feaa195939c9550bf0e8c3cc4a2f13fff7a42fccdcea40268ea6c7ffd5f545fe

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b67340848e10b2ea188fc085d86428c0_NEIKI.exe
Size

74KB
MD5

b67340848e10b2ea188fc085d86428c0
SHA1

c0a7767f2accb7a7d68250a259e720b5cf113703
SHA256

feaa195939c9550bf0e8c3cc4a2f13fff7a42fccdcea40268ea6c7ffd5f545fe
SHA512

5ff3353369f49e4a755ac2a83b4a67c84f57f2aec2a54bbf1f7bca1a23d173252a0ec81530cb5d73c5fa0429e727a2da74fc7240c37858500e6d72945c6400a7
SSDEEP

1536:0XSlwJ9ZmR7BxsOUEAKa7y03nrz62FemD1Wdqx0rEv:0XS0ZmRd+OUEw3f62FtDYdqxGG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efneehef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe

Executes dropped EXE 64 IoCs

pid	Process
4124	Efneehef.exe
3124	Ehlaaddj.exe
4592	Eofinnkf.exe
4156	Ebeejijj.exe
3576	Ejlmkgkl.exe
4184	Emjjgbjp.exe
2064	Ecdbdl32.exe
3396	Ffbnph32.exe
2024	Fhajlc32.exe
2328	Fqhbmqqg.exe
1380	Fbioei32.exe
1528	Fjqgff32.exe
4044	Fmocba32.exe
5068	Fomonm32.exe
3896	Ffggkgmk.exe
2360	Fifdgblo.exe
3724	Fqmlhpla.exe
3028	Fckhdk32.exe
116	Ffjdqg32.exe
888	Fmclmabe.exe
3652	Fobiilai.exe
3904	Fbqefhpm.exe
1028	Fmficqpc.exe
2512	Fodeolof.exe
376	Gbcakg32.exe
3512	Gjjjle32.exe
3676	Gmhfhp32.exe
3552	Gcbnejem.exe
60	Gfqjafdq.exe
988	Giofnacd.exe
4216	Goiojk32.exe
4392	Gcekkjcj.exe
3644	Gjocgdkg.exe
1752	Gmmocpjk.exe
2084	Gpklpkio.exe
2184	Gbjhlfhb.exe
3852	Gfedle32.exe
1808	Gidphq32.exe
1560	Gmoliohh.exe
5060	Gcidfi32.exe
3384	Gfhqbe32.exe
3668	Gifmnpnl.exe
5104	Gmaioo32.exe
3128	Gppekj32.exe
3088	Hfjmgdlf.exe
4896	Hihicplj.exe
4076	Hapaemll.exe
4744	Hcnnaikp.exe
3752	Hbanme32.exe
3096	Hjhfnccl.exe
1040	Hmfbjnbp.exe
4804	Habnjm32.exe
4284	Hcqjfh32.exe
2068	Hfofbd32.exe
2772	Hmioonpn.exe
1624	Hadkpm32.exe
5032	Hccglh32.exe
4416	Hbeghene.exe
2308	Hippdo32.exe
3996	Haggelfd.exe
3068	Hbhdmd32.exe
4816	Hfcpncdk.exe
4300	Hmmhjm32.exe
3460	Ibjqcd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Habnjm32.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Mngoghpn.dll	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Kibpam32.dll	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Klfbpcko.dll	b67340848e10b2ea188fc085d86428c0_NEIKI.exe
File created	C:\Windows\SysWOW64\Bofjdo32.dll	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Oijnep32.dll	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Nkbkiioa.dll	Efneehef.exe
File created	C:\Windows\SysWOW64\Eofinnkf.exe	Ehlaaddj.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Hndnbj32.dll	Fmocba32.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Fbqefhpm.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Fjqgff32.exe	Fbioei32.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ehlaaddj.exe	Efneehef.exe
File created	C:\Windows\SysWOW64\Dmnlpfhd.dll	Fomonm32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Mcplce32.dll	Ffggkgmk.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Fodeolof.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7004	6808	WerFault.exe	271

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iannfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhlfk32.dll"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Goiojk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagmapfi.dll"	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofjdo32.dll"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fobiilai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fodeolof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagichjo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 4124	2780	b67340848e10b2ea188fc085d86428c0_NEIKI.exe	83
PID 2780 wrote to memory of 4124	2780	b67340848e10b2ea188fc085d86428c0_NEIKI.exe	83
PID 2780 wrote to memory of 4124	2780	b67340848e10b2ea188fc085d86428c0_NEIKI.exe	83
PID 4124 wrote to memory of 3124	4124	Efneehef.exe	84
PID 4124 wrote to memory of 3124	4124	Efneehef.exe	84
PID 4124 wrote to memory of 3124	4124	Efneehef.exe	84
PID 3124 wrote to memory of 4592	3124	Ehlaaddj.exe	85
PID 3124 wrote to memory of 4592	3124	Ehlaaddj.exe	85
PID 3124 wrote to memory of 4592	3124	Ehlaaddj.exe	85
PID 4592 wrote to memory of 4156	4592	Eofinnkf.exe	86
PID 4592 wrote to memory of 4156	4592	Eofinnkf.exe	86
PID 4592 wrote to memory of 4156	4592	Eofinnkf.exe	86
PID 4156 wrote to memory of 3576	4156	Ebeejijj.exe	87
PID 4156 wrote to memory of 3576	4156	Ebeejijj.exe	87
PID 4156 wrote to memory of 3576	4156	Ebeejijj.exe	87
PID 3576 wrote to memory of 4184	3576	Ejlmkgkl.exe	88
PID 3576 wrote to memory of 4184	3576	Ejlmkgkl.exe	88
PID 3576 wrote to memory of 4184	3576	Ejlmkgkl.exe	88
PID 4184 wrote to memory of 2064	4184	Emjjgbjp.exe	89
PID 4184 wrote to memory of 2064	4184	Emjjgbjp.exe	89
PID 4184 wrote to memory of 2064	4184	Emjjgbjp.exe	89
PID 2064 wrote to memory of 3396	2064	Ecdbdl32.exe	90
PID 2064 wrote to memory of 3396	2064	Ecdbdl32.exe	90
PID 2064 wrote to memory of 3396	2064	Ecdbdl32.exe	90
PID 3396 wrote to memory of 2024	3396	Ffbnph32.exe	91
PID 3396 wrote to memory of 2024	3396	Ffbnph32.exe	91
PID 3396 wrote to memory of 2024	3396	Ffbnph32.exe	91
PID 2024 wrote to memory of 2328	2024	Fhajlc32.exe	92
PID 2024 wrote to memory of 2328	2024	Fhajlc32.exe	92
PID 2024 wrote to memory of 2328	2024	Fhajlc32.exe	92
PID 2328 wrote to memory of 1380	2328	Fqhbmqqg.exe	93
PID 2328 wrote to memory of 1380	2328	Fqhbmqqg.exe	93
PID 2328 wrote to memory of 1380	2328	Fqhbmqqg.exe	93
PID 1380 wrote to memory of 1528	1380	Fbioei32.exe	94
PID 1380 wrote to memory of 1528	1380	Fbioei32.exe	94
PID 1380 wrote to memory of 1528	1380	Fbioei32.exe	94
PID 1528 wrote to memory of 4044	1528	Fjqgff32.exe	95
PID 1528 wrote to memory of 4044	1528	Fjqgff32.exe	95
PID 1528 wrote to memory of 4044	1528	Fjqgff32.exe	95
PID 4044 wrote to memory of 5068	4044	Fmocba32.exe	96
PID 4044 wrote to memory of 5068	4044	Fmocba32.exe	96
PID 4044 wrote to memory of 5068	4044	Fmocba32.exe	96
PID 5068 wrote to memory of 3896	5068	Fomonm32.exe	97
PID 5068 wrote to memory of 3896	5068	Fomonm32.exe	97
PID 5068 wrote to memory of 3896	5068	Fomonm32.exe	97
PID 3896 wrote to memory of 2360	3896	Ffggkgmk.exe	98
PID 3896 wrote to memory of 2360	3896	Ffggkgmk.exe	98
PID 3896 wrote to memory of 2360	3896	Ffggkgmk.exe	98
PID 2360 wrote to memory of 3724	2360	Fifdgblo.exe	100
PID 2360 wrote to memory of 3724	2360	Fifdgblo.exe	100
PID 2360 wrote to memory of 3724	2360	Fifdgblo.exe	100
PID 3724 wrote to memory of 3028	3724	Fqmlhpla.exe	101
PID 3724 wrote to memory of 3028	3724	Fqmlhpla.exe	101
PID 3724 wrote to memory of 3028	3724	Fqmlhpla.exe	101
PID 3028 wrote to memory of 116	3028	Fckhdk32.exe	102
PID 3028 wrote to memory of 116	3028	Fckhdk32.exe	102
PID 3028 wrote to memory of 116	3028	Fckhdk32.exe	102
PID 116 wrote to memory of 888	116	Ffjdqg32.exe	103
PID 116 wrote to memory of 888	116	Ffjdqg32.exe	103
PID 116 wrote to memory of 888	116	Ffjdqg32.exe	103
PID 888 wrote to memory of 3652	888	Fmclmabe.exe	104
PID 888 wrote to memory of 3652	888	Fmclmabe.exe	104
PID 888 wrote to memory of 3652	888	Fmclmabe.exe	104
PID 3652 wrote to memory of 3904	3652	Fobiilai.exe	105

C:\Users\Admin\AppData\Local\Temp\b67340848e10b2ea188fc085d86428c0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\b67340848e10b2ea188fc085d86428c0_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\Efneehef.exe
  C:\Windows\system32\Efneehef.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Windows\SysWOW64\Ehlaaddj.exe
    C:\Windows\system32\Ehlaaddj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\SysWOW64\Eofinnkf.exe
      C:\Windows\system32\Eofinnkf.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4592
    - - C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
      - C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        23⤵
        Executes dropped EXE
        
        PID:3904
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        27⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        28⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        30⤵
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        36⤵
        Executes dropped EXE
        
        PID:2084
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        37⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        38⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        39⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        40⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        42⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        45⤵
        Executes dropped EXE
        
        PID:3128
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        47⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        55⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        59⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        63⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3460
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        68⤵
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3044
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        70⤵
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        72⤵
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        73⤵
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        74⤵
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:684
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4412
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1228
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        80⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        81⤵
        
        PID:316
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        83⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        84⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5052
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        86⤵
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        87⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        88⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        90⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        92⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        93⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        94⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        97⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        98⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        100⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5808
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        103⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        105⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        106⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        107⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        108⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        109⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        110⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        111⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        117⤵
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        119⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        120⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        121⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        123⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        124⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        126⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        127⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        128⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        130⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        132⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        136⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        137⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        138⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        139⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        140⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        141⤵
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6336
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        144⤵
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        145⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        146⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        147⤵
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        148⤵
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        149⤵
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6628
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6668
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        152⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        154⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6840
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        156⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        158⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        159⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7112
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7160
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        163⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        164⤵
        Drops file in System32 directory
        
        PID:6268
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6328
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        167⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        168⤵
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        169⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        170⤵
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6740
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6820
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6884
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        174⤵
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7108
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        177⤵
        Drops file in System32 directory
        
        PID:6148
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        178⤵
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        179⤵
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        180⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6596
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        182⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        183⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 412
        184⤵
        Program crash
        
        PID:7004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6808 -ip 6808
1⤵
PID:6976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
74KB

MD5
ba34f18bcdf371ed46b2f0ae6d32471e

SHA1
b09fdf771f2c24b5bf3be73603dfc74acb6bcb5b

SHA256
2ace5f1ff3879b378633c13f0340b26192b98c9db74d5d67c84ed483d2d4bb6d

SHA512
950d55f8bcfbce570ff706ab31508dcea4e3622917907781529194f7efa737cd8608c958902828ca58e9170678613e6c0018ff59a485a64dcb82dec6bf1c2596

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
74KB

MD5
0ca8b4a3eeb566a46bcdacd41fb7fefe

SHA1
0f4622b2f84c2a2102d7bdde28349374da2385b7

SHA256
0c572c62812480d28726cde783d12342ede8a424c42c4d2d8c1f6c70bc1b97e2

SHA512
3d9f53569ceddd3bb975b62e4a73d3f6d58a1ca3122bf3c96e7734d7dd396a726da649907c860bdd5621cae24e415fb1f263cdc1d03840c4e8da172d819b6f7e

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
74KB

MD5
8827fd02fed031ed15aed7a5ce7706b8

SHA1
ddd6064f18735ad2e110ef13d7dc339338a28b1f

SHA256
b19be358a08ae08c434065302e5cf1313cc3984ab30af762e5ec9640b2233d4d

SHA512
8bd412cbdef9e2cc7e9e50a0c0527331e28396115a3362bcbec76b3c5a7eb4aebae5b3b4c12492983c8ef56734e904c35d39690b3c374d4b6366a203684bbdcb

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
74KB

MD5
f42515a2e161733c7747fccd4f11e7d0

SHA1
473464a025564a2f4a0a286d25e10800ccccfc04

SHA256
e313a5da722eb79a2c336f8359c8e6f86d73207f7ad581dd2df1dd896b3bd267

SHA512
72c7ee871fd21afc75a8355c75d5187fa5cde6544cdc38a22d738b91e71c044821f0fb1655159940285e7e076ea22eeff2d4a5b859d46fdbf6209217aeacb5cc

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
74KB

MD5
8f35cc24cc2e8b6b9d707587d3b514fd

SHA1
2d357208d4bae72b070539a2562aa6aa1892d097

SHA256
90bcb6598efd69da5a5a90ee1009189365211a9d1d42ee698518bbd80287397a

SHA512
11ee85698f0972f21db830225c6e60996d4513a4738cd7a4af3921aa7698b31c7ae42c14932ab2855399b3e530a8149cf5f8af33d65276b061a27b17475efa4e

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
74KB

MD5
b5d08afff194f838ea02f45b06454445

SHA1
0b19bdfd7f499e26131735e0b98f9e04dfd850e6

SHA256
75fb1fbfd80d24b6df049874f0b922fb17f48358a592f17ac607191b156a3202

SHA512
923769f504a1e9002c4aeb64e477ed82894c276a6946b02f0dc290a30b60b4538cf69ef019e20a1535e44260d473c3115fdb8d50d97a81e0bfc33c41073eca54

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
74KB

MD5
9e323c604453da3de3891bfdb2a4325e

SHA1
739892554b5c564149c8e15b48125643dc21fbd9

SHA256
e0c9737328db28202e5fd60ecb1b38179093a1d8a8f38fb12abf78a6a6df8896

SHA512
680a783d4868866906b0dd3c23683eb2fc5ab94833b29cf9bad35d8c56a012a7d20417005d4a1c22e985b2f1486fa799a3d95ea96c8b71f34f29c1fb41204459

Download Submit
C:\Windows\SysWOW64\Fagmapfi.dll

Filesize
7KB

MD5
49760aae74fa3c5a894f067ac3bbef9d

SHA1
a14869e7b79ba8240f99c423ca426bdefad1ee43

SHA256
9450d20a9ce08ed82d62c1af4f4ff7e673596fb5aff335f39890dc5a2d26a689

SHA512
9a4509f58fa7642b030263652fe4e4fdd9a5fe827083286ada783d2fa3b52b34595393037872f1c6b3c57fb6da1ca1b6db264a2f156d84fadcda3e7ac1d38d2b

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
74KB

MD5
83e7cbf06861bc56ecfbf900212d1351

SHA1
1647db1c50b8b4e5fbc51e4d2fb68d5064f66c2b

SHA256
555bda58626b8ba449da760ff2874c46eb9b24e91420923adc73ddff46fd965b

SHA512
2bfd1e45dcd638b7f05b5c4aeb9a1166330ab5cd9c039a724d203b06597e9afa1e711350e43937a0babe970aa2924c9a8dcc14d1f6bb333a32d8030d9bde0a24

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
74KB

MD5
2ff74fc8e5be5f9db2bfc6b9fe97dec0

SHA1
2a77f30dc105f4c5e91189a7fc4b875601fad568

SHA256
0b354461cd27a0e33f0d6daaed665890138c3b37c2ec4ca30f1f9d19156318ac

SHA512
b85813d463d424cb6c4c8c3773a75ecc33eef022a637fac2563f40c76cd76cc63f4461c19dc89fcb06650ee01586c8300279e6ab5c23a1e2d8a058ec2c0c5188

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
74KB

MD5
6fa3523a562038bf050fbd5e75468d46

SHA1
e19a2fe57745eb18aedc250296d01f4ca528f03c

SHA256
9f33d1500d10b38e4d238883e691a4d11ef59d733a4196b024f077a1e2f771ea

SHA512
2599164d7246935b5eb3299d2d27354f5599f1a690e4d400880528a3d550f5ead63d6174e63b7615fa0d342421f40afaa970f7bcb636aa5b04f387d1362c7415

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
74KB

MD5
85d80c8660e12dd2d4395cf75687b5a7

SHA1
4bfe0e786d46f1d60e788450c3e11dd5a9c71d0e

SHA256
f043cd059870082812a5fe325269124d5cc1d2850ced3c884e5bb4914d5b18de

SHA512
4307f19dfc959679af949b5fe9867518af89aa1a8456108cf52239f3c7fd495be932e31e8a019a8cb828eb1b42715846797618ecb6119a72a58a67dfbdaab4e9

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
74KB

MD5
715d2512c2c599f35ae996320620dd9e

SHA1
9d46194afb3b0d8cde95c1012e3ed68861f86f78

SHA256
23d47f50406c290df4619cc280d14201793ce7df62f0ea254b8884d6b98f4b93

SHA512
9c71ba7df122e0b9021d3a7b1e0f1b93646e91793c1d85dc1948aedf7388597a8a47429dc592166a3141b43fff57e7e96ba1e2fcfa3a9f11c6bd370e6ef20002

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
74KB

MD5
c5f53a49938ca4c2ebe79c5c0bc3174e

SHA1
8ab41310b3745aa819f51acc8988902a5185fe68

SHA256
4cca0f96e5dd58f5a7df509b736123a4221a401f2c0df2429e566382493f8fb4

SHA512
9018c75df2eefb0775350e3a8a50f79f0ab702b6953184b50e05c899471efd044c0452b3d97a91b9b27dc6f94278b0c466d2c645c243ad3e914e85846949ac96

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
74KB

MD5
18a7e78c3cf094062f6bd4e47d68cc54

SHA1
b291c07a74c1cb2732f05fa5f5da184e2a259f73

SHA256
0c7d1c6d1e3a4fe5da4cef881fc7a8780958c9fcfc0d375c707b79a154364f44

SHA512
72a1b5f95b1a88bd590068b9da6b2f20fda1ac1171ac3d6a690534778b3239903e738390a6293a4206a4d8fc2d2a3060add4732e8ca3af846450d5bdd038eceb

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
74KB

MD5
ef26db89c7e0e6a7af6e2f88da6b986c

SHA1
574948918d1bfda6e58c0a388c5e27545b69ecf3

SHA256
ea39d65d1a76826fb8cfa29d38c3b3dfe392d123076b087059ecc13f98527e5d

SHA512
b7db17a7ad1870b6754719e525a038b66f6b68900c1d0c9f89031d069700ff688eeaae921b3dde8b0c02f4f300f43c702950c95a4e3f59c54972152e10325686

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
74KB

MD5
b5bb92ef9de902a9e8a31cde0e04b0c0

SHA1
c67da930cddda0f5e7595e321af8ad1891b80a75

SHA256
17d9bf7ec63ff4e5f37e677fe6e883f7cbaad55a9253691c159108fe36927c0a

SHA512
fa9889f4f00fa39b9b17c81a44a353aa2b6b6e3d176d731b03602f5f201c0728c512cec23dfe5c8d98325d994b1d83aa71a73f1fc94d449fd2d4a7c6b806b29c

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
74KB

MD5
a24727663f7f9fc3b1f1697dfec574e9

SHA1
9a5246ff9e90719850f0c2e1cdd2264ec209543d

SHA256
1bb7f11e0a4d563d26337f5dff077f9abd2c93cab7bd50d02309271d61df6bc4

SHA512
9c073c78d1b17f333e3060e2467d0601b77990a05d82956caa5bfe492e91daf9badbd299d2724fdf588858f71b2c2e227d39051e0b4f94d1a13eff34099e7ad3

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
74KB

MD5
6add64af4ef13c9f0aedd6faeab3a2ba

SHA1
d04f0bb1208d4fed95d5e4c31fd4fce7ee6bec66

SHA256
902faa95b444d768365164aefbf38deb6ad4a719e2cb219cdbc8d45eaf99cc74

SHA512
08df790c954b69f764297023030e47142976b30d6df8100c441fc1cac8af0e94540ebfefa3f46a611674f386ee3c19a31ef0b390af68eec7fc4155d833666099

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
74KB

MD5
d0f9943ba6f036d83750c74689f7fb57

SHA1
bf0109ae79efea92f049211190561f0daa1c7747

SHA256
fffa88ca5700b5c10e790debf4e9566635fe4f440a097ab633c40db851eff72d

SHA512
e47acdeac608485461256bd08a08c43a030bba15229b6eda6edcf54c2008defa6d0cd8266a03ef5ef32c250711bf1429295cc719339e5e819dbb8e0291a409c9

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
74KB

MD5
b226a40328b48e48903e117a79111ff7

SHA1
138fac3004154d2bebaf80a9cee87b55a171226b

SHA256
cc6d2e67aded094c3ffeb22878471d584a675ad0a2576cac93f21d7b092f0198

SHA512
d6694dd9dcaf1f4214c3d6e12f967a7eb98c819ed45d325349adfad5dab3496f025afb9b8ed83375dce78d29f387feab4b5caad2ff121a8064be5064ebb1990f

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
74KB

MD5
d31333e1742824906ba04b236c6413eb

SHA1
954f92872b8128a824860906b59270a818fb2ae5

SHA256
c12048704c56bf266107e518676710349b3dfa4ce521161a70b1fc157751fa42

SHA512
2f9ed1ad3799c20776ee27bc31dd5fc689d86463d941f841b5e998f0fd7efe35f4ad64cf5bd55539bc11d1a78ddcc24f3312abfb2757ea1603a6b5f211ca48c3

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
74KB

MD5
00fc5f399b960bbc1ad17e72cd41e573

SHA1
65d864b107b9c837c30f1dbd682fe6ebd2f164bd

SHA256
499adf5d9d5a916f25f60c3ce4b8680b55346f53a657a2354e1d527072edf059

SHA512
f36ed2824c0a577fbf32577c0c5bf69fefc9211cff161cb977f81175f030d757a076c9c07f9798ae94f05c58b6132f0bfe39aea9623c8f63476a0512552403ba

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
74KB

MD5
52901fa1b652d7efb6c2588e5d77717c

SHA1
a816d04387136b8d0f555e6265552b5030a824eb

SHA256
938b6a00f395f568a21137f78e0f63fc71022384f24644d57b9334352e0da522

SHA512
7888d149139f2f88e4ce0e7d70ee5897c5e811174975390671b4285067875936b85fc3118959c37972498a457a008045ac78198b385e29be75131087eab90e0b

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
74KB

MD5
ceaa7cbd1d580baa2a6693c48e6ed32c

SHA1
e274bd67d581593f8382eb0882c2959db118e72a

SHA256
9787d4f006b7ef1ab2d8d0f4b9464a9f60790e6afea608e4a9334d8141349fcd

SHA512
77ae62e64d7a1dfdd36a08bfec53c2bccc2e3e570edfb1e78fd19dafbbe199ca601bc3d65b2beb4b169cb8605396c44ebcf7d096f4dbaeb9b3f7ea6b49c31501

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
74KB

MD5
29634c49a7f19122c3084aec3be2824e

SHA1
a654e5014e3678626b3aa982c7ae9200a99b9388

SHA256
42cad7c21f2d57984af2c54059abef7d50f491de710b13f87b6e22ffdc821460

SHA512
54c978687047501f407ccd2a3231201e58fa69aa8afed62d1098f5dd91fb3752aca074c6a654440c6e32800d688de00fc38d576fdfb2ee5c8bc5050da8dc8428

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
74KB

MD5
7f548b878a3327a2aa8b0d4e790d31d4

SHA1
d7e0244c012fe9c0b6a7229e50c1f95620f5020f

SHA256
d44b915456c2f6e68720dccd82d2eedcf86dda8f34f9863d444b807b1803b76b

SHA512
ee7ba89ce4626ad7c478ed25b6a15d6b56e65f06652a7f7ef85e428795bb6051a392b2cada697eefa2c0b57a58f0713be0cda2907a192056d70b2463538bef09

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
74KB

MD5
5fc379d7a9598e11c7bfedcf14f4959c

SHA1
14a4e75611195d37bd30763f8366f35930f263b5

SHA256
1acaf327757cb6f4f51ac087b03ac593e78f0f9717b16b4fe8bc83053f5731b9

SHA512
13aa7730b07bdad09a6aa2d339c716488fd0f100ad19020e3eabc9bff04d36ee8a26b2dbe1d70fe98de129b45173b06a4ad79ac1cb2a94d3e2a3086fba938036

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
64KB

MD5
f024100777d2d8b1a91d1bfdb9f9c0b4

SHA1
67f77f923f2a5160470e3b9cde9534ff91773840

SHA256
547b63b9941e105e94e33cc58f66a0f3316650c7fb3b1d360bdecc8fee05d71e

SHA512
b4ce8d59c93d3f78d00cadb7bb4c89e3b4adb6280c40bb7fd76a3b0f3fa46d6065890bce4ca198b81af3a71fe59797d1b4f76c1f12562691b2d6fad981f655a9

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
74KB

MD5
3fbcf5fb18008bfd953634b0a0c9b3dc

SHA1
64854022d4a622a4798ef63a50da636198fb272a

SHA256
58e08d18c6cd9134ddd4b3eb4cd32b4434e229d629db7ca3bd8c6a4e5f99b580

SHA512
3fdba612429c188d016a5fff634607394edbbe4606710934e906d263eaf74967c06c3dd9a09c0d6de3242f387685798e8cd6fa26f7cecd8f8af25a7db3e5e0ec

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
74KB

MD5
2af9c1d6e57b43cea0adff7732b4e963

SHA1
178d0911895cf1df35abae5b97be715abc1a030f

SHA256
bff3af8a177a8b6f2546abac1bef8a93a9002b720febc3ad02edff5790f0953e

SHA512
1459f3a8b576cc59dc7c90f90925e2505c85add2591bb550d804bc7028276b7df8afecbc4d95e8b30eba6b9687ba61a106ee7770125a32eecf8116becbe9d3e7

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
74KB

MD5
317a4ac2ba0453d92ab94eb5706ae22f

SHA1
7a3f807fc038537475ccf2527dab323cf48cb763

SHA256
d42b361123adca5789e61220791960f1eefb96e942ec596f660e6de6a0a94ad9

SHA512
8efca9a98f59593ecfe2ea33f74400c603773347397c5f1f235b907bf13a8f6c0239ee60da619d9b8da4efd622e547b7db688f8b179fdfd3734535502f2c893e

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
74KB

MD5
ced8f260037b339bd2887767bfb5df39

SHA1
7600cd659060d269e9785cb5486eb37da64947b4

SHA256
f1e422336a97d8babc7389d35d2776aad36741c6b482ce00c13561c3c9a7cc83

SHA512
f946b639a6a000f1911172f582b65034376164061b489647878c8ae0d00eb734726490f67dbe76ced15c461b0bcb11d7e9e39ef04eb51b6f789f634a610c67e9

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
74KB

MD5
56f615da90afa6b3c772e252d9ceda55

SHA1
2974156d93f393ee5ab20c67e05951f4c403ed03

SHA256
777760c62ee2e988ee1e17dd3d47b0c757c9ae81e1db2e8c12a8026248e35147

SHA512
2aba410014e41281d678ca254f41a5ec789f036c39a45c74379e4ca28014c1dda66dc7282514699d27d537255d1fccb16e2fdb8f338c31d6eb52d5727f1c679b

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
74KB

MD5
88f05c3df268c1af6ae7a4e826193064

SHA1
a8754a43c578e5a2a64d8f11c5fc7f535751b533

SHA256
4f2ee80ce13f561ff50c55457a9c281d74db579c8dddea95b3fed07ea4b6fcfa

SHA512
90a1519957adf78e4bf15e0905e896c87649fc8e24be142497f1a575d58f867113996e6e303a76ada8b140e1b82d46e317d8482483cc59c3f5b380d2eba4ad5b

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
74KB

MD5
03d41164a33d4a7ade5951509a576907

SHA1
c975b336b304b4ffcf8fc3e6ec2aa7f2279a6e73

SHA256
22b5ea861ee2f3ef7930107f57b0c967b01be7854faf7e6811e05873deb6c547

SHA512
41339568d7f43a1f9010909629896c796989877e5016653a345480356fe59f116e679a2fcca767c4751dcf28006f9a043cb3b4459f1237fa74c77acf08353226

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
74KB

MD5
cf12fcf3799b8da9776860d0aea6e154

SHA1
43637b9b31d5386d9a36018e7ef71feef8b40dd7

SHA256
47c09158b895d6b04c1aa6f298b5f6be4b9c6e266732f3ece10f85a2b78596bc

SHA512
64b5f7a66186da0a4d5feb20880135900183f9befad11b45d1027009486822859f130db066830d56fc6fd8d3216a9603fd883ef57d401d564346502ea2bc6d29

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
74KB

MD5
4608081ab3c3da7727fb9260ca1ab0da

SHA1
b8df87a65137d4ada1e505bd86cd07a0fd4c6ca3

SHA256
3b363f4539c23e8f49478b695c3bf2071b7dc7933e06ef1914a7fcf6db818f34

SHA512
080497517bea8031c9846244fe32a7575aeca8e1cea9819c5f0a758de82e6ff6041f91c0e9eaf622da43f75e91f4509f1921440800813ef8a8229a1f7bc8d2a0

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
74KB

MD5
8c603134761ad3c0d070c60ebbcdc57b

SHA1
aa1251e53347882e33b47a2a5b6916cec5951c36

SHA256
50c84cad37567647072d4ad26a4699deb841138640e25886b599f6d02aa60947

SHA512
0e7fdef2d95d5b0820bd7057f3e592ecaf939f9b3e051022fef435c1768cb1f84d1f4e4e623f528e9c0941ffe70f6005bd4a825d277fa26c0bc1ac0fea01971a

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
74KB

MD5
2a7ac2e6aaea5fa198cbcf8947d2b2c6

SHA1
263c91482e4a5214d7e231a3247c02764f854a8f

SHA256
ae565227ef21536a6df2ed120d75d00d81d4a49ea5b531a39a043640ca000a2c

SHA512
673a24d237f0432aa155024f1507daea9bf7e656bd483408f6bb676eb13abb1b1d34b05144ded3737ed91782a8b4cd728362ae88609c1897e1d7eb1b6241237f

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
74KB

MD5
a4671e7249326ced852d266b04cfd6b4

SHA1
4490e5380ee9205ef7ff33a9bd61c05172e73aaa

SHA256
64c1dc5d86d4966787a88a66ed315ebc2d743745e2d9284aa2d183e2aa0d35be

SHA512
049199adb6ce6da269992a549366705dc43e3a7c2866a329a10dee6dec5a018a38742b6d00c3e92b41f5918b5d664af487ce6a569a7dd141188daffad4945aa6

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
74KB

MD5
2c4b1e1db6cc2eb345c9d58583b9bfb0

SHA1
caf073001563afba563fdd4a855111936e65b524

SHA256
81257b7c068df0f8d511bbdaa4fdcb25b26a5230e7501b4cf32067e7e22718de

SHA512
4f604b8efcbf1b2a8e549ebd069b8b2c98c6077e977d88d670352e5779fdae122d63941189f552f8362af2856eea485a5f3a952ffdcd55c773e2f86bc3e2df4f

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
74KB

MD5
c3896de3ea48d3c7f89c7355bed55699

SHA1
c1d57f96d4ea6e7c829299b5e73d48ea7dccb516

SHA256
ebe4c598ea56e6f7b0cfa05f49f271634490fa52fbce537a989c086125544ae1

SHA512
a98b757707a86350c9830d99456cfb90dfe7a5947b23f635776077dc9926afbc914b70bd5f71b4d8af4aa45eab68b163bf33d5e66895208182da6aca4f31cf2c

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
74KB

MD5
5b318158445d9cd9b402bd4a0b93b3e1

SHA1
9dd11f046400757583b40b7fc106b9a7dfa2f7f7

SHA256
f283e8198ef4d6dae8fb97f526140930c69e9e598cd273db2f372733c7847958

SHA512
3717a6f2063509423ee3e9b9f66f09416dfc1fa562c097b7b93db720bd788de7a9f12a5b891dd1d030f7e1bb241d10cafdc7ea15bafae6062eab81f610a0f9fd

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
74KB

MD5
fb6579ba2f8d07496449d63bbaeb7272

SHA1
4afb11226373da769445b445e6f99bfd29d97287

SHA256
c82de1b7fc873b1985f7b6f9a8ff83011d7eac0f7002efe6b601bf947766a560

SHA512
a6024544930dd014d75369205cd170832a7ef32f958478fe3bf8d20cfd542c71faa28a805d7bcd6baa1fc7f3f793b9b0491607767a83efd6b8a9ee7bfdb26551

Download Submit
memory/60-236-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/64-532-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/116-152-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/316-545-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/376-200-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/516-469-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/684-508-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/888-160-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/988-240-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1028-184-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1040-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1228-526-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1380-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1496-487-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1528-96-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1560-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1624-404-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1752-272-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1808-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2024-72-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2056-551-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2064-56-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2064-592-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2068-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2084-278-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2184-285-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2308-421-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2328-80-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2360-128-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2404-459-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2512-192-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2636-483-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2700-580-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2772-398-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2780-543-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2780-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2860-520-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3028-144-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3044-476-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3068-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3088-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3096-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3108-544-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3124-557-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3124-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3128-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3384-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3396-599-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3396-64-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3460-448-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3508-570-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3512-208-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3552-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3556-471-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3576-578-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3576-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3644-267-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3652-168-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3668-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3676-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3724-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3752-363-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3852-291-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3896-120-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3904-176-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3996-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4044-104-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4068-502-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4076-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4124-12-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4156-571-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4156-34-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4184-579-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4184-48-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4216-248-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4284-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4300-442-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4392-255-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4412-514-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4416-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4592-24-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4592-564-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4660-558-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4744-356-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4804-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4816-440-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4896-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4928-494-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4988-500-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5032-410-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5052-572-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5060-308-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5068-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5104-327-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5132-586-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5180-593-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads