b887e7738110a356148b0c83fb678a3fae90422d1ca215ce95b89c2d3679e007

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 19:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b887e7738110a356148b0c83fb678a3fae90422d1ca215ce95b89c2d3679e007_NeikiAnalytics.exe
Size

208KB
MD5

d99dc7ac3840dbba1be002a7f73ef030
SHA1

72006605e36ad8fb4db65b7bd6dd44cc8a0b211f
SHA256

b887e7738110a356148b0c83fb678a3fae90422d1ca215ce95b89c2d3679e007
SHA512

eefce4880ac51cb038a64e166df323aba804898551c47971879522a46b098d540dba708e2445860cf7302154e67389f15eb44d7dfbdb10b0997126c382d77fae
SSDEEP

3072:EbEUAUkROYj6+JB8M6m9jqLsFmsdYXmLlcJVIZen+Vcv2JBwwRBkBnReP2+x7zqV:qAUkROYj6MB8MhjwszeXmr8SeNpgg

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdemhe32.exe

Executes dropped EXE 64 IoCs

pid	Process
1212	Ipqnahgf.exe
3940	Ibojncfj.exe
3816	Ifjfnb32.exe
3580	Imdnklfp.exe
920	Idofhfmm.exe
2380	Ijhodq32.exe
4564	Ipegmg32.exe
5100	Idacmfkj.exe
4320	Ifopiajn.exe
3012	Iinlemia.exe
4480	Jdcpcf32.exe
5040	Jjmhppqd.exe
1996	Jmkdlkph.exe
1728	Jdemhe32.exe
1872	Jbhmdbnp.exe
1648	Jjpeepnb.exe
1864	Jaimbj32.exe
4880	Jdhine32.exe
1804	Jfffjqdf.exe
2528	Jidbflcj.exe
4384	Jaljgidl.exe
1352	Jdjfcecp.exe
4968	Jfhbppbc.exe
4248	Jigollag.exe
4680	Jangmibi.exe
3632	Jbocea32.exe
3076	Jiikak32.exe
2452	Kaqcbi32.exe
592	Kdopod32.exe
4072	Kgmlkp32.exe
3720	Kkihknfg.exe
2560	Kmgdgjek.exe
3424	Kpepcedo.exe
4712	Kdaldd32.exe
2280	Kbdmpqcb.exe
1180	Kkkdan32.exe
464	Kinemkko.exe
2436	Kphmie32.exe
4404	Kbfiep32.exe
4392	Kgbefoji.exe
388	Kipabjil.exe
3924	Kmlnbi32.exe
4348	Kpjjod32.exe
3516	Kdffocib.exe
1136	Kcifkp32.exe
3916	Kgdbkohf.exe
4696	Kmnjhioc.exe
116	Kmnjhioc.exe
2036	Kpmfddnf.exe
5108	Kckbqpnj.exe
2016	Kgfoan32.exe
2868	Liekmj32.exe
1384	Lmqgnhmp.exe
2368	Lpocjdld.exe
3796	Lcmofolg.exe
3728	Lkdggmlj.exe
2020	Lmccchkn.exe
3908	Laopdgcg.exe
1768	Ldmlpbbj.exe
1680	Lcpllo32.exe
4808	Lkgdml32.exe
2456	Lijdhiaa.exe
4408	Laalifad.exe
2960	Lpcmec32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	b887e7738110a356148b0c83fb678a3fae90422d1ca215ce95b89c2d3679e007_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Oimhnoch.dll	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5440	5348	WerFault.exe	202

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	b887e7738110a356148b0c83fb678a3fae90422d1ca215ce95b89c2d3679e007_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kdffocib.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1212	2112	b887e7738110a356148b0c83fb678a3fae90422d1ca215ce95b89c2d3679e007_NeikiAnalytics.exe	81
PID 2112 wrote to memory of 1212	2112	b887e7738110a356148b0c83fb678a3fae90422d1ca215ce95b89c2d3679e007_NeikiAnalytics.exe	81
PID 2112 wrote to memory of 1212	2112	b887e7738110a356148b0c83fb678a3fae90422d1ca215ce95b89c2d3679e007_NeikiAnalytics.exe	81
PID 1212 wrote to memory of 3940	1212	Ipqnahgf.exe	82
PID 1212 wrote to memory of 3940	1212	Ipqnahgf.exe	82
PID 1212 wrote to memory of 3940	1212	Ipqnahgf.exe	82
PID 3940 wrote to memory of 3816	3940	Ibojncfj.exe	83
PID 3940 wrote to memory of 3816	3940	Ibojncfj.exe	83
PID 3940 wrote to memory of 3816	3940	Ibojncfj.exe	83
PID 3816 wrote to memory of 3580	3816	Ifjfnb32.exe	84
PID 3816 wrote to memory of 3580	3816	Ifjfnb32.exe	84
PID 3816 wrote to memory of 3580	3816	Ifjfnb32.exe	84
PID 3580 wrote to memory of 920	3580	Imdnklfp.exe	85
PID 3580 wrote to memory of 920	3580	Imdnklfp.exe	85
PID 3580 wrote to memory of 920	3580	Imdnklfp.exe	85
PID 920 wrote to memory of 2380	920	Idofhfmm.exe	86
PID 920 wrote to memory of 2380	920	Idofhfmm.exe	86
PID 920 wrote to memory of 2380	920	Idofhfmm.exe	86
PID 2380 wrote to memory of 4564	2380	Ijhodq32.exe	87
PID 2380 wrote to memory of 4564	2380	Ijhodq32.exe	87
PID 2380 wrote to memory of 4564	2380	Ijhodq32.exe	87
PID 4564 wrote to memory of 5100	4564	Ipegmg32.exe	88
PID 4564 wrote to memory of 5100	4564	Ipegmg32.exe	88
PID 4564 wrote to memory of 5100	4564	Ipegmg32.exe	88
PID 5100 wrote to memory of 4320	5100	Idacmfkj.exe	89
PID 5100 wrote to memory of 4320	5100	Idacmfkj.exe	89
PID 5100 wrote to memory of 4320	5100	Idacmfkj.exe	89
PID 4320 wrote to memory of 3012	4320	Ifopiajn.exe	90
PID 4320 wrote to memory of 3012	4320	Ifopiajn.exe	90
PID 4320 wrote to memory of 3012	4320	Ifopiajn.exe	90
PID 3012 wrote to memory of 4480	3012	Iinlemia.exe	91
PID 3012 wrote to memory of 4480	3012	Iinlemia.exe	91
PID 3012 wrote to memory of 4480	3012	Iinlemia.exe	91
PID 4480 wrote to memory of 5040	4480	Jdcpcf32.exe	92
PID 4480 wrote to memory of 5040	4480	Jdcpcf32.exe	92
PID 4480 wrote to memory of 5040	4480	Jdcpcf32.exe	92
PID 5040 wrote to memory of 1996	5040	Jjmhppqd.exe	93
PID 5040 wrote to memory of 1996	5040	Jjmhppqd.exe	93
PID 5040 wrote to memory of 1996	5040	Jjmhppqd.exe	93
PID 1996 wrote to memory of 1728	1996	Jmkdlkph.exe	94
PID 1996 wrote to memory of 1728	1996	Jmkdlkph.exe	94
PID 1996 wrote to memory of 1728	1996	Jmkdlkph.exe	94
PID 1728 wrote to memory of 1872	1728	Jdemhe32.exe	95
PID 1728 wrote to memory of 1872	1728	Jdemhe32.exe	95
PID 1728 wrote to memory of 1872	1728	Jdemhe32.exe	95
PID 1872 wrote to memory of 1648	1872	Jbhmdbnp.exe	96
PID 1872 wrote to memory of 1648	1872	Jbhmdbnp.exe	96
PID 1872 wrote to memory of 1648	1872	Jbhmdbnp.exe	96
PID 1648 wrote to memory of 1864	1648	Jjpeepnb.exe	97
PID 1648 wrote to memory of 1864	1648	Jjpeepnb.exe	97
PID 1648 wrote to memory of 1864	1648	Jjpeepnb.exe	97
PID 1864 wrote to memory of 4880	1864	Jaimbj32.exe	98
PID 1864 wrote to memory of 4880	1864	Jaimbj32.exe	98
PID 1864 wrote to memory of 4880	1864	Jaimbj32.exe	98
PID 4880 wrote to memory of 1804	4880	Jdhine32.exe	99
PID 4880 wrote to memory of 1804	4880	Jdhine32.exe	99
PID 4880 wrote to memory of 1804	4880	Jdhine32.exe	99
PID 1804 wrote to memory of 2528	1804	Jfffjqdf.exe	100
PID 1804 wrote to memory of 2528	1804	Jfffjqdf.exe	100
PID 1804 wrote to memory of 2528	1804	Jfffjqdf.exe	100
PID 2528 wrote to memory of 4384	2528	Jidbflcj.exe	101
PID 2528 wrote to memory of 4384	2528	Jidbflcj.exe	101
PID 2528 wrote to memory of 4384	2528	Jidbflcj.exe	101
PID 4384 wrote to memory of 1352	4384	Jaljgidl.exe	102

C:\Users\Admin\AppData\Local\Temp\b887e7738110a356148b0c83fb678a3fae90422d1ca215ce95b89c2d3679e007_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b887e7738110a356148b0c83fb678a3fae90422d1ca215ce95b89c2d3679e007_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\Ipqnahgf.exe
  C:\Windows\system32\Ipqnahgf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\SysWOW64\Ibojncfj.exe
    C:\Windows\system32\Ibojncfj.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Windows\SysWOW64\Ifjfnb32.exe
      C:\Windows\system32\Ifjfnb32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3816
    - - C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
      - C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        24⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        29⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        38⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        42⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3916
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        53⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        54⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        56⤵
        Executes dropped EXE
        
        PID:3796
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        61⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        63⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4160
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        67⤵
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        68⤵
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        70⤵
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        71⤵
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        73⤵
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        75⤵
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        76⤵
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        79⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        80⤵
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        81⤵
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        82⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        85⤵
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        89⤵
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        90⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        91⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2692
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        94⤵
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        95⤵
        Drops file in System32 directory
        
        PID:3748
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        99⤵
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        101⤵
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3568
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        105⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2052
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3400
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        108⤵
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        110⤵
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        111⤵
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1516
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        114⤵
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        116⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        121⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        123⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 412
        124⤵
        Program crash
        
        PID:5440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5348 -ip 5348
1⤵
PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
208KB

MD5
b87953d9476e254c0339fe52bf7bf108

SHA1
543abc8c3b01e175ce965cec26a079e7d6d6e775

SHA256
3f504c118636908e7d13eba84e01a61cceb0eff89bcbb1e294f4a428af01b986

SHA512
52c117e99aa27d3621c22403067ea365ab5ebdf79fa8d85c7211052f4cc3661f4acb246030487dddddaa34c27182fc3237b927a2cb15e22ca803bd394843558d

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
208KB

MD5
9601c61c578c1b8c9aaa8c5666361ab9

SHA1
2af11f353ac73e5f9a88b5cf6bee163dba821651

SHA256
17cab7359d71a835e970cda74d00e85a74fe952fdfaca6c4fbe18163edc736c3

SHA512
3501a9be65e05d32b85bc5339ddfa4eb248245be5a49fef42383466426241031ea1175a8d2ab2e9b3e537054b41af2ad03c4f9bfcdfcbb47327eda4277ef8141

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
208KB

MD5
d6e704a40d472151d5efda2abaf99c47

SHA1
0a291258de1c080add60a82a4c490a57ecaea51d

SHA256
d6c50b632e376707e8789bd19bb73943d19f7e01eba5f4775c13b4f0330bb1e4

SHA512
e68a140be66706ef9093faec343932c5b11cbc52daba9bd2f52d59ada82cb868fd4f522b906ef70574c4639a6c8c87040b9a54bca0b52b1c12c9ba57f8777776

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
208KB

MD5
1de29e1538e527e9d110b693224975b7

SHA1
3bc4162c530e6e3b7942a11993ab4a6534c37d99

SHA256
929108213c0b7635345816e34eb31805d50d449c63b640a8c9b8282dace7c725

SHA512
803118f8724aeebcd0d9e7486a15698610ae797985c37fe33019bcd61a6262b8403d70476092860005b7cd7c06b111f9a9dbb0c8c79f27c73383a19c7122f7a0

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
208KB

MD5
705acf56f208b554bc745adb9b4adda9

SHA1
24cd95f028281110910f5fe26f1555883b86952e

SHA256
fdef231cfd62e4955451316f23bdf274cd041dda7e0be3218b9613c5dd99fb7b

SHA512
819f40db48a90815f004e7426acd62ebb1ba902bc7e64ae61661e3b84b36e90f7d058f2bd9f79801a2e9f347de37388bb320e394aad8fb8a5642cb8059c570be

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
208KB

MD5
a166af82b893ff9375ac9b1ef5f0bdc4

SHA1
03411d680cc1c577a0209247e4f2afd78f658e8a

SHA256
b50b0f956210ac7a956e38b2ff24953acbfcadfd345f5607ff04e53ef510e652

SHA512
2cccfe5ebdf57c872b5a29aa3bbe9820bdeec8c57330d6c0e1fcf602b5577fd49a0db81c775e934df3f7e08ba13e058a91c4148141560219a055ffd018e5704b

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
208KB

MD5
503e450c989331e479a7fb133ab2ba9f

SHA1
7a79d8968731000e90c2dc2e9f104fdd7937b910

SHA256
43fd68335e809946f1e7e6d571f25480c4343b24d31aef7069352c66bb684c16

SHA512
346572b3618b07a750144532a16cc79c1c438620ece772c4682280d9499cbcfa52f83f47272c426108ce0f9ca78aa667d27aaec3b5e0ea0805b4696309984e0e

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
208KB

MD5
8b786ece1ff3f00c7ffbd67add337bf7

SHA1
7ce1438f3480bbc02e5dedc3a6dc4d37400a1830

SHA256
8fe03cf6d3d9b89958483a0f9f3e0ad5579024f154120cecf03cdab6ffcf0f74

SHA512
ca8352d290163bcadffeda9382cf30146d0638c22f481fdf5debfecd0e672339bb8019974b3dbebd05df15bf1c610d755195ecac4782c88728d6e41c9cd824b9

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
208KB

MD5
91f6ac1b47ba65856f9db4af12abeb16

SHA1
94b271522604f1cd1a936d3024c3ebfcdc88ef41

SHA256
ae07a4ad6a52b1a64b9d6e44158d02e94028f9049ba67c80b4e231b44be67fbe

SHA512
8bf52f348a199a545cbc830cc5eb43cbec9850a0becc0dcd47575309be4cf892ef146fc97bc70a3f2c1ad9f56400aa9bfe9b5b17bd303136fecdc3210c4a181c

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
208KB

MD5
147c602bd50aa6ab2958383c94bf46a5

SHA1
464c55b26964a261e6596f77466e8e01db658733

SHA256
008e2d386126137d4984b07904e4b6a8be1696152401f939eb61cac64ae4aedf

SHA512
849c4313d97910c6405db1ec84cad7fb1994573620d497882102cad9f30423ec89d01edc3b69d11f8ace24039658298c096e6917bdf4df3ce72955c5e3618194

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
208KB

MD5
7733eccb30f869575d42d6d2a722d904

SHA1
47c4fd263241d0ef7b910060ac90831e819fef7a

SHA256
017d7e1ca6f3f3e1a7f42e40c56072925da3c44a7368a19823a5d46eeb24af30

SHA512
65e367c06d9e6237c84d02cb22bdaa7647ef03bf0d9d4da81a2e15352b1b0ee7a0a10fdedab988ade71c5d193ead0724ceaa27d22d0f01c40cc3db422d094c17

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
208KB

MD5
7403276d7cb94f5338e6d738397ba707

SHA1
5b0187ad5043a5bfae69eae663245171b7bd7ab5

SHA256
bd2ff52cc82c9922ddb5d21f6f096b7b70cd644864e741d12f84b1ef18429ed4

SHA512
cb2be1e19c6b20da163a6f814ff416fb563648de3ee29a54740ad7cc3c72fb911d5f9b272a3f0b4f183177208baaffe5357fcc4a3ee590f0246a026121e9adc5

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
208KB

MD5
18865e7234c642104749f11d145b235b

SHA1
5e99325e7be1e919285dadb106006c37a2a4a7db

SHA256
9e3fb239b3fb143a2ec6024ce8be77dbb4cd8acbb4b25b399d5a18d106076465

SHA512
428d5bab6acb0e989087924c559dc7c886791f6008e34ef7f6460e9a3bfb053135af8cd5a3f51128c7b7dc67b7652b52378e325f21f2972234b3790a77adff93

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
208KB

MD5
a5523f4e7f4e46f976361b075bbf9310

SHA1
fe0c30e940fe26f05b726abf22756270be93f444

SHA256
81bc7025f6ef2dec8513243496d59932878dc1d09c0b8b7960df66db9e52bbe9

SHA512
c7531adc4e16d6c3507fa25330f5ab54edfa8626a2f06e084d16b6492ff5cb292f83f0392197374afacc01cdaa42ade52c099ed53f125fc41c19827ac93ac5a8

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
208KB

MD5
6d7ea3d1c998308114854dab72de098e

SHA1
c4d20e9636a3050dd843dcd1494dd6e563b9e80d

SHA256
4e3be18ae817ac9778c020526132d1c0d7055f5dbde730851efd75e1c16f5b63

SHA512
4a8733109c7928edb679b75f54dfebc555815621e1597198c01a56c30da1dd3c27e11f0a441e3486ba9d339c0a535597a6ad035a3eb5cf86c63e1a3be51f0dc0

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
208KB

MD5
4596220e6178546fd8650c2d635d14d0

SHA1
5fef315c2644373563c4f6be4ce9dd9bb34fcbcb

SHA256
116ee3ba8f865ac8501874579dc424d8bbf3cfaa52e087cad368b9a87f5103f9

SHA512
faaacf86cd163c97bea4b237f3c39e8dbcb39ab53ef2648d5c8065346ab878c261ddc23184d7e215befbad1a0eb8224e269fab575bf460ee92a931e57222b29e

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
208KB

MD5
31b4536dcb2843fe56664ecbd90618ae

SHA1
2aa1447810cb9ad9199753fe06340eb76cc7c3ac

SHA256
baa59580f1158bf36362bf220100bc2e55dfac4a194bf1d30d27b40d2653757f

SHA512
589721f5636ca85be2f00d92be74354d653c99a5b2f64e118ce2ba18bd27b61d9a5930c905f48881336a6ed2bb7ddcabc13919a9a8d08876458e45111e0985f2

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
208KB

MD5
651becdde92422dad782eb8279eeda88

SHA1
4fce6516bdf2d87dd9135902133c203402a8bd73

SHA256
f01111e89c5853755c85f1d7e45ae48439e4ec8ca44d9add6178ff8b303b8a7d

SHA512
bc46aad7e73305c026c6a21334db9ccb408b28f2981883a4572a76af7f3cc25534ba7ab49204f40a6bd5da0dba204b5c56c88ccd32da1dc4c0ffe8bfb3983bbe

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
208KB

MD5
76e6929adb16c41216d79380fe746327

SHA1
06ae2bb874406624b0bb2bf62b2786e98a08e7dd

SHA256
d53e359750ee7812b6fe9b96fbcb09b0ca7517b5157bdb9bd590cf82cee32dcf

SHA512
133cca9bb46b76d9c8567fb237f8a7468454015e72753847409aa2e318e0a06705d9f53e4c6c5888eeafc5bb9d3ed7e7aa11cf8341db5007b9a73514515ea6d7

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
208KB

MD5
e89b14a31969280e990114e0abce1d68

SHA1
a306742e322b36e5907b08f55586e98f2a15b610

SHA256
94db67e188da2c3aefecf64837f66731f7f45630e7ed5697fd960b0197bc062f

SHA512
998fdbec163fc6ef66d685275bae3b4d709e8a02ca35b6248bb965cb5ae6fc88aaa564e74bf89c73b592b7c40d0d1d33a28c6fcb2fc23b637b52de49a6fbe698

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
208KB

MD5
aebfa4e267dc4d0cb9ebf45b09dd5398

SHA1
3b424b45ea79c6cf254c49358cec4a0fa0ebe88e

SHA256
5b7d8d30762cae184ae081a91dbd67ecbec8fc75a700819f32c22531c703b04a

SHA512
cbb4adb0625bae8919da36488c0f0d4b31f9016efa797d0ac0474759691d02f985ce7d381d92c04d447289f4e0c0537e727a1fd67f8332d132d264d7c28e6c4b

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
208KB

MD5
df58a4c64a40fde50cdc6673e42f302d

SHA1
1caabfa862971b158dc8945e64538f5dc3885605

SHA256
2b40721fd5fd9b9ef73e608b44a4a247813dff4d1b9044cbeef990d56d8992b7

SHA512
f607fef219ffb22982b0a5aa3ef9fa6a0ccbfefb448f4cf94d6ff29933d2ad02d4071481efe4b6333043b2b6c5efbd0f20154b78f4030ab50f6a108fec11532c

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
208KB

MD5
de641d8261dda31622119b447fa40857

SHA1
bf6c8e0ae87472b1110f65b337790ffb84e5b13c

SHA256
2520d49a63fc49b3dbaed4255557986ab7946042b36dd76300031631ba3cf8b1

SHA512
f5e3d4978b8d079b22b4720620d1bde0d3a29eee74c4d2983197cdf471a78681a3a7fcc2ae261006fb63fce390cf50d8acc03c358df9caf7ef45db123e7f844b

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
208KB

MD5
2e8a8cbd2de5ab5c17aba609ed859fb5

SHA1
72005211b5000bb1a4b97d643ddbea027c5cbece

SHA256
898b9fd8cee3595bf3f69925308151f94e8d4199ba699e61f9962682308fecf9

SHA512
50e2d5624cd435dac400f39379788b2fd1250b7026a306a15924183bc2e75dafc8101b31db0ffc13deb6ffa6b3a272dac9389f5991958701399f214095bed3bd

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
208KB

MD5
0d7a0733f8fff086a6322c757389b4ee

SHA1
2e09657bb4e5d5e72dd9eea308ba88a53e8b7143

SHA256
7f98d7b164c3394d936c9ea5061e5e050e4e77b4d48206dbf993847dc093a7bf

SHA512
54752a1f7738bddcf34436824aeb05c0df30bf9c959f200274b6f7147bc3099ea7230c5e54145d129307436dbd8891f0bf5c73a0f3a604dec7f0adb151297e61

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
208KB

MD5
86799b33a53a04f6fc4d4d23a6fe7694

SHA1
aca3e743d9aad140f36b680c8bcafc2903e6ffba

SHA256
f295205a7ceacb4bf524af770e798d9dee8cea281a16b7091684fb8779252a82

SHA512
78dd06b32d95e7180c502ffe33f6a412d81de7d0c9e2234d40b3dfb109dc73c3f1f013bd29d6bee61d9099671f3dd930e445d3bd9fa5fd20e7a3a83bb078b46f

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
208KB

MD5
a74264be374b709e7b6b42f8b462db22

SHA1
97f5650c0684ffe826cbf2aa857f14ea3d38e5e6

SHA256
d8cbce8fc5e968b7405c8d4b68c1af4a2e35bd71114f0a3e974c60acd8ac3140

SHA512
db02e3980209207546fcfb9bdd83599b94064a1625c77865812c271a80796e907557b58cbe4bbc7572e46d0937f33a19948f3f079164233eea35cc0bf6aa7a31

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
208KB

MD5
edd1c04587d0fb64fdfcac2df7035526

SHA1
a1e2fb601c2b30eaa62168ff19320874754cdfb5

SHA256
906a7be4af902af49b9e76e66f9aa7c518cc4c912ce01b1fe4eeb868d46e9d7a

SHA512
f43aeff05f20f7236101481c7f4d37c0c0b22c85f8f88f752c993b1dc6212c3620599bdd7e310a6409eb44dbff5dc7be96f9476e4181a731aa0bf6dffd5a8481

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
208KB

MD5
4ed10dfabaa979f681b671f96fc54fbe

SHA1
f38978bf1038b97b04c5bdce1a062b031ae83b58

SHA256
9abd19569dc93ee723bde17788ed98f279290f4729c16b3134704d80b7c1a4ae

SHA512
88242c9b0e6d5b2a123eeeb256c791d62980b0776258b70d545f61aec125b71fe06dab6e7c698e805ccd0061d9f8c1989cb5ce2c7fa6c8e963bce9c7211acfec

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
208KB

MD5
e67ae32e8a027aa572245ef290ea8381

SHA1
b570ceef23ac6e341103be4f9f8ebadaebf6d822

SHA256
618f7ffe4d4b7cba38a8ef13c27d479630a72e2252c4e67f22781facc42ee1dc

SHA512
2965d0029ffa505d00a092b825bcefe9f2d32ba494b4182cace1eb73b34061203cfb8112e71113cfcad0729381bed4b2b90f240c6ad854d60c8ce8448ad30212

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
208KB

MD5
6b51a0a01f90922f4feb67b7adbdbd19

SHA1
832a0b2fc64e4bd8fe4eda91ca168d90c3a3d41e

SHA256
7ae2ab85a966d3312eeacb105324bab87e391c0a470cd6486ddab26eb283862a

SHA512
87d83b24f3ccc1bd8ae4109835cced7dccbb5535b7995988d847836cab5a9c0464c8db3f79f59ada36f54b0190f864e4377a678d2e63ab1a0f9ab511a576a212

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
208KB

MD5
11f164911f395db7ed608c126dd13094

SHA1
d0f11c31572bae3777d96c3de9e3b80efbeda858

SHA256
d748fc4c6a8ef0b3ad989084af1cb9430d825cf6e59d4399e5bfb9c633a0419c

SHA512
c388bf5b28bb0f311b730c2be25fb9c4648de9363141c8b79c39453a647b3722b2216e026ea607b461a995b7294fe76f748f41b761258c7ec30e615365e9fbdc

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
208KB

MD5
4a8105c21c09978678af0c0d798b08a1

SHA1
05def030856450114134ab65fd193c62ccebe32f

SHA256
f248f74847d96831a4bc7e9dbd068b01269adaec8e66d859fd87e7091ffd266b

SHA512
91025a4bc0ff8110ae16d02e8867cb5d2392cff02c28d85d4bcf8cf2134e1a9ca058c6736c92442d40b8ce790d456f649fcd62592ecb46a5f9b0a2112c0aa3a2

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
208KB

MD5
ae1e7f68ee5a3c5e07580cd92b7ffca1

SHA1
c7a467f30c568f8334e9a28b55e9b093575c9e59

SHA256
d66e931915289416872647bf67262d9c0e13678cd783f200b9569fb9d2cfa92f

SHA512
39d55ce0bcb806a8c5305798501287e1681f22890faaeae2c6b56433a64329bc2116cf6efadf5782cf7b6766593f4b9b3060c0efb213a831e15dc78089eb3e37

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
208KB

MD5
16fe55c12da427677d636f1be4f5f3dd

SHA1
beb693daecd194966d1cedfdfb1b3520bae2a6fb

SHA256
a29a5f49171e8486ba79d5a03444a5699a467bfada335352529a465d951c9647

SHA512
ca8e0ed365a3e3ec1b5536c8149ea3443b187af8c2946c6510b472a681613d6d1c039ac95c9f8450075a97f98a8bb8ecf8fa05c14095f41978e2b2a5cfd1e899

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
208KB

MD5
326a766dc3ab996ec09fa7dd21238cd7

SHA1
77922c8b009f42a36f3988e8f8e76dcae37dbf31

SHA256
aa98acab4b7a72a4cbdaec75dba3ec9701b693fe34fa932ff2659566546527d3

SHA512
25ca7548cc1dd77891b4c98ab71a025b68735d2cdc35cb37af1821543b404ac63456518b0b315e0ae0a341669c20233e12d751c8b1a5339de2dfddee05868115

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
208KB

MD5
5370c7b283a5970f08d66b84bd2ec35f

SHA1
a226d2d7acec1cf4312a6b8f17a3ee7ece06961e

SHA256
fc36c1d4b048b1a745fda5085b25918433f585f0ef802fbc8cefd1fe61df03a1

SHA512
acdc4307016482cdf579dfffe33af7c1105469102145bc86001e68796355deb59ed192b8baa62a0a19d560503f1f843eeed383c0d911069b50df02e80d0f44c5

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
208KB

MD5
66fc6878cfb4661bf1200364d29a5f98

SHA1
11c1432e9bf16f50ae78fafbcb03fb13402544a8

SHA256
d9a1edeaf7f7b13ba30cd173cc3da941dbf04beadf61efe78d7cbc0237275a6a

SHA512
120230129c3ae96062ddc999ea02e0ee4baf318887a421e4100a75682e0d537184a45c5f90f75f755afb29cd806eba4df7aa7af4cb79a6542d7071277aa901bc

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
208KB

MD5
cec08e2d2c5098058db58a137e3608e3

SHA1
1c433ff64d60df0294e2d2184e4eea0d62001a74

SHA256
68b820a3003ef77421809064045c843665ec7ec2e80c4bc9cf9ad51650b3b6bf

SHA512
24f85c881a3229e0dd0621ffd346a301ea5e894f3482e765fc4b0f93f92a5a3b87c596f00c83bc56b8a8f813839129f400be9120dd0bdfd9a42eceaceb08c9c3

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
208KB

MD5
6eeb8001b9d71e36cc44f4e24f4870d2

SHA1
b0a51e64d060d5366ef4ca5809d52256bc3cfd44

SHA256
56360a5dbc6cff4ef293d7ee7cd4f9703180e760e07223f107007b86b98967a1

SHA512
d231453add2f5f43bfabbef14e2eae0608d2b0fa807cf87213c17a4680926af9321efaac99791d700c245796cd1b9e0b1313393ccfdcef79192a07288e49be11

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
208KB

MD5
223e66e2e0045b39ccd22eac49e75565

SHA1
3c81bc7537fb2b3d1fa76693537aa34df8d20e9e

SHA256
5f5646778ec4b4e90cf855a854a91d2728d0d9ac7e0ed4187fe3cd451a99f1cf

SHA512
a80e51773ef5b4eceb77a4fe4b7dd454d0291917bada99378c5c6914c80df0cf748fbdb24fbbeae42cad8b62fed0cac21cda0fa0f59a1eb2ba91c5d1ac9b396c

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
208KB

MD5
fb91eea336af98f026c4b67c235ecc67

SHA1
8cf718e07ce7fcb832f372e133a38f39530adaa8

SHA256
7c7329c64582537ce75a6c436ac3cea1e5ec2f7ba6b4946dadcbb41125244ab2

SHA512
b94798519532be84df96ffb838415aeaaea7477dbc1ea96e2cf5b3dc011441c3bfc1044e939c8d76877c67dcdc1c4f59697472bb30cf8e8d9d2b2a593c60e674

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
208KB

MD5
90a7d688ab9b39b92a6291445352a8cb

SHA1
4f27780f5e83262a4e4cf3a817751d4688b97e30

SHA256
74a6b1f059e6812fa4c9c3283aef62c91bee46f8c98a4254c84f624bd75d60b4

SHA512
061b95e59ebe750b7452a508facd6a864b7fe9096aca8baad4a1a43687b88a21c1ab05b547dfdf67a58129b3d8e2afc9bb31f36af3e86fb9a93e70dc924b2370

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
208KB

MD5
5f199a66943c055bbee99dedaaedecf2

SHA1
cb50b3d50b8b597aec05a02d01dcdff2a7853297

SHA256
bf061e5909af311c6348c8ec49274570186804192cc53cc1a02853424a77a00f

SHA512
211c365fbd3173badd8bfc6d0e471249f614b962eaca753ab7984d911a996ad495caf20e678a918f7619ece1271b8df4a5798a9dad7fac3035b5608de1ca23aa

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
208KB

MD5
5cb089c6348cf1871393439dc036690f

SHA1
cec67e7afe1d1131c43bb9015c108bb75c1ed8f9

SHA256
9df7daf3227b5d92bbde55dfa5241330b7fe91aae3173a65f3b61085f6511ba9

SHA512
853d1c58bafa2d5d7973a2d8309fecf5d4362ac07f7267d05727c42593ea762f913d47919f66cd2e9646f72d9e44f0751fb825beebb59155ea3149a11c276d7d

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
208KB

MD5
d81a6dd0eb5dd729b873973f7460c37e

SHA1
f5664547075e5bee1e03007c9791d5504ea32387

SHA256
89257c74606c9ac7cf089473febcad5c03cdf67817c1e82f1285688f1e978bb7

SHA512
c16212f21cb40633144fe8b966c683a9e6ffdefe18bb03a4b64ed1b2ea71ea5ef42cf734d5878294e711848ce023af6a3ea629a0f6887ed9264238011a74d1d4

Download Submit
memory/116-349-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/224-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/388-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/464-291-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/592-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/920-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/920-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1136-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1172-515-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1180-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1212-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1216-592-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1352-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1384-379-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1592-486-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1648-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1668-548-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1680-421-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1728-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1768-415-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1804-157-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1864-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1872-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1996-109-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2016-367-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2020-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2036-355-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2112-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2112-547-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2112-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2204-501-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-523-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2280-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2368-385-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2380-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2380-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2436-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2452-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2456-434-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2528-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2560-258-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2740-463-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2752-561-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2816-517-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2868-373-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2960-449-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3012-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3076-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3364-574-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3424-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3488-546-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3516-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3580-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3580-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3616-535-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3632-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3700-534-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3720-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3728-397-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3796-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3804-505-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3816-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3816-29-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3840-597-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3908-409-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3916-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3924-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3940-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4072-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4160-451-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4212-581-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4248-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4320-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4348-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4384-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4392-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4400-487-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4404-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4408-439-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4472-493-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4524-475-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4564-594-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4564-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4640-554-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4680-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4696-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4712-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4716-567-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4808-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4832-457-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4880-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4968-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5040-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5100-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5108-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads