3914ab7d991b4189a1e3a486763646f90bd60b3e43b3211c3a07760cadfc1d1b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdd842c33498ce288d6ae4f1cde1d387_NEIKI.exe
Size

276KB
MD5

fdd842c33498ce288d6ae4f1cde1d387
SHA1

91a8ea4e1b46a3764d5efcc0462b858ce4a04d87
SHA256

3914ab7d991b4189a1e3a486763646f90bd60b3e43b3211c3a07760cadfc1d1b
SHA512

657171f59874f51e839ba0540286f77b21dcc73a07818e59a1df6cff020650425fb69fa3bb12bbdb7390c39b0b32cd97287ec1e05bae96aa5dc0503d4f02a0d1
SSDEEP

6144:eUJrTvwB4ygFMCdZMGXF5ahdt3rM8d7TtLa:jTaavXFWtJ9O

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe

Executes dropped EXE 64 IoCs

pid	Process
4540	Haidklda.exe
3608	Icgqggce.exe
3432	Ipnalhii.exe
1400	Ifhiib32.exe
1168	Iiffen32.exe
4484	Iannfk32.exe
2240	Ibojncfj.exe
2296	Ijfboafl.exe
4824	Idofhfmm.exe
2496	Ibagcc32.exe
768	Ijhodq32.exe
468	Imgkql32.exe
1340	Ipegmg32.exe
5116	Ibccic32.exe
2244	Ijkljp32.exe
1392	Imihfl32.exe
3516	Jbfpobpb.exe
404	Jjmhppqd.exe
3872	Jmkdlkph.exe
840	Jpjqhgol.exe
4808	Jfdida32.exe
2408	Jibeql32.exe
2960	Jaimbj32.exe
4816	Jbkjjblm.exe
3120	Jmpngk32.exe
1576	Jpojcf32.exe
4288	Jfhbppbc.exe
3428	Jangmibi.exe
5096	Jdmcidam.exe
4360	Jfkoeppq.exe
4604	Jkfkfohj.exe
3812	Kmegbjgn.exe
1752	Kdopod32.exe
1852	Kkihknfg.exe
1616	Kmgdgjek.exe
692	Kacphh32.exe
4500	Kdaldd32.exe
2284	Kgphpo32.exe
4868	Kmjqmi32.exe
2784	Kphmie32.exe
452	Kdcijcke.exe
4512	Kknafn32.exe
1364	Kmlnbi32.exe
1012	Kagichjo.exe
2596	Kdffocib.exe
4220	Kgdbkohf.exe
3956	Kkpnlm32.exe
2652	Kmnjhioc.exe
1968	Kdhbec32.exe
3356	Kgfoan32.exe
224	Liekmj32.exe
3672	Lmqgnhmp.exe
2820	Lpocjdld.exe
4328	Lgikfn32.exe
2796	Lkdggmlj.exe
1572	Lmccchkn.exe
1544	Lpappc32.exe
4944	Lcpllo32.exe
2964	Lgkhlnbn.exe
1568	Lkgdml32.exe
1964	Lijdhiaa.exe
1192	Laalifad.exe
3992	Lpcmec32.exe
1164	Lcbiao32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	fdd842c33498ce288d6ae4f1cde1d387_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe

Program crash 1 IoCs

pid	pid_target	Process
6064	2728	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 4540	2660	fdd842c33498ce288d6ae4f1cde1d387_NEIKI.exe	82
PID 2660 wrote to memory of 4540	2660	fdd842c33498ce288d6ae4f1cde1d387_NEIKI.exe	82
PID 2660 wrote to memory of 4540	2660	fdd842c33498ce288d6ae4f1cde1d387_NEIKI.exe	82
PID 4540 wrote to memory of 3608	4540	Haidklda.exe	83
PID 4540 wrote to memory of 3608	4540	Haidklda.exe	83
PID 4540 wrote to memory of 3608	4540	Haidklda.exe	83
PID 3608 wrote to memory of 3432	3608	Icgqggce.exe	84
PID 3608 wrote to memory of 3432	3608	Icgqggce.exe	84
PID 3608 wrote to memory of 3432	3608	Icgqggce.exe	84
PID 3432 wrote to memory of 1400	3432	Ipnalhii.exe	85
PID 3432 wrote to memory of 1400	3432	Ipnalhii.exe	85
PID 3432 wrote to memory of 1400	3432	Ipnalhii.exe	85
PID 1400 wrote to memory of 1168	1400	Ifhiib32.exe	86
PID 1400 wrote to memory of 1168	1400	Ifhiib32.exe	86
PID 1400 wrote to memory of 1168	1400	Ifhiib32.exe	86
PID 1168 wrote to memory of 4484	1168	Iiffen32.exe	87
PID 1168 wrote to memory of 4484	1168	Iiffen32.exe	87
PID 1168 wrote to memory of 4484	1168	Iiffen32.exe	87
PID 4484 wrote to memory of 2240	4484	Iannfk32.exe	88
PID 4484 wrote to memory of 2240	4484	Iannfk32.exe	88
PID 4484 wrote to memory of 2240	4484	Iannfk32.exe	88
PID 2240 wrote to memory of 2296	2240	Ibojncfj.exe	89
PID 2240 wrote to memory of 2296	2240	Ibojncfj.exe	89
PID 2240 wrote to memory of 2296	2240	Ibojncfj.exe	89
PID 2296 wrote to memory of 4824	2296	Ijfboafl.exe	91
PID 2296 wrote to memory of 4824	2296	Ijfboafl.exe	91
PID 2296 wrote to memory of 4824	2296	Ijfboafl.exe	91
PID 4824 wrote to memory of 2496	4824	Idofhfmm.exe	92
PID 4824 wrote to memory of 2496	4824	Idofhfmm.exe	92
PID 4824 wrote to memory of 2496	4824	Idofhfmm.exe	92
PID 2496 wrote to memory of 768	2496	Ibagcc32.exe	93
PID 2496 wrote to memory of 768	2496	Ibagcc32.exe	93
PID 2496 wrote to memory of 768	2496	Ibagcc32.exe	93
PID 768 wrote to memory of 468	768	Ijhodq32.exe	94
PID 768 wrote to memory of 468	768	Ijhodq32.exe	94
PID 768 wrote to memory of 468	768	Ijhodq32.exe	94
PID 468 wrote to memory of 1340	468	Imgkql32.exe	96
PID 468 wrote to memory of 1340	468	Imgkql32.exe	96
PID 468 wrote to memory of 1340	468	Imgkql32.exe	96
PID 1340 wrote to memory of 5116	1340	Ipegmg32.exe	97
PID 1340 wrote to memory of 5116	1340	Ipegmg32.exe	97
PID 1340 wrote to memory of 5116	1340	Ipegmg32.exe	97
PID 5116 wrote to memory of 2244	5116	Ibccic32.exe	98
PID 5116 wrote to memory of 2244	5116	Ibccic32.exe	98
PID 5116 wrote to memory of 2244	5116	Ibccic32.exe	98
PID 2244 wrote to memory of 1392	2244	Ijkljp32.exe	99
PID 2244 wrote to memory of 1392	2244	Ijkljp32.exe	99
PID 2244 wrote to memory of 1392	2244	Ijkljp32.exe	99
PID 1392 wrote to memory of 3516	1392	Imihfl32.exe	100
PID 1392 wrote to memory of 3516	1392	Imihfl32.exe	100
PID 1392 wrote to memory of 3516	1392	Imihfl32.exe	100
PID 3516 wrote to memory of 404	3516	Jbfpobpb.exe	101
PID 3516 wrote to memory of 404	3516	Jbfpobpb.exe	101
PID 3516 wrote to memory of 404	3516	Jbfpobpb.exe	101
PID 404 wrote to memory of 3872	404	Jjmhppqd.exe	102
PID 404 wrote to memory of 3872	404	Jjmhppqd.exe	102
PID 404 wrote to memory of 3872	404	Jjmhppqd.exe	102
PID 3872 wrote to memory of 840	3872	Jmkdlkph.exe	103
PID 3872 wrote to memory of 840	3872	Jmkdlkph.exe	103
PID 3872 wrote to memory of 840	3872	Jmkdlkph.exe	103
PID 840 wrote to memory of 4808	840	Jpjqhgol.exe	104
PID 840 wrote to memory of 4808	840	Jpjqhgol.exe	104
PID 840 wrote to memory of 4808	840	Jpjqhgol.exe	104
PID 4808 wrote to memory of 2408	4808	Jfdida32.exe	105

C:\Users\Admin\AppData\Local\Temp\fdd842c33498ce288d6ae4f1cde1d387_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\fdd842c33498ce288d6ae4f1cde1d387_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\Haidklda.exe
  C:\Windows\system32\Haidklda.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\SysWOW64\Icgqggce.exe
    C:\Windows\system32\Icgqggce.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\SysWOW64\Ipnalhii.exe
      C:\Windows\system32\Ipnalhii.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3432
    - - C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1400
      - C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        23⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        36⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        42⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        46⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4220
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2820
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        61⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        64⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1164
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        67⤵
        Drops file in System32 directory
        
        PID:1260
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        68⤵
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        70⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        71⤵
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        72⤵
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        73⤵
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        74⤵
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4700
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2144
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        81⤵
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3988
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        83⤵
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        85⤵
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        86⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        92⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        97⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        102⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        105⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        106⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        107⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        112⤵
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        113⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        115⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        118⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        119⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        120⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 412
        121⤵
        Program crash
        
        PID:6064

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2728 -ip 2728
1⤵
PID:5224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gkillp32.dll

Filesize
7KB

MD5
a85de51aa1877c9377d2dfb487a495dc

SHA1
fea77c6847f96be625bc366022fff36b5e9079b0

SHA256
70d2e783a0bb4ee6d9577e5bbd5544482db253cacd4a9dea9a41b6cf03c0f3b2

SHA512
98c51a86dce7fd2ed7c51c0f2145ee46bca4ef8e40f690deae12c0f319734f417042c1a7485413fb949c36684349cc2eb419b3f011ee6db5686e177bd503171f

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
276KB

MD5
d1104ab85214d84a1ae41c4d75faf6b8

SHA1
777099359b443104950639838a2c3517ec1d65ba

SHA256
792a384d52650b97e938089057e70c120eeeacd83f3215910f64d9204a4a3930

SHA512
4ff6370f0b20508fdceae597c4f3a108d2648bb83478d824a2b01f10543612925a9a9970c55270ce422c66353ca6f0c50860d90e7e5c1e18c04f355b98d34de8

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
276KB

MD5
6cf614150f7d59ac3c0f22d42fd890c7

SHA1
0ce86be0a54de6a53097a043bea2eeff306b6f90

SHA256
058343a8cbed620e36d01c5e27dcdae36b7e4252dcc0ed0aec801b897ea244b2

SHA512
aa3ce62b22c3302183151239f3e41213387003441cb1540641ab81ab035e49f1df3411e842947068485f5673f696d75c5c5ef74df93dc4849c2cb3de7b4b799b

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
276KB

MD5
a7b75a2b9cf3532a24efd1887cd65dce

SHA1
182d97090153b864b5312059933ff8d4db93bac6

SHA256
6a0bedad01980f80a206369779f340b90baf4e0246f7337d3cd1f7c0b7607307

SHA512
dd8a9a6917fe26231bedf05e6922f12f5132494b827a29add53990017118eb7e01a57dcb5851beb65c0e510167ce3b4b233164a2cc9d2ca031e72b06c23451de

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
276KB

MD5
7cc1919bda386d4294121aa62aa64fbb

SHA1
efb259b0d1c6b1e869c2f241d79d3fb73093b137

SHA256
5505ea335724ab69604b1da8ffdce84919fa1787edc3c7aac828b29678703acc

SHA512
5bfd8906ba880c54fea191b2dca1c53defe0a644acbf1af3ea2ef3b1010ded13a0699e15ca9dddb067acaab2c77c0fcaad74bb071fa1b741b52fa9ce5035a12e

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
276KB

MD5
8c48c4e882d0bd72ff4f7345cabdd2bf

SHA1
fb29fd85e7570651391c4d208061ea123da2f76c

SHA256
48a4980cb61a5e2e9d6163ccddbb8a873d707165645b96bb7c09b922ad2e97d2

SHA512
2e834b78c426a6063f2d6de0e1dfa0a8d999f69b6d0e7709c9c7a3098d288effe8030b0cf18cb9ca9bd334073c0a18c967054680ee58734458f85d1e2aa2a700

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
276KB

MD5
b2ad7afc9222a9988d09f63b34721d7c

SHA1
8328e442e6c5313d0f149af85a1c7c00a2dd19db

SHA256
e2650e7b91d497e703e5bceb4c7d77b7de6bf7892c4a0a95ee52265d84b53402

SHA512
42e1e606fba7b77e0aee64d6119ee2d5794623c20e2dc44fa720fd1bd21a2137804830f08544967f337532fefda5631a55f4df2c027a17490f5588903bb34a77

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
276KB

MD5
359e3d3c3554824585f96ce9a1712221

SHA1
ae68f36fd6c5619999ac68d51dca17531cdeefda

SHA256
b8b111ad0b3c6e5cc80f806b4b74d268692b2a4b5334a1fe38c0604a1b0046ea

SHA512
1ef0d1996cdd65dccde325deb324308e8008f390a2237cb3284741b8ea94c18b208f2f0ea6365ba13f220bfce807a49cb7a05d59255012470c829951325e548b

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
276KB

MD5
0cb8f8a2819f71c65dbae2ddc6caf74d

SHA1
7ba6ed313468083a280cfbc40c16313e1999fac7

SHA256
685a6f0dee0c5bdc99ae3b6e1653bd27d0586c3263acec8a28c224a173d295c2

SHA512
fa8acb59610a2a7b07054204a4683fbd67cf75e1c6c477a6ec1b3fe21b42925432525c688b4273f8f6b64d195190be5908bb9d533013c392e2de615b2f6abf27

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
276KB

MD5
37a9d4bc4fadb30bb77d690d77962267

SHA1
15465f5f9f995f15d1a5d5c4cdbdc471c1997770

SHA256
795fe17918ab6265c4a9b19d4b403331af0ee2004772217050714df219fe0d25

SHA512
1b4c325e375dfc7ec76eca0d7ddf339e362e5f211c8a6638100ae1a100b91653ccca246bd1884821ec548a7b8810dfbe421361985c0aa87476a172becee45eb2

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
276KB

MD5
e5aeca65983c855e4b8919cc3dc49a0b

SHA1
ae172fe3d20580a85637a86a240f29de724f04ae

SHA256
b847218cf59501912d2674d280f44aaf974118b1cb87936342fd0cba635bf118

SHA512
7241f05092ddd09afd8855660295902c49524cc652e630cedc95410de9adc6a6b9eb638c4bd11b4406c4e6c525f20d7a35d14942dfafbe935195da17ecb05401

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
276KB

MD5
fdacd8722566b8282381e5d4f613bf5d

SHA1
94359b1a1db722262357618d6a17b51484c8ec80

SHA256
8ce83a67a47a903c055dac2c774e0a4fb4d59a836190e74944b2a7e642d37c6a

SHA512
8747933c3febba16a39425864b700e5145808d26e2ce0460704e971d23db2a22ed7bdc1bf61449667287db96a035283c6a23086a3f4ea2cc2859230ebba77b2c

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
276KB

MD5
815070ae27900d2a201ede3e2e831ecd

SHA1
d357eee3ab9c88caa8ef386964fd5cb6e656e7df

SHA256
e946097c53425f646685caf04ed6f5cda52c0fe717f5f2d2c13adeb5c3e81603

SHA512
cdcdf58cf11c11be2cce4ceb9f4d681fd6ffe1e67aac4e740cbe0e9552855760a4e096b04425b34f068197cb817ec3bdd9ce2d637a57b67b6f8b5ffe8b9c603c

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
276KB

MD5
012ea35742e6b0a1d93aa80fe3cd0914

SHA1
012db81dc2a4ebb16506465ec3832bf09f1058dc

SHA256
a46232756a60957ec798c9105b6031e7fb9b0ae95b33e7fd8a4242802238a56d

SHA512
8951cae60151683e946b36c59465424eb0fea9759219114ff86c1cb133dd2ef60653a2133cb21e7d4e5d0417be807d354e6f2479deb3bf6651469000e032f8f9

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
276KB

MD5
2896a8955e7eb68c73ba9672fb5c3060

SHA1
25c45359c7eb26781975601454e1ba7902538415

SHA256
fc8d76d163e2a64f31ac0cb5ef63f61423e3728a700ef214eb8dec3b5c2eb672

SHA512
be4223a28f57babe16ed1e534c28792267d31859d06e0eaeb9c9bc15cfcffc5863c75a62a6f95490093304a73921041e3cc2136f6d62d4d73d6aaa3a8a6c1206

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
276KB

MD5
bb6d52f6cbc5afd338e377c08b99f7cd

SHA1
ab22c76586753434da0bad824e7a257e2781183b

SHA256
2d9d61abb2ad7ea9f3d4a5255c2f8aaab6a5dbb3f854b8855b28d4b171f93ffa

SHA512
9928df380eb42f7a6f03bff9a25735630951b748c6bddafcf07c2b58d07450dc69f63f2a023345b68b7b6d2515b90a1692380294cb07816df4f8d311a887b013

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
276KB

MD5
189b0252bd931602b7af9a8adc68ef44

SHA1
9bce2b28778bd19fb53e9b5874b5789500bfbc6b

SHA256
4e7977f64d1e8eabb316a7f11c66c31cc4c51445264873a6c843e1904f970153

SHA512
1b4f5dbef6c9b4e8bd1da336d3fa9cd4fa51e7c2c4c531a041393e833f7e35ff8c3b27592fe2188a423e433c3d5a028f7016fe3de65247ee4c526921762f3e3a

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
276KB

MD5
4cd23fcd3c121c3704a8ec9ac45758bc

SHA1
1e084a892d12bdc16ebb7b3fe283cd374d732368

SHA256
f19eaab1ca307b0bda1cb5ef29bb77cfe81ce9249a43f26a1828ddd235940574

SHA512
72cc1af44c81ca1c0f1829a4bf584a4680a504c2ad9965974d852fbc1619f61ad0c751e530edbf8b27678eaf867088fb775cea69f524b22bdf1cb45be5a079f2

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
276KB

MD5
f648efbb4a056c9363d94b83a345ed8e

SHA1
7a7bae0a528ba34988aa1434370de2530533dff7

SHA256
10ab11ede1277df8a7d43735d90c16238ba9da89e41b65db797ccbedde85fdc2

SHA512
598531a58ad914630c7df8efcd6104fcc05df1303abb9f2e745892b91ceef64e24a458624b694370259375c00104ff8fd25869aa4ac94154e20683059584001f

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
276KB

MD5
2821494b62e1309ea60d11164fb0e80c

SHA1
40a34b264571dd31d75694a0258248817b93f6af

SHA256
33d1a07a10d00c449ef38d38cc156c0d24d814390f393e1238ebd8838e338749

SHA512
1e78c387fef52f173c495846c50a6b269d3be8d770071952e32c8f7a38d6f1f322bb84bde2a32f760bad1cc7d9526a22ff2fa39d60f357d1bf31fd0c028bf71c

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
276KB

MD5
c7e499734856816ca3a9eb2d8477292d

SHA1
9918bed161d11610a6bbf0c86a0d3edbfc3b3e1c

SHA256
337744e38f7c0276bada12ffa6aae68397f1f08c5e19a6b8ae2de427e1d012e5

SHA512
ee74a7f1dccde6352f7a0c273d4fe26fc6f13fda2950fb902a18ac874463c9b88321a31f67c12326b603323e9ddbbdd5bd52251b4c35e4aac604eba958b69dfa

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
276KB

MD5
db18cfff64b0bea5be39fe0c4ef9b34b

SHA1
c5dbdbe69a73af693858d155cd8abcc2904198d3

SHA256
7073b09cfdc4744f740d2d054bea92a7242151e6cebd102da3be9223ddcb49ed

SHA512
a02c3e71bc21fd34ccc01d087bea1a83d64743ee13650e72ec1b92ebcdca86d8704d2e46cc0f0a588030bf60163fa9c4348c8d8e7f1f69727ad0af14a4555112

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
276KB

MD5
51b639333a2e561c3320a53375c6e057

SHA1
51b61105be248be915d6fc961daec0a75c332d67

SHA256
0dd37cf8ba0abb13b79a523e0a514a713d7c65bd28558c2f5bc938e41759d87a

SHA512
34fa5502054bd5fea8848c5235eb44f74a3a385437999a7f76f0d22f46fcb37c4aecf65da9e94c3ff0888a4b977a3dd37edb95764ede3f5b96ddfcd2ab4390ef

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
276KB

MD5
cc34e9c4d32068e077aa2fe7727c5c58

SHA1
93102625d8f408f134b8f919684bfa879a779b77

SHA256
17dcf32938415388b8f340c4b263c210fb31799a0b6fcec1bc1f373e970ef6b8

SHA512
717bfda12a5d62aff0b5891f0aa29ca8104edabb1221e849a64067a9831b6271d1dc3d442a0f2fb006c8b2e0462ce8acc3ab9cd1ab9d593b0950a226d2844942

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
276KB

MD5
03e846a0bc0bc57ab4a72b61648596b4

SHA1
b2a323e6b71c46ff145e82be7a397ac25f572277

SHA256
cde2ad8c087644b466968223874ade4e717b8fa4a635bc9d7db4a44570443660

SHA512
a8ea6d50ab1110ee8cad70e8445e8172ef0dbd38489d81d7d67a3475f0ffbb4ed0747d499e454a5ab08913d8f715e7a853952708328899ff6c6f30f9a5fe9afe

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
276KB

MD5
67a1aa04325cf488f7a03bd90ae0935e

SHA1
a8a0b1094e96a1a2bfc6c5467fb270dd365f15ac

SHA256
478d9e532893e75ccf532af3174e59b2aab5c0250f78d8d6177a06d6e20f6208

SHA512
0b24d3f6b54983b71bb15038c9456f1fd7891f81136bebf5f063cca28a910c59c68cfaf2cba85d5c6735a3bd28f01cb6b615595a75dd306d44e5ff63a36a1d50

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
276KB

MD5
c2401ec4038fef29ab54b0acc1db5898

SHA1
8162560700795eb7b0abb681a0fd68a7a3dc5cd5

SHA256
668766a61b8793916bb3b58509ec874ce937824e361311fcb9779c72c0c8af9d

SHA512
91c79f1b185d15683ff6a36df5be6f6023eb5cb95c7fd8ab093841cca750f2f8e2c721857bd398d3b9e44b86f5982b8583a5dfcb6bbbe0ebae5a0df59baa3ff5

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
276KB

MD5
d5c68031efc5d4817bcd8419c22d77d1

SHA1
87f9c8023bf86e31e2e7d47e88fb29aa81930450

SHA256
dc0ae32bae6166888b6b7436b2465dace1c866d8665abddf194daed882d3a3d6

SHA512
b9cacce25eddb85119de52d4e20aaede966976084302582779be1efff6bc461d89615ec9fc9723a64b9b4e3db4d24c57e1bc0e08a471dc5f196e50edf64fec0d

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
276KB

MD5
27e594abcc9a077bc39544553f69af8e

SHA1
6cc3efbb13b3cc6a97f427330f81f6b56f013a76

SHA256
fd3cee5818e36e59848c04aacc759060f74e285c99f56a352cc03ecec1dbd4ca

SHA512
40bc19ecb45604290c3b64ceff471f9c80ebd36d59cf30bb16c7add6d3fa7207a69b3f68510184ba91302de2e4d8efb6ac32c269c9d01f124c84de597d0da80b

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
276KB

MD5
499e35199c11b8b537a3633f3448d2df

SHA1
f88b8879503a7ccf8446195f1714065106809417

SHA256
ed56150e6bab92e014f9139d14f34a5c36c99448889f2c39f233e771599a7c17

SHA512
2d6edd62448632ba355e3ff4f5280560e69cbed60bd8b0b4ac7f82df9ece73088799fcb229e6be09aa83e43d2172220977a30d23123a7a4e8c49baa21ea15bf6

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
276KB

MD5
ac27447bd90651afe6da90bfdb881346

SHA1
5860ac15535f5ca7d184b60f4974c31dabe37019

SHA256
32e97651e421253bbe5c99436ccd83ac30d6a750c3e6a5c82fc193c869466a88

SHA512
b6b41e7cc41edac3cf360479bd144cc86d4215693f5807946a06b60296346a04de0e68ae54361d5c3407798af666a54236d1cf75ad651b89cc772297ffdb57dc

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
276KB

MD5
debb16700a62bb93da9e79869cb39793

SHA1
c26a3a1723f1665534ee09d9941923650ac40d64

SHA256
315fa40f0dc54f835ea8c094522b6d35e8790da5e50e37f49473bf555b1fb18a

SHA512
1f83cc097ea95ed9367163a5437a99fcbe85b1735cc27817f3f4ddcd35c5ce7c4ebc5db39b3115fc66e7e50a691ef683fdfdd3b6cc9706d7f5b01e5096f14cfa

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
276KB

MD5
32e9781f218201e5b7a86a36c5935fc8

SHA1
d06c030fc60d15aa99637dc9e77a34cb34ad1553

SHA256
002c54b6fc683b56c03c84ddb7d85d97b508dd11a84ec7f08d696138c76035bb

SHA512
3f7b56a9f0d09f9f1bd08dc1ee16ed20752729e0861f3d302e4bf438a0a53a1397f251e5baef500d68ecf39426248bf3d66071e34c0c9c67171734ecbd7f0ec2

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
276KB

MD5
d6d47ead2bd9fa5fa3e49c26d505ca32

SHA1
eca58a385bffa7ddc493dbb2af7fedff1fc8677f

SHA256
c82f000293f2fc0c8ef8b662ad0b4ec031cb0083a8c9a8f0b8d437d070c728a3

SHA512
0791b650d0fc236fa58cef328d7e39b05916760b0f32c2d470abea3ffc971dfabaf670f8724de3c930bf1cbe72be1ec04939c3217d9c2c0606caa58ec38a551e

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
276KB

MD5
b5026eec27e13286e22ec79199da69cf

SHA1
9b84a5087fd2fa29d9b0e23731d9411d41b19abf

SHA256
3d93a4f36bd93b2d929c899fcb64b8bd4cc5a47549e4d20884fc61c4c4c088a8

SHA512
d59750746f081c1e66b0faacb19587092d7b7646407a74b132569164cdc016e9a97bb8aafcebbf3088c4399af6566081a41a85cdd4d0fecab059c3cb4813cfe4

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
276KB

MD5
66af30a18cfc49017e85844b9b4497ea

SHA1
6ef1e5c950b1d819e84f7adb4718108506f25329

SHA256
082302a2c58219abe79826f6c3d7cc74c311c234e0fbcb62c34977fe91e0a789

SHA512
ade7815e9a267d1d8e6fbb7a0a9ce958a75f8181831642e63baa569b10c8dc4b471618fb8343982d71a4de824a022fbb636bf4c5d7de720fc1bc7516c26df765

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
276KB

MD5
a0542491d0a6c737732286a7a5aa4426

SHA1
92d3e983aa916e27b3ad6fd6154ad1bad4f2894e

SHA256
8be339d74fcb5b5371a8126c08adf4811afeff2745327603d92a7afbbd195840

SHA512
ec3a0882b15ce15f3d1aad3033b30eebb68be478fc09abcc4c1236e2899eaa848e9559cbaac59eacd07215186b9b5bb28ec47360dc11f30d2cb10cf4929dcde6

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
276KB

MD5
75deb35b503949410d23944c9b7ea857

SHA1
d0fe555272a1bb58ddee80de2f8ac0d1aa93c287

SHA256
80bc003c09ec759609f7a2f115535b6bd99dd682859dc9d19a201f38260108c9

SHA512
cd1037ef619726f1a475fbf27ed562a16eb05eb4ad7c997eb1f3ea7c0884dd8adb7c1e5ca129b5b704ec8f4a30c796120e11141e4e983b31923fbb35fe1927e6

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
276KB

MD5
e6b4accffecf5df996ff7b7a7f976fdf

SHA1
fb24b2c51e23f4b32f1dc6e0beb2e55462f9771c

SHA256
a798ffdaf23ebfdf0020d9e7988d84390d65ae274ade4d2bf333c9498dba5640

SHA512
1987c5e275624ca75075337dfc6ce4ed95981ded0756597d746b960a7ba2fc387fd23ce92fdbf3e9130e38da4a95e083c70fa23245667695be1722cd11548798

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
276KB

MD5
c76fca04c3870e68c9ef1557277a05ba

SHA1
85cbc7766c4e6626162d68ca5f3622b601c6dcb4

SHA256
035f0e5d5ef23040fe00c9f93d63e49e876ad67bfff36af5fec422ff39576739

SHA512
d556306a88cceda7fd341f904566c7a14b91d4b1659f4ce82c89d8bceed1e2be30d27dd20735bcb62f266ad7c5e45d562c3b4a80eec98691d514a79bce1588d3

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
276KB

MD5
f5ae2730d9579cae64ac22f6b8671567

SHA1
7ba60ea887833e5e5fe8fc25e93125f06d4eb4cc

SHA256
af2cf2bcb9cfce44a8147c4f2a901e590a4ca6e3f4c98a22c6286b737e868fb7

SHA512
1872bd22f7254f8dec42df7fca3263882381538e46e7254ec6483ba074e93d1ec5c5c1b0532a40d79743ced3465d005eb30606d17d7fed7dc27c0b01684951f9

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
276KB

MD5
1b23bc1aed3f72c64294650cf0749b79

SHA1
324a758c8bafb4be7973b00f1086b163b82fabc6

SHA256
ee0275df69d27d5683fa107d1f525d6b7e9083e78d5324eea2b9dd2647e4ea5f

SHA512
4d1a6bd49e8927500fdb851b663b87e0521fdeede36f004e750a4000f83cf112a97d27316737b5d0d49178054248e0f88ee0a2b6a84f51538867b2e31af54667

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
276KB

MD5
16b1d830392e1d3c9baa4e9c03de54aa

SHA1
d29eea7c9880c2a5b030db2bdc71f3f28164ff80

SHA256
dc51cbfc2c627a465c815855e0bcd34e7717f839310b9749c452c38a1ed29917

SHA512
59054e96cfda8499034749e0d5f5d93e7830f5c4d34d16194b5b71171a5a13790563b2be433381da04a751ad0da72fb8281ac7f094b314f2df5608a4b7495bcc

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
276KB

MD5
69d62f410aac1fa6158919b1f480ee7a

SHA1
a795c09f497a63a78ce04f1fae65ce8935b5bc54

SHA256
187110cda4e44e368329ac3fddd0026e02cbbe97d35b9fe0ef8f5f369084532c

SHA512
2c9bdebebf5351a449c30c114d295cb5de588b6c72d3931932c624576009ba34e75e8553f7d3632f2bc642d4804a3871887c2d19b601375c612ae498c598336b

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
276KB

MD5
abd96848f22c81ef9f25d90e076462ab

SHA1
23923b57d144427d4d69fe761bc8409ad57f22c0

SHA256
c09724cf4764d1d1f37d80c721d419b1acad30d4ad9ba72ab087629e2e97d398

SHA512
eecf091572273634d6ae600465bb757eb2566ee2907fba0264b0eb564dc6a75982d904274ab399e47ed883f7755360dd99352371ecbf846f9f9ab018544cb6fc

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
276KB

MD5
fd972abae63b3e2db359444654a98e20

SHA1
755e68eb78d3e23d6ee0e024365377788073958b

SHA256
d25bc5afd7d72e5ad7a0b14b876c4881fca949be68dfc008dbfa3cdc02e0507c

SHA512
dbed257cd27c07474ee5958953411880907a1e54afe947d1b89e10cba128fee0e0fc623594c3e5be922b2d2841b48a2db051032a5616f211cd24894784f627ef

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
276KB

MD5
2ac725e7941573e807a2be223dc8a0bb

SHA1
821b4e6a61d99a8f24cab292bd5de9ccc49e992f

SHA256
6dc1b822b17f7dc234968d6059f3ad66396a6d84ba8146a75f278ef077033dc0

SHA512
ed05c15b90a655d47cae542e4e0595cd493bda10d8b90f83db02789fd8e9eaaa74c2e849f7470eb124dcc658abfe622e9b063bde5e86af809ed1b8a00f808c4c

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
276KB

MD5
7219ab1e97d25c691678d3beee48cc75

SHA1
265ae2422b709d3c7ce673c58e142061429d3e42

SHA256
8f6bde6a3985834633c330034d5167ca9b96487570ddc2ac95703cea3d1a60a8

SHA512
ad1c4239751ad8065cf2b03edfc828a49cb6b97ee2c8d464c229a7c2f873d657e04ecce9c9181b27c401eb6465d39fd0b2180aa97941110b5168f6ee9c47e468

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
276KB

MD5
d118962b59544320ca8c8aaa62282ba4

SHA1
6a2c12988e3453b790a8e0f7a8fe92452036c67e

SHA256
03fd28252dd4c8f90df8cce9ca22eafbc9ff96ebb4ae717c423f97588e177aa8

SHA512
f62da2aefa1d74a4734d2387c54db08513bb6479a09bed8400f81cab49cd545abdcf6c5c67e3ad07870866c7097dfaaac2a78f9283c6a7f9a3be25ba57456182

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
276KB

MD5
754d359b0a3e72655af594c3770d3f8f

SHA1
0e5f880d92e86640b310904729f278580456d838

SHA256
5dfde252d4376c5810f58b2cfc23548d949171348c2837af3101f88967ec4062

SHA512
66168080579225e6e3b15fbefe07bf2652bf6e2f1213315443daccc2dad159b1c5e6d752afd6318612f2e4729de9fab7ca92f46d83a8fdeb65ce143ebe27c501

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
276KB

MD5
96390bc9899752cea5d79c0904a182ee

SHA1
bc1f13c0842e43848cd4579444f3b526b29c29e2

SHA256
8bc3dd41487234d3a3eee1746f2c5ec29d4404392e4e7117e0f92be9aebb464e

SHA512
8b7e2cc2691dc351fb704eaf137721b11dbef233514e760de456329aa42493eac46a554751e1d1fde5ea554ff28e53ce5366e501bee803a7ec1fbbcde88a6d3c

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
276KB

MD5
6141b7f4f474cf651f65e00b35a9b06d

SHA1
b98e95ee3a3ece176a0a53b1b8841e9a62443aca

SHA256
a64c80c6b74514e2d6974c105d506f4c272228ef1911b12c84b6bfe364647d2a

SHA512
d5c0efc9261b57a9752b8ffd81c1be566357b363d0ea1f11d8d886abc717f9b418f50967c0e8d282f20b9ad5dbcf7ac0f92496df0985624ecbfe62bf81f049f4

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
276KB

MD5
c953284f78795ec32e50cebf7c2e5bf5

SHA1
c6ae2648ab3320558c1cc8ae05269387fbeaab27

SHA256
58bcbdf20e1f5a2d05a3bc8c70c681e10c620302259d7231cece2ea2591929c3

SHA512
12b79045e1075015cf5c5bea87bdb37c357ec101934285acfbb6fc23c388739e11954f162da08005547f66c09ffc9f7fedb0e041f1c56d211b598460a3217ba4

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
276KB

MD5
27d2fbeef07abe21c7b33cfbf7d20a9e

SHA1
97bb5fff823eef5a0c3e534b201c4df181e09c4c

SHA256
3819706a9ff3c7d2eb88e49e6846559085679505538f88af5dbdc26a6b8bcd98

SHA512
85bb30d63269ae15e118d8663d6f5fe094dd5a6aedc4f7d86ded560f57fe199ef6434025022e10d92860bc408816ab32b469f69e4047332a5bc5e241ed7af77e

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
276KB

MD5
f3da6355876eff8f0d95f8b4abbbef3a

SHA1
0be56fa31b8a3666ffbef7bfe2f564e5080cd809

SHA256
da78615970e32fd97f9ff93a20662b54267185f256f769af8987d1b7a888e0a7

SHA512
56ee1b6fd94801b9f23145455002ba439c38eb863d296f4f556e398a47cfdd75b6874875df5a0e2d623b24a182876a2bd1f87554b50cbd5b911c37e3409542f1

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
276KB

MD5
c1f96565db3a23bd9e9004fff368ad66

SHA1
ffb1352175eeaa7d14522782c7cd2191cf68ccad

SHA256
2e69797cca59aa87f2b44e855805e182c7060c720e47f41073225fd512f3a916

SHA512
034c58b77bc02820009ac74741a369d679626a9bbefec0e5e578f228b988712865c5a0b37d2988b95b903227f5b3a3abcb90f0b36c73c94c83c8b98987d9bbee

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
276KB

MD5
1001d36164b8370becded2f798cab81f

SHA1
5e2de8948b7586c8d82f2df409632d953fd1749d

SHA256
8ff949d91604889a192c1855395e44b2bcf1be447a0d6c8ce8866b113e18f9fc

SHA512
8d86fa354bb3dc42c35ee52f4cf80cd4d82e93d109d181297cf907a126fca82d29ad32ecf7d30c5e77f7ef832598f7061fdc324f815072103bf3d48b456bdeb4

Download Submit
memory/224-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/468-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/692-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/840-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1164-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1192-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-819-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2496-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3120-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3812-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-880-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5116-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5132-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5176-590-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5216-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5356-847-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5484-842-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6072-825-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads