81c557682968ec0676b3f3d06c33da872b77cb3e9aed930cd02adfcfb850aede

Analysis

max time kernel
132s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71d7e03f4f1f9ef7e874c88044f42480_NEIKI.exe
Size

56KB
MD5

71d7e03f4f1f9ef7e874c88044f42480
SHA1

3365c235f2725fb7b3646528849fd3765697de17
SHA256

81c557682968ec0676b3f3d06c33da872b77cb3e9aed930cd02adfcfb850aede
SHA512

9c2084e3ed82ef54cb1bf15067694e6c60a24e6ac0da77129a6778b8e23a0cc3c727ce06fa0ef9551c8e15a01af9e555a3c2ec5bbdc8a53376dbbd6be96c5d33
SSDEEP

1536:+4hmOLFzHmwQM2FOM5b24saJrOKttDWh:iOLBGwQM2QM5b24sS7fDWh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	71d7e03f4f1f9ef7e874c88044f42480_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ficgacna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe

Executes dropped EXE 64 IoCs

pid	Process
1988	Ebploj32.exe
3616	Ejgdpg32.exe
1696	Eleplc32.exe
1660	Ecphimfb.exe
1904	Efneehef.exe
3980	Ehlaaddj.exe
1976	Eofinnkf.exe
2752	Ebeejijj.exe
4940	Emjjgbjp.exe
2996	Eoifcnid.exe
1600	Ffbnph32.exe
4460	Fmmfmbhn.exe
752	Fokbim32.exe
3144	Fbioei32.exe
3092	Ficgacna.exe
868	Fmocba32.exe
3848	Fomonm32.exe
664	Fbllkh32.exe
2904	Fjcclf32.exe
1772	Fmapha32.exe
4576	Fmclmabe.exe
3860	Fobiilai.exe
4112	Fflaff32.exe
212	Fodeolof.exe
3136	Gfnnlffc.exe
3292	Gmhfhp32.exe
3588	Gogbdl32.exe
4436	Gbenqg32.exe
1892	Gjlfbd32.exe
4548	Goiojk32.exe
4612	Gpnhekgl.exe
4592	Gcidfi32.exe
1700	Gfhqbe32.exe
4644	Gppekj32.exe
1592	Hfjmgdlf.exe
3500	Hjfihc32.exe
2692	Hpbaqj32.exe
2208	Hbanme32.exe
4272	Hfljmdjc.exe
4036	Hikfip32.exe
1472	Hpenfjad.exe
4936	Hbckbepg.exe
4332	Himcoo32.exe
3124	Hpgkkioa.exe
2900	Hfachc32.exe
312	Hippdo32.exe
3432	Hpihai32.exe
64	Hcedaheh.exe
4308	Hjolnb32.exe
4488	Hmmhjm32.exe
4492	Haidklda.exe
1216	Ibjqcd32.exe
1556	Impepm32.exe
1812	Ipnalhii.exe
4892	Ifhiib32.exe
3796	Ijdeiaio.exe
2728	Ipqnahgf.exe
3104	Ibojncfj.exe
3300	Ijfboafl.exe
5036	Iapjlk32.exe
3512	Ipckgh32.exe
1508	Iabgaklg.exe
3748	Ibccic32.exe
1332	Ijkljp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Kibpam32.dll	Fmapha32.exe
File created	C:\Windows\SysWOW64\Gmhfhp32.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Ebploj32.exe	71d7e03f4f1f9ef7e874c88044f42480_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hfjmgdlf.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Lcglnp32.dll	Fflaff32.exe
File opened for modification	C:\Windows\SysWOW64\Ijdeiaio.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Inomojol.dll	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Gpnhekgl.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Jpckhigh.dll	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Eleplc32.exe	Ejgdpg32.exe
File created	C:\Windows\SysWOW64\Lpacnb32.dll	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hfjmgdlf.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Eleplc32.exe	Ejgdpg32.exe
File created	C:\Windows\SysWOW64\Fmocba32.exe	Ficgacna.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Hpbjkl32.dll	Fobiilai.exe
File created	C:\Windows\SysWOW64\Pmcglkid.dll	Fodeolof.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6668	6476	WerFault.exe	253

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddfpk32.dll"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	71d7e03f4f1f9ef7e874c88044f42480_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	71d7e03f4f1f9ef7e874c88044f42480_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgghma.dll"	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hikfip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 1988	4776	71d7e03f4f1f9ef7e874c88044f42480_NEIKI.exe	85
PID 4776 wrote to memory of 1988	4776	71d7e03f4f1f9ef7e874c88044f42480_NEIKI.exe	85
PID 4776 wrote to memory of 1988	4776	71d7e03f4f1f9ef7e874c88044f42480_NEIKI.exe	85
PID 1988 wrote to memory of 3616	1988	Ebploj32.exe	86
PID 1988 wrote to memory of 3616	1988	Ebploj32.exe	86
PID 1988 wrote to memory of 3616	1988	Ebploj32.exe	86
PID 3616 wrote to memory of 1696	3616	Ejgdpg32.exe	87
PID 3616 wrote to memory of 1696	3616	Ejgdpg32.exe	87
PID 3616 wrote to memory of 1696	3616	Ejgdpg32.exe	87
PID 1696 wrote to memory of 1660	1696	Eleplc32.exe	88
PID 1696 wrote to memory of 1660	1696	Eleplc32.exe	88
PID 1696 wrote to memory of 1660	1696	Eleplc32.exe	88
PID 1660 wrote to memory of 1904	1660	Ecphimfb.exe	89
PID 1660 wrote to memory of 1904	1660	Ecphimfb.exe	89
PID 1660 wrote to memory of 1904	1660	Ecphimfb.exe	89
PID 1904 wrote to memory of 3980	1904	Efneehef.exe	90
PID 1904 wrote to memory of 3980	1904	Efneehef.exe	90
PID 1904 wrote to memory of 3980	1904	Efneehef.exe	90
PID 3980 wrote to memory of 1976	3980	Ehlaaddj.exe	91
PID 3980 wrote to memory of 1976	3980	Ehlaaddj.exe	91
PID 3980 wrote to memory of 1976	3980	Ehlaaddj.exe	91
PID 1976 wrote to memory of 2752	1976	Eofinnkf.exe	92
PID 1976 wrote to memory of 2752	1976	Eofinnkf.exe	92
PID 1976 wrote to memory of 2752	1976	Eofinnkf.exe	92
PID 2752 wrote to memory of 4940	2752	Ebeejijj.exe	93
PID 2752 wrote to memory of 4940	2752	Ebeejijj.exe	93
PID 2752 wrote to memory of 4940	2752	Ebeejijj.exe	93
PID 4940 wrote to memory of 2996	4940	Emjjgbjp.exe	94
PID 4940 wrote to memory of 2996	4940	Emjjgbjp.exe	94
PID 4940 wrote to memory of 2996	4940	Emjjgbjp.exe	94
PID 2996 wrote to memory of 1600	2996	Eoifcnid.exe	95
PID 2996 wrote to memory of 1600	2996	Eoifcnid.exe	95
PID 2996 wrote to memory of 1600	2996	Eoifcnid.exe	95
PID 1600 wrote to memory of 4460	1600	Ffbnph32.exe	96
PID 1600 wrote to memory of 4460	1600	Ffbnph32.exe	96
PID 1600 wrote to memory of 4460	1600	Ffbnph32.exe	96
PID 4460 wrote to memory of 752	4460	Fmmfmbhn.exe	97
PID 4460 wrote to memory of 752	4460	Fmmfmbhn.exe	97
PID 4460 wrote to memory of 752	4460	Fmmfmbhn.exe	97
PID 752 wrote to memory of 3144	752	Fokbim32.exe	98
PID 752 wrote to memory of 3144	752	Fokbim32.exe	98
PID 752 wrote to memory of 3144	752	Fokbim32.exe	98
PID 3144 wrote to memory of 3092	3144	Fbioei32.exe	99
PID 3144 wrote to memory of 3092	3144	Fbioei32.exe	99
PID 3144 wrote to memory of 3092	3144	Fbioei32.exe	99
PID 3092 wrote to memory of 868	3092	Ficgacna.exe	100
PID 3092 wrote to memory of 868	3092	Ficgacna.exe	100
PID 3092 wrote to memory of 868	3092	Ficgacna.exe	100
PID 868 wrote to memory of 3848	868	Fmocba32.exe	101
PID 868 wrote to memory of 3848	868	Fmocba32.exe	101
PID 868 wrote to memory of 3848	868	Fmocba32.exe	101
PID 3848 wrote to memory of 664	3848	Fomonm32.exe	102
PID 3848 wrote to memory of 664	3848	Fomonm32.exe	102
PID 3848 wrote to memory of 664	3848	Fomonm32.exe	102
PID 664 wrote to memory of 2904	664	Fbllkh32.exe	103
PID 664 wrote to memory of 2904	664	Fbllkh32.exe	103
PID 664 wrote to memory of 2904	664	Fbllkh32.exe	103
PID 2904 wrote to memory of 1772	2904	Fjcclf32.exe	105
PID 2904 wrote to memory of 1772	2904	Fjcclf32.exe	105
PID 2904 wrote to memory of 1772	2904	Fjcclf32.exe	105
PID 1772 wrote to memory of 4576	1772	Fmapha32.exe	106
PID 1772 wrote to memory of 4576	1772	Fmapha32.exe	106
PID 1772 wrote to memory of 4576	1772	Fmapha32.exe	106
PID 4576 wrote to memory of 3860	4576	Fmclmabe.exe	107

C:\Users\Admin\AppData\Local\Temp\71d7e03f4f1f9ef7e874c88044f42480_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\71d7e03f4f1f9ef7e874c88044f42480_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\SysWOW64\Ebploj32.exe
  C:\Windows\system32\Ebploj32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\Ejgdpg32.exe
    C:\Windows\system32\Ejgdpg32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\SysWOW64\Eleplc32.exe
      C:\Windows\system32\Eleplc32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        32⤵
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4644
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3500
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:312
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        48⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        50⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        52⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        55⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        58⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        59⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1052
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        67⤵
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        68⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        70⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        71⤵
        Drops file in System32 directory
        
        PID:964
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        73⤵
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        74⤵
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1796
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        77⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        78⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4388
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        80⤵
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        81⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        82⤵
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        83⤵
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        86⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        87⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        89⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        90⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        91⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        92⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        93⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        94⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        96⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        98⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        102⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        105⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        106⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        107⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        108⤵
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        109⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        111⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        113⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        114⤵
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        118⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        119⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        123⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        124⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5380
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        128⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        129⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        131⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        132⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        133⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        134⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6076
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        136⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        137⤵
        Drops file in System32 directory
        
        PID:6192
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        139⤵
        Drops file in System32 directory
        
        PID:6280
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6324
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        142⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        143⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6496
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6540
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        146⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        147⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        148⤵
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        149⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        150⤵
        Modifies registry class
        
        PID:6768
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        151⤵
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        152⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        153⤵
        Modifies registry class
        
        PID:6900
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        154⤵
        Drops file in System32 directory
        
        PID:6936
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        156⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        157⤵
        Drops file in System32 directory
        
        PID:7076
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        158⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        159⤵
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        160⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        161⤵
        Drops file in System32 directory
        
        PID:6264
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        162⤵
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        164⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6476 -s 408
        165⤵
        Program crash
        
        PID:6668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6476 -ip 6476
1⤵
PID:6624

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:6936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
56KB

MD5
73cc0e4f483412cc2e4e96a41efc5cbe

SHA1
0de55de8fc3d1bd0535b08fd154501175fda0369

SHA256
6bb2aaed8318f090780555d9c260a5cbc5d60d447695086e7074d952a21a07fc

SHA512
1461b80232687f8759f7b7d3bf2cbbe7ec9855f7cab2a7d1501f898b139fd15db0568088970ab70d886063bcafbfabe0700c4c0db82baa92f2af5ce423c8557d

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
56KB

MD5
ef05062bc9da3dafc9c60c1c64541441

SHA1
ea54b6b130675b2fb822b9d83b4f1fa9fac3ce6b

SHA256
f98368cdc9378947310a03761cb23f44dbea7cedfee541f6bbc08763f0c39dc4

SHA512
2d2c7f8b87097bf1620eb22e25d7d50731a3018fb31c03744981d48c2036c68eacae7f3943912c29a141adc1706c0c2cdaace2ce1fd6281d95e83f1db34077f4

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
56KB

MD5
b9e670200a74153063d09f0560e5b41a

SHA1
5efe6daf22ffd20c7e6bad4ff5da5163f8268b81

SHA256
1280f27d6c9982758b7d0a5edd9a910aec301eaa6da00588b2ddd617245b3766

SHA512
bc9e6309089ee1b4c5c8f4aaeccb39bd69304b5afd51c2b9733cb424677830017cd38c83214749c4bd6d73ce0625b8aad740bb67989db5d4b58a693677ab376f

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
56KB

MD5
aa5835411954b3a9fad5e60bae1bbd27

SHA1
0d71e9561173dfbedc10a34739ec8e56fb205c82

SHA256
792cbdb7b3b389f27056177b20078da43ad4d648a2ff651c72b2754ebd755298

SHA512
a6d2e7d967bcc5cae5945ff31ad3f3acccd1da22955960a37df95e56ce49dcd9669bc94e118783aeca4b11db02f4e30baefd82cbb76fc2d424083ce55011c0bd

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
56KB

MD5
136474f0bff48d011e514a3842b8c290

SHA1
6b4c66c4f730683f88fdceb6ab1f1c90ff620926

SHA256
f36dc0c61149cf169c07389f0732621561b395e4cc8936e02a584fc2762e37e7

SHA512
2bd1d719a03d77cbc9e4cfb0ee4101ea199114cb106f2f81dc31402ca9cf4d129c3ac2bf7ccb53e009ab8fa0342060583ef09e7a0aa45cde773273bce6357ca6

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
56KB

MD5
e85c389a348ee2ac14ad5aad2672ddfd

SHA1
b17619de0e00ef561e52cb3fdb7725c385594bc9

SHA256
7a8d6bf5e4999585f8ebe0a9011b2c43863e2cf329135b1111ba80f097efc7bf

SHA512
c50e9637f5fd89675fb6602481f5fa2c9eb8eff882ef7c09f0b59d61f652196beccde9f7ccba490801b4daed7f50dee45c4b05f82a676ab6b2a8835b4647a5e9

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
56KB

MD5
1377fa2b5685cde20929faf276767e1e

SHA1
7bba9dae1a0dba39910d88f0eb0d52dbeadfc268

SHA256
996f7b30f69a055c9b984055a14a57dffed1d5c3a898b8e4b0b1b93a94f5dabc

SHA512
3d51caa68dc35d413a658f599c19fb07df995afb00c88b007987fc6499d1396301029de096bcc4a3183824c8dc0b4af8aba6d7505c167343dd38d36c7bfec574

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
56KB

MD5
09e373169dd4225c38f9e9704aa91f91

SHA1
b91bb37555d16294ff4e66fab78dfaf39896317f

SHA256
f105051df63e02d105bf2b9c1a4d6601250ca5c8e11b4b59624ce22a6ae5de9c

SHA512
0a401a815bec1c52ef9e836664d0babe5eb0b76e319028f0af3f769b3c49ff3bba270c87f8ac36f8377db93e85c5acab99a6b848efc58faaed1b33b6a0c088f0

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
56KB

MD5
9f2178ffe7cbb6cef01e4e2ba6675449

SHA1
751ea6ed5e59520a4579d987517d65fb86bdc1ab

SHA256
b479791a8ba605a7df37cfd186b01917d3a0b2c1105101d7c58bada24911df9e

SHA512
76ee516b1fd7f330009d9bd51838adf3588320b0113b67e357da2ab46cb5af988d630ab785b477652dd96ff1296856d740d5731c7aa47293a8c63b0479c983ac

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
56KB

MD5
f95ee347b228d7755af4e6e37bc59fa0

SHA1
83ffc9cd9634488cdac44e399f4451dc93be2cd0

SHA256
759689943fcb6378734ca0dd0a84805a851bfc861619b721da20acab469eb169

SHA512
4744220037d506ff2732050f56ef6b7a684ad5cabc80ecc167f5a0d5fb411e8ed7f2c9fd22bf83b56f0345fe3ebec4426e230b270f2bf28b00dfe12066b60b18

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
56KB

MD5
836bd9b97e019105ad353ea8cd30b4ba

SHA1
7d2508fe583b56cd9302cc2dd3fe40b28f2088ce

SHA256
5eb8e050486364a6ce34eb11ca6b1a496c8d3f37bb9be12763b3715fdac5352f

SHA512
62a678fad18e9a4dedf326f2f36fba9faa4580829fe3354b210c2150d9bb940b5c8101259520550f3236e89d153215ee31b31604e315a0bb9c1e0406ac97b91f

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
56KB

MD5
fda7a79e8ef2da69c1c3898640d6a1a7

SHA1
eddbd4f7d1f054ae311a78e957551a092c75fb8b

SHA256
f401b2e11679635f949cbca67321f5addf9fd55d46c1dddf43113471f73c385b

SHA512
4b362d31bb23cc964eca67aee9e146f8d29197539fe8b3167da4ca2d2d0ceb75f83c0f38275ae54e2d24f2bd7906f783d9956ba01eea9e1c8abc483609f1ec22

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
56KB

MD5
4f43e2d74e693374819cd2f736b69928

SHA1
787190bb2e36160e759f287117e74cdad691c764

SHA256
5dd153dfa5f4e90c62282e4d6976c41a206c789b1750731ad5ebbcd1690ebabb

SHA512
4bfac046d06ca5d8dad4d4f29b11fc9af379b55f08252f2bcad76a85b96b72c3e916ce08f574692a674a8f6953e6471cce6abb8384cc080b812866dd1ceb1be2

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
56KB

MD5
4fa317fe9b82411e6014ecf95c2cecdc

SHA1
f341804637465cdfe0bf8773b0874d3fdb058383

SHA256
83cc6109ac56254e52b4bfaf6928103721ee2f89c1040b3ff5dd0cf0c5168adc

SHA512
5aefef787b647b9da8db460a4c4a5719d6bfabfd6a7cd65073739200e705767f287d85f5051e2cf526a9ba0505e16d50d642b1876b784cbf91e5c9c2a1c6eddd

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
56KB

MD5
0407695124c6aaff7b487b5c4b612694

SHA1
f76c202afb3c28dddbda4d1fa4850420412b63a4

SHA256
a3ef53da6802f99052ae9eb045345c4dd792e0be5725d7274ee2c7d9e345797d

SHA512
2e64f973f8e45fd16a8b24b448ce072ae78a65aa719aea9c62ac9c4f5da2b14d3321ce5c93a3a055b4170291e2ffd800b1e6190287e695885903ea89d8a651cb

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
56KB

MD5
fc4c39cebb88fd94fe86775173f62c88

SHA1
0e807b69d848d05eebee371eb71c2061db8d0169

SHA256
e46406774b81b755af7a82ae2b4feca4d56576cab16f0b0964deae9bf192160b

SHA512
88fcd01119c5c3088e9dd2560b2f997562966325d6cc815da47c771eeef4a90bc9c2725d810c3f7c394b5c267e35dda5ce430387542bf301cc1cae4de26c8fed

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
56KB

MD5
77f330f744e66cf0ca881caade312344

SHA1
736770479b1725c685f26466191d6643a442dad7

SHA256
0c2f3930bb821b1c77c2c684e69d34a82d7140f9ca2d0208e855963c46763984

SHA512
4dcb77bf2cfab980611c07b2cd8404e8671cbb464a0419a97424ea9ae770c7700a35701b4d9ed2d345a01f11aceffdba505af5be1f45161c5d564e507e4de0dc

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
56KB

MD5
a3aee5f4aeb3a54141c8c40bc397c0cd

SHA1
4d762edcba434add04ec4f470970292c98444175

SHA256
c8a78fd0b39da3aabe9d2a11379591f7f05ae57c1165ead5eb0a028012e5f70e

SHA512
9bc8d61bc3eaae24b6eeef13e140866f4d76a8802b9c14fa1729ce2faeb2b256a253944055d01417f68c71e6dd2848d85611c0e8711e08a2b1ec0def82dd930f

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
56KB

MD5
2a0f7921af6baee6c34427beb4dec698

SHA1
6438a2e0f975c9f6814e1d25aafd00b1972e89b9

SHA256
cd721b885760f1d0030536e2a0344517ac6b8e72d76f127ccfaacfea1bc253aa

SHA512
e53531a666c6a058bddd03da10f23319401debe0abd427e8698e41f48f4670e15439650084f8e4fd139af462500b298e8570f0e8962f2810691d8858ff05af60

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
56KB

MD5
15dbc3be0a837bdfea17458c4f7c5262

SHA1
0752187d409b08e331d5e25e1707a1da28bf72ba

SHA256
af3841b73cbaa3664c810c3b90c2796a707fba4c8620977b305d6f8b9c5303b4

SHA512
14b9ec7527064e9af4b64bedd2b62d1fd357e515e2e8c41ca797d7da7f11144a2af4c8d166fa3f7f21d9e8a88f377fde05d9eb23f0e49c8a66eac715df36fa7c

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
56KB

MD5
1bfa6f4926563af7894cc12a5f4d0b8e

SHA1
85ed1f9bc52874e6917dbead70c473fadfc69a9b

SHA256
eceea021f68fec7cbbb4e5c13f94980ddbcc3bff6f23c2a1f68497a27a34ce49

SHA512
6c93a0ccc6525f3ee5ce73c9f00cd66ca2d266bad416c4f95f8608a11f94eaa2534b3f2054c59c3c1b9ba84a1dbea64f4fa47f2a1948d436cc095f91f90d73dd

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
56KB

MD5
a9e82d796297c32342639b2f09e08868

SHA1
e18494f3311d3922ae795e4c59f398a2db0a4d34

SHA256
b84deb529f08e4ec10928e54936981480b06b3f59dd7b6145e641533ac1b7482

SHA512
b536e3ea921dd296a9b638b0aaddbeeef6ee2d8f8ecba63c4c1a4c038ed40c4a7618adbce7a59d4ad08297f4baec9c7b3e7ea9fa25281fc26ee87030e0012d92

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
56KB

MD5
c81d35455e35d653abd137e208d79303

SHA1
0be9e90073d809f8a053bb096a6d4cd7b45794f8

SHA256
9c731520acceba30b822b6cddb171032b2916eb52da96237b8aaa65c6b5696d5

SHA512
39695642d84989fbae2e658c4eba8ada4221b220208145557fdc3dbf796cff7d384250396849fc8d5054cb8e5ce264d3bbee869eb3708436e395263e4a108f57

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
56KB

MD5
1bce1ea99097bd83564f742ec4177326

SHA1
66f51542d1b1d42172227e214589bc91e12fcd0c

SHA256
c4fbe201c8cf9e511149d062489b7de820d368fc02d8fe370dc2790cf47f80ed

SHA512
50a09d7eb75e6d589ad9e4cec6c2d13fcbd92c4e4c1729e5e31c7a3fbc9f590daac9ab8d87a835d77f6ba62ea73b1a6c09498e5e96b46b5ef0014c839c212185

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
56KB

MD5
142b716c74f338d03061f6a472aa02b7

SHA1
9b11bcc0c0340e471b35d7847066ae8d4d364a0a

SHA256
fd094cccdbba4079e080ed2d3b855989ba61d58579e52c8417e96c826bcc3564

SHA512
22b99988af940f8ab0aaef499064d6362c591872ae956002c912a11a2b757a3665fa52f1afc24451d9909d22a7401d4a5f7a30df79306c0afbd14248c294635b

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
56KB

MD5
8d9dcae40e218d2ff408909df78a0114

SHA1
882acb508e4021920435ad84f23f5680b157e003

SHA256
74ac3e40ea835fb1cc23c36184b0986660c8218ba9f9b2d0b3fe37604b737160

SHA512
b94376f7e4362cafb6fed8bad82b787d4f8e5a2947774518456150a2428070bcb9d3a1d1a366435f4f2e54ad42d7a767f82d2d892302ee43f2e19edd38c6cb8d

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
56KB

MD5
7dfdbea108c643229be95a0891ff8f65

SHA1
6f382ea506986c08599c7bb66a2bc00d83148828

SHA256
be53a924e705004c2ea3c631c820cbe5b9f3d8bf28bcbaf1000d4754a03b1a43

SHA512
3c79e00635d748dd97bf6d9c42af5ee1984b1f960bca86fb3ae40f113f586647c245286cb77941033b6f5e8e2106e2573c56e98e82b45d85d9271a1c150047b3

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
56KB

MD5
61d08ed0c422fe583f4c39c1cc3c83a5

SHA1
682abe2b452b9d73cd0c2ad49d350840f4f372d1

SHA256
97468863f2e541122c521238b3f2bfc4d2e6e76ca9ba8737e9a2ca364a02b7bc

SHA512
9f2f74b06984b950d7c13ae504b108d4d8eb1f6dcfb20d35d7faf38c78929e39f83ad18b172efe1df6441f44c678e35e60117fac07b70be72bec181c0e1ce8ab

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
56KB

MD5
52d4bb4ac9a2fdcfd119cfa0050dbccb

SHA1
f218088ff4c43dced19dfcc022ae1fdc5a3c5e84

SHA256
52d4754af363c5a0cf11f75ae773b826c174fb0d32facd50e3041ea07208ea56

SHA512
d465e71c69a44f9857df1fdc96fad66cadb05316c744336e3380eab269d30f7797bfe011895adfc95f9283af2627dd3ac2342f87d38717845694c647c2ac8b25

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
56KB

MD5
a3289994b4dac4aa66a5e8d02406a640

SHA1
3dbfc6d74fd53dcd1dd3a4379ff59fa36b481eaf

SHA256
b60e787fe86040ade84b969e5a2f200776026b3036ffd815e9224592542650bf

SHA512
22f7853a70701e7b13fa1afdc401224bb939fe0b420dd6034af792336dc559a8d215782cfb0007a4eacc61eb9f4e16d3bd6ac559fff360a5f0e4890015a7520b

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
56KB

MD5
720934853327d6fb0cd40428855d1eaa

SHA1
d68f324db77bb3aaa4a609094bc521f959e92871

SHA256
0f0471c6d4ba964f0b9afcd5d0a40ef2b96718451b6d63b947918fc592faaf25

SHA512
4a6c0de6e0b2e20678f1e0d65dba1c8de61cddcb367d8d3448097431ac06fb3b924b9abb44b48d6f33c92c66397ab417b1bd38726c7baaccba82e1f689b2273f

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
56KB

MD5
35111eba46fa67a33fcbfedcc6e6f33c

SHA1
b7a3a575400f92bd613cab77d361d3524878dce9

SHA256
f6880d4cd30787df70408e811df48510d15cd0bb63edfce99a288e4ba574af2d

SHA512
638ccf47c3b9bff28b6618baafd5f0d73c750876a4915b0b4f5b0456b0f6db9ed95dd0cf473186a5349167f38a979c86d334f348f2ddd7bb56d9f2daf326d8bd

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
56KB

MD5
0c46d15f08b60c1d0084cddb048ca116

SHA1
9575db3c24cefe9c34d34aca399a2a91b38673b8

SHA256
b07cfcdf8079f257d9db9df56a70c8b991a6b1df33b2c7d98a1394261d23c327

SHA512
b702d9581da1ab3c65417769c22a815694b23bfec3594b2b470398f7649eb3028a7245e49919ccfd893a13c7c9810c9f52ffe262a68e68695fb3bbfbad49dc8a

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
56KB

MD5
551d06db771122431a216d8e52797319

SHA1
c7f6eaa3e743f4b6cdc9de499725233c32862e24

SHA256
83bb2731e95cc2e7526215217d0795ac29c8f3c8075c2d6cd7465c94c1b1136c

SHA512
a8454d73ca3bc48ec8607d935d6566627af133b0b23a2161e7cbb96f5b46dedcd8f1fec3421a28f5d326067f0cf98625157ea3e3690deaa0f26d0a10a3d0dab8

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
56KB

MD5
777e8758582814fbf2ef1c84ba421ad4

SHA1
1456db8057781dbc705b32daeca0e12aa82b28a4

SHA256
b12c1f5798102459d4d7c17d48e57021697d104e4a4817e8702a5c57a4b1a4a4

SHA512
41eaace1c6d57f7b6eba5c9fe29a0bc74f49118bdf4ac5b0970689a3ea652a88ef0b7845d83f01185eedb16e7efbdc152d4d8a308f0542e7c3b624a74a4267a7

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
56KB

MD5
b07629a480ceebedd103fe627af848b0

SHA1
382aabcd86b04815839ba9022e95434e000d2610

SHA256
692a90f434ed06678ef46897214568ca3b97854eb9c42258f0014f58e61309a1

SHA512
6159a2ec74ecea9a8ccdf367a4d3f2ae8e7a91a77feb79a74930ecb86f09690aa423166f4191608ade89dc27d9463d935e2eb835ec0b1e83cace80ba79487957

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
56KB

MD5
c611be4af77ca55560315f6ca942326e

SHA1
673efeb298a6730f54df1871bbf32709594f7280

SHA256
9bf4345b2ef2d58987bbdcfacbeb1f152c09afc9fa7a36f6af37c11d0a7ece15

SHA512
61fd434ad704051b38c9a7525211655d179b92ab1558b53f80de9529a1507bb482dae5247aa935019fd24a7996eab58be51f0527a201e5f1392277327b0725d7

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
56KB

MD5
019583a4471b386200eae64a3f168c77

SHA1
d331d322db35a88225a0022734b98d1eaa823d7a

SHA256
839f2f3b2afedc246911deae57923951def19d7805c6078078450ef39e6fec5b

SHA512
12c9edcbff66c45b87f110b7624171c35614c3ab51816939f58d91d6aca09be07e5cc97dc50192168e334432cba71aedd2f027f6104ed567b7a24c9870e0242f

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
56KB

MD5
e9cbe6ddfe691e99f142f666f7416064

SHA1
af126008a99b4705698643aa29729862b2055a32

SHA256
aa99e54ec8382831daabb50f5b4ba1a948f888204ee411e7086ad11a24477c72

SHA512
4cf81667cb7ac3cf3c06f5403fbd7c798cd7444fd4e8a8322f45fdf1e2221318bbe251a1ecee04aaaa400ec32f97f2dde0216babc074e64c39c11dd33f57b294

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
56KB

MD5
1aa5d3af5e8618b358fdc6a54f537125

SHA1
4869d8bc1b8fcb8a1b09a160dfc508df6215c936

SHA256
132681c1752673fd50a920840190234fea4e5f0aeae624443e65152d20fa442a

SHA512
f68c55977c62864eb3cf392aa9e0acdfef670bc599eda5ca2af3bef00fdddf5c35e973bf588cd2dcfc2fee9b61c8a4a3c7632aed05f1c2d9845fff174c3f2b5d

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
56KB

MD5
8d472d627b76b9dec1f994b26eca278e

SHA1
4ef65b3463a58e59881a829fab39ef9d2734d001

SHA256
4ce6ee181b30a7736fbb1168d2d677e0ad0f65b8d34d4763690a1662335c13ba

SHA512
a59166ad1e0a777833aedb4be33bd009cc6d8faab64c0cbd946e9824964837574b09839add514812e422cdd75a27e2dc504d3ab358a71c240a292497880e4122

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
56KB

MD5
6754a9d25251d2a894298e91a3dcf36f

SHA1
f9f43eb2fbaed57ec35effef6cd9cee76e88d792

SHA256
fec46ac1504e8d689765ee78e9a071ae08f6a5eee368ad204225bbc7ce952879

SHA512
6d011197af54375b6021aed3f3187acc8fbb0571b75f80d74f1252fbcfd41e81f4c17be7bcb8969dd82e6f3a0f0097ba9fd7ba87d8c0b0e7c0f75f74e6c057ea

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
56KB

MD5
450a99aabaae94a6966782e34433477b

SHA1
e27f3ece8c08e3df8cc36ee302547603ec1a9483

SHA256
2d715903772e28cc9f6909bc42eb24fa2d4b1ffe87d6dd7b260aff0efc4288f5

SHA512
5c53a30f49f3e6574079eb10d8cee3f60f356d3c7e3bf747ac9a50d4a0893e3583a98c540ac19174bf7459a510fcda6f2077894e65ac667e01b784fe25c7de15

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
56KB

MD5
9b6cd548cd51af6003088dfbb50ffde5

SHA1
a515fc877ca52ba49ef607519ccbe29b64cf22d8

SHA256
b6c3224dc740ee8f1009bf8c5e339cafad05ce658b795818e66fbc4c30dfdf04

SHA512
e192698c56c526ffcde16d3677f6d99e80e2959809097725857e20ef0c908e53666d34a7fc4619203d870a17db5b5102ddde2bcb0257175f41a1909152801143

Download Submit
memory/64-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/64-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/212-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/212-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/312-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/312-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/664-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/664-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3796-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3860-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3860-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4892-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6180-1170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7164-1169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads