2c8

SHA256
97583dfbd250af11f6838a9f73b58a3d4e7265a6f29e7c33dd2064af63bf6dde

SHA512
bbacddd55bfd7489c4b802ba06d0611e55ac66fc8f565d7e63f5e03dd6b8a8055bd62d83e0cebe12a9e01ace21ec6bad252bbbc3561e7064a5505e385d414379

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
109KB

MD5
4e23b0076d5ba4a4c834089b93fc61f4

SHA1
f8d844223f63d824f06440884ef564697b63fde1

SHA256
4351498198d8e288c876fbace1233ada2898660865c31c2da55b542056cbf282

SHA512
16e53a5a5776a40bb6b9c7d34770d78dc7ce8942eacd89d3629b2817d98d45ddc8c9774fcecec4d0afa6de6058d42ef3d5dc3d14c68d9aeab535a00418495250

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
109KB

MD5
d6a5814286e1cb5dd1ec19d64a254ad7

SHA1
ece1c7fa3f7a4616741e15ca011d60bd1544c95d

SHA256
1abc559103437a0fb68a8a688b8752b54f656764407df8cd10c82e74b4b31749

SHA512
80c930592e5ec1dee3156277ea5e805212164d08c467de818ff1d90cb2b10d70630f5012ef84d47b88bcd6c0c6262e50ef78e9840a392c72979db49f17eca5f9

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
109KB

MD5
95025dab967acff597d6e356a481313e

SHA1
dacc79488e5a87eff73c20fed92a6a11484992e6

SHA256
b3f7986d98b70f5673ac54e68258d109f64af65d65ef7d048cc857f38c34dd90

SHA512
984485c7e9c0b453cf5c4478bbd79dc005b9d62480ea22019e4dba593aa71a35c187809568a6fb75d47b54885d2498896c4cc7d4a7b386d5fe90bbc3954dc726

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
109KB

MD5
b2ae9d7f571f7370e69547ec4cd78f44

SHA1
83bc2ba3021057821cc0e39b688cbdf194c4f641

SHA256
1613bd823aa518c6dfb0f56f2eb73c39e724cf86c29322b67e82d62d1f58aaad

SHA512
cfb3d5be9bd7647cd7b71643249ad6c4dab67189a3546b639a3c2efbd176cc1f0dfb8c4c2ae48246a5cde27d0349dd9582381326c19a9e008185061896a5bef8

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
109KB

MD5
303ebe23ddc31d4854dfa9477e0445ba

SHA1
c939fda6ca2d719f2cd2715d05e3f27c38db29ca

SHA256
8598188d28ab86d6dbf459ffc97fba2a7c9d8089306082e0e9c44ded094ec26f

SHA512
d839ebbec4758d84474234e132b57f373932186d0e1e063d0b9d380c1f0b8744ffd2a02cf6a2206b5d9ecfe58583f12b9c1e24221df0cb0c736328c1665be8f0

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
109KB

MD5
5cdcb00c9e03d1e9136fd75e4717732e

SHA1
ee08e08d28ea05091877e0ea7aaa22c508c4494d

SHA256
6deb80c98659ab8807d7ded4a99352abdb37ee078ddf9a9d544e4904e8cf5dcb

SHA512
4a3fddba50e62224c129e7c9f05760ab98f5bef8433df8f27209c818e65be90571c83db09f6dea1645b85d92ee6c08319fb6d1829b32d719aca035279fc68003

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
109KB

MD5
6d84c993107059a155998209dc41477c

SHA1
d1281b879001724cd39a918f26390d6edde0a400

SHA256
2e1f1ea45db658882b5956a6119cf8560ef170045e5c3bf29f167ca0a142f306

SHA512
3ba1416f03bc9c4f2722f05eda25a76dee30506fb7f40def1d9ed0bbe004e8b23089c37ade33da998eab3ef6babb78e4391a4ce97275eac3b2fc4071725148af

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
109KB

MD5
34a9db68345fbec111191d9f611148cb

SHA1
4fc9b05f867fabb7fc54b8311bf86961246fb52c

SHA256
2ce58c758c42d0036df7b75736065372d97fbae95d7261f6c6ce960993554fa1

SHA512
1813ecb06c1915b804e8150cdd4d8147df0d86a24661cbb63334e5f6d24b881c1fac5cf1e940e7a991cbef412c5e2d80aaa3def28b21dea797324216ad6e5fd9

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
109KB

MD5
91c7e3c301a9e73041912bcbc727c9c5

SHA1
ad337a5b0d8e94defc419fbf2ceb2b661b16e8ec

SHA256
4ae3a3f6343ddc2100753cdcfc97c14d6412116d11c79455df9429625cb5f9ae

SHA512
b8e4b7b7011da64a6653792c085428d4bd612e71e86c2d30b30cdbe99788522daedf5aeb36b8ea4ce429133d2be8a32f5f9dd708986fef3cb46bd0cc74b946f4

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
109KB

MD5
ba909aaffd1bc472469cef567d11a694

SHA1
1a484a7dad0c64ecaae2db4d348bb923a7f4d5a1

SHA256
38a3293850636509078d5e74bd6e97a1f1fb500621e3a0b659265347133002af

SHA512
ce4139beb51525b2c63aad29ad2c9435fc9ca3a8037d837a0a46095abfd471455c7c3e54a25dc88cb54a0fcce6b0812a3d374402dd9a630c9b388b746014ed65

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
109KB

MD5
a278ffc23e65f81b5a09ee6121996a7d

SHA1
8316522c9258f5725e5a7ddc4413903ae302dabe

SHA256
9581050d5597a05da67c60db87d341cff411dde6fa78d954bcfd3328472a35a0

SHA512
cf12064bfa4a59f911a5d5533d5bba3498c9ae95b432158051fe60925405ff89f5608606dfa30ce64f13e07a0f1aeecb14e40d3249d9fc15494dbd8d33fb92eb

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
109KB

MD5
fbb04df241c2337b425084ff9ec82a86

SHA1
1cb08f84a0d718a3d81246498f9ba43b2451dd61

SHA256
869084bd2a99bcf777770e0dd75685af176fc11039dcf2fac0684af39a895b55

SHA512
f023b0fce528332cabdca2ce233e37339c69363720de7d37084bf9a2adbb27fbce6c4e0fbb9228243a92252396dc4c6beefdd5dd38f801a3bbfe630c3b3ec4a1

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
109KB

MD5
efc0d0a6cfcd5cfa5d713b92f94dcd7b

SHA1
49375950cb63a93b57ad6ecb1063676dbebbbce2

SHA256
a0fcaaa2cd28c4b2369e67e7abc65fd9f6422f9da6362b0147e14c5e9ae850ff

SHA512
d19c3d9609cf16c03889bac3517105f5a20eab5154d8f3bcba516c9c49727622795024695cdfe83fac2140b44f67c413c9570b756a44534e2d6b4198175ade52

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
109KB

MD5
5d81f5310d1670e45e69b690d512b600

SHA1
cdb9bf7b276d587058d6b390baeef29562f8d269

SHA256
9aaf039dd1dfa054a154a7ac7f900127d2569fcb470af61920fb02681eb060cf

SHA512
7a255453bf618224981c67451551acce1a4fda28cee07a1526f205e005b810dc576c4f863d0451969080a17046464b8550e8ec4136b390fbd1278d9bae48a66d

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
109KB

MD5
2462b6cb124f2e698932cbe3d9758810

SHA1
a3b94baf719912938005b14c16f2167f6b4979e7

SHA256
27f3c1356679de1a174e8a7a2c2ee0805f6a876801b65705e35702e7daf75687

SHA512
0ea468f5755d107288153816750294e553457a2ca8d9150c4aae9799897c8f324002fa691c9136611d22cd5ee4139c78bc6f150febedf1bb3fbb4caec1c463ce

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
109KB

MD5
f8152080dc1a89e872500a41089cdbb2

SHA1
f845b130b9a21626ee0e1ddaa8ca3bb9912d5c9f

SHA256
428f4e433b5902f2ae90330efaeda98093c25f25e22ff246b5c81f8781b3016c

SHA512
6f453ad2553865f0848430cfaee57275975895e4c7fd9e52298f773518ff5e8dc9762d9af0e18764383892892fe49af72f3da6179f6684953952203f88528ec5

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
109KB

MD5
a558d4ea6cb2449253826d2ed3cb29c2

SHA1
7ac256e48340699a379e92c7bcbf0d4bc41cb10d

SHA256
61e4ba98fb3dd037c11c549887fcfa7185dbb7d44d233b8f80293eb8be50151b

SHA512
f7eb0caef8a952769f7a0c744c718a270acc501580b9eecee56e5fe96b5453fcaef0078d4572876f56f48c66f86b5c2668f0792bb99da98d8ee12bc2f875d93c

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
109KB

MD5
d4ccc6991f9843459262f243ea300904

SHA1
411d6c171ad468948b89cf69207bbd43a2781502

SHA256
b62927df88d859042ea440b6f00bbfae555f7e7ee8545aa1246060bb8b516f61

SHA512
7824115b10985edc90e07649faa5b267c06c750d1e025dc143f2af51993cd3f2e736c1e6bd8b2b32b60ec0b72246c26d30c7235c4507112bc82968c971bd9bdf

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
109KB

MD5
65046692a536d707db01aa9e4e468dfa

SHA1
2ec2332e059e8ef36d277e079396f1da9d37d3ad

SHA256
f9b7c5a868acada02ffb3c979ecc18dd125357f11879eac2f7cf7b0fa0450786

SHA512
63492b4871de90e5fe553199fe65cd159bd9750cf76a2614ce812605dde6329bc4d02b976379223339de16a562892b126378ad463fd672ed336fb54d53ec628f

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
109KB

MD5
f1527a34258d2dddc684e7c57bd9d936

SHA1
49c8c8ff49d452b1b16a5a489a898990f580230f

SHA256
184d6d1dfc1fc1d9cf35e5e0993473b232cff63ffa5e7f9c50b2c073f8d85f3e

SHA512
512fb07dae50c5e4ff94bbe28b000080905bd933921845a3dbc66ccf093d2ca4863b12e61708be7373a557287ae234b48b490eea0533804da742b2cc20c26886

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
109KB

MD5
37c2da72826f4ceae904a7438dc9c79a

SHA1
840e11cf75dae1aa9bb767cb14572ac4964c15bc

SHA256
1ea08d5dd504932e1cb9065e1f67407ee7a139fd744ed025f91aeb6bd0dcdd64

SHA512
edb900c3f97256a739d7cdca1e4a9c72427ebc3446a19702fd0a223e182ca0b9ea7bff692c5b20abd72d8e2ad07137b116855293da7b9905ed6d74a15b5b5764

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
109KB

MD5
6d8f7889c64d8374410a79e7c0246634

SHA1
f28f67c7e42f4dbd32917e1ed31b4ea73f392b97

SHA256
4da505b7779cd8cfb525b4fc978886d10554adc46e5250c3833fa52318c2f7c2

SHA512
d17c46afd05037f9ff752050f4390fee017e1214f9ec96e2131a6a4d1c337db73b16ec41af792db8f0b0a46fd758c3b077fb4d8e3a5a5194519e22eafe164b91

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
109KB

MD5
2a23195f0e402d12975fe79aa03221a9

SHA1
61f3484e50275be7082242da09321f38cf874e52

SHA256
3fc159d599398ad016220af5c5e11b39274d9a623b4a72697c0f82a27e249b37

SHA512
83c98d07ab34f3e8b7c2c67cbefe7f28b4fbd1ebd263c464d13224fd7968f64a25717984716da43a7f3f5d3701f64e39b4bdd11e75b66645c35300a37e346c31

Download Submit
memory/408-229-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/408-133-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/452-303-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/452-226-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/640-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/640-249-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/772-178-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/772-266-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/828-409-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/828-339-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/860-209-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/860-289-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/936-330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1268-429-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1268-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1576-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1576-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1580-283-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1580-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1712-187-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1712-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2100-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2100-129-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2108-290-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2108-359-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2140-350-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2288-230-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2288-314-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2296-300-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2296-214-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2300-157-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2300-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2324-130-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2384-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2384-186-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2676-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2676-169-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-301-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2872-142-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2872-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2944-399-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2952-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2952-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3292-379-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3452-338-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3452-267-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3480-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3484-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3512-158-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3652-397-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3696-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3696-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3740-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3740-353-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3756-332-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3756-398-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3804-167-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3804-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3932-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3932-212-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3944-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3944-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3976-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4000-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4000-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4060-372-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4060-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4072-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4320-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4320-366-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4376-318-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4376-385-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4508-411-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4584-331-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4584-257-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4684-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4684-204-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4796-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4796-195-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4820-443-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4820-374-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4896-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4896-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4908-416-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4932-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4932-317-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4944-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4944-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4976-349-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4976-275-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-437-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5068-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5068-282-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5100-315-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads