deefc16d27276fa597176bf6af526aa67c6340b3734840cb5e89ea84c9447cda

Analysis

max time kernel
136s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 02:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d69e140e8d823951025aed654ec6b0a0_NEIKI.exe
Size

197KB
MD5

d69e140e8d823951025aed654ec6b0a0
SHA1

87eb925afe6541c0148fce37131e8ebe550a8c89
SHA256

deefc16d27276fa597176bf6af526aa67c6340b3734840cb5e89ea84c9447cda
SHA512

77cb3d180909b06b7d4b75d4252d64c9991fa1a5c4d5d4eef7f336058cbe4eb5ea6ab8b04f05101ec59508ada429bd4c7cc8dff5755700d14bf4d7a5201aa2ef
SSDEEP

6144:oDR4g4Vg4fQkjxqvak+PH/RARMHGb3fJt4X:iYm4IyxqCfRARR6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe

Executes dropped EXE 64 IoCs

pid	Process
4596	Iidipnal.exe
436	Icjmmg32.exe
972	Ifhiib32.exe
432	Iiffen32.exe
4816	Iannfk32.exe
4408	Ipqnahgf.exe
1520	Icljbg32.exe
1960	Ifjfnb32.exe
4736	Imdnklfp.exe
3276	Iapjlk32.exe
3832	Idofhfmm.exe
4784	Ibagcc32.exe
540	Iikopmkd.exe
2940	Iabgaklg.exe
3424	Idacmfkj.exe
3116	Ibccic32.exe
792	Iinlemia.exe
856	Jaedgjjd.exe
4800	Jpgdbg32.exe
1816	Jfaloa32.exe
3456	Jjmhppqd.exe
4236	Jpjqhgol.exe
4044	Jfdida32.exe
864	Jibeql32.exe
2300	Jmnaakne.exe
4040	Jplmmfmi.exe
212	Jdhine32.exe
768	Jfffjqdf.exe
116	Jidbflcj.exe
4028	Jaljgidl.exe
4464	Jfhbppbc.exe
2728	Jkdnpo32.exe
4264	Jmbklj32.exe
2208	Jpaghf32.exe
1900	Jdmcidam.exe
1904	Jfkoeppq.exe
2932	Jiikak32.exe
2184	Kaqcbi32.exe
5024	Kpccnefa.exe
1600	Kgmlkp32.exe
2380	Kilhgk32.exe
4444	Kacphh32.exe
4032	Kpepcedo.exe
2672	Kdaldd32.exe
2848	Kgphpo32.exe
2276	Kkkdan32.exe
4196	Kinemkko.exe
1260	Kaemnhla.exe
4308	Kphmie32.exe
3888	Kbfiep32.exe
3732	Kgbefoji.exe
3292	Kknafn32.exe
3592	Kagichjo.exe
3192	Kdffocib.exe
2588	Kcifkp32.exe
1620	Kgdbkohf.exe
3536	Kibnhjgj.exe
3080	Kmnjhioc.exe
2272	Kajfig32.exe
4680	Kdhbec32.exe
4748	Kgfoan32.exe
3752	Liekmj32.exe
384	Lmqgnhmp.exe
4324	Lpocjdld.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe

Program crash 1 IoCs

pid	pid_target	Process
6400	6308	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d69e140e8d823951025aed654ec6b0a0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 4596	3576	d69e140e8d823951025aed654ec6b0a0_NEIKI.exe	83
PID 3576 wrote to memory of 4596	3576	d69e140e8d823951025aed654ec6b0a0_NEIKI.exe	83
PID 3576 wrote to memory of 4596	3576	d69e140e8d823951025aed654ec6b0a0_NEIKI.exe	83
PID 4596 wrote to memory of 436	4596	Iidipnal.exe	84
PID 4596 wrote to memory of 436	4596	Iidipnal.exe	84
PID 4596 wrote to memory of 436	4596	Iidipnal.exe	84
PID 436 wrote to memory of 972	436	Icjmmg32.exe	85
PID 436 wrote to memory of 972	436	Icjmmg32.exe	85
PID 436 wrote to memory of 972	436	Icjmmg32.exe	85
PID 972 wrote to memory of 432	972	Ifhiib32.exe	86
PID 972 wrote to memory of 432	972	Ifhiib32.exe	86
PID 972 wrote to memory of 432	972	Ifhiib32.exe	86
PID 432 wrote to memory of 4816	432	Iiffen32.exe	87
PID 432 wrote to memory of 4816	432	Iiffen32.exe	87
PID 432 wrote to memory of 4816	432	Iiffen32.exe	87
PID 4816 wrote to memory of 4408	4816	Iannfk32.exe	88
PID 4816 wrote to memory of 4408	4816	Iannfk32.exe	88
PID 4816 wrote to memory of 4408	4816	Iannfk32.exe	88
PID 4408 wrote to memory of 1520	4408	Ipqnahgf.exe	89
PID 4408 wrote to memory of 1520	4408	Ipqnahgf.exe	89
PID 4408 wrote to memory of 1520	4408	Ipqnahgf.exe	89
PID 1520 wrote to memory of 1960	1520	Icljbg32.exe	90
PID 1520 wrote to memory of 1960	1520	Icljbg32.exe	90
PID 1520 wrote to memory of 1960	1520	Icljbg32.exe	90
PID 1960 wrote to memory of 4736	1960	Ifjfnb32.exe	91
PID 1960 wrote to memory of 4736	1960	Ifjfnb32.exe	91
PID 1960 wrote to memory of 4736	1960	Ifjfnb32.exe	91
PID 4736 wrote to memory of 3276	4736	Imdnklfp.exe	92
PID 4736 wrote to memory of 3276	4736	Imdnklfp.exe	92
PID 4736 wrote to memory of 3276	4736	Imdnklfp.exe	92
PID 3276 wrote to memory of 3832	3276	Iapjlk32.exe	93
PID 3276 wrote to memory of 3832	3276	Iapjlk32.exe	93
PID 3276 wrote to memory of 3832	3276	Iapjlk32.exe	93
PID 3832 wrote to memory of 4784	3832	Idofhfmm.exe	94
PID 3832 wrote to memory of 4784	3832	Idofhfmm.exe	94
PID 3832 wrote to memory of 4784	3832	Idofhfmm.exe	94
PID 4784 wrote to memory of 540	4784	Ibagcc32.exe	95
PID 4784 wrote to memory of 540	4784	Ibagcc32.exe	95
PID 4784 wrote to memory of 540	4784	Ibagcc32.exe	95
PID 540 wrote to memory of 2940	540	Iikopmkd.exe	96
PID 540 wrote to memory of 2940	540	Iikopmkd.exe	96
PID 540 wrote to memory of 2940	540	Iikopmkd.exe	96
PID 2940 wrote to memory of 3424	2940	Iabgaklg.exe	97
PID 2940 wrote to memory of 3424	2940	Iabgaklg.exe	97
PID 2940 wrote to memory of 3424	2940	Iabgaklg.exe	97
PID 3424 wrote to memory of 3116	3424	Idacmfkj.exe	99
PID 3424 wrote to memory of 3116	3424	Idacmfkj.exe	99
PID 3424 wrote to memory of 3116	3424	Idacmfkj.exe	99
PID 3116 wrote to memory of 792	3116	Ibccic32.exe	100
PID 3116 wrote to memory of 792	3116	Ibccic32.exe	100
PID 3116 wrote to memory of 792	3116	Ibccic32.exe	100
PID 792 wrote to memory of 856	792	Iinlemia.exe	102
PID 792 wrote to memory of 856	792	Iinlemia.exe	102
PID 792 wrote to memory of 856	792	Iinlemia.exe	102
PID 856 wrote to memory of 4800	856	Jaedgjjd.exe	103
PID 856 wrote to memory of 4800	856	Jaedgjjd.exe	103
PID 856 wrote to memory of 4800	856	Jaedgjjd.exe	103
PID 4800 wrote to memory of 1816	4800	Jpgdbg32.exe	105
PID 4800 wrote to memory of 1816	4800	Jpgdbg32.exe	105
PID 4800 wrote to memory of 1816	4800	Jpgdbg32.exe	105
PID 1816 wrote to memory of 3456	1816	Jfaloa32.exe	106
PID 1816 wrote to memory of 3456	1816	Jfaloa32.exe	106
PID 1816 wrote to memory of 3456	1816	Jfaloa32.exe	106
PID 3456 wrote to memory of 4236	3456	Jjmhppqd.exe	107

C:\Users\Admin\AppData\Local\Temp\d69e140e8d823951025aed654ec6b0a0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\d69e140e8d823951025aed654ec6b0a0_NEIKI.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\SysWOW64\Iidipnal.exe
  C:\Windows\system32\Iidipnal.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\SysWOW64\Icjmmg32.exe
    C:\Windows\system32\Icjmmg32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\SysWOW64\Ifhiib32.exe
      C:\Windows\system32\Ifhiib32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:972
    - - C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:432
      - C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        23⤵
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        24⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        26⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4040
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        29⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        30⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        43⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        50⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        51⤵
        Executes dropped EXE
        
        PID:3888
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        59⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        64⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        65⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1916
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        67⤵
        
        PID:552
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        69⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        72⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2604
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2676
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        75⤵
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        76⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        77⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        80⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        81⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        82⤵
        
        PID:672
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        83⤵
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        84⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        88⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        89⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        90⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4836
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        95⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        97⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        98⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        99⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5476
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        101⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        102⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        103⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        106⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        107⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        113⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        117⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        118⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        119⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        121⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        123⤵
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        125⤵
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        126⤵
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        129⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        130⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        131⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        134⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        135⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        137⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        138⤵
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        139⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        141⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        145⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        146⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        148⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        149⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        150⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        151⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        153⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3332
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        155⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        156⤵
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        157⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        158⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6308 -s 224
        159⤵
        Program crash
        
        PID:6400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6308 -ip 6308
1⤵
PID:6376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
197KB

MD5
48bf013fc615d721326f2fc444ab016d

SHA1
c3886d0641d033025d9170ef38f88432ae8f9df5

SHA256
3bcc352cdaa49e5416fec1edf4a12b8ccd0430b784b0f55b6d560d92bbbc2df2

SHA512
a329704c8bfb59e5b115856db54fee768795deeef9c5f3eb56a64a9a06dd30c8a90d26856330593a61740ad118b6d1d99b10b9794c8ab8faef848d23c2dccd29

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
197KB

MD5
5267c7d055d822c226d3f0f9f7258da2

SHA1
546c35506b503c1bf39caa2635db44246c70d987

SHA256
c1ff8b720e80a8c54aae934ff7d4f28c7f20202646b598bd7bd0800d1234eb8e

SHA512
577cf44b04c9b78d48397ae90943cfa746a4b70f36895388fca6c1e5938e61f503918fc25f7dbaad4a1ab3e6228cab1b41549752cb058aaded17dc324a9e844d

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
197KB

MD5
a0cd6fd27f3e3e848919afc53578f108

SHA1
7515a2b369fa1e2410fcf34ddb9a13ce20369e4d

SHA256
bd05269c9bc9197bbaeb7052bf7ff2e1779b44b0b60a42d92613cf2a1b360420

SHA512
f81874f538e69691f75b8c3802eed8741a3e16e9613713a719eea2dfeba04886098b74a382dd641e5e4377f2e6ec6846557acb172c02760c091814d018e05307

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
197KB

MD5
5485c01f1c8d8263c795b02972cc2446

SHA1
6c68b4041c316c1e664b6331e463d9b301ece340

SHA256
063cc594aa58d6389f6a89865677cd781602cb56ce4063f5822f8fd49fd9a4e0

SHA512
1cbe5048fdf4197a4eda769c6165db1321307488882e5240330393cdae29cfe6658e8298a3f9e6e548e55a1ca79708e9289864a3d54c5fc234e651cd682da437

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
197KB

MD5
71c0a2244967043ca1e9f3614d1cac5b

SHA1
e8cfdffdd7500ddc8dcfe221c178f3cad0cd309f

SHA256
e5edf7c927f0da7075394dd33ad7798965efd05d9c1000d46d27d5ec27a94228

SHA512
c0fe847084c5a94a21f3f098a285c5fe73cd55400560c14fead267d9ab98d80da861abeb100f8965491dbec4250ddf29a89b41d2eeb181203d9b5b95a9ec8664

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
197KB

MD5
7844aa8750a9c7ead6b241a7407d7b0c

SHA1
ae462d493ea921055838d5a1b11a8b6f55627515

SHA256
2ba9f0485d63881edb95ee3e4a8666867eb13ef18888f8dc25c8320c0e9982fa

SHA512
030813bb56c48ac1fef842505874cd53a70e8ecf552aeeb7b22babc62a603120afa6c98e12fdf9bcf5d18df9b9e957d3fff7b06bf153c68b92d40c1b29d5668a

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
197KB

MD5
3276a4ac9f916523c98228e423131ddc

SHA1
6124d3703496bb64dca5556261b06e7736f4d72b

SHA256
b7132a2ffd3f37136791b75ade99a2731f9de57880742a4e329a76fc6d32ace5

SHA512
5b3d3c4db151621dad75d73e39e324691c30514630155b2df531d384792f43c21f1c809c9e49c26fc7960519e7b024053733d8ae527b2701c614dc5863b8026c

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
197KB

MD5
697c969a2939f8ddfc9eab04e57cc698

SHA1
fc05348f1dbc9242aa52ba11540ad0f4a91e290f

SHA256
8656b56a4737d483f20ff987b9e4fe580eca8aa019dfcfd7335f779b86544cb6

SHA512
f25e89c800848325ec63399efa88ea6219d54aaa715991ad547a09936dac40bdd91f66da47aad9a81f0b4580bce1d91314dd7acbd560588dee64fa2e4b2d8f9d

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
197KB

MD5
0ff85ead26451c146af5fd991240b266

SHA1
2086dec3586d2b97961d93c2c759ecd76df3f09d

SHA256
7bd3c822f58ea1bfbea350abeac6dea12fdca8c5f3145dcb519b9656e2d1dd30

SHA512
de97ee6d23bba72b1e2943b4ed2c7e188c43b681c7baef2e9236ea4445b2cc00484d29c346e92f58989044d822a60e54410d8a511f397d80369d6e27439c24e9

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
197KB

MD5
23830898db8e519e59c7c5179b64ed17

SHA1
04dc7460902238a7338dff81cf198a0eba0fcc35

SHA256
5174e624cdc2c6b3b9bb717ad2c3a0291375ac96678921976d3adfe97d943793

SHA512
18c73634f2ee9e571236c16f2fab9eca3bfc62ef3cb06f608afe480bfd173d5c625c3b250c606a754cfd72ca3fce8c900a45a89bc0b0bc7ee3a253b0726ce5e8

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
197KB

MD5
fc0767e855a3c20932852d33b4282d95

SHA1
bd9213bdb216e3c0a834a387e18d9ae874868fa3

SHA256
bec73370ab33aa6300983c3e055b681349f18e0c806bb17976ad223cf8aa5b4a

SHA512
b27b5dd509aa46a07ef280dbb26c3982565c30bc505f1d48caa6ba0aa691f6ad5bc4871fdb1697260045006f0f49851edc85da610d354463f240ed7a17b98f91

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
197KB

MD5
6c7329409752d80a4374776f029a26e5

SHA1
f47217be8c4286df18498d8d4172a6d9c782fbeb

SHA256
3656153bda00a0a29a923655f52de2d5aac6c09f3d672024910170b52c79719d

SHA512
158271a11835745ece737da9c1892de9b76e89df17d6c952d2c3813e523493977ff4d5c16fcba5dbd9afadb913026f9226ece7e5a63a624a65d42729b713e928

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
197KB

MD5
89e30821d411d1bc98b49f06077e4738

SHA1
a3ab09ac7fe2162fb2da0fe7ffa91fe10f80f4c7

SHA256
93bcb358a9bd3c41115e5737b7708d63e0f6cd1eac4d55ec3a381be439f77ac7

SHA512
51ca2f608005e58afbe079dfc062ece574e47b08eb75c51661bafca1b394455417bf973543f28d4db2f74207907bf69dd9d295b3640c9431d8a0d6dd90ac9f72

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
197KB

MD5
1762d7f6794d79b9fba6dd3e7fa8812b

SHA1
b5ff34a8a1ee1234be40a5a2871abfe81f82c497

SHA256
892b713de882d0513513ea5d4f523b271884b467b1beb5b52fd00c5a587bbe59

SHA512
297303d9b9fb4fbcdd629f7bc15d5f89f55f63e03ba98d5e62896155ad6bbea1df7172fe2cb50175d6a128c10d1d80397d6461e6d55cfbd1d3dc7e6c7b492962

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
197KB

MD5
e0f09275c2b5a3294e8623ddd28c2dec

SHA1
c914021b8cabe1dbecde932ca323727173137253

SHA256
475c1ba0626e1c9e371367fef9b917dfc3ee1ec12d099b75cc8766ae91121238

SHA512
d1541a984b818ade623f0f9f1bee025017607c47de842a392bfde89056e734123c79d25d4c408651deb6e0ebd6e0cb8f44cf2c5b0595914637dee6bd81aa9704

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
197KB

MD5
107e2c7391c02f8d2a03d7ff5b828153

SHA1
5a5bf88d4e87347d69be5e587bab6780a42b7fce

SHA256
2667e3056818a8789afb1a7f727e5fa2340b05ec5e8ea4502645e2ddda0f7da8

SHA512
3b9000540d51f8e706126143f22d06f04f0a038a125b38247ea575d1875b091feec5d0656abb9787f2b80d1ac7fae3de77d2cec80ed6cdb2292d442583cba7c0

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
197KB

MD5
7d12ce04129182b72026a4272d520206

SHA1
cc3d08cbe5ec54d17b9b984cea2ca40786b85439

SHA256
acce5f3cb9e7926f1583639fc8021f9257a6c580b737143e8d43b6b053968dd2

SHA512
e6d42e95755728881ea5d41e5024190d54a5aef94ff11e22def845887c250b5539438eec135f55067af095dda8be3377674fa933edb23a340fcaf653201541cf

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
197KB

MD5
1fa53565e27e30f554ee79fb1229cd0f

SHA1
0795effa3666ce9fabbb8b08b5014e722fcbbe46

SHA256
1565f56b814bc6120fd08c2d9312f9111904f90ba549fb48eb138f4d83ec6843

SHA512
7415f5f04ba77b0156713f512186da70dd5de155a3f725a2c97146dcdd2f6d9941c1f0dd641aa41046670c2c0dbcac683afde6b8e067f4cd1e6b013dbfc2d771

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
197KB

MD5
c1d8444c32fea6c5ea106feece52ddf9

SHA1
ffc5bf78afe1da98de18e4d42be900884a8ee3cf

SHA256
7b7e90315e58a8133a9ce40fea5ea0e2e4b412badd4525e9d44a9dff343883cd

SHA512
e7a10b7417d07654c8fb6055da0a28d932a0c2c787a6eecfd95c74a07c3bc06dc8e22402c689d323363a191817c773c54f477714a6498e720bcc2e6a10cd564d

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
197KB

MD5
e87ff253dd140ce01a6b38de1e1271a7

SHA1
3a76bf462a439d06d5c39cedf43dafc729391731

SHA256
18bce2a9944873d69ee6061987aea94eab3e98b4d258716a4753e240eef2b95a

SHA512
5500dfaae0a1f5c5d4b37f0da404004e0b9087eacb069ca5c60246a62da69cdf941004412cb971b78e54b9c691557affbfb2f643af6e6c8dfc493eabf79e80d6

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
197KB

MD5
28eb0c269c4f54067c435ca71768f655

SHA1
9239c7d0752486f1776f8e1ce621176b5499476c

SHA256
32d4d5a2645064974b09e894290422776abde0cf67963184377068c348ae2fba

SHA512
c937f69cce6332e412509ce4a02ada69db8fa3380dfb6470e50af5310533792c78bb1b6ad7404afacd20d72b6d8d301b3878c64010cbf5ec18b11b83f43d140d

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
197KB

MD5
692f143bc59ecd904c25321c3d3592a4

SHA1
c2ab9845b3be46e2996a9de26748f52d8cedc02d

SHA256
7b1052f42f8a1e8da5f4818691438430cf0b2672a5acbf049bec51d67b08fcde

SHA512
09be090cff600774a54c563a456a6e277640938eda517f6fa12cbdf394972765d429c2e18a5c5c1c5087b88fd5527fff4d2a48f8ea96c0d9e5e45d587a6be4b3

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
197KB

MD5
b420b0f6d87557372d6c6c198f02a7d9

SHA1
be3e535139b0d28b507dcb0371b52315ee16f46a

SHA256
839f102a50d603d02ea5347868c290e10329d31fdb1eac6400a8d1002195f169

SHA512
9dfe9c05bcb99c6f4b5969d9146ccb3a87de29446b7a7ab585ac9ca387f4cf1e75a95742968a31c14c325809ab517bb3e5b97ba2124d4f04565f40ddeebb6c7b

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
197KB

MD5
e11b47010d3c67b8732e691ca482f3d0

SHA1
5c8608843aff226a5aa636386f4efc00c9b0d3b5

SHA256
c9edc61954a74d2424809169e49217218785baa1394985228f24f620d0685eab

SHA512
e37c59f6dbb738d6779f2ee19ea73e25353a40a89205231c21b10da581f07d5a511e0f151ee25dc1253896893e049c7bda414dcbcb7d645baf47a8488ff39755

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
197KB

MD5
2cc2a4c1ea16470ee2513c69f3ab935f

SHA1
2a5d5762320837a51dd633a2dd398721f0f4f7f1

SHA256
78f672aa092515594397ffd2453d95fc1e3baecc9b041613faedef9d31350f63

SHA512
378fadb0f09a72ca2b5c0807a932d6b0e8f3d9d3bcfd51a75fffeeec01226d4a481fc3dd5abf6599fb7aa91515f9f4239ee58879ea81331b7fb0f3f63183916f

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
197KB

MD5
d3f29b8ac73943b95451a0f5e4b79557

SHA1
002be05f4824f00892ef1e048a173cbc29ef6e0f

SHA256
804e614428c4403e1e472fe4b74e1a3a89f5ac8346f6eb5dda47b75319998117

SHA512
8f4f5eef5f568976a981bc385743c2477a21e67df7dd4db49e87d858dbaab81d9da3086cb2b9624f2d90a5be8f76b38baea20ffbf727cae1b74674df54766a7b

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
197KB

MD5
129ea53b7265cc9af98e612ef2377040

SHA1
ed528b64bf2651918c2ba540aeec28d96f29f91e

SHA256
824b33f1df3c390035241b4345f8560bee442cdd5f0eafac10ae27477e571dd1

SHA512
6bd0b1a5e57cbc1a5e983f8fca68cc54087aefa2301fdf08315aeef9a5556400b0cf3389af3a75e091e91fe35e68a33ef2d63618a415e8ef416c57f021d9f51b

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
197KB

MD5
ff2c5fab84377f3a148d476b74a1e8b5

SHA1
44f83c4bad51cb21a72110576b018f8ee3a444f1

SHA256
86e456079345a01a4cf5ea5e53867f341e878f6af73a33df8ba7b149664f71c5

SHA512
fd068112aee06a9f2a7f4a7d02d64266ec9b78354299afea44ad7cf3208f7c2708ec8fc0614bc8c52746582452a7b87c372dd39d1582d1d9917eaea79fb08660

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
197KB

MD5
a28a55ea46b637af81b3c8669f667cd6

SHA1
258ab0ec73a96132ebc55ac3b52b5d41b6db30e0

SHA256
1cafd38b0b9091293209f1090db4db5173ebfee0ee64d4842fa8afc1df9c5524

SHA512
33fc700a3c4ccea6dc050ab4c939a9c94c79fe11a49349cec4911a64cbad2138ab853cd3cf71073286ad0fe490b4f715dddbf20a174a4820a01e965e0780714d

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
197KB

MD5
4f2d3b0cb0b64fa66dd948d7e3ec8623

SHA1
e46906e2417d3698b5e77719c59af3cff7543503

SHA256
5594348d7a24cb4d9b4761a89dfb81cf3e7ccc3aa35529d221e2ec30af4b8f39

SHA512
c594b8129032af478301795f080ec2499f1af3b45d3e6de4082052b685e4e5f0d4ca185ed5748f86d6b84333248de1bbeb5274750e955803aa401b25f0c2a65c

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
197KB

MD5
4b0becaaf31dcdc057bcfef49db1bf42

SHA1
4d637071a53bf4e559c043d6a9c2394b529c6589

SHA256
51229cc150bf6388fd3f18ea3eba8dd7700d2972134ef7cf9bc6adeab49ac9f7

SHA512
8ab4727f4e7cf7025c45e6b78e2c96a48720d28e313745029eaadd8c13f2b5a09eb8049d71f88b3a45dcabfcc4ae072a13a93ac333f6a3a8e1b013f9b20da95f

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
197KB

MD5
258f9099fdbd2dea785a873c68491c9d

SHA1
e395fe94dbc37374cc8a8cadce83e0e9b41b4e83

SHA256
024526bf07bc06f5ea4e098b1dabbf08b31915493b48569d0f51fc8565a91300

SHA512
6b8134753700e423073fadcc58369a278b52bda8d9decf03ae37d0c6156db43733343d25668531ad9cbedf805cef50d2b27e1022fcadeef3c864ab432fb62b3a

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
197KB

MD5
a6a4692433613a836bbfe5ba4985e5df

SHA1
eddf4d3d133a208f7a46cd598a3ce65503a453e5

SHA256
8a8dcfb6f9e20d58dd5f90233d8a81b421a1cae006814d1f1e8805ccc533df20

SHA512
fc8a5fb765362ad26a6d15e3387c6757bf2517bec94de71211eff6c5fa44516e068555ccc699b12e5193693e245a1c645690f4e8d1e4ebb6f82532199deafab1

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
197KB

MD5
f6195ee8d91489dba6cd09571839e624

SHA1
87c0eba0d71e9d31e090644594010e9de6ccda7b

SHA256
2a3eb347cc15c4dbc2565e26968effa19f094606d18d98d5889586e5078ba025

SHA512
8b3fc878bb8a2e5059056d13595d7d749f80da99d52dacbc2431f8709eb49348841b8482cc3912749a5b1af35a0f3c604d76ae294226a158aaa4396e6aa28136

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
197KB

MD5
58333d69ebb05a0a2d978fa661f30db4

SHA1
2d42dcbcb6086583e3cf1cb0440b39cba9479803

SHA256
83844298384dbe5c67885092f542c25edf326398fd7d142a7c4a1156249737b1

SHA512
70232cdf9c9db9414809d3fcb27f846690ccb03b16c765db3f24bcc1d0e24c6256f36f966f66658320cd7c86a2c1a8dab5c436eaa3964d4bcb9dbe96fd7e2e71

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
197KB

MD5
039f0ce3721f3ae939048531096b4fcd

SHA1
a68bdec0207491806e17fc469e189702a3529100

SHA256
6eb7a7f4e0fef710205f4ab41d8e1e51fa9a205bca79b9bfba1515103052e229

SHA512
7c45726fdc51d3e2b4016d4cea4be71a87f78315beeab0c3017a9ff5990431b1998309457fe8e61df7e2f0cdae3d4c24529ce15783870c5c44eb912e4aac5232

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
197KB

MD5
13eee82e21b3f1eb9dc686f591a35c1b

SHA1
317b39f281431bbc25d011918f58ffe9f97090dc

SHA256
7ac959505a93d98329db4e91711d781b53ea834f9970f166e201d2e213cd9bae

SHA512
d51a2e673b70400836192acef0c372cbc393b92e1fd375ac9645c78d0e1be2cbf439265352e7115bd010115b232d5244e79d1afaef34737efd064d6f32948b3a

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
197KB

MD5
80c8b849007eb5a5b4890cd3b0fcc6b6

SHA1
e051f76f43371fb897b5afe16769283501eb399a

SHA256
59f9d0acfb0921fbbca1f5819db76bc6a4d5eeb034713b175ce6953bb9a9a80a

SHA512
074f465d6ef6a23e65888edb1f4b2af7204e6e123267b69fc60cb6c1982c8394bf28764d1b64be9ecf17b9a3ae96d4eb08a18a92a795e9ea6d251d9d1114fceb

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
197KB

MD5
5e75e1e1e4da7ea4f30b954c6ec7e3df

SHA1
11ce325b3babb837d948dc7c8d02aff334d0f015

SHA256
cbb29d069e8ad0b9571558caf6fe01fdad369e920abc5cffc28c5cfb56c52ee0

SHA512
ff4aaca03fb7cc13b06e6519d40db6f6c38b5dbfd69025a636116b0150f71c69bb1322b5f069f088aa7f029f169218fb741402e667823c6dac6eb4150f74ff2b

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
197KB

MD5
f1645b3ca60512cad17c413a5be37fc0

SHA1
3dd0cde780d4ef00e781ccc23f8b036e4fb2fb59

SHA256
827ea604a65010715aa77f6a136af09743581e1ae0a68ba31e2423de73481968

SHA512
643a860563281993aaf5e3d9389b8c9f6231cab7e0605946eeb151a409b4f2d8345d8b68f27d2c714c4c8ba7afe94b511dd78542a0f743849290244b1d704484

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
197KB

MD5
70ce247825a70fd89df0f3e894f243c4

SHA1
37356822963a91d74e47ccd2cb2744f17864ef14

SHA256
29a5f5b64702b9d475f30a3583b8f370dc39c290a8097d4f8133ac3aa5f1086e

SHA512
d0858af0967ab05102face516a6ef2fbdc18cd315f843e7a09a12697ab422f1aecc30093a84dc56a7f58ffb20d58383ca8d4934845526220c7681d65a9b5d729

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
197KB

MD5
65ab90ec0321822d5824f2abe7302251

SHA1
971e7dfebf6ca57f03d45b36b669e349444e8ab8

SHA256
978f8b8e0db7eea395eaba34fc187d4205c66d40425dd056a29d2afae7ef816a

SHA512
c7c6416568e3aa74ed67e1664d041887fbc18b9443f9785f4fb008a30f0c79ac45e29acdb90729277493801ab1925fc431cdb0d3f2467870977ff56a78ac16e3

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
197KB

MD5
a7122f85eb93e8095e53fba2900aa499

SHA1
6c212e4146de60b55ca08e627158437d76387b4c

SHA256
a19220057e35812aa1d0e810658ecfc1eaae1a403abfb88a1d5be2f0b7c7b7f2

SHA512
33625403a9c51b04fbff78ea63847ee4365b2fd21c8a4d88055e013d0f28131127d293dfb0ebd6577b59004e83abc7068caf06a09196fff25df44c2f0dca80d3

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
197KB

MD5
7463796fbf9511c07d34a29d615774fd

SHA1
e5d8b6e88a713eafeb7d84de714577b1c3e99a53

SHA256
9ae796ccb23d9a7478a6447245068a2e9aec0555119b260f5c1f12b873a42bb2

SHA512
7ab4c38d61160fedb5009d37f76ca11b68c574a6e6e54aca99f3ee908d472b47e6fe661d7bc07e8c401e26710fd106e1847ac271530d743ccbd5461e33704bed

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
197KB

MD5
f04a0fb59999bc3529a829c1947333b2

SHA1
5a63a7ccb526574bc71b8b8d680d72ebce3419c1

SHA256
ac6cc2995a905f84087f6454fd9a4af0fb1d7265c2e56e5f1c1f5470586eb921

SHA512
8b7d62dc2f68fbd92589feb268ec8a630a607ebb9203e20eac0a0b9fa8b57cd164ebaeb645959423f5dd632ac9054784ecfa0564fd284cb808de75a9182fd9cf

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
197KB

MD5
d48322c86ff29700a63e4cd0de4ee5e8

SHA1
ac9843f3c247007b6bd7de893117461302a9a88d

SHA256
7c333154ec0c4ab8411c3e127d363fee7e57d6cbd5ccdd989c3ea5f3568d44d4

SHA512
2ef2c1a26e186588cfc7ee65c3279dc2c51cb8620e48052fecaf8fa09869e29c926e6168455b47c0c88b6b9b1f49a69ff131ee6324429b7c247fffb2784524f7

Download Submit
memory/116-252-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/212-308-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/212-230-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/432-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/432-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/436-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/540-106-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/540-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/768-312-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/768-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/792-142-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/792-229-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/856-238-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/856-150-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/864-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/972-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/972-114-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1260-379-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1260-450-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1520-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1520-149-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1600-330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1600-396-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1620-433-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1816-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1900-293-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1900-359-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1904-303-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1960-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1960-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2184-313-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2184-378-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2208-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2208-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2272-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2276-371-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2300-212-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2300-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2380-401-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2380-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2588-431-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2672-353-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2672-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2728-278-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2848-360-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2848-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2932-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3080-451-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3116-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3116-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3192-420-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3276-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3292-407-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3424-129-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3456-178-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3456-263-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3536-440-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3576-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3576-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3576-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3592-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3732-402-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3832-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3832-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3888-397-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4028-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4028-325-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4032-351-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4040-225-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4044-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4196-372-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4196-439-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4236-186-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4236-277-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4264-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4264-350-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4308-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4308-453-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4408-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4444-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4444-339-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4464-332-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4464-264-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4596-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4596-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4736-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4736-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4784-105-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4800-251-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4800-164-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4816-133-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4816-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5024-319-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5024-385-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads