523bcddb601884765f4b303729d51865864e9a383d3cf7f14ac2442c98c0202c

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a517d048ded7ed7a16b67b8e97be5250_NeikiAnalytics.exe
Size

80KB
MD5

a517d048ded7ed7a16b67b8e97be5250
SHA1

0812baeb251ae60c1c43df5745319308f653252e
SHA256

523bcddb601884765f4b303729d51865864e9a383d3cf7f14ac2442c98c0202c
SHA512

ac7dad7c480e353276e8e8ca4da0566636986328b244202d6134e07bcc9d1acf280da077d201611b1bae47f4c555b61f1f4ed7233f9e4f2b70f9215f68104cdb
SSDEEP

1536:pGuEvpg8Qxhw+uIA1IEGxi6gUh2LiaIZTJ+7LhkiB0:pGuEvkeDe9xi26iaMU7ui

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe

Executes dropped EXE 64 IoCs

pid	Process
4612	Imdnklfp.exe
3324	Ipckgh32.exe
1164	Ibagcc32.exe
2648	Ijhodq32.exe
2924	Iikopmkd.exe
1484	Imgkql32.exe
2364	Ipegmg32.exe
2464	Ibccic32.exe
3996	Ifopiajn.exe
1844	Iinlemia.exe
856	Jaedgjjd.exe
4076	Jpgdbg32.exe
4232	Jfaloa32.exe
2720	Jiphkm32.exe
4584	Jmkdlkph.exe
4752	Jpjqhgol.exe
1556	Jdemhe32.exe
4240	Jfdida32.exe
2032	Jibeql32.exe
4336	Jaimbj32.exe
5116	Jbkjjblm.exe
4492	Jjbako32.exe
3716	Jaljgidl.exe
1876	Jdjfcecp.exe
4064	Jfhbppbc.exe
1260	Jmbklj32.exe
1384	Jpaghf32.exe
1768	Jdmcidam.exe
4344	Jfkoeppq.exe
1956	Jkfkfohj.exe
1708	Kmegbjgn.exe
1168	Kpccnefa.exe
3904	Kdopod32.exe
5108	Kgmlkp32.exe
4824	Kkihknfg.exe
4632	Kilhgk32.exe
2916	Kacphh32.exe
4840	Kdaldd32.exe
2588	Kbdmpqcb.exe
2256	Kkkdan32.exe
1496	Kaemnhla.exe
1132	Kphmie32.exe
3700	Kgbefoji.exe
2628	Kknafn32.exe
2080	Kmlnbi32.exe
4020	Kpjjod32.exe
3364	Kdffocib.exe
2988	Kcifkp32.exe
3756	Kgdbkohf.exe
3596	Kkpnlm32.exe
2164	Kmnjhioc.exe
4496	Kajfig32.exe
4044	Kdhbec32.exe
2536	Kckbqpnj.exe
2652	Kgfoan32.exe
1256	Liekmj32.exe
1028	Lmqgnhmp.exe
2908	Lalcng32.exe
3064	Lpocjdld.exe
5080	Lcmofolg.exe
4856	Lgikfn32.exe
1092	Liggbi32.exe
2284	Lmccchkn.exe
3440	Laopdgcg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	a517d048ded7ed7a16b67b8e97be5250_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5396	6064	WerFault.exe	217

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a517d048ded7ed7a16b67b8e97be5250_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 4612	2796	a517d048ded7ed7a16b67b8e97be5250_NeikiAnalytics.exe	85
PID 2796 wrote to memory of 4612	2796	a517d048ded7ed7a16b67b8e97be5250_NeikiAnalytics.exe	85
PID 2796 wrote to memory of 4612	2796	a517d048ded7ed7a16b67b8e97be5250_NeikiAnalytics.exe	85
PID 4612 wrote to memory of 3324	4612	Imdnklfp.exe	86
PID 4612 wrote to memory of 3324	4612	Imdnklfp.exe	86
PID 4612 wrote to memory of 3324	4612	Imdnklfp.exe	86
PID 3324 wrote to memory of 1164	3324	Ipckgh32.exe	87
PID 3324 wrote to memory of 1164	3324	Ipckgh32.exe	87
PID 3324 wrote to memory of 1164	3324	Ipckgh32.exe	87
PID 1164 wrote to memory of 2648	1164	Ibagcc32.exe	88
PID 1164 wrote to memory of 2648	1164	Ibagcc32.exe	88
PID 1164 wrote to memory of 2648	1164	Ibagcc32.exe	88
PID 2648 wrote to memory of 2924	2648	Ijhodq32.exe	89
PID 2648 wrote to memory of 2924	2648	Ijhodq32.exe	89
PID 2648 wrote to memory of 2924	2648	Ijhodq32.exe	89
PID 2924 wrote to memory of 1484	2924	Iikopmkd.exe	90
PID 2924 wrote to memory of 1484	2924	Iikopmkd.exe	90
PID 2924 wrote to memory of 1484	2924	Iikopmkd.exe	90
PID 1484 wrote to memory of 2364	1484	Imgkql32.exe	91
PID 1484 wrote to memory of 2364	1484	Imgkql32.exe	91
PID 1484 wrote to memory of 2364	1484	Imgkql32.exe	91
PID 2364 wrote to memory of 2464	2364	Ipegmg32.exe	92
PID 2364 wrote to memory of 2464	2364	Ipegmg32.exe	92
PID 2364 wrote to memory of 2464	2364	Ipegmg32.exe	92
PID 2464 wrote to memory of 3996	2464	Ibccic32.exe	93
PID 2464 wrote to memory of 3996	2464	Ibccic32.exe	93
PID 2464 wrote to memory of 3996	2464	Ibccic32.exe	93
PID 3996 wrote to memory of 1844	3996	Ifopiajn.exe	94
PID 3996 wrote to memory of 1844	3996	Ifopiajn.exe	94
PID 3996 wrote to memory of 1844	3996	Ifopiajn.exe	94
PID 1844 wrote to memory of 856	1844	Iinlemia.exe	95
PID 1844 wrote to memory of 856	1844	Iinlemia.exe	95
PID 1844 wrote to memory of 856	1844	Iinlemia.exe	95
PID 856 wrote to memory of 4076	856	Jaedgjjd.exe	96
PID 856 wrote to memory of 4076	856	Jaedgjjd.exe	96
PID 856 wrote to memory of 4076	856	Jaedgjjd.exe	96
PID 4076 wrote to memory of 4232	4076	Jpgdbg32.exe	97
PID 4076 wrote to memory of 4232	4076	Jpgdbg32.exe	97
PID 4076 wrote to memory of 4232	4076	Jpgdbg32.exe	97
PID 4232 wrote to memory of 2720	4232	Jfaloa32.exe	99
PID 4232 wrote to memory of 2720	4232	Jfaloa32.exe	99
PID 4232 wrote to memory of 2720	4232	Jfaloa32.exe	99
PID 2720 wrote to memory of 4584	2720	Jiphkm32.exe	100
PID 2720 wrote to memory of 4584	2720	Jiphkm32.exe	100
PID 2720 wrote to memory of 4584	2720	Jiphkm32.exe	100
PID 4584 wrote to memory of 4752	4584	Jmkdlkph.exe	102
PID 4584 wrote to memory of 4752	4584	Jmkdlkph.exe	102
PID 4584 wrote to memory of 4752	4584	Jmkdlkph.exe	102
PID 4752 wrote to memory of 1556	4752	Jpjqhgol.exe	103
PID 4752 wrote to memory of 1556	4752	Jpjqhgol.exe	103
PID 4752 wrote to memory of 1556	4752	Jpjqhgol.exe	103
PID 1556 wrote to memory of 4240	1556	Jdemhe32.exe	104
PID 1556 wrote to memory of 4240	1556	Jdemhe32.exe	104
PID 1556 wrote to memory of 4240	1556	Jdemhe32.exe	104
PID 4240 wrote to memory of 2032	4240	Jfdida32.exe	105
PID 4240 wrote to memory of 2032	4240	Jfdida32.exe	105
PID 4240 wrote to memory of 2032	4240	Jfdida32.exe	105
PID 2032 wrote to memory of 4336	2032	Jibeql32.exe	106
PID 2032 wrote to memory of 4336	2032	Jibeql32.exe	106
PID 2032 wrote to memory of 4336	2032	Jibeql32.exe	106
PID 4336 wrote to memory of 5116	4336	Jaimbj32.exe	107
PID 4336 wrote to memory of 5116	4336	Jaimbj32.exe	107
PID 4336 wrote to memory of 5116	4336	Jaimbj32.exe	107
PID 5116 wrote to memory of 4492	5116	Jbkjjblm.exe	109

C:\Users\Admin\AppData\Local\Temp\a517d048ded7ed7a16b67b8e97be5250_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a517d048ded7ed7a16b67b8e97be5250_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\Imdnklfp.exe
  C:\Windows\system32\Imdnklfp.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\SysWOW64\Ipckgh32.exe
    C:\Windows\system32\Ipckgh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Windows\SysWOW64\Ibagcc32.exe
      C:\Windows\system32\Ibagcc32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        26⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1260
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        28⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        36⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        38⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        42⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        53⤵
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        54⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        55⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        57⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        65⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        66⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        67⤵
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        68⤵
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        69⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        70⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        71⤵
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        73⤵
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        76⤵
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        78⤵
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        82⤵
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        84⤵
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        87⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        88⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        89⤵
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        90⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1312
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        92⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        93⤵
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        94⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        98⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        99⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        107⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        109⤵
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        111⤵
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        114⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        117⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        118⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        119⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        121⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        122⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        123⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        126⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        128⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        129⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        130⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6064 -s 408
        131⤵
        Program crash
        
        PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6064 -ip 6064
1⤵
PID:5272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
80KB

MD5
13c15d03d510412006bb736335a3de30

SHA1
c1899febec574e26f4fc778c59d50a60357f5ba9

SHA256
01f581acc9def23e2e21c43dafbd834763882c04747f712bc1fceedda5612ba2

SHA512
f35bdefdbf33ac414823ae615e8d2734a53d85fcfe36cf29dccc840b2926627f2c85d36a383eb4cb6461e242351860a3a41072b6e0f4d8b75f806f486aafa7cc

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
80KB

MD5
9b5be5317ae0cd435cc17c5a0e6b2b65

SHA1
cefe00650e2879e9fbf9ab3976e3359f668c0f7d

SHA256
f430622615a3566ad06200c01967dc933542684d03d80d3080f795e8487d6813

SHA512
3f7e3184fbc7d8ef303c9b06ad03a3b5f2819cea351067a3b2bfea282dd35a94b18630f8336e84a03248efeaf3612b292224201feb6a9dafb096a180e9a577d5

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
80KB

MD5
f9d7c404dd546720c3d292334502de1b

SHA1
a6efa72878eec4ad8ad257f5e5ad5c81070113de

SHA256
f9b9af5487614ea048a24d1a9d3e9cbd2998b5167e7bcfd7a95d6c8001795556

SHA512
b85b55c831021d5886be82248c1efdb4a47e9030903c8dafd185aa31658e70946907f145a5c52ef4b92c06c5bcbcab3ab7df005286c6acf8396ff02bd64f0ed7

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
80KB

MD5
21635535168112d28016f06bac0861be

SHA1
7834adc45d40ba98041a70127cde854fed6d7418

SHA256
38844a30e89e8ecae47412b13729224c3e0a5c6ab3cbd4c7d1cfb56c979b51cf

SHA512
e170a8fd2a279ea91f85730724fd7188ea7fab925b884c4379a575caab0b58a58df3e0dff19f3ed7b007f178ee9fe2f0f61df0df8bdfe7a9d2073fddddb09fc2

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
80KB

MD5
88780e098ca1f41bbb8aa029df348692

SHA1
9a80439e82ede8f61ab1a528f380d337e82975f2

SHA256
999cc322d7f544359927d8cecfb62e0519432dc6f4150a9232abf036217ae973

SHA512
7e235cf89c0069adaa173e497393b4f18081b2b6ae6048d0d00302a9ae3675b0173359b0b582041260fc1b040b3f9a6eed3781b6ee5faceccf7cdbccdb9c570e

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
80KB

MD5
4696dfc181153878404fa2bab213d9c4

SHA1
99d826ad11eae71ff1f251e4cb09bf4bd465f721

SHA256
43879a2aed3de6f6160b33a996c83882d7cf59961e69bfec532132042a515dff

SHA512
e63fb7fc68a8c94cab22acf83c5847e1e275e92bccee7ec418fd59545ca60505e665ba0b1dade107b2b04547299c07eef0eda3c54d0b25937a77c93d58716604

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
80KB

MD5
d7cd62f67cb71bd5354689db3a10b580

SHA1
f450320f24df5dd38397af6a32939b4ad5b5c325

SHA256
8c55be689f4e8984c7cb809c046380d0b1a2fac9dfcff0348b6b1fe0253b8a1d

SHA512
760e299ebf134a1c6e2b1c66e5ae00581254c8902091c368bcd3165032ffbd46a2f9c88802365879e7ce7e239cf145cfef4be1dac470ec2cb38b679a58df05c3

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
80KB

MD5
59835254ff74da78198d681256884c35

SHA1
707346ddae492ad3f76f3eafe6d57c78dd1b498c

SHA256
c15c04a742a6a3385a4337294a2c9a2a6ba4d66ae2c9acbd5100d80492244992

SHA512
00eb23547c03b315c43cd5e591779d181a6cb86aaeffd072a14f8ea5192cc20016199b287ab91abca2834b29e603af92f5c67a8171a75e50053d33a0ffffaac7

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
80KB

MD5
e5c079517d47d833b55a35a54ebabd19

SHA1
4a4c5e167a18023d715feffbcf989435ad050a83

SHA256
4e6d85ddfff23833e090c91f000478691f861b82b45cd61cc2085b9a444ab309

SHA512
e34051968e48719104b237b6153d8c76cb3924b1c8a42f3363c5ac55da754f679618d6079bb86e0894d8f66bd63faec71acedc4e5343bf70485c45f88bb8b13f

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
80KB

MD5
df4f26057028569335d79d3503ff94c8

SHA1
d5c8af7e3e4d0e7efa8798a1bebce716abb8a483

SHA256
4b65ce96ec8011716b8e4c79f5bd0e273070af8f4c7d660f91ba6638ae7774bd

SHA512
88a7e7048b526f2ab965cdc3539ec9024cd1ff7e78c2ac7af16f31b7a2e392e3496ffc54677680b394f36de4c111c08bc909cc568c66f60793cae29b9c057f20

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
80KB

MD5
c092b838ddb5e8fe3c22b97944e56023

SHA1
ca7028c5c3a03c333c69daef8b8a934ae48526ca

SHA256
eb6db598a549a1c753510724eb0a55edeafc19c5ac3248d71a93639f67a3d76a

SHA512
64da95df6a7b5902b4feb0c4cb68d1eb4d61a207eca230808626c62ec321bdbc0930b8629c0e774f6b7116a484f84dd6922b8c6ca9dc7575a05f3659f25a60be

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
80KB

MD5
85e82215e661b5392facff22a9e31603

SHA1
853163b1cd2c7b8e33ef5203760767ebf28d795c

SHA256
6377acb2cc9e26b299511bfdfc62051ec0904352ca6b8a6b61db1a605a675cdd

SHA512
2d1f96ec8caab6bb37d70c7c479cd582c7c4ce248545439542b4bd0a0937b52b2882964d27ae7ffa2e9ef6390f5bbcba3a7d7deeb9616afb5d263ee02b48cfb6

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
80KB

MD5
412b23930c0ccfcc8cf07b03f2c38837

SHA1
987765dee92e302d69002bc73f55ab391fbbd0a4

SHA256
f750b4d0b3c0b26452b7a1f133bfe29c04838c16a81385a0b5306cb81e1cecbf

SHA512
98fb228438310dd16d267b7c225ea5a7c087efc1f16f7625477406ff94d49198f99915d61792aeb8e6a608bb319630cf7b04bbf5c875e65c99987befacc83cab

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
80KB

MD5
a99c736a9afcf927fb6d7768859fe4ab

SHA1
e47b303a9bf0aa2860a5145c68162868ec9b6501

SHA256
15f267a577f0784bde2e1d8b7eedb077b5c2ed26b00109f72f7c7151911fa309

SHA512
238c8ca3447c5b37b4faefd6528e521621b48b60a0fcea1be85f81a7977421fd9eb93ba50f773408a82bada02aaf08684dfa4d00fde3a9debc7e9ed1a6457de2

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
80KB

MD5
1378e7a8a9253fd9c7d1d5ea23cef4ae

SHA1
a5a50e783154c5b2297e65271552be24eb9153a5

SHA256
fbf77e8fa429c35fd9bd07cf7df2170c9ab98de568abcfd6ddb9f231b6cf9bf8

SHA512
a888d748e04cb6aadd9124aeb104d7d93c05df675cd7be7114aaef1abe414603830e393231d432f6ac70e5b61b8095d660cb9b85106999f203895f8d6822b6f2

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
80KB

MD5
6f3280034799aea5826224b9a058d4ad

SHA1
74cb446e43447bea6df4b158330a3556f2215f73

SHA256
bd9ac2570c5700c3dd607aa2d0a0574dcb49cc510bfed1616db74edc92622233

SHA512
8be9694cf7aa562d8490d233bdd11ae9d96e72705145a3a1c3adad662a8fab7dc1ca7bf9a34a61d740cae05f48c71dc36152ad7ebd8b2107e109ab880c604063

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
80KB

MD5
6554525ba25a3a5b1d1701250300506f

SHA1
b253dc52de7136e9c241bd2ccca2d8a5dd8baa05

SHA256
34c7d5d20da43e33ae98aeb43523e7c49acc7524acf74685029393817aeabdfb

SHA512
80bfc2d5882d7b99dc42c454ea3c844a9e6e894a44228533dc33212d09be54d28c4a35fb38bdbd6ea49db9bebd1e8689daf7686ed4d35425368e12c415f7a594

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
80KB

MD5
46759244858c5763de0333952c227efa

SHA1
986cf9219118aaf60787f793ab99d89c3ab5f180

SHA256
fcb88f54c75f0500fd811034b5c9cebb196357a5b8e1413e2ae67df3c629df44

SHA512
52be01b94c22c46066641a7eec4a90a3715cabcfa0d9420af335798a9569a2b00f11caa7d798d5103a9f124a487398a5308ddba2b4128481c565881234b49be9

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
80KB

MD5
dc1dd96661b45774335f93b924ddf813

SHA1
1ee3041014feab4062fda10d86516f7abfa9a359

SHA256
3fe42a4e0b829623b891840bb4b690a8c212c8819d14e6bff0838923a1771b50

SHA512
dad39d99e28fc5037fa80463e182838ec12caede64793f3d10136095c98ab32e23e874a7cf22c2f2c474891bef5f1dbbacac937277425be08a9a71a1a0bc641d

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
80KB

MD5
3ccb13e0da9f9e91f98430c3404b26af

SHA1
618e4bc9323db0fb1aa24632a67770dfde544572

SHA256
f18de9bdd3a5420ab4038b5b3537a49416cc9b169b16fe963808730aa4d53d25

SHA512
cc6b7ef46a9591e9a0f91695b71f932a486690f07a0ff66d6cc10f837cb877b130cf4b9b6c11a9125b4fc91d93218eb4233515c50430feff472c1670c03e0124

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
80KB

MD5
da5b6eece7cc8700be9ccd200f5918db

SHA1
9134f35728a18ef0b1f287aae8503d57e51c8314

SHA256
0c213d0447238a4093f7731818ad01a209fd45f171d41337ffeab22f3cac7d2d

SHA512
a5de3feefc53b5d533c9032cdd31209c5041375876dacf6395658931354a0ac4df63fa8114a5d585d34f4066e82835679f66d71869aaca61ab7c2085c1e9fc30

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
80KB

MD5
c3378852f05f7b730b986ffde171e63c

SHA1
1828a8d7311ac80328f5b7be0bedaf021ec74a5b

SHA256
88d86ce25f985bab1bec91b54f88aafb66913013fdb40f38301f3e69c5fc0271

SHA512
ebd267381684ec5df74102bb449a9fb7d2e9b83cd7757d9dcd3af8298904ff0591679685fd5bbbe325115436bdcce904d9386a723c69b86656a099a6c9a9706e

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
80KB

MD5
f21d90d25ef0ba212861934081ec0901

SHA1
c96979fa1a5bbd3916622f522e30147257eccf88

SHA256
e8ea2feb80fb9d05e8bbd6f34be74e5887bdab97b031c74752debc841e59fa77

SHA512
b71f04f18908eafdd202cdddc039df1c10af6a4dd8bf72664f2c1288f7c1a3716f6ae6c4b55586649f654a82681dcd1bce4e53204ed4e15359a6d8a6f64227bd

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
80KB

MD5
4fe007f204b8db48423d7d193b06aeaf

SHA1
af033a7893eee80a3b71b8fef9c607444bb4ad91

SHA256
d29c1fd32c9ea74f46280953c8a38421700aa2c5117a35046e3bbc64742c3a1f

SHA512
41a90ea07c64d36a030d96f03e86aef38960bbe8bfd1eb9cb08a76df55834d1f1bfbfdd4da5b69c412d9e0b39f16825b415e21c708e44b55f882ffacda054a0b

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
80KB

MD5
d1f2a7c077a7fbda4ee95fbb2a46510b

SHA1
f29142ad2c784bec15ca89c9ade1fe331bf2928d

SHA256
426176d4bd467c43f349dc055e9137101d2cdace46a11288e0b5dbed7b469f54

SHA512
ea8711230dbe73a234830d9fb2c42c1b10680ac504bba4e5136ee651179aa1f44bf7b8c1c57e3b46234fda68d71efd24b606621350bf1c63c8ce96f73f33396c

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
80KB

MD5
349578701cada0fe57194cb4a0bb91bc

SHA1
a1e4b5e687e0cac2d5a22d279229bb74e3a7d1a3

SHA256
e07ff14f18e8570b7e7e56a8ed9c8b0a69f05c2376491d1893c7b3b362a8fbc2

SHA512
0273bd25c6b70f8258c8ca08e437e4f12565e0cee420b3d9d5e5717adaa0ee660bcae0adcb902733017ab4d2bc28151739574a546d111aca857ed1bbf082cbc1

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
80KB

MD5
bb6e0b95a699a0b1aca28d27f2c06c9a

SHA1
3e581c306632f3bdca6375690d3ef8d7058da0d7

SHA256
1e73024209a937fa6d3c07b7f9243aff8159afa1737dbe19089452131f383d04

SHA512
e1e2531fa588214cd868ee62e2ab1aa866f64ef60df565226069f28cc8879be4330064801114a5c6ab95e7d2bf5623626657cb37bd17e6434f95aecfedb53be7

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
80KB

MD5
902eec32212fbe1e9cd9fa3534d91d44

SHA1
411d3774dc865aab1675ef4cb5a0ceef2c370cff

SHA256
86816074b5159e06d1548a884bd78a2d3e34c2691b7bea82fba786e4a00fb699

SHA512
31deb0c0e8b3ebd351236cb57b40cc9d75ee56e03111c60babe7ac12f19396b09436111729fff124cad5f4253c97c4318e269ea1288df412b3683b1f47ef30af

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
80KB

MD5
9014694210f2e104bdf61299e70144b4

SHA1
b4ca82989f9942334690a31e7e89e76ad8d96dec

SHA256
6e3191a92fea5a16f0416c636ffc11fdfd75769d06bf13daa3b806c90ecf487e

SHA512
00d01c3e923ab3ab218ad67da0c5fb91b7edea7855d700f70fa419a343f5bd5a927a159bc91e2d04b1d2c5fbe3c07276d1c12efbb821f1d2f5609a19d308f544

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
80KB

MD5
a55f6be4525f7f98cfbdead91146a76f

SHA1
a8c1164bd2b3e2002c4a0f67f4eeb7b9993772b8

SHA256
185e01660f3f1cf97d64c73c3afc65ae7e1bc2cad56b00d061e968eedd0af333

SHA512
f6bb30a1dd1abc148cd78fde5dca5084a6378f08929b887cdf8328dd8eaf2e3a45b6e376cb96cf1a4a757a4a0e181ed5121d02667d593adcb2242276bc563b16

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
80KB

MD5
bddfb0db657c2ce23f164227c9493900

SHA1
896a9d9e440fd09b09a619ed56ade28271ff3578

SHA256
645f1cab581ca8f07b11191384be605f9d0cadd8a38e79106f2736ca7d692ff1

SHA512
c24ca4b3e65445e2bb6524f0231a6c1ad4c3a3c659bfde26b2dda4dc1561e254687394ed6c004164cbfc74aee65d253dc4abf05490fded2b196af12f126c5477

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
80KB

MD5
1ce3080d19de99911abca0d11f92986d

SHA1
c76ef4abd9e31b6b80c6f33b1576dc4f13c8713e

SHA256
9ae1c59a4a04dd2bea12e8a5f1d678f32c1ce2fe2bb29230ed3d30a807baaeef

SHA512
c02395d91e5001698a1ae9f53a2d2891a6a6f94f5cc85a9283a24bb94a8186a79649ba1b9cefd8269ea41429673db5b414bce82d0146a2081672b934ea82b39b

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
80KB

MD5
2ffa2b1a066407202e9cc7f94d958aea

SHA1
9af9065410e3d68f7397c8db9cc1e06b899bbc6e

SHA256
f99023587f0e5551b031d114a48a2ca7b0bf905295708aaf6b19e61450644d78

SHA512
4c6b2b3dcb7d253dbf68564ca1be0ee15dfd8cd98582b07e359561ed7b230fdfdd69ad413341c975d324854168e87f7579d248b2fcaaf309600fee8c85155f91

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
80KB

MD5
bb03520b39775aa6a5578094d4088bcd

SHA1
a191b3755cae2d5decb8b3f39fe1b3d5f6cf7602

SHA256
58be54166271940d8a35ef4073acc1d1563428a27edf01ced737f13b4016bb61

SHA512
1eb4523a667f27b2b4107954b34b64172b5abbec157128b98556cc7874327e3f1709b0a47ded0846167a31c374ff56900efa8d75ab961f48fad515e3452451df

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
80KB

MD5
18102d2f6c643c523bafaa5740e9f805

SHA1
7a9d552542af62c0bd381307ac19ae2f0c263a42

SHA256
2ee18f36b97f51ed93c3fe1982704920f9d2f3d507fe837204a35ba9fb5bc11e

SHA512
6bc4c22b8d41a2b63908fc95c36842b9534f6bb820b5bf54fe3d6bb068835c6d6fe945ecb68f3fb47b723b1808fb273459515fb4b34d1d6fe9b6ae039f939abc

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
80KB

MD5
d50b44edcccabda0628081c0bfc0fb42

SHA1
0b3470be74179635e8d19d6c5c961877847c2065

SHA256
05679239309e786e137378459ad7181466704db6b9938e8e4a5b547d2cfd055b

SHA512
68e1c1174830b9db25928546741f7e347c3cc4763ef7d42208e0deb8d1771cd03aa819f032157feb537525ba9ca4a93aa61178bc5d1737d983ca76e0a6f4963a

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
80KB

MD5
c02bc76718520f655e3287fa6a8bd102

SHA1
aa7f9de6bf11ec34ee4e08b00d104a0e801bdfcc

SHA256
40faf32646dabd1f67e31bc1bc9bab0445661815f6397ed3e9489c41186bb025

SHA512
bfe76fdefee81e313e7dbe99a3394805848ede01d4d897a3158c83f82cf7ab2606c68544832b98807522a2e5dd2c2bbd45474fa09063e9ade3deff8a29c05215

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
80KB

MD5
846a9eaa58e75d70453be3c61fc42ab3

SHA1
430c65e099b9557c75757807ad105d98633d003b

SHA256
016534df800d5d5161ca0751faddbce4243673110fb8bc97a99b77165031319e

SHA512
ad2d5241fcee7ab3693152eb52c7a2af6d77c911540723a615a3d74d921bc4effc40c98b406782c2d761b72ab9ed1bc33f4277fd53e209d295e20c94ae6b8b15

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
80KB

MD5
a32e05f379ee31c0998a33602ae7db97

SHA1
b6f20de427f360ead231c40387abd946fae1048a

SHA256
3bc4297a5c52160c103becee7c6d29c299a5b5bad8c6770cfdff0a59e1c31b16

SHA512
e2bcfbe701661882498c1bc3ad9d4a99c9618648b81cb59dca42ceec49d66e586dbad22821f5b01afa57823b31af845547922c189300cde1de66defa12df1348

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
80KB

MD5
7147f67eafdd2c1175a6a471ea8b0fae

SHA1
80e70de435deededd8f11507cf0a7d271d7ffd28

SHA256
a43462f3490fc4b6ed935071a59cd6562772f16416a56e06688c70ec389b72c1

SHA512
fa0ea74852fc13921f2e69d26d6d18df700724029727291331afa35e179110bfaa4a0716887cd5cbdfba5143cffb9538ef77c19a9c33ea3feaff5804b2a8d1f2

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
80KB

MD5
55cf903eb39e3330ae52f004ba800a99

SHA1
f4e046ea79b9a7989392b9b32d7c0b8bb545cd3b

SHA256
825aef848b1146219f60cef0d78135f39ef395461d6372cb137206263733b9fa

SHA512
ddb8bee8594d43abb43905d342ebf1e22352fd1dc8e1b1fae9b6310f4be8ff9b737ec84731283c00a71dc1bc2f81057abefedcd49c78601a15e716e5a1bc7159

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
80KB

MD5
1102289ddc6e2f3fb1502908ef2cd4e2

SHA1
6c43024cfb1321fa519e5e539ce001af61a486bc

SHA256
9bebbf3c2867525dc648d5431d018375d73bd7d73d10b917e02c63dd2e55ba16

SHA512
62a6671e5d79090e9c394911efd98ce1a78f3b2bb02fcf915a70a1a7d27a0acf48144dd4fc2d19d2f263c46abf411f41905d8a02f1c22110dece6f55e893606a

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
80KB

MD5
b644e3d3babc2cd373556f59e82534d9

SHA1
82df3cc281f68d034bfb1eb66996c68299404213

SHA256
da4b28bc401a658f4d55d72dd1526f38e40c107d982b82b2a3e3ddee98d23e3a

SHA512
1a0301882ea5cffbb066d86c9793278a2ac15ef600179106db66a9f4e8258fcd0989d9344d671d62e90c5c3f9d64e90bd25ed8c2cfe642f6b9b6c6292b670d09

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
80KB

MD5
04bc72ab0582e7b544aa1c7d78f83c9a

SHA1
3646ef6c8bcc9b3a90fc6c0529fe8091841ad134

SHA256
197bbf91dc4db8ab57008be9f875c02d36995cb3877d030df2b62690c797ec5d

SHA512
78e4a8afc0001d9ede55bc0398a5d12950da6bb1144c405ce3452a2c4832cdedc774094296ef774f50415f544debb2e26ee3e1057e2b2b2ad458d484359086f5

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
80KB

MD5
a824eda607460e8c5528a4760e45309f

SHA1
65304c76a43a9428d4b007d03f44944313e8fc45

SHA256
7f36470d779c7107984f4699b6a0ba40ace60bedd9b90f138632f15d5c3106cf

SHA512
7763d78a910af36d02e06c26268f8e27225a1de3abdde4452be7788277a098bded608f096e2b29007b9ced22a59ea8f24a276e3169927b9a49b72b83b0b393d4

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
80KB

MD5
dd2badcbd7f488ee69d80c9db9c0fcdb

SHA1
55605b275cf6812f70487130d585520ccd593e57

SHA256
1a08f5b0c01e288c7d6bca2898a867a6237491948d93928bd5652e8ee11bc2dd

SHA512
d56ab8541dd3e3811fd4c03407c5c22fc23a7451ce2828be2f928813368b90b1abe6300f6c9a12533ee5eebf53ce5e3a95fcc42f316bc27285319591bc5e10ec

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
80KB

MD5
18dc5555685e01957b1959e8b80fd237

SHA1
cba3d659aa731f5a598c65e339ff97e4286a0667

SHA256
2b78f68f46f545fb300bc226c3c542d73dc72d8c52c4a2d3ac46a1b4aa268a67

SHA512
e0b870e5668bcff372e3536d2a3d924880b73a6b35f61ad7435fa4d8ad669cc081bfce2c204eac8041f493220e81c43f6bd63bd063ef655cfb1d78be293e2d0b

Download Submit
memory/856-94-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1028-441-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-345-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1164-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1164-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1168-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1168-344-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1256-436-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1260-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1260-222-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1384-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1384-313-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1484-138-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1484-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1496-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1556-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1556-230-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1708-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1708-267-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1768-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1768-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1844-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1844-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1876-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1876-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-330-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2032-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2032-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2080-368-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2164-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2256-331-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2256-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2364-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2364-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2464-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2464-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2536-421-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2588-393-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2588-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2628-431-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2628-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2648-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2652-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2720-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2720-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2796-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2796-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2796-3-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2908-451-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2916-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2924-128-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2924-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2988-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2988-453-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3064-454-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3324-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3324-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3364-381-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3596-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3700-357-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3716-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3716-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3756-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3904-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3904-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3996-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3996-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4020-440-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4020-374-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4044-420-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4064-218-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4076-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4076-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4232-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4232-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4240-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4240-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4336-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4336-174-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4344-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4344-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4492-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4492-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-414-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4584-130-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4612-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4612-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4632-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4752-139-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4824-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4840-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5108-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5116-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5116-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads