28abd29d1e7bdb277e89b4767a84558f07f556eb2b91bd806a3f6737715ad105

Analysis

max time kernel
133s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4db2eb25cb5244a23db179b517948600_NeikiAnalytics.exe
Size

87KB
MD5

4db2eb25cb5244a23db179b517948600
SHA1

16a44a903ba7e50530d3c286591b8761534dde92
SHA256

28abd29d1e7bdb277e89b4767a84558f07f556eb2b91bd806a3f6737715ad105
SHA512

d3e704a61b8ffaff3b16b2491f165a3739cc69436d9925c8c72b687cd3fd2def598e70525f18125b4823dcf9e449da49dbccab5124b4b99942dd95e53fb02612
SSDEEP

1536:00ZH2BLRZ3n+z90Bj7VSrwWnomj6RQ4mRSRBDNrR0RVe7R6R8RPD2zx:0yWBLE90dvIz6ePAnDlmbGcGFDex

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfaloa32.exe

Executes dropped EXE 64 IoCs

pid	Process
3332	Ijkljp32.exe
2268	Imihfl32.exe
2040	Jpgdbg32.exe
4868	Jdcpcf32.exe
4920	Jfaloa32.exe
2584	Jjmhppqd.exe
4088	Jmkdlkph.exe
2560	Jpjqhgol.exe
1208	Jdemhe32.exe
4392	Jbhmdbnp.exe
1800	Jfdida32.exe
1540	Jjpeepnb.exe
2896	Jmnaakne.exe
516	Jaimbj32.exe
4804	Jplmmfmi.exe
3292	Jbkjjblm.exe
4168	Jfffjqdf.exe
5076	Jjbako32.exe
2296	Jidbflcj.exe
4792	Jdjfcecp.exe
776	Jfhbppbc.exe
4632	Jkdnpo32.exe
4812	Jmbklj32.exe
4524	Jpaghf32.exe
3488	Jdmcidam.exe
860	Jfkoeppq.exe
1720	Jiikak32.exe
1548	Kmegbjgn.exe
4428	Kpccnefa.exe
3612	Kdopod32.exe
3752	Kgmlkp32.exe
4056	Kilhgk32.exe
3872	Kacphh32.exe
2852	Kpepcedo.exe
2228	Kbdmpqcb.exe
4064	Kkkdan32.exe
4940	Kaemnhla.exe
4880	Kphmie32.exe
5080	Kbfiep32.exe
3668	Kgbefoji.exe
3052	Kknafn32.exe
1636	Kipabjil.exe
2904	Kagichjo.exe
728	Kpjjod32.exe
4132	Kdffocib.exe
3016	Kgdbkohf.exe
3584	Kibnhjgj.exe
3000	Kajfig32.exe
4424	Kpmfddnf.exe
3704	Kckbqpnj.exe
2316	Kkbkamnl.exe
3308	Liekmj32.exe
5004	Liekmj32.exe
700	Lalcng32.exe
1888	Lpocjdld.exe
4436	Lcmofolg.exe
1940	Lgikfn32.exe
4928	Liggbi32.exe
4012	Lmccchkn.exe
3560	Lpappc32.exe
2624	Lcpllo32.exe
1484	Lkgdml32.exe
2384	Lijdhiaa.exe
4492	Lnepih32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jidbflcj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6100	5584	WerFault.exe	227

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kaemnhla.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 3332	1876	4db2eb25cb5244a23db179b517948600_NeikiAnalytics.exe	85
PID 1876 wrote to memory of 3332	1876	4db2eb25cb5244a23db179b517948600_NeikiAnalytics.exe	85
PID 1876 wrote to memory of 3332	1876	4db2eb25cb5244a23db179b517948600_NeikiAnalytics.exe	85
PID 3332 wrote to memory of 2268	3332	Ijkljp32.exe	87
PID 3332 wrote to memory of 2268	3332	Ijkljp32.exe	87
PID 3332 wrote to memory of 2268	3332	Ijkljp32.exe	87
PID 2268 wrote to memory of 2040	2268	Imihfl32.exe	88
PID 2268 wrote to memory of 2040	2268	Imihfl32.exe	88
PID 2268 wrote to memory of 2040	2268	Imihfl32.exe	88
PID 2040 wrote to memory of 4868	2040	Jpgdbg32.exe	89
PID 2040 wrote to memory of 4868	2040	Jpgdbg32.exe	89
PID 2040 wrote to memory of 4868	2040	Jpgdbg32.exe	89
PID 4868 wrote to memory of 4920	4868	Jdcpcf32.exe	90
PID 4868 wrote to memory of 4920	4868	Jdcpcf32.exe	90
PID 4868 wrote to memory of 4920	4868	Jdcpcf32.exe	90
PID 4920 wrote to memory of 2584	4920	Jfaloa32.exe	91
PID 4920 wrote to memory of 2584	4920	Jfaloa32.exe	91
PID 4920 wrote to memory of 2584	4920	Jfaloa32.exe	91
PID 2584 wrote to memory of 4088	2584	Jjmhppqd.exe	92
PID 2584 wrote to memory of 4088	2584	Jjmhppqd.exe	92
PID 2584 wrote to memory of 4088	2584	Jjmhppqd.exe	92
PID 4088 wrote to memory of 2560	4088	Jmkdlkph.exe	93
PID 4088 wrote to memory of 2560	4088	Jmkdlkph.exe	93
PID 4088 wrote to memory of 2560	4088	Jmkdlkph.exe	93
PID 2560 wrote to memory of 1208	2560	Jpjqhgol.exe	94
PID 2560 wrote to memory of 1208	2560	Jpjqhgol.exe	94
PID 2560 wrote to memory of 1208	2560	Jpjqhgol.exe	94
PID 1208 wrote to memory of 4392	1208	Jdemhe32.exe	95
PID 1208 wrote to memory of 4392	1208	Jdemhe32.exe	95
PID 1208 wrote to memory of 4392	1208	Jdemhe32.exe	95
PID 4392 wrote to memory of 1800	4392	Jbhmdbnp.exe	96
PID 4392 wrote to memory of 1800	4392	Jbhmdbnp.exe	96
PID 4392 wrote to memory of 1800	4392	Jbhmdbnp.exe	96
PID 1800 wrote to memory of 1540	1800	Jfdida32.exe	97
PID 1800 wrote to memory of 1540	1800	Jfdida32.exe	97
PID 1800 wrote to memory of 1540	1800	Jfdida32.exe	97
PID 1540 wrote to memory of 2896	1540	Jjpeepnb.exe	98
PID 1540 wrote to memory of 2896	1540	Jjpeepnb.exe	98
PID 1540 wrote to memory of 2896	1540	Jjpeepnb.exe	98
PID 2896 wrote to memory of 516	2896	Jmnaakne.exe	99
PID 2896 wrote to memory of 516	2896	Jmnaakne.exe	99
PID 2896 wrote to memory of 516	2896	Jmnaakne.exe	99
PID 516 wrote to memory of 4804	516	Jaimbj32.exe	100
PID 516 wrote to memory of 4804	516	Jaimbj32.exe	100
PID 516 wrote to memory of 4804	516	Jaimbj32.exe	100
PID 4804 wrote to memory of 3292	4804	Jplmmfmi.exe	101
PID 4804 wrote to memory of 3292	4804	Jplmmfmi.exe	101
PID 4804 wrote to memory of 3292	4804	Jplmmfmi.exe	101
PID 3292 wrote to memory of 4168	3292	Jbkjjblm.exe	102
PID 3292 wrote to memory of 4168	3292	Jbkjjblm.exe	102
PID 3292 wrote to memory of 4168	3292	Jbkjjblm.exe	102
PID 4168 wrote to memory of 5076	4168	Jfffjqdf.exe	103
PID 4168 wrote to memory of 5076	4168	Jfffjqdf.exe	103
PID 4168 wrote to memory of 5076	4168	Jfffjqdf.exe	103
PID 5076 wrote to memory of 2296	5076	Jjbako32.exe	104
PID 5076 wrote to memory of 2296	5076	Jjbako32.exe	104
PID 5076 wrote to memory of 2296	5076	Jjbako32.exe	104
PID 2296 wrote to memory of 4792	2296	Jidbflcj.exe	106
PID 2296 wrote to memory of 4792	2296	Jidbflcj.exe	106
PID 2296 wrote to memory of 4792	2296	Jidbflcj.exe	106
PID 4792 wrote to memory of 776	4792	Jdjfcecp.exe	107
PID 4792 wrote to memory of 776	4792	Jdjfcecp.exe	107
PID 4792 wrote to memory of 776	4792	Jdjfcecp.exe	107
PID 776 wrote to memory of 4632	776	Jfhbppbc.exe	108

C:\Users\Admin\AppData\Local\Temp\4db2eb25cb5244a23db179b517948600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4db2eb25cb5244a23db179b517948600_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\Ijkljp32.exe
  C:\Windows\system32\Ijkljp32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SysWOW64\Imihfl32.exe
    C:\Windows\system32\Imihfl32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\SysWOW64\Jpgdbg32.exe
      C:\Windows\system32\Jpgdbg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
      - C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        23⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        26⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        27⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        29⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        30⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        31⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3752
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3872
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        45⤵
        Executes dropped EXE
        
        PID:728
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3584
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        55⤵
        Executes dropped EXE
        
        PID:700
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        56⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        58⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        59⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        61⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        67⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        68⤵
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        70⤵
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        71⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        76⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1624
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        79⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        81⤵
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        82⤵
        Drops file in System32 directory
        
        PID:244
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        83⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        84⤵
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        85⤵
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:512
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        94⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        95⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        96⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        97⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        101⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        102⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5808
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        105⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        110⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        111⤵
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        116⤵
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        117⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        118⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        119⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        120⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        121⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        122⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        123⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        124⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        125⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        130⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        131⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        132⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        136⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        137⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        140⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        142⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 420
        143⤵
        Program crash
        
        PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5584 -ip 5584
1⤵
PID:5556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajjaf32.dll

Filesize
7KB

MD5
17bb1e871f162beb2d3205f3c80c4ada

SHA1
38e80498ddd50e46e860b209411d2fc60587e90b

SHA256
6961dc7267856640335de68a1f24833c16f7b62adfd1d975e874bf69a763077f

SHA512
e770a59dadb20c86e8e24b5885eb04cf61c045668b872aed0d03b75f79b36a95c6280e5ec80686270d2024473c19951e873e0a10f34e8f474ccb1929431fda16

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
87KB

MD5
565bc527250dfc9cf6918563747e97c3

SHA1
41a77d41a6d572a09865e5a95f2190e6e572bc5a

SHA256
e290e087a9503819cd91439bd8a8f35b78a57710ec0a3707655991411fa5a472

SHA512
ee25f25d23acc3f3a8f44bacc9589a02309272c192e3e09b497a004f937ff46ea9b3bfedafc0e269d55d386a041a7be45b68b709b2ce9c4cc437c07e74232960

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
87KB

MD5
ded821a14bd715c4ab2cbf3b31567296

SHA1
f2c8d9ad119d21caacf6fdfe4d48a4c2cc1d164f

SHA256
3a84606e75f26ec5eebe2f1ffa8eb4ef168232b37006378c2f37e5a76e0b20c2

SHA512
6b0caaf0193dfe4c494bc8ea857b86c21f119fa90acdef8607656229a4c717314d6aa67383da229218607f9b98011f385cb4aab05c96a2d8b026b923114a59d9

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
87KB

MD5
0a612af67f924d6bd3b149a134b459cb

SHA1
dabb99f64acf5e911a2f05dd501aa79a0a927d81

SHA256
dd539d1ce68867acfa5d6ba432a6c1594ddb7b903c4723b022baef82372099b1

SHA512
0c37f74dbb84501cfe7f2ea7409d65c97bc2ab528183cfd77d47040a10f43dfe87fe6a5aa9a5095b637fbb7e408ae5791bdfc56f0731cf2eb53e62bc8e7a27ac

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
87KB

MD5
7ce917adfaeb605de8814e9aacc3fa79

SHA1
c7ceaaa1a6cfa336a64fe06cc0418ebac976525a

SHA256
3d81911da3951a4ce3d67ec37dccfa97f7791b56988d51cf68196ec37a663c5d

SHA512
4f52070aabfb81a3df016662bdfdecf8f65a7405feb44646f4331dcbd76e8d351cb1953d01add8fe10688709e050958892f27033c52255f4eaaa40fc02728f1e

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
87KB

MD5
a72e74b8e4abd54fd3d8757b15df47b7

SHA1
13929d5368e19ae0283e36247d192a989e307704

SHA256
24b8f4d602cbb4c1e878ad9985603c6ee42b8d4b8d7494baa52e25c119f60685

SHA512
d64d2f98dded0c2b45de0140024c16d4fb6bceaf8c0eb551877ab51310645cef8a51f6916945339facd7dd88b8d1dab03f0d08408d1950e0cb076e26401afdfe

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
87KB

MD5
dbb31c4c0480820ad6f619f0fb4c4a2f

SHA1
7236e3489842b29c71084f1a87ef66d678eb2bc5

SHA256
49db6ee88307d0680ab728ff01f7f77e8acd79df3d91ec577973c227336d9929

SHA512
54c71e473c74d0e2e03a513989533c225435e870ba3691501430682d84b6fc72d8e48e0a86ce621ad999b2e989fd552188d0923915e5c1d57a0effd227066635

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
87KB

MD5
28c40a209c79962515fd7e41d6680139

SHA1
de91072d2708b50a07d807c9cc92c96c7f773296

SHA256
03198d4d581f13627022d4c6a5974466c1e06dbbe3cc67ff3027a6d04e5a1fe6

SHA512
aeffe8593a852b4e93498f2e7d53550e6fef38928b7f3a21f5578a65515962ead58951b3a96daac89e70c19b93e1155e00b4af7b376f64108661179f8c7734ef

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
87KB

MD5
5e4911be8c1ac766c131d9a7d939fc86

SHA1
d5e5c62b10bd7b154ece393576ae63575ad298e5

SHA256
5ed340c3654495170c885c7994c0c14ba36f9af33b5904e21d68e7af4da67a0c

SHA512
b1a24059119bc1d3c2b7b3a6b2002c6f3e9268d324115087a8779eb46579e871e3dbc7092fcf96052200b74ea1c09a8ced8786aa249e3fcc58073cf998bd0f41

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
87KB

MD5
f432e701e6212f3b2bb77dad49394537

SHA1
f92aa5a753121154a486499b3252a20b246e3405

SHA256
c9b472881991265f6d707cd5100ed3e2992e4fbe83603ae95f4f807bebce84d7

SHA512
290e0287202d6e6071b8926470a9e8336208058f492e77ca24ba61ee61110ae8b72d78057591d4cba73c8d9cf7dc080fc217ce39f1eb709019d476021afd6861

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
87KB

MD5
c8373a6f3a63769f2d1d4946409820fc

SHA1
2625f94e66760b78e95d0398400af0e0f498a1c3

SHA256
ec1a93d46e5105b74d65a851487c71478b45faf8a7d25386e01b8c66c2312711

SHA512
c0547ec60f9c450d13bc00f89be4359b906af79a9d0782f8caf649757c9f3f37b67c61a9beb6690c260f66426c1b3d420f1015118e74ab39795cbbfe6cd1b2aa

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
87KB

MD5
a2ce1f0eea94d440b26dcb1d64da679a

SHA1
3e43eb856bb83ca883501506b6ffafd97cd6b013

SHA256
209f3a7f9fb1ef98d6b469891102c6e8df417c48d032894b49530a57377098ca

SHA512
3c8fa1196ca723b71de2c0802500983dfb044c24493feff3a931d7529d2ecb743223cff9cff624b1b0666cdb90df031c2284a806f1745c49ae69cdcc2b2c9d5c

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
87KB

MD5
38aedf34b7bb3d04ce81f6d4b251ab1d

SHA1
b2d9f881fab93916a5922cbd41980e4891563082

SHA256
92fdafcb059f16e571b2a01ba9e321b9ee9b4932d772593a3925c4189dacabd3

SHA512
c67c76ee5849dee5a5c5ad11bbf38ed36f14f847131fe347f4e60a2f52052db41798eccaced4eda06913433373123b74ddf5603a9aab902932c75206c73c8fd9

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
87KB

MD5
a9bf17dd7b1b8c080e5f6bf49c8788c3

SHA1
7e95c06da2b1746bbd59b45edf5828ce2da90cc3

SHA256
c6bdce8ffb4c817a6ba7cd7e618658300aac3f37fc8632958170d15c83bfa29d

SHA512
3079a8cd66c3239275e354e41deeefee6f6119f04478f7cae079917a7bed6abb1d5f4afec23b8be8004d4689b52c40c4303df038a32fe1e2e15af040b4883959

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
87KB

MD5
a235340c059943d8e795e13910ee5459

SHA1
16c1d2e4578f4dd1ab48a75b7831cf73dca9300e

SHA256
372ed21dba331e4648554844737c14a5ddde8f628420e15821886764eb04ce44

SHA512
82cf69e79d9ccdc9dba2626b8d2bf152d54074b37c4d7a922ea442f8aa69ae6771b552e7ac553f0412bfa946f958f7814c6cecdcb6ccff6dbbeb2845e9736c3a

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
87KB

MD5
3dd20ac5c04f661125de541242b657a1

SHA1
521786142e0d0a275addd9abecce0c1645962ec8

SHA256
739e94f7a35d2bc2a66f45ae28041146dba183838b73dde8341fec464735608a

SHA512
4a6d79d3367576a2dc60ea01c2f5d0ad00674da7d6be9da343af37372ddd1bbbb00db59ac34ce0427591f4b83520bd08cc7e34ff53dfd3a46b68620fcc2c8858

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
87KB

MD5
ad94c38f2364958a909a43b9013fb572

SHA1
bd8e9788955f03a009b3d217cd171ebf71fbc4ae

SHA256
2711f4b458448eef671192795b390e4961770fb15bf1f2c87d6dc1bb5a8c0d97

SHA512
c8b84916c0dababea75512de9eb7c9213348d03e743ecf8dbcdd63d451cce951865b2b01e8e9872e0dea3b09e1e02fcd7c9bf7a46a38ec3c5f2ac0ad2df60cb2

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
87KB

MD5
90254427744dc33000305db42883d13c

SHA1
e9f9447b5a6a2f1cd07f792b85755f4b2bc80aa3

SHA256
8c337dacd85d0dfe9f50e76a30edc81f9528e0d9a5d4ee85c6cbe3b4da820b2e

SHA512
e75fd0260c26392c0acd9e8c7dfc71bad36ea0602bbdfe772bfa31259eec39b77b515be93e03ea5ed38c94644b45575823c6026d76463013de62656bc3aafb14

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
87KB

MD5
f8afb40c8de06b8a7d5392c88e3e3c75

SHA1
39f500640b0c0480ce40738aebe171c8ec99176e

SHA256
325de2d1089c5632dc52749999e08b396aa7b19c2e30d97f0922cbea9f1e2d5e

SHA512
a779223162666c54611a0503d7125a8addc79c338704a062d03c5f7429033c46dbd593613cc630fb7e5963da74589a8833957dd539c9b0954ed856da86f0b6ef

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
87KB

MD5
652349be3f94fea9121a69ee15d356df

SHA1
aa55d53379a5fa2a565a36613da459b4c1eaba29

SHA256
4ee1258f40bcff924e59df5f7e2aae1dcfab0260720fcacf47f83bc5a3abb39e

SHA512
314e45172b2c9fcfb47e712b4927f335f51bc7a49a5ef70759ca1c32b61876d6f3c77d4545064430c44d641865f4f3cf9d3e1b78c113baef4ed011f629da4b3c

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
87KB

MD5
e6e0545bcc702c52ee1a344bd56cb4c7

SHA1
baffd6d88c1964aed7a9eab2458da77ec08107af

SHA256
09612f075ce421c1367979b52ca1e59292dbb93d0b75ae677fe8cfa9b7eeea28

SHA512
17f653d423159a7f35cce3ee52dfbff71ef65da6f5c92323dadde270bfe80ea5abeb9702476ed767be3d712059f2877f9d6ac7a1772f691026444ff061a98bb3

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
87KB

MD5
0da211003d228f07219de02187deb556

SHA1
233359a3e641f16e42d3671cfaebbc0cd15da61d

SHA256
d6154b9a7b85922809bdddbd006c0ed5ae78703bae30ffa5803de844aaeaed44

SHA512
9d6743c1601e839bc3a82d862a83df36b4c307b0ac3d352ccd57f30547895fdbad1bccd7053add4254e9eb96357220ad284acb89cb15b415f206d47cd808f7fa

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
87KB

MD5
b83607f840b76d4a01c54df604f85d08

SHA1
3d5f2cd3fda9d775ce7b4c6799b386207c63ce75

SHA256
750a733940c1845bd8dc02fe72d5baff707eae98ac6b758845329230d2690457

SHA512
f3eca8b1cb17f4e6d7f454cd278eb69268898fbe377e4f0ddcb222930c95b3ac036903640b676b2f5e71d61b39139cd765a9b5f3645ca4a724ed0020908f85d8

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
87KB

MD5
1959659cc8124dfe5f903f3598c958a1

SHA1
eff8f131122802c434b682e3090a6b7b9427a7f1

SHA256
0bacdf442cab38ca9c41f9d4110ec53df4f6d74b1bd454316c451d4b323cae9a

SHA512
e845a4f3945cf4bd9ea426c27b40244e8a87b5e8edd06cc33e9db17eb4e6349e7869126b9c2a517b1fd7b8554f440629005e0d7434afbbdd38761e21dae1b5f7

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
87KB

MD5
5cf0beb030a7135448fc2ab8dfde586d

SHA1
72c9a2be176afa9beb7cf0ff2b9bc6e2b0f40880

SHA256
15e93df35d828155e79ee604ca28570d7e94319373b180e8923402420ca396c8

SHA512
96b833c1ca5616b530773ac7c65cec584ab35ac0e598f2cf2b935f02005533a0085b0cd9a94e82acd3ce7cda069a8e62ba470b15846dd92c0ed386660bcce642

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
87KB

MD5
9a9513bb9eb8433a5711664a09cdb023

SHA1
faf0d6536f3cbd430011b3c58be8ef0b15659bd6

SHA256
6e824278f0339404dc96762cda2398b0dd4e7bfe2c3d089695b7539e2d4d8999

SHA512
f666b2f44e019f1b834f4622250c62524ab885c3479023ca557bf4e4a1bd476ebdd4028bc0cf869d99e3dd22898a06db32f27874caeec153658017ace74c2ef2

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
87KB

MD5
6f3584d99ab6290389e17bfacecacef1

SHA1
23bb2fdfb84f47545b16a2865c8781da45ff7821

SHA256
e670e5c4b03fcee129d2473de5e1d5c8a40da4ea5f83e688f5599ea9915fa8e1

SHA512
8acd3dda60a6a2c3574e2f0239952ebfc9f8cf055ed0aaef438a1e346301ce6161bb960f9d9c3071878e6d4c075c207db33e992c8f4412daa347b22af4b22338

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
87KB

MD5
02457a19451f6b59ed4716f539f29095

SHA1
2e5895d83a8835ba37e6af5247a4ebe7cf218163

SHA256
da795804dcf4401f850cde4d4a2d1ae6a1766c72380578b10d7c233b81775361

SHA512
1dd1981d98a291a01797ff873ae448a5f351577e05256f9d19dffed287f10c5be3267cacc959ad628581d690b9c29b954b5d6f9dd05970d54eabed9f6a67796c

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
87KB

MD5
7acc099aac2f706185ca5fc8c3efe449

SHA1
9e308a667d41de2b46f75bcb970299a85d28a066

SHA256
ad67bfb9ec47727b3ec4fca3f0e56efe3cae50a697bed176631cd5da8ff470df

SHA512
4e6e948e55bbf73a96b37790703a1a01be827ea455efe58ec20a462e5687e34e0c67fbb14c9f79c7d980c45c5e570395d42c0367d368e3295fde00655214b888

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
87KB

MD5
59d2cb0359bdb899468cee98e93e4bdd

SHA1
d2f4b1bfdf7a8accd1daaa7ed63441ca9181c184

SHA256
7375d5de6d7d24a3e20cc7ff2608c4d2a719eb8afd7abffc476b626d1c627c48

SHA512
73205adc663afc5b0c8cbb8694356a13caf2f0d519fa2e8a430e4d15156c659838a72043ffb3ea15068062cc3a25ba3dd1a1e5146673195b74aaa7e942b4afe1

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
87KB

MD5
032a8ea5050577dfa2c714b9b42062e6

SHA1
94b6905b96b9272896552389143b3e040fbf1a28

SHA256
0344542512b2c1b33a6da5644964c7487cbd30623dd4846a0f486eed2843af0e

SHA512
76215c9d6cb699dfaf5d70f0e5b8d09e75b9f5576ccfda398b189a4b87240c3c84cdfecfbc4e9db5ae107fe9bf06a294cc2c08108b9370b2619b65ab1a170e07

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
87KB

MD5
b2de96171537162ba3ff5f895360c01d

SHA1
ff1ecbcda8c5c92f17d70f840ef62f3ee9c09b8f

SHA256
d23407daef838f2ea0d9b281640f316850f97dcc5c2a884088074658a0250c4d

SHA512
6304dee7ebb6acedc184d244cc601801faa96f0a4cfefccc17ea570a37e83bd7112419f40a2d426b7c482e927b81007cc3fb6e3eee5ab75a83c4620d8d155aab

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
87KB

MD5
e323e09f37d3309c95e1c3960e4ba054

SHA1
7a0b449ff60656a90ac0c020313d47e7cdc46f04

SHA256
cf5904acf9d24edefef945eeb37ec491d022ca6e069c84f295a2acf46071b48b

SHA512
8413ce4775421889cad1760c5e448f4efabde2ebd3f51bf588ca44d31e0214c0a23fba31d5a0f7a8903b115a6035c94f3ecab3aa16e475ab17fb01429e4c471a

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
87KB

MD5
b6261618e94c9a1da1d147504501b353

SHA1
a8d244ad375a9841ea585110ea9abed02bac49fe

SHA256
01d6dea68b117482c85fc7f45a53dd2f456171edb2a64addc8f8ded815835c8c

SHA512
bf63afdf7c0c3863012271a2c2c97befb2d58c1eae555265d0541b787542d6b642cf74981e57f7ef821c9d4c9919b182a2c832e697303a3cf9792462343aafa5

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
87KB

MD5
56a03685b4c618506598d75563c2168c

SHA1
4c480caee73131a084ba69accd69c3e418777fad

SHA256
2ae36f8f730c1e87de2c841985d852e51d3a06cfde6a56b7d2509eecf81cc4a7

SHA512
9772e664e6452b60bf15f018ad95048f7b74da142a781d98d38ab68e0da4b34c5d3bd28ec8c86e4cde4ec41bcf8e66bec48cbb0068ef2adf5101a1766f227235

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
87KB

MD5
ef9932ccfc928bfa9186b47b5ea0892d

SHA1
0a3ca9318ee41c2761bcfe1b2614c281f1ed4445

SHA256
7293e66a276f2373fea7b1664b401318cbb7bd67dcce2b5feac7a09905f626b4

SHA512
a86d574643160d2e3beec42365dd327db7c2e16e104a051c65a08e9f06c17c131ebf91953347508cf66660d7efdb6d45cb0eed6954cf4c19774575c7ed03327a

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
87KB

MD5
c9dd74f997888855c584f1322c5f2d62

SHA1
c6c1c65f866c4e81304038dbe37993dec2b7678b

SHA256
ad813eb4a61358ccf30657cdc81305db3c1a0f8d4625934abc385f50b6f2bbaf

SHA512
71b37728337eb3241b0959f9317e5821524f95e834aa2f7c5969e6fae2d584955ca9a60f9506181725bfcb19b275920f35f01e2e496d9e6e6fedf38d74342049

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
87KB

MD5
cf476f5420863628ed7e0fa1e7470ad7

SHA1
d6f57fec56a779eb4eeccb7de1642e5a66388320

SHA256
b03e5835f8d46c07ef2ca4e73266f8b9624bc601bb8cbe5f28b410972a9e7d5d

SHA512
a6b343c6e6945ee4ff73b233b9bab6d6a9854fe2d8ea2b5343c0edd9faf34f78fec60b4157c8ccdd359adda9dfbb43cbda72652bc211332ca52ccad09d512ba9

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
87KB

MD5
b60e5bf6f78a6f16e13ccf8280d670e5

SHA1
8a3dcc5f2d1e07f226e1b01df913855550f0cbde

SHA256
3d58c94a2b689342994088d9552c98c1f08a49a7855f333637be5045d0e70eb1

SHA512
de14372ae23731f64a895085cd134f98b5195b0058ce9736c3ada9a01db08901352f44365c5a7e74a8b523a3bf3616b7808068b3817f692063adc1b3adfcb65a

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
87KB

MD5
a3faee3b10b00b7c345b3e77fdfc08fc

SHA1
d26b0ba5b63f616a792d3ec8cb567c9f687572c6

SHA256
52fc2a06c609e2354400e4b2b9e617460724d1bed998c1dd6a47199db2a9afed

SHA512
2e0ed254f8eba8c078a7308ff511ebfb54ebf08d08099f9bc53242404acbcdb33dc6dd311840743153140432f2573c0031b1d3e15165efe9ccf89394c172dc9a

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
87KB

MD5
8632d3eff34a46fd36778f352c48f36e

SHA1
fadfd2429fae9b40b64500239f1a76ffa50464cc

SHA256
34e0eacdeb1db79577c9a159375837594335eb9b0780310774bf9a1f3a4479cc

SHA512
2acc43f8aa8154243863b74856cb0cdd2dd308963eac921b07e2ab52e01308a2ec77fbd7cc611cbbb790e11efbdcec0eba16bdc437d3b35860bb51fd4cccb4d0

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
87KB

MD5
688f2849ede6cb897cdb9da149850912

SHA1
c71d84f0fe196118fdc4e929867162bf3288be8e

SHA256
164a09e895c38ffa5b0f063ccd599416ac6c11d5c09b00a16471e9dc8bff184a

SHA512
9ef22b950165d628142f89c5205ad9de81128cef34faea3a0c5d99266d0bb248b8041407439b7239ca4147d220a52378c6bd62346e8a0616fe360eb905355ee8

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
87KB

MD5
60b58ad8ef2504b744e9a82bf7dab213

SHA1
895ce76127d51bfb1e394d7e824d84635e035641

SHA256
7c7119ed76ce301e6a04fe0d84f582b5c1e99275890d1bf4b0e69603f2bbeb15

SHA512
44a2cf2b44c6aabe7c4e10f6a7f0c2e116f3d298edc259396a443719b02313bfc2849b9036dbbda675e1c4a2d9bb20f8daa980ef494eb98d37c5ef077df0fcab

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
87KB

MD5
252cf9fecaa62907ec991fb0d8372a60

SHA1
9ac4049010cd8e677b0e53b5f2bfa8799cb88239

SHA256
0ee64532465a8259b821aa7ef0eaab8094727ff52ca6d768b8b90cd6bf0d556e

SHA512
47f751136b7120bbb3bb40f7a2f602743faaa2ccc95ff3d3bc8631b4cb344ecd75bda593e73f3bf8605814897644cee45e4506d4307f4eb2b3c3752a8b8e0461

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
87KB

MD5
f44c333a0c7205fa87a51409ac70cc04

SHA1
482ae5c4b5fe4b71d6bf4e2df51e697b5bfeae85

SHA256
2433d9d5b9fec89978a63c6460bf151a1b7d7faac6aebccc8ac46a42db4e61f6

SHA512
37cecb0062dcc3dc80a41c7f343c366bd5ee3077bd566fb77346be8f57ebfbc6bd98a974cd276ee7e8bb0a5309938abcf862d0495a51229e57133ecca5333bb9

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
87KB

MD5
d4bb972a5f18fb758e116177dad9bae6

SHA1
e00038d46bdfd070c7aea63566646e2c4b1c9a4e

SHA256
9e065d7e21ef0d713eeb955b63994a14db535747d0c08f715f33c5c36a476d31

SHA512
434445ff0321e3509ed2feab520d68c7a853eea56d64b056927301465a6804c502c739e75d3a9b2495ce59af108d235f67866907b871e7efe36d6ad7563ea00a

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
87KB

MD5
e4095f4e8370b4cf5472a505ee736983

SHA1
0bae04bdc381a4747e9a67bafb5f3db757b3e834

SHA256
6fe710e5a816d4dffbbd0dffc2ed291846c4d90534b56adb9b8afa2b2d3f0c6a

SHA512
8dd10c88964b642a6f906b896fab7133d25aae5115e80fee8b094b0a6d93d429865c6a61ad9c45f8b7d7a0e869d61aa0133e360389a513764f39fd31ec578579

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
87KB

MD5
e7b89b527296feb1e1b364bd58e15734

SHA1
2ec7bf05bde7f779c5e096a06f6c329dd6af54f5

SHA256
2106e3c1876dc80cb53e125c06be4f1b7693b97f4b129a76fdabeb13b995a761

SHA512
dbba43f5f22218ecb23c0838e2a0b2b4a1d25c1f75f72cc3de95e298bbc0418d58de3110b23a506e1650d4edf2249335a55675304f73f066575a3e5c7957dfb8

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
87KB

MD5
d3c96c43571b57f1cf3fb1fd7e8a3316

SHA1
f9efc108449a0f17dd777c6a22f8da157d90083e

SHA256
7d12c8b471a23e22cef9db4d28fa04f96ad292dec62b86987a2772bbfd82ae93

SHA512
836a7546b5f4e8a32f46909c829f40ecbcc7a951089835b4464ea30b55bb0aebf38f6c9b636898efce3c10589aecd4d5b26dca1af876bbd1e83464a3f2ee21d3

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
87KB

MD5
dd1582d747f733f996b6149d66eab79c

SHA1
920af80eaadbb1f0fe067e179b9e3f327b947c38

SHA256
f52211fd03d6df6a769b8c0f9a7180d996d58a354eee2b10b5cfa4dc162566b7

SHA512
563ad08f677edd1ddf53ee4b5651d6f55bfb9e83b2abc83042803184194e114ea4cc37b3e2e6d91c5f7e8b2165a6ca0dfb58f00dbb8f34272a7ea91c44afe39c

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
87KB

MD5
0d0052891bd2400e33610f468239bef1

SHA1
c2556361102238245a968c0fe7e087d159857381

SHA256
d12b9a56be900469fec4eb0e00f3089457854290489fe0723a89a4f4acc41452

SHA512
b188dfee0648e64f80dc1cac189d416974e7736681081a5636c019c39af9ed4ae4da5099f49c30e92663a5c7722a3df661a71fa8669945ec673d233a9a2cf880

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
87KB

MD5
995b2a6df595047c35a97d80dcd96f8e

SHA1
c1494eeb062010b711244acc3f20d51703b05f13

SHA256
e7c19ef7bde4a31809de13f78b4db1f4cd7583e33eb3bc1f283bc193b07f3607

SHA512
9027e71730e97823c8b93a4657307579dbc40e24a1ff76f3cf13577af3a854c60cdf46c2abbf496859cbd717111eba860f50a52c3583c78fde7a4b0e42bdab31

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
87KB

MD5
6fdaba629b66e0138461a0e46a4b6575

SHA1
dba4d02abc7a7829b3be078c7f7d6a694d1c08b9

SHA256
a0535c483bf53e56e3b2af9836a0690916699ff430edf6f42cc1a2fa69ab4834

SHA512
c19390b333221516291a86153ca5299832e3c63ce2de124385126a7128c6ad3ec6bf254cb0349d8b7d81577b6fe88a0b9da070d069de65de2be5f0bf9b6a1fe7

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
87KB

MD5
93120a1dee1f9926831d53c904e8dcf0

SHA1
d50eb617c12f4f9bebf9f6900f26a5f6b8e0fdda

SHA256
d84893f87a38d261b4d1ab6eb4ec8d578e8ec7b9a3e0485abf8c16da1a3d4504

SHA512
f6bc5259ef0c4218accbc914d92eb9e13e9edc01683efe84cbcb3d5027fa2d0302e0d50c582dbde7f3f2cd97c05cba00668a3fe306590b7778cd0a7b951bb0a1

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
87KB

MD5
6cd33a9219b3a934e6679d9c09f9cf3c

SHA1
ccca856f342651e29de8577e695cbf6dec34e743

SHA256
fd185279014453fec509330dcef4cd203d6ffe5d2032f5cb9edc2bd12736d7bf

SHA512
541e7f024b2ac6d5ed40752fbcc0b98eb96aeb5608d66e5440ab47eec64896f939514bcb0950b2f284fca86c75a78bddc0e963e6d08fafbfada1e8c355d2050b

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
87KB

MD5
9b770761437a92371f3c8a8ad541e582

SHA1
763c68a294d4992d8f2fe4381043ab870bd5391c

SHA256
c0195972e065b93ee40580aafcd6080f9743f08af110a2031af0ede353edd4da

SHA512
44364ee587f0e11c10fefbe351f32e7c6f40b43ea636930e52af0f8fbdd80e7c8625f8d6ad3ccb41fe77fb60e605f076e4230da68dd7e61a0e3a9abfec81cac2

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
87KB

MD5
59e0b4069cf8b099670117536b20f0e9

SHA1
53b6eecc134b0529ffdca2834482daa5f48bcd37

SHA256
0a29993b34bd8eab545150fb80303a426d326859a4e2da13c02f78763599c79c

SHA512
6acfeb7503329a0272c317c7d91d8eff5156b452653213ee3f1214cf58ca520b3a06c0349aebd462781fb309e540717285f0662f3a37d24ff3f0cf2167172bc9

Download Submit
memory/516-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/700-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/728-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/776-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/776-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/860-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1208-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1208-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1540-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1540-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1636-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1636-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1800-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1800-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1876-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1876-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2040-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2560-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2560-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3292-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3292-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3308-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3332-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3332-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3704-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3752-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3752-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4056-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4056-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4088-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4088-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4132-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4132-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4392-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4524-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-123-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4920-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads