52db0f3f879b2a1936169fc427b9f235ea4034eaa65fd450e42d6e7ceeef9d97

Analysis

max time kernel
143s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 04:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d2ea10c4232a54a1051b79f2663c2cc0_NEIKI.exe
Size

296KB
MD5

d2ea10c4232a54a1051b79f2663c2cc0
SHA1

4776bef5e702936bb200c56745f92e76b9de1719
SHA256

52db0f3f879b2a1936169fc427b9f235ea4034eaa65fd450e42d6e7ceeef9d97
SHA512

539bd7c1931e4d137ef147800fcee65285b880c26d5733ec76a53a29a3da2a6875a6fa3e7d11b7fbc3ffa2c213c1e33051f785c7a2d9445865fe058a25382c56
SSDEEP

3072:TljZhsJzXTFAid8TT80Oj2DARA1+6NhZ6P0c9fpxg6pg:TnhsJLuidCT7NNPKG6g

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d2ea10c4232a54a1051b79f2663c2cc0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe

Executes dropped EXE 64 IoCs

pid	Process
5064	Ficgacna.exe
700	Fqkocpod.exe
2120	Ffggkgmk.exe
4864	Fjcclf32.exe
4556	Fqmlhpla.exe
796	Fckhdk32.exe
2028	Ffjdqg32.exe
2284	Fmclmabe.exe
3740	Fobiilai.exe
2676	Fflaff32.exe
4940	Fijmbb32.exe
2372	Gcpapkgp.exe
4328	Gbcakg32.exe
4020	Gjjjle32.exe
2860	Gmhfhp32.exe
2024	Gcbnejem.exe
1780	Gjlfbd32.exe
440	Giofnacd.exe
3924	Gbgkfg32.exe
4564	Gjocgdkg.exe
2000	Gmmocpjk.exe
5016	Gbjhlfhb.exe
3356	Gfedle32.exe
416	Gmoliohh.exe
5000	Gpnhekgl.exe
4496	Gbldaffp.exe
396	Gjclbc32.exe
4764	Gameonno.exe
4448	Gppekj32.exe
4212	Hfjmgdlf.exe
316	Hmdedo32.exe
2964	Hcnnaikp.exe
920	Hfljmdjc.exe
456	Hikfip32.exe
3220	Habnjm32.exe
4952	Hpenfjad.exe
5024	Hbckbepg.exe
4524	Hjjbcbqj.exe
4040	Hmioonpn.exe
3616	Hadkpm32.exe
2100	Hccglh32.exe
1148	Hbeghene.exe
4116	Hippdo32.exe
4924	Haggelfd.exe
3548	Hpihai32.exe
1956	Hcedaheh.exe
3864	Hfcpncdk.exe
2384	Hibljoco.exe
1900	Hmmhjm32.exe
4572	Haidklda.exe
848	Ipldfi32.exe
2540	Ijaida32.exe
4220	Iidipnal.exe
868	Iakaql32.exe
4372	Ipnalhii.exe
4144	Ibmmhdhm.exe
4164	Ifhiib32.exe
2468	Ijdeiaio.exe
3116	Imbaemhc.exe
3240	Ipqnahgf.exe
996	Icljbg32.exe
3584	Ibojncfj.exe
400	Ijfboafl.exe
3000	Imdnklfp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Kibpam32.dll	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Ddhbep32.dll	d2ea10c4232a54a1051b79f2663c2cc0_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Gbcakg32.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kjeebd32.dll	Fijmbb32.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Haidklda.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Fijmbb32.exe	Fflaff32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6504	6364	WerFault.exe	232

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbccoaj.dll"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbkmemo.dll"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpdme32.dll"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll"	Gameonno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 5064	4520	d2ea10c4232a54a1051b79f2663c2cc0_NEIKI.exe	82
PID 4520 wrote to memory of 5064	4520	d2ea10c4232a54a1051b79f2663c2cc0_NEIKI.exe	82
PID 4520 wrote to memory of 5064	4520	d2ea10c4232a54a1051b79f2663c2cc0_NEIKI.exe	82
PID 5064 wrote to memory of 700	5064	Ficgacna.exe	83
PID 5064 wrote to memory of 700	5064	Ficgacna.exe	83
PID 5064 wrote to memory of 700	5064	Ficgacna.exe	83
PID 700 wrote to memory of 2120	700	Fqkocpod.exe	84
PID 700 wrote to memory of 2120	700	Fqkocpod.exe	84
PID 700 wrote to memory of 2120	700	Fqkocpod.exe	84
PID 2120 wrote to memory of 4864	2120	Ffggkgmk.exe	85
PID 2120 wrote to memory of 4864	2120	Ffggkgmk.exe	85
PID 2120 wrote to memory of 4864	2120	Ffggkgmk.exe	85
PID 4864 wrote to memory of 4556	4864	Fjcclf32.exe	86
PID 4864 wrote to memory of 4556	4864	Fjcclf32.exe	86
PID 4864 wrote to memory of 4556	4864	Fjcclf32.exe	86
PID 4556 wrote to memory of 796	4556	Fqmlhpla.exe	88
PID 4556 wrote to memory of 796	4556	Fqmlhpla.exe	88
PID 4556 wrote to memory of 796	4556	Fqmlhpla.exe	88
PID 796 wrote to memory of 2028	796	Fckhdk32.exe	89
PID 796 wrote to memory of 2028	796	Fckhdk32.exe	89
PID 796 wrote to memory of 2028	796	Fckhdk32.exe	89
PID 2028 wrote to memory of 2284	2028	Ffjdqg32.exe	90
PID 2028 wrote to memory of 2284	2028	Ffjdqg32.exe	90
PID 2028 wrote to memory of 2284	2028	Ffjdqg32.exe	90
PID 2284 wrote to memory of 3740	2284	Fmclmabe.exe	93
PID 2284 wrote to memory of 3740	2284	Fmclmabe.exe	93
PID 2284 wrote to memory of 3740	2284	Fmclmabe.exe	93
PID 3740 wrote to memory of 2676	3740	Fobiilai.exe	94
PID 3740 wrote to memory of 2676	3740	Fobiilai.exe	94
PID 3740 wrote to memory of 2676	3740	Fobiilai.exe	94
PID 2676 wrote to memory of 4940	2676	Fflaff32.exe	96
PID 2676 wrote to memory of 4940	2676	Fflaff32.exe	96
PID 2676 wrote to memory of 4940	2676	Fflaff32.exe	96
PID 4940 wrote to memory of 2372	4940	Fijmbb32.exe	97
PID 4940 wrote to memory of 2372	4940	Fijmbb32.exe	97
PID 4940 wrote to memory of 2372	4940	Fijmbb32.exe	97
PID 2372 wrote to memory of 4328	2372	Gcpapkgp.exe	98
PID 2372 wrote to memory of 4328	2372	Gcpapkgp.exe	98
PID 2372 wrote to memory of 4328	2372	Gcpapkgp.exe	98
PID 4328 wrote to memory of 4020	4328	Gbcakg32.exe	99
PID 4328 wrote to memory of 4020	4328	Gbcakg32.exe	99
PID 4328 wrote to memory of 4020	4328	Gbcakg32.exe	99
PID 4020 wrote to memory of 2860	4020	Gjjjle32.exe	100
PID 4020 wrote to memory of 2860	4020	Gjjjle32.exe	100
PID 4020 wrote to memory of 2860	4020	Gjjjle32.exe	100
PID 2860 wrote to memory of 2024	2860	Gmhfhp32.exe	101
PID 2860 wrote to memory of 2024	2860	Gmhfhp32.exe	101
PID 2860 wrote to memory of 2024	2860	Gmhfhp32.exe	101
PID 2024 wrote to memory of 1780	2024	Gcbnejem.exe	102
PID 2024 wrote to memory of 1780	2024	Gcbnejem.exe	102
PID 2024 wrote to memory of 1780	2024	Gcbnejem.exe	102
PID 1780 wrote to memory of 440	1780	Gjlfbd32.exe	103
PID 1780 wrote to memory of 440	1780	Gjlfbd32.exe	103
PID 1780 wrote to memory of 440	1780	Gjlfbd32.exe	103
PID 440 wrote to memory of 3924	440	Giofnacd.exe	104
PID 440 wrote to memory of 3924	440	Giofnacd.exe	104
PID 440 wrote to memory of 3924	440	Giofnacd.exe	104
PID 3924 wrote to memory of 4564	3924	Gbgkfg32.exe	105
PID 3924 wrote to memory of 4564	3924	Gbgkfg32.exe	105
PID 3924 wrote to memory of 4564	3924	Gbgkfg32.exe	105
PID 4564 wrote to memory of 2000	4564	Gjocgdkg.exe	106
PID 4564 wrote to memory of 2000	4564	Gjocgdkg.exe	106
PID 4564 wrote to memory of 2000	4564	Gjocgdkg.exe	106
PID 2000 wrote to memory of 5016	2000	Gmmocpjk.exe	107

C:\Users\Admin\AppData\Local\Temp\d2ea10c4232a54a1051b79f2663c2cc0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\d2ea10c4232a54a1051b79f2663c2cc0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\SysWOW64\Ficgacna.exe
  C:\Windows\system32\Ficgacna.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\SysWOW64\Fqkocpod.exe
    C:\Windows\system32\Fqkocpod.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\SysWOW64\Ffggkgmk.exe
      C:\Windows\system32\Ffggkgmk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4864
      - C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        23⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        24⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        25⤵
        Executes dropped EXE
        
        PID:416
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        26⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        34⤵
        Executes dropped EXE
        
        PID:920
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        42⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        45⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        50⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4220
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        57⤵
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        60⤵
        Executes dropped EXE
        
        PID:3116
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        67⤵
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        68⤵
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        69⤵
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        70⤵
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        71⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1680
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        73⤵
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4052
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        77⤵
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        79⤵
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5028
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        82⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        84⤵
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        85⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1128
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        89⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        91⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        100⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        105⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        106⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        107⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        108⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        110⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        111⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        112⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        113⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        116⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        123⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        129⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        130⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        133⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        134⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5992
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        136⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        139⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        141⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6276
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        143⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        144⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6364 -s 412
        145⤵
        Program crash
        
        PID:6504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6364 -ip 6364
1⤵
PID:6440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
296KB

MD5
c33f62fee98449cedd264c75f914ef25

SHA1
59174418561e4e5a2de43fb901843ec03d03e905

SHA256
ad250de9e38cf87bb4abd812a675c45718047ef4b998e90a4543728a273b6b5e

SHA512
4ae9a943d4dc1ac8d14653bf3643caa32da93b4c165a9724f5fa3cdc2765552946fd3ddbfe7b8c075ad3df39f55942af190b3e5db243d7620f093297f128823b

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
296KB

MD5
2b5ad24df35c9907d5fddf8797cc7502

SHA1
01f397a70323d5d06139f79b11ab66f0b6fa1f65

SHA256
a6ea93206341610a41d6726314a32f21eb07aa77e1930d97cd64fb703f6d3e97

SHA512
a62e2ad47f623aab94a37d8d75aa1cf1c4e65b639fae51259a779d353a6c5dc8a8355d35b2adda6354585ed46b6e38ada4a3182e5d787dcf40ca4b395e01c7e8

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
296KB

MD5
f7e2acce6311847c674dccfa28d3d4ec

SHA1
463420c837ad0ef6cbd0e70933679f3a6646bba2

SHA256
07be191e335c4602457fd96be935da586e13b328b6cf80a17e1296e6bc87c74f

SHA512
9eb45ffe9e9c9fb140e8b5363f902d95a62632595a70184e6ccb55042cc1a60f63037a160fb37c1cd163cf217debc935ce985aed4add2291d1776b87809f9ae9

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
296KB

MD5
ff2c1c9ccb268552f9f19e95d6a7eae6

SHA1
6df23954049d86638c63b234bea8ec6df90144dd

SHA256
b87e3d3187ee14c6d557b826dd7f9f8ead95210abf422dc4cc0e9fda8a13724a

SHA512
e6dfe2369544ed6ad3c885cff3d9eb948f8abcddcdb725338c7e4cb9ddb4489c0a7cdcbb9cfb11022e33e5b42101741c7dd7cd291136427c0bbdf23dba404081

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
296KB

MD5
683c5b47275b031439a00ed55d9df69a

SHA1
e789f52c00f01ba535f931e142a8c39447319ae0

SHA256
ba69700dad165436f891d14d192446ec6fa1934522223afc4391526a3f0fa82b

SHA512
24ed83e722af818ba9dce6fbeaf97422975e833c6c6f3f4c522da891e78a9fa7f047592f15d1fc440f61953e12990a3cce0c92efc30f2b1edeff78036312da33

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
296KB

MD5
45b17f5f31ede6ce56127cb4c18a5419

SHA1
cf5dad4188e6ff9b270611ce0541e530fb0eb15c

SHA256
7afcb818629b9fcca70fc02212ba687106ff74a214e52579faca77f37b61f414

SHA512
6e85684e1c559473c95193117ab9455ca63e276d379629528f2ed7acbd2f315660153518a25595f96596519143b57866b80cc0980b153b6d7f873d1c785d5cf9

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
296KB

MD5
4ca9be269572291379af8186eb697e56

SHA1
3b9fb916cb05617cc6132518254d1582c8145798

SHA256
1e54438258fc1c6d17341710385dd5a0a808bfafcc779a8d9c0e6627cec75f8f

SHA512
6e1f184d28c5b9c254636b87c73a206414a5fdd840f66893e8795763022756b9899803ea8f773a8ab8be545a907aa31f4ef3166e91d53b0d2cd7249ed130a595

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
296KB

MD5
d0f93c00d103120e10235a2034a8f55b

SHA1
7f692d16d243a2969fded8137f7b46817aed3817

SHA256
e4e5488cafe3c32cd0fe1e3c2e9dca149f4518c45912b4e09e3a3aecc097e366

SHA512
b6f91c32340a73e66563e2a7ae9ba2b082cab69a5c474f07836d6975e0e838439b7820656812012b6fa8a2c5a3c3c5f4273408ed6a282e75502308176cb413b0

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
296KB

MD5
e860673191768c6f66102b84427e5e95

SHA1
87d89cd8823f535a72350fe8a123b733b610b6cb

SHA256
77184919c001d275cc31cf3bdd2355c6a8c35bbde4ab6033017e7f2f77fa71e3

SHA512
25ce1cb0eca324164821d04711f2cc55a1a777be164ea0d95c78370a5fef85b8454f27174cd69854d51595ca6ea47737ef0188f13235480243a427090e2d8b21

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
296KB

MD5
03ad6e9efed70f42732518524e5cf8b2

SHA1
8b5d163b184a8f87a330bf78faf280b956fe251e

SHA256
533b268538ee8ca23731fe32cb82f6210f56aaee506894de0930b927cc791940

SHA512
160aa9a75be214da103c218fa326b504039f575f9c81782921fd22eae969da7238eccd535db53d5e4fce11df60026309e2be9fe1b6babe89ff70adeb75857f63

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
296KB

MD5
011395bbcf610564475610f0865f8598

SHA1
ecdd2d58367285eb893e03efbbaeadafaa4f1956

SHA256
7e326fa872c36e10ca14bd682e581c7eb8ffd2b90bc1c2210445c4ee2351b8e8

SHA512
a27c6190a42dc2fe64f42021995ecc71419e377a53508fe98b610d6d3a21dce1f108c5406ecb48c1a3205609b9bd9f7e0dbade31b216e8f4ca75c6a7e298bdb8

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
296KB

MD5
e47c9a14546dd0e51cef261dba362e04

SHA1
31eeb19e88232ca13298de1929193397933e5a9d

SHA256
e3bb81cc9e3485d8d450f7ff38ffb28fc3f6c3731823b640645fe503205e50a0

SHA512
f54c2e299233b36dfe5086e5c5790180fd4d1febf7d250a55f968e020fd133113225a7b6fe8a0846629c98ca590e78d252589953fa4a0fc4d64cead60aaceef9

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
296KB

MD5
60782ae870a67b03d3dfca8c9d374656

SHA1
fb4c20545c4e760229a944fc94d2870d5efd5977

SHA256
86d182b155425c99cab18d977be7149987c5346f7b64db3223ed938169f233bd

SHA512
86403e52c45a7cef0267460185cd82ad8e9f67c72fc56bc22e139aaed264cdddae8a45c2e0c10d0372764f25d7b857abc003ba0655276d42477ed752fc86372d

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
296KB

MD5
b91cfa3eb5827f297b9f8330481ccc48

SHA1
f013eb352df08ad5f130615551fae99294602dfd

SHA256
27e7094f29c4ed8377ee711898fe843a3a5cbbcf68c52ca051c24f64ddc594c1

SHA512
c3bdc89212c59303e84a9e3db40d0cef5aa20e4d9d3840f284986ced51683d1366e5fee3348385b03241872263f0b4bdcd993a43d3e5d287a3267b0ccf61f1d6

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
296KB

MD5
39cb6a1446b5148ea0245ba556a5fc58

SHA1
915331a35b7655168c29b9656013e58891024b99

SHA256
adec3ae0b0b40375735623c43dcc652a27ecd345c892e41ee0f7d2b4a5ce6b50

SHA512
f438a5b09b4f3a51f86da75136c01762be1af4ea2d42832cd53326c8a7ff6c2ffdfdfb76c95ac800e6f1bdb2e9b831d88a2c8ab890fb721402545c8d633a9e76

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
296KB

MD5
19f04257dc8dc8a3a3800c547f7a188b

SHA1
a48931e75999bd002cb4efd54847b6db1a747185

SHA256
2c3af9160f7ead9dfe23466575e7de7cab62df3f24d8da52788e398e4eeb2c8d

SHA512
f6a8b3f892db971646ff732e50de50651a05749d0f8cea6b7fa4bae1306f17868c8d14d3d776a2f23fa7d21517508236e04780dbc520abd8535a0aac98a245f3

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
296KB

MD5
9799a4329ad93d4c8c0d2c830fc4cf82

SHA1
634d4cf8aebcf13826b2e412b25438085fa87ac8

SHA256
d90d7d3d9db7a528117ee1485caa9552a6d99be8a4e6e68b03d690c69460a143

SHA512
df4ee1f963366910c81ad02d9a75a5f4ec253d9acaffd18e217b213ea9ce728016b6ed9476a1e0c586f095e1ebfac14c03aac1ab7cedadf137b019396bc3766d

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
296KB

MD5
35d3c3c9db8629503298e0fe1a32aede

SHA1
aff7e6a81c2233dfb4c3764df8272969a804e403

SHA256
b2902c73f369a05b291fce0a7652ceec210aa5838256718369b1aa6b45b19d85

SHA512
158accf7147ca78a7419cda2c57fd1462a4285686c5092a45c9f7b6aea8081e205af300337a19c9b5e65a85b009c1edc65cb19dd9fe1bdd7bb0e010c390b4f8c

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
296KB

MD5
180657fde7879ddf07c4cc4b89d2117c

SHA1
e772720491d154602a253de0fc7b21defc8995f2

SHA256
c28e332ed3413d3409c66bc854b7944c344122e1b4e1fc37806c30d20ba2addd

SHA512
442052d59770f7ac1419932c46df0dc65f76c3ba08fd1083de60f0f982a70b2c37c54d1b89ecabd7546e6efa327c4690a32c4eac9f99e0aee2d286256c725d56

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
296KB

MD5
a3d2d5ba622648dea500b6a636ccc4f4

SHA1
80abf49270541155d3ec62a5764ff4c9a71f6682

SHA256
1ace424aa8d3c6b014d4052aa4f3d05b2b937b1a822235fb256399d00322f995

SHA512
c2c6a9f727288c66eca01208b3bb032df3031d23ecad0b30e7797820a836ed2db81f566614b447524cc6eecea218f03b069c6f59746692d56d983e45584e835b

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
296KB

MD5
4ff81df1206a8d66a48d6aed63eae9b8

SHA1
0d4070869f332912c1979c3a28e588be6cf1bc77

SHA256
3dd4473ae34f6156604632f8bd629ff8a542e814b05802a9ccc0f04ae6ec6343

SHA512
757373f4d3d5e37b986c8c472110c53c84e6e35ccb4ed3adf399515670cb5030db3ef2329ce92baae4058c391ce8e4b243882e16385641a54bca49c31bef39b1

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
296KB

MD5
b6a983f9db402ad87081841bfe8e9014

SHA1
9501f446543fff68dd4daf2fc68b06ca33ad1d15

SHA256
5035065e34bb5dc5c6c6603667f846d2070b1cb34363d82ac2ad994322c832a0

SHA512
29a5a40def2eeb6585b6aa83cfc1c63b6d226433a1e4672b56cd84a9a0559e712dcdc0f0c6465a8d0fa720250a4e86dcf639b1244fae73bd153dabdb11db70c9

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
296KB

MD5
6d1e8d64bd95a85baff3ed5d7caa71f1

SHA1
00201ba81e4c153bc537d6b39c42bbb1cb45ad5c

SHA256
c4c4759f84e7e0aaca9ae0d2e2c55cc19b2f3b0527fc298da8e5b5ece36a3714

SHA512
6f4a956aedd054b2d9452112476c1e7e98ce0fdb98397bbbb4e4e7dd10d80118b9aed5b5b6e43a423cd6d4d781a72821ccaec7990f74ba4c6d5980e526d06c87

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
296KB

MD5
c8eda693e3b0f533f212a5b830c2e938

SHA1
5cae3f75285d30a0b261eca5c0fa9f781cfe38fe

SHA256
9e9ef4d73b09701ed5c894060611daab98e5e84f2202ac01a2842ac7dc8b309c

SHA512
ad6604fce856f35d0278c1200c54dd0cf85e9bba6780ea35f02c0ff4d1d9b31035fbd8015af186fec41eac2ae5713bca6f12cd96b1c688d145a32c8b2c6953d4

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
296KB

MD5
89af5154a07df098ba7f146f77eb9e62

SHA1
ac535e49e50d3b501314ed8426a7f5b0c26629b4

SHA256
e1155837ccbe94bd7dbd65441fc43546973d3248a548b0788932b366928b5d79

SHA512
7717d10f35dbbe0adc328589ce3ccbbeb4c863c09d60edefa7005df4cb73bf8234549a94f047c4477c1b0655f02a862ed00689a2f33c284ccc573c568feb333b

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
296KB

MD5
c25c6187ee608ba3a45883de616ddfee

SHA1
6e44d11499a9220de6b98f21c6480ed81d1008b8

SHA256
a044544f634a8da61c063d0e87a614ac2dd0a54cbfad329d638c963c8e696114

SHA512
f7ae9d6bc68f52cc789f3573174f5ee5ec1dd8db53ff6b9ca354abb696ef4ce7edcdbeaf04104fb9faf10a4e606ba30666627a86cfacd87d8568a2fb50ec58f5

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
296KB

MD5
a04950b80f91c7a139a222eed0a9482c

SHA1
5b3b8e22ad6c45f1b52d87f474a15052dfe8bd5b

SHA256
a04acab95a3188d70407dd20b4672a4c274505dc7810f958d6f85d4950ea5427

SHA512
348120fedd62874f8332b58302568a26f0ef4783ee4cd20512cb2b0dc5d9723c68ae690b42951dc1c46cb19e6463193f3908eb6e93f218b1e4e60c065df99a5e

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
296KB

MD5
1c19acb2760932bc2a016f326b671968

SHA1
2e28097ced75b3ab04099118f41fdfe7a5451336

SHA256
cdb4044905b500626c9f273b1fee3ed1fd9b84001266111b550eb4f70ed20f3f

SHA512
a3b212e19353ab62f35d4359723768dcab3b7e8cc52f52eb8c35b5eb7a9e14a068fe113e5ec3ac57c90c308b34503c92963d7c0e7e1685c3c8f847af6b3daeec

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
296KB

MD5
004df5a3879ba6913e416fc5b14d7cdb

SHA1
48d00991e2bebbf965d33ab124da09dbbd2c725b

SHA256
cf16aab3c2b486c7caabeaacff3e8c34759ea296b1a735d8cff2afa5e57c42c5

SHA512
2285126a88b1f7d1baf6d1921f4f008843cf121ab2da33e04a1b9f5b552c28e83a3410a7be70335cd5720af9dd74f57b602b0e6d949fdbcbc7b15e902966f296

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
296KB

MD5
3c7631567e9dac339b872bfd30476d49

SHA1
32b24f20aaff593445b8d32923bd6912b89eb575

SHA256
cbd93db79c82eae3dc6ba24d2e804f81cc27f3da357fa6c4902d817b896a7edd

SHA512
3c70d85a64984f4de7c344d4b5ad8ae068ebc7f612420a764fca65450f7cc0a0e80287ee29084bfcc86ff558dc898b33c230c25080b4ea81105deb1debd2ad48

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
296KB

MD5
74b85f9445e36996ad786d303acef808

SHA1
8b254f1ef9d45dd2e15638e0ca5baf5d13f29344

SHA256
fc600e8192bcf28f37ebb592ca36d7f3a19f1288b302d8df5889920638246dc4

SHA512
ea28d22e2f6951e145ffb4d6c4bcfada06efa5a3dc8c81f8145c18812be74685e48bc76232ac1f7e392e74762f8656db145594dbebd43a10186f665c32839c6b

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
296KB

MD5
33e4d0533ae431b634b87fca7d67d48b

SHA1
45b08b8b6ca493414f38ff3d2eb1a8d316d5d88d

SHA256
a5be2f1b3dc5703815de9eadb86f227f39789d6d96ca2a786de8fbf08473f728

SHA512
e041a029a7526ae96dc1cbc84e857b8c59d7068efd9d9f2156c8a5d7e787dc22d7e0bc08eaa528fa11527364f1228fd8de2828ff9336c00a2a76ad97a0e2a383

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
296KB

MD5
db50ad982ad82775dd8ae4d5843f104c

SHA1
54b7fddd8f6c2c646bc95fd6f30987906a25c3ce

SHA256
6780caef1b4f23b19beeaec8480e168f3ec4deedc150ac54e358abd5a018f4cf

SHA512
357ec300f8f7cbd93164c9097e633cc956fe53fdc35642ee6fd6b43bd691e35d423e47631de9bd80fa4ed312d19c381a95db47c1d8562867847dcb7946dcbe9f

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
296KB

MD5
9fe65cc13b94f098fb49e77bf94e520b

SHA1
f566117a72991fd2dd9b62b8ee0512c556234e34

SHA256
8b9f7e7bbf978a29d0184d122d6026f20b2a0b569ffc7ed058496bed00465c20

SHA512
59f869b6527a0e3407ce798d9afc7e037b3f33e75ff06272860f2454633ddf0a4da318a495e1974385164753b8dafbd3b2287bdb68d979697feb648225f6a889

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
296KB

MD5
c2f550f543059364c7eefdc1493ba26f

SHA1
e9c0aff12e5061b6f268513d55ddb32b56439674

SHA256
7df1306c6cc0f420aea6d569107971e71bf09f842f4ad33e95c255972e1e7169

SHA512
cd30fec496e2f03a044515cab2230552853f2ac91c4e0dfd1bf67a439ab7599d83b564f0d75d5bb4b23f8bf88ae31b1fbeff633f838d08833632f0b576f96b9a

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
296KB

MD5
4402cb6dc965ebf2617ad1226ff91373

SHA1
91b377ffd45730485d10b40529c2d8f8a4d45c4e

SHA256
317c0467a84e51bf17d9a11b6dbf6ca9ee7873f4e9828d46dc2ca7bd1e29825d

SHA512
c66c4e77923fe47f63d4691c13a7af764caea93e39ba152250a0dea07c71b4ad82411aeff72b3b5608674e773dce7bd3a71168292604f718b488de8dfe27edb3

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
296KB

MD5
24cfd550fb13bd81310a4c55d9b01435

SHA1
3e51a8fec3bdd0d5584f8a8cdcbe66adc8e4de3a

SHA256
73facbe1aa98038b9fbe25c9190b3f8c8af70c0596e67d9e2ddbd1449912705f

SHA512
c0f75b34a854ccd1a96f526bc2480737dcf6bdc2f65d7061f0eabd2eb7eabcce9cd79793174e46d6318d6d715a54c50759d5ef6a906349ead3fcdacf13c2dcc0

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
296KB

MD5
258196283fed424a765157a4a326a6b9

SHA1
74950d4e611dd290d7cf57d433afd9114a964653

SHA256
b8b15f272e3ad6f2fb02243515fe589934ff381a81464cdfaf57c2786c207c35

SHA512
b6bd0b0f138dfca8650013614670954b2db68d7ecefd7d86836e1718686ca1d35378a89b4cd319a7b90bafb7cdbbc068c0877bb77f8ec72a414128d1f7eedf18

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
296KB

MD5
5c0aa79cf5cdc613fc8635ada07ddd9e

SHA1
0ced9be2f724f87e42656d5365ceaf57179ee25b

SHA256
02926f9845651c6bcdfb073f269457cba22881f987ef08c2a544d4396b1b4e54

SHA512
85c6aedd37074ad2bdd0e85b67ebb8d00b0c58f1aa3f01be167f921a6a722f4f11159748bbf1b2bba58046e031db27a98fe01d7a5e0914d2cd030b2eebfa2917

Download Submit
C:\Windows\SysWOW64\Jfhlfk32.dll

Filesize
7KB

MD5
1aac23ed34ab0ecb27fd1ab9f74a5936

SHA1
3c995bf7bcd5bde1e68f48d7e383912d8fb59d3e

SHA256
a2a3ec316345cb936dd482c4e77ad6f7fd099efbf8d4267da90480b60977e80b

SHA512
4fc6a7e924bb7b07bc4272400469ea5805b4817d8413cffa62dc865aa5fd29d3d6aaab57cab7587b72ee2322ddb2de11631b00d9a1f23db83dfaf954e3017d5d

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
296KB

MD5
4b40a324bbfcce9ccef3e346b634fb99

SHA1
ffc652272802da56125e1932a251142b4e160e96

SHA256
56b634cfd6dd7ecb96387507160313128e58c08a900ccc5615077ba88100614a

SHA512
a8366daac8d2ba85a93442795a12da347d5f3d1cc6bcaae85a7806ea42bee3a2c1c74508e4def13c4257b6270ffbd58afd77797e83d97a95df33a726f96ac7da

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
296KB

MD5
568b09f49bf428e7f183075fb8e35d55

SHA1
2abb500ef38de7fb7b807a04ebd476b397dbcee7

SHA256
5e099bc740626191aab00428dddd430609000df2a2956ed1653894490c915876

SHA512
bf89b2bb04451fd03eb51d8f2dddeb844631f8dff6afe7588bd3dca19f2f23c9ebf6bb5326c75c34d44b7805e046fbe4b0b45da3ad129d462381162916a62af5

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
296KB

MD5
f5d9abde7e93bbc40b8e750753a76e48

SHA1
e7849c24bdd2fec2d979379cfded8f35262e9778

SHA256
e55ee1e80f07d7738ceb7b310bb509982aeaa830626a1046073dff24454137a1

SHA512
207952b973be5a63df93360fc2f7174039fc7dfcaee7acb15d38eeeb3c0ca1724c8f97f7c23348700e8358bcfd2780565f46df42ce8c90eee7b0fc454085b3cd

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
296KB

MD5
78a92ad9e048428a0af0662407ae08e5

SHA1
43bd2a9529f04ddde3683bc0203901db04a19f5e

SHA256
1115a3af01c12ceb16170e6e49b213f0977ac5ca51f38df98470948c9230e2e1

SHA512
844f2991e18f835738b93fa37cba977dcf2db530f6178173a359b889874cefd20a726f5000caf1765cee9d97e2bcf793238217e7bc2f7a4187b86a61013b7d01

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
296KB

MD5
3b1e27b49f6ef07a395d62844a5f33b9

SHA1
fde036ca162d736712064d9ba3ad994acdf57440

SHA256
97c20e452809ae5774e7d1fd4df56646ecb1b8f476a484a5730f714068e0e407

SHA512
15e5f69757a90190dc151b3c31b211ed7f36b3da3736eccf2134b5880dd58c49277bd6986b04776640ccd6f5ab7e66ee56853b9e423868c797c23891fd14670f

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
296KB

MD5
0e3bd092dff022344128992694f682d7

SHA1
6f9177cee13544db62a1f8d9d2079363e3caec45

SHA256
1bd3148fd829d778991251ef5512fb28cd4ff4450755b06e1f6c267258ff3f7e

SHA512
cc7d1c07febf38feac00e9350a328091df8abba09f349dbdb87775a220b6cb24f993319ffbd7196838ea05b5ca69726a33f85edbea73494099a5e493dec6e2bd

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
296KB

MD5
fee5396466f6128100f8d7e450d97cc8

SHA1
41d25abab536a7f064593781528cb1a7edd51683

SHA256
47150fb9a726ef6f7837a5d9f0ea0fe9de3c21da1181b331481bbbe433d0d67c

SHA512
77d0483bb84cff7f72a81770928e95f339d5d64faf6bcb42ac026d242f331081409ab3d49cdb0b0bf53bd127e5787e2f0bbb7b873e87cd0e2dbe715b2c55d229

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
296KB

MD5
003cedcd553e66b46114981582ecf24e

SHA1
897a94f0bc361acdfe52b02fb362b42db4c47298

SHA256
5ca415b3759fdd6a505fb1dda2187f2f08ee292161486d8c260accec921a7fab

SHA512
6ec61c14332997cc8838fcb88971106da027b4ea4f052a8aa52e6a5661a4029ec2c7ea6309438c2e9cc38028b5a068712c5caf578361bd897d8e5b918debac11

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
296KB

MD5
713a7d49a71d747e315615f765b30ad5

SHA1
2ec9d3dbe14e88aa5c8b706ed0e27699b345891b

SHA256
48ce142a249ec8f8578ff2e09750299a3ba722df9c4a33e28f2e197d894a8ae9

SHA512
f3e4a7d2a3ac1c8abb9b78db07b862afd935ee202655fa68b7a5bfd5b35551c6d9b993d457c288e2d35fb0e26538a9f7ead6828a90d4841da3ce98cd551dcbe3

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
296KB

MD5
20f3051104d88c3bc44eea82bf4aab33

SHA1
7521b08f216fb5dc5ea95262e2172d02360c7ff7

SHA256
d8cd128293c1a862bee221c7fa9ed23c47a72dc68735fd54e25408f238a80595

SHA512
9310d86b06e81b9ebbac82ec1cb6ad8255729f58609fbf412992bee822d0191bc81b9be09ec61643e94f8a8d9aa8586b5100f6ba8756e3df04947a3a6248e58b

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
296KB

MD5
5f117ad8dfc7f40d33cd4ee5ed317ea6

SHA1
30681e336a7abcbf45a726c765147ff1d5a0df2b

SHA256
20277938a5b175cb8947c67854464c6c796ae6249171c010bca6d83ca36bcf0e

SHA512
d5314cd972717370783db674521283e454884808a32eb21727a253e88d4358ad808cd23db11934d70c60e5f822df7e7b53d04412ed7e2bb89fff0cc23d4dbf4d

Download Submit
memory/224-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/316-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/416-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/440-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/456-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/700-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/700-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/796-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/996-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1484-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3720-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3924-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4124-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4520-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4520-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-603-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4688-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-596-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5136-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5180-590-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5224-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5272-604-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5820-1009-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5856-1042-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads