b9cf1e647cead9113694cacd61ba7092f5ec445b062be2ff857d2139f2498918

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00f6ba1928b003e99ff12a6dfba6fde0_NEIKI.exe
Size

206KB
MD5

00f6ba1928b003e99ff12a6dfba6fde0
SHA1

77096ee835d451b2294feb09e602194d20d76ec9
SHA256

b9cf1e647cead9113694cacd61ba7092f5ec445b062be2ff857d2139f2498918
SHA512

3886a7d2534e02cd44ff7029f2c9cdea00e1cb27a94f209511ec92e3bd4da0b8e7f5414dda8f107b7cbf61ec392a0d5d1ea3821ab45fe2e2b3a6accc2934137a
SSDEEP

3072:37vbQ+BnNRHteAmDjsk5OmHCMyELiAHONdSVgtRQ2c+tlB5xpWJLM77OkemANaz:3Lke/HoJZYmHbBuqV+tbFOLM77OLjUz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	00f6ba1928b003e99ff12a6dfba6fde0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe

Executes dropped EXE 64 IoCs

pid	Process
4020	Ecphimfb.exe
4684	Ehlaaddj.exe
2160	Eqciba32.exe
4908	Eofinnkf.exe
2184	Ehonfc32.exe
4988	Eqfeha32.exe
412	Fbgbpihg.exe
1884	Fjnjqfij.exe
4584	Fokbim32.exe
4188	Ffekegon.exe
3384	Fmocba32.exe
3496	Fcikolnh.exe
3896	Fifdgblo.exe
4316	Fqmlhpla.exe
1016	Ffjdqg32.exe
4656	Fmclmabe.exe
4896	Fjhmgeao.exe
4600	Fijmbb32.exe
4408	Fqaeco32.exe
1664	Gfnnlffc.exe
2512	Gmhfhp32.exe
4952	Gogbdl32.exe
2632	Gbenqg32.exe
404	Gjlfbd32.exe
4136	Giofnacd.exe
3892	Gmkbnp32.exe
3912	Gqfooodg.exe
1632	Goiojk32.exe
932	Gbgkfg32.exe
1904	Gfcgge32.exe
3748	Gjocgdkg.exe
4156	Gpklpkio.exe
3980	Gcggpj32.exe
2968	Gbjhlfhb.exe
5048	Gfedle32.exe
2024	Gjapmdid.exe
5100	Gidphq32.exe
1380	Gmoliohh.exe
696	Gqkhjn32.exe
4788	Gpnhekgl.exe
2672	Gcidfi32.exe
5052	Gbldaffp.exe
264	Gfhqbe32.exe
4372	Gifmnpnl.exe
3548	Gmaioo32.exe
1780	Gameonno.exe
888	Gppekj32.exe
2744	Hclakimb.exe
2504	Hboagf32.exe
4892	Hikfip32.exe
3440	Hmfbjnbp.exe
1956	Hpenfjad.exe
3100	Hcqjfh32.exe
1020	Hbckbepg.exe
4208	Hfofbd32.exe
916	Hjjbcbqj.exe
4416	Himcoo32.exe
2704	Hadkpm32.exe
4484	Hpgkkioa.exe
4820	Hccglh32.exe
1072	Hbeghene.exe
3456	Hfachc32.exe
2492	Haidklda.exe
3132	Icgqggce.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Gbenqg32.exe	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hikfip32.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mbfppi32.dll	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Eqciba32.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hkcdljbo.dll	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Fifdgblo.exe	Fcikolnh.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Pkbjnl32.dll	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hfachc32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Hpenfjad.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6772	6256	WerFault.exe	278

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	00f6ba1928b003e99ff12a6dfba6fde0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofddb32.dll"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifqbnpb.dll"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkcdljbo.dll"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchnlc32.dll"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihpfl32.dll"	00f6ba1928b003e99ff12a6dfba6fde0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gameonno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfliccm.dll"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmioko.dll"	Gpklpkio.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 4020	1660	00f6ba1928b003e99ff12a6dfba6fde0_NEIKI.exe	83
PID 1660 wrote to memory of 4020	1660	00f6ba1928b003e99ff12a6dfba6fde0_NEIKI.exe	83
PID 1660 wrote to memory of 4020	1660	00f6ba1928b003e99ff12a6dfba6fde0_NEIKI.exe	83
PID 4020 wrote to memory of 4684	4020	Ecphimfb.exe	84
PID 4020 wrote to memory of 4684	4020	Ecphimfb.exe	84
PID 4020 wrote to memory of 4684	4020	Ecphimfb.exe	84
PID 4684 wrote to memory of 2160	4684	Ehlaaddj.exe	85
PID 4684 wrote to memory of 2160	4684	Ehlaaddj.exe	85
PID 4684 wrote to memory of 2160	4684	Ehlaaddj.exe	85
PID 2160 wrote to memory of 4908	2160	Eqciba32.exe	86
PID 2160 wrote to memory of 4908	2160	Eqciba32.exe	86
PID 2160 wrote to memory of 4908	2160	Eqciba32.exe	86
PID 4908 wrote to memory of 2184	4908	Eofinnkf.exe	87
PID 4908 wrote to memory of 2184	4908	Eofinnkf.exe	87
PID 4908 wrote to memory of 2184	4908	Eofinnkf.exe	87
PID 2184 wrote to memory of 4988	2184	Ehonfc32.exe	88
PID 2184 wrote to memory of 4988	2184	Ehonfc32.exe	88
PID 2184 wrote to memory of 4988	2184	Ehonfc32.exe	88
PID 4988 wrote to memory of 412	4988	Eqfeha32.exe	89
PID 4988 wrote to memory of 412	4988	Eqfeha32.exe	89
PID 4988 wrote to memory of 412	4988	Eqfeha32.exe	89
PID 412 wrote to memory of 1884	412	Fbgbpihg.exe	90
PID 412 wrote to memory of 1884	412	Fbgbpihg.exe	90
PID 412 wrote to memory of 1884	412	Fbgbpihg.exe	90
PID 1884 wrote to memory of 4584	1884	Fjnjqfij.exe	92
PID 1884 wrote to memory of 4584	1884	Fjnjqfij.exe	92
PID 1884 wrote to memory of 4584	1884	Fjnjqfij.exe	92
PID 4584 wrote to memory of 4188	4584	Fokbim32.exe	93
PID 4584 wrote to memory of 4188	4584	Fokbim32.exe	93
PID 4584 wrote to memory of 4188	4584	Fokbim32.exe	93
PID 4188 wrote to memory of 3384	4188	Ffekegon.exe	94
PID 4188 wrote to memory of 3384	4188	Ffekegon.exe	94
PID 4188 wrote to memory of 3384	4188	Ffekegon.exe	94
PID 3384 wrote to memory of 3496	3384	Fmocba32.exe	95
PID 3384 wrote to memory of 3496	3384	Fmocba32.exe	95
PID 3384 wrote to memory of 3496	3384	Fmocba32.exe	95
PID 3496 wrote to memory of 3896	3496	Fcikolnh.exe	97
PID 3496 wrote to memory of 3896	3496	Fcikolnh.exe	97
PID 3496 wrote to memory of 3896	3496	Fcikolnh.exe	97
PID 3896 wrote to memory of 4316	3896	Fifdgblo.exe	98
PID 3896 wrote to memory of 4316	3896	Fifdgblo.exe	98
PID 3896 wrote to memory of 4316	3896	Fifdgblo.exe	98
PID 4316 wrote to memory of 1016	4316	Fqmlhpla.exe	99
PID 4316 wrote to memory of 1016	4316	Fqmlhpla.exe	99
PID 4316 wrote to memory of 1016	4316	Fqmlhpla.exe	99
PID 1016 wrote to memory of 4656	1016	Ffjdqg32.exe	100
PID 1016 wrote to memory of 4656	1016	Ffjdqg32.exe	100
PID 1016 wrote to memory of 4656	1016	Ffjdqg32.exe	100
PID 4656 wrote to memory of 4896	4656	Fmclmabe.exe	102
PID 4656 wrote to memory of 4896	4656	Fmclmabe.exe	102
PID 4656 wrote to memory of 4896	4656	Fmclmabe.exe	102
PID 4896 wrote to memory of 4600	4896	Fjhmgeao.exe	103
PID 4896 wrote to memory of 4600	4896	Fjhmgeao.exe	103
PID 4896 wrote to memory of 4600	4896	Fjhmgeao.exe	103
PID 4600 wrote to memory of 4408	4600	Fijmbb32.exe	104
PID 4600 wrote to memory of 4408	4600	Fijmbb32.exe	104
PID 4600 wrote to memory of 4408	4600	Fijmbb32.exe	104
PID 4408 wrote to memory of 1664	4408	Fqaeco32.exe	105
PID 4408 wrote to memory of 1664	4408	Fqaeco32.exe	105
PID 4408 wrote to memory of 1664	4408	Fqaeco32.exe	105
PID 1664 wrote to memory of 2512	1664	Gfnnlffc.exe	106
PID 1664 wrote to memory of 2512	1664	Gfnnlffc.exe	106
PID 1664 wrote to memory of 2512	1664	Gfnnlffc.exe	106
PID 2512 wrote to memory of 4952	2512	Gmhfhp32.exe	107

C:\Users\Admin\AppData\Local\Temp\00f6ba1928b003e99ff12a6dfba6fde0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\00f6ba1928b003e99ff12a6dfba6fde0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\Ecphimfb.exe
  C:\Windows\system32\Ecphimfb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\SysWOW64\Ehlaaddj.exe
    C:\Windows\system32\Ehlaaddj.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\SysWOW64\Eqciba32.exe
      C:\Windows\system32\Eqciba32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
      - C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        26⤵
        Executes dropped EXE
        
        PID:4136
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        27⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        28⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3748
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        36⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        38⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4788
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        42⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        44⤵
        Executes dropped EXE
        
        PID:264
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        48⤵
        Executes dropped EXE
        
        PID:888
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        52⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        56⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        59⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        60⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        61⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        64⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        67⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4280
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        69⤵
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        70⤵
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        71⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        72⤵
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        73⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        75⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        76⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        78⤵
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        79⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4676
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        81⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        82⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        83⤵
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        84⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        85⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        86⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        89⤵
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        90⤵
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        92⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        93⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        95⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        97⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        98⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        101⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        102⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        104⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        106⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        108⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        109⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        110⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        111⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        112⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        118⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        119⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        122⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        124⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        126⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        129⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        130⤵
        
        PID:60
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        132⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        133⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        135⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        136⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        137⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        140⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        141⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        142⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        147⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        148⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        150⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6172
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6268
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        154⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6360
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        156⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        157⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        159⤵
        Drops file in System32 directory
        
        PID:6576
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6692
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        162⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        163⤵
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6856
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        166⤵
        Modifies registry class
        
        PID:6972
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        169⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        170⤵
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        171⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        173⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6444
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6632
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6728
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        178⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        180⤵
        Modifies registry class
        
        PID:7012
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        181⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        182⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        183⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6408
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        185⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        186⤵
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        187⤵
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        189⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        190⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 428
        191⤵
        Program crash
        
        PID:6772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6256 -ip 6256
1⤵
PID:6640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
206KB

MD5
85b33cd542ba023db42d7b45a3213eed

SHA1
40335e5c77a8007c959bb7ad10c7bbe109440491

SHA256
e998e5fa8682c65fbcad0184a4933d02e1cef467d7907fc374c20767c491077c

SHA512
c069f5f78bf4ee92cf2e59fd4b49c8d19ab9414743b506d736e8502095c62699ce2b3dafc4fa3223256b5ba1d08f34947e8b8cf1513629259b943a46953b3d9c

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
206KB

MD5
f3116159a8cfbc0ee4f531a758b02a8e

SHA1
bc5bdb02a5d4a9673cfac031299561c0de123252

SHA256
2d0b88ec826eb417c5b104bc1eb87c5535781995f89ba9425b040ee580ae9403

SHA512
7c65ee2ffcfcda018f1ecf00114b808ce6e19b41289d49afe8d9d435bea160ed726255e73ce57a067c694d5192466b6a78d244eeabea2764e5133593504fb6e6

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
206KB

MD5
5d0b87d77d3d3933f429a3383ef86383

SHA1
8742253065fd246ba34a16c92ee2ef421612cece

SHA256
644f5fa581fd9503a8d2acd1e60ea86d0da5692d4ae914265ce3d6d4896dc7bd

SHA512
5a5c22dbc2d5fc2e8ed82457b769bc5c88f509b1aba0757e305fe18b557bdeb92c26e3546b92772e99feac5f002dd766d44cefe86325526e9e329eb700501f09

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
206KB

MD5
f5896cdd8744893cd18fc20b6ecca7ae

SHA1
a17d954de8489641231d519547aecb71f3d5d7b0

SHA256
3693fab16a8d0b6330d5a91454e1aa411ee6035d79442abe6830bc2c20bbab07

SHA512
6b95a729397ff714c9d5bb616975386a39306ab9e1b17488fabe679c5cf319a3d0bcde9ec5e0f5fd5841b9b82e92e85396d3fda0f894c2e86322c64c8e224584

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
206KB

MD5
8d5ac37c81dd9c00e720454e51ed2634

SHA1
37fba6225c5c955751a1364d9616f87ae2cd3f21

SHA256
bb6018050c0210d5104ad9159382c67f0f916384cde8e5a982c873a0c1c7bf00

SHA512
417b26cf447549c4b1cefa59d851d5061c8f5928f8141af01668119da249be6bda7fa37087e92c708394e32bd9549147d2fc57974ff7e2d21bd606cfb76693ab

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
206KB

MD5
280a1b46423eaf5702c1ba88925d7683

SHA1
a929378c2a9554a27948bbb963c7d4ef82e6ad07

SHA256
aca383219dca4698a122892fcb8af31a7dbbf819a806a6d6af90033230007a12

SHA512
1dc5cc00819cb3dd1f6c8325677b863c8a4f940e7e40730e45fe23b399cb5ac97a43cc864e0be484da26d88eaef2e4f86c4f95410e0335be5cac1173807d1331

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
206KB

MD5
0d16d808f7ab1a3b4f567518e82f0c0b

SHA1
70a4a1eb384ad0c279dd17bcf650be9b2a7aa083

SHA256
859489d5f9987d2b4d13127ab213c7051b22e49600520e3ee1015735fe7db65f

SHA512
e590c39a32224bcf8fd3e18d13d97658caf3346be1967eaa45be879f6fb922aca13e60806ad85546884f9ea434f342cf1b9fa5bbcb8cde72ca6ff6a5e3f1862b

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
206KB

MD5
e412db88a1da6fc0e6faf97004f6a861

SHA1
e3ca4b5f0f8be00feb6f378671c076eae5ba3951

SHA256
96f0a7dd601e441b4da155114f7edaee66a304552e74edc3122e7908fbd47717

SHA512
72ce51ed9d74e226c70e587a9d986e6e31d809b7aa069be8b210a519043a7329fd4ea915f13bf93878ea10d237132b418a6e8dd2895e23ef0bda52e0ee9af166

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
206KB

MD5
a66dfd8893aeaa93e8f694f6bdbdc674

SHA1
e21a683d72bb6ecc7739eb8317a253a3862d266e

SHA256
a8b9abd2de18057b71fc505eb461ae3ba91d71c7d8152ab918a8d9265fcea961

SHA512
3e01e70abcfa583838ac662ad81584eb597b3cf36bf482f28a872f992aabd07f604785fe0215edf405506d27f68512f9c79f7636756af0a56d81303eb4e76d6e

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
206KB

MD5
82cc66904d58f3c446f0e0fa1e1cd176

SHA1
0b2624599d205d9ff2980bea28fbbf33bc1eec65

SHA256
f48cd04cadba47432ce8a264f5141e086a5b478809779b334fe1ad74c7e86ce4

SHA512
704e185628c6cdefeddba72eae4e2dc14bcd2c7b1eb832045a3e19cc0ccbfdcf560ab3ab41d26829bda24a9a1320fb41f541c9b0e12025e4d5e48e22c3d83101

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
206KB

MD5
b53c1dd202bc57bbf0ba23d0ce7dc80a

SHA1
dae859118e8846397edd9059580b4d9bec35b228

SHA256
934575097ec465d597eda386723eea2a5e404f36dd6bd49fc5840db36b592488

SHA512
f0cd48c915ce43cb79df517b6c77b84448fb6a6faa3f909d9970c85ec091d4669b281e9519a42eb2b5bff74d268a64fa2348c2949de82e2ae307787295bd9120

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
206KB

MD5
560942186b31ae8e6d03ca94c151026b

SHA1
e690258a07b2da3f9aab0424e00a4130e399848e

SHA256
9f99c2757da45bc2042ffca774b2d9c032e597f1169e005f44c9b160a2e315b0

SHA512
879019b8bccdbd7f4afe28f94d2e2d81dc6920a20ba91812f7df9b2f0c84886d996de68f2dd675efba48df0eb002269efdc95d6ab1e02fcee50d9d3123709b15

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
206KB

MD5
efd77e72f46a4742086f9a01f7bf8092

SHA1
759e4457e9831139b8f043c14a3b777966204f20

SHA256
c8bc39e3c53f857e30240f0e825d562f23b738d1d0b25c604a359e5fdf29f78b

SHA512
c13adbbab5457cc93eecdbc20037c04cdcc540fab5932f437575a1dad85ed579301ee2a74ea26123534b629673c4d1532bc6fe2425ea41eba1aeef6aa10a2c0f

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
206KB

MD5
54d405e9f901cec96248505d1c4064b1

SHA1
6bd637cb8d18c6d0d13853887f78846dd854a952

SHA256
fd9edba2485b2b0b3f29e752c59f1eeda9a0c9aede80e7c0c881767b54f899c1

SHA512
d2d05abc2f6b3155390dce8f73a692b8493005d72d5313d091f14ad18de899e3bba5c1879d4039b1770d118dcc286a1d52bc2836c03024f69ac95fc2576954e4

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
206KB

MD5
fea3489a9b8a8bedd36f1419a37a3bd4

SHA1
ce0504327527b5902068fa15b7b1e5861a159788

SHA256
01837213f7bd5311c3aa8f92c0e5dcc18444d56f45db0c114ed32aa06b559222

SHA512
ea56817d245872cb7dcb8c635f63f7ade15e6aeebee2d1d2eb6565641c033ed51dec15ac39329d456d1bfbf6708a7ddad1f32652d1f100b23c106be8e594f661

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
206KB

MD5
89e3369a32caeabd263bee3d60aa0869

SHA1
f66c6b0e152a8be07332ec08ecafde48448473d4

SHA256
93620afdf5c5d5b53307640c32f1b516bff346d998a6f24d30ab583d9b88ec1f

SHA512
0f0821e54e738a25845abb8f95da8554c09e2c4d87655a1b8ecf14b13d4ca45243089385ebfb8ca12bfa9e1b004e8ef1ba0a2e84f3ebe78b5ea42f7321bb034a

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
206KB

MD5
9374b926347bc38248893d1789821f7f

SHA1
6252191746061c9942333bb7d8b0b208913b8d37

SHA256
021959abd473b868b60517924a7be74f0d18ab3c779c147e6f968c0662e8ee39

SHA512
308855df5ebc99e751ff41d08a68250b4bb8ad10dccea652573e9eb1224968df0e36184b07b94af6b7c117eb51f9d67bb1f6b7a949dca1aec427de22779b688d

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
206KB

MD5
78b55343708c4e1bc4696f7707f966b5

SHA1
057ffd37bd3d630febacdc9135c58a405c2996f2

SHA256
068c93ec1d0f1ced7ec0474bab328c2a9fef1d66ffd6b6fc39bfacb651a8016c

SHA512
a0f3b83eb6a2c7874631d6eb4b11aadc52473f97b507ec1f8aca08d9e8cb56e250786e454caffa571596a8db4571516aeefaf673a30652a9e3d0356e99797d37

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
206KB

MD5
33e3c473ce688e60b146812009823fea

SHA1
03d7316b9622c76e9e64fa3abc61feab995ad6e1

SHA256
5abe4c69a9779819251bc6542c9f468a5d1fd58232bbed18ef65116641adc29a

SHA512
65838fa7cd638884454d5148df485022851373ef01b12925d5dffcc04affe252139fcf102e1233bc6b8b9c34f5705f557479b594306e66a005bf6944c5877048

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
206KB

MD5
1f3eec1f3a7e63bc626d2bd9dcc86f42

SHA1
1961c5db443d87a5fad849ded8c3cd2bcfef6cdf

SHA256
3c9d8b0564d350cb558551db0925b1c55d425c9b7000e581963d41c3fc685301

SHA512
9421dabebe080926c5fe0ca86d628910c6c9b93bc0c2a6879f3881c18910d34a1697bfccfc5d8e35034b5fd59ed217737b2a65525e967475bc3c7b6fe74ea2b4

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
206KB

MD5
21de301e8f289639fe3218409de3bd1d

SHA1
e3b0e2bbecc44f1b5961f0233830e88ba7f220be

SHA256
fd864ded7f56838774713270206c46b45eaff28de4a3854c5f6becfbc0a68a7a

SHA512
e91d54ea39265d7375887e2a8de2306eeef7b107952612f18e18e04e90f83995c1aacdb6c5a3ed5b561f5f751395c0898e23624b66d15c4d8cc968b8a6495f62

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
206KB

MD5
2a9b230820800d8028b5bfbe677fc903

SHA1
26496384b37c53b07462b69093954a949f73be5e

SHA256
26ff18cf0c5c0b45fb0dbe09f712cb24327f6e73f28646d49d1be80279410caf

SHA512
3f90bf7179172f3fc2542536abc2e958c389cc3adce8f7e08be08fe935feedb213fcf750f1d81c8ea444bb58625703fbac39ed2d924295afd472f9d6c1f0b4b1

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
206KB

MD5
603e6890119f5b9f54e34333bb1a80b0

SHA1
5dc564b129bbc581afabad5d3010aa04f4eaa9ff

SHA256
37fb1aaab20d1f594aece434935549d4be07b29760ed9d0a03249a713721fe75

SHA512
bb45e85c18bf975b8c3a27737b899305b30bd42e660fd13836566f9a34ec9d7db3fbcee46af5a8b851214a314e1680820ba87e99e2883d18378cc7adf28c800b

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
206KB

MD5
2000209e9b4da46170c423aa63199898

SHA1
67e5c4be31565b22bc6fbc4381c042dae64ce7f7

SHA256
587c815de13c5dc254a9699de36ace2dcf63e497e8c144206905aaf43c249663

SHA512
6aaa858cb6072b8c862a79fd6c68961ef7550b4a34158459abb13bad8742070baa02a5602b95592718b60ac074d9987ffb9366cc74b2d5fcaa4a918eefc2cb18

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
206KB

MD5
ad9e0db4738561450b4a829c33648df1

SHA1
29188e1c47741c154f078ac4edb459a6239b0a32

SHA256
165c5ea82448fab879ab50206b4da701cecfb662355261a54cab3a1aa3b9eec0

SHA512
45c821d9a99790c2f7d47fc1c2214f20937ff65db12e26454fbdc72d9c3bdaa7f1ad746a143f649434d58305461f113262ad57e6a465c0b7a3dcdb4632980233

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
206KB

MD5
6c2eac0607510aecc8dc2e9e0372824b

SHA1
e39403db9cd10c36ded949ef74e98671c01b7b9c

SHA256
65e7447ae6234c10de2eeac72ab0def5ece70711b50b2b82a5512e349ea100a6

SHA512
9615530dab09bbaeadf2a226f2d818f3d63a9b3d4e0e86555db4cf39d47a6cd3619f0559c7e61779c729ca101653c73f550eef435cf03eba60d27cfbe7bcb223

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
206KB

MD5
ac68309752ecee672821e6a287a1d841

SHA1
3bbcbcbb15626c1db5bbae00bb05b7d9eec150f8

SHA256
cad127392b6866d90214cf52f69ba1ea40d529f982a6dae54638a780d54923e5

SHA512
99d75c60bc7ab52642b109ee107f583530bc43db2c9a3a76d743a41b97188679a418cb75a66ff9aac4018fe810c312621be4c04bc63acd9ebcab674125d10eb8

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
206KB

MD5
509a296089f0aadd2fc336faac54fa37

SHA1
313ad252a9b1327861fa5f1be42f05150093da64

SHA256
244094f6ef4024454c5075b35e1d8c228eea4c5406f3cec2c955f4da5a2f1724

SHA512
ca1b4ee3714493aa5949a3d724a0ac730eaad8c49834365e0c508c9f49656c1a65295c3d1fcc32ea32eb6e0e317534f59ef62eed5191008cdc2e8d0bcd085fd1

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
206KB

MD5
b98b1d5b800f6b64868ce73537e4e10a

SHA1
929e7a596bfd9b0b618edd1b18568ab48d639b95

SHA256
d83ec562b386f53cb7ddcae5bb5ec8772fed581bedb600b5f4b04427b0859002

SHA512
f97c885ee88f89bc5dcb75d10aeb24af3adae96afea87fc6790902c4088d1d1a22b639df8681f6c11442a86b64a3a22f4f8ce0a4bd8f6e5aa57c31a439f92f3d

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
206KB

MD5
f698441f809390606d13efdb4058b675

SHA1
28cd44aa17a69093a6c871f948306bb4c0d70761

SHA256
c379037b394330e723e1d9ed446b832116ecff13f65a10370a1b379e123df637

SHA512
0536706cab4deea18b76248782644ed72d34794ce3d43a3daf97c414c181beefb921ea5be4ec3c7a9735dd59500b45d7a0b926023fe5dc25829cd08ec76da50b

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
206KB

MD5
2fcbb7b4c23162ef28302043c2bc9c1b

SHA1
19c1aae466c6ef33be11710e136d3e4a9f77e35e

SHA256
5bd4920b11a61682d178ca936b80b1c33bc2e6291272efe358efaf09d5cc93ec

SHA512
69e6c360e3b522c580f66d87ac60b9c8a7c43fe5d501b56c5bb45d3c206eb5874463e14eb4c303e4ba18a123731d5210bbba0c114b0bf7b1460dd12519c5981f

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
206KB

MD5
1af2f0d0684d887ebf2146bdd63f9fc9

SHA1
762d49a80b90845166b6b9409e91e8587a469bf2

SHA256
d0f0d51a8f389bfba7764391c4aaa0e0839fd50a178648298b15e488fa813f0d

SHA512
146296008cfdb9109dbf4c9a48a30ef8c234651bd3485aa32e4bb3e9b79dabf8781fd0a52940ed63651def3314f11edc66a0b7be789a5890f925dba37190ca71

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
206KB

MD5
6c3b073aa8a589a87509d44ae804ac52

SHA1
524617540c4297fe9381550fbb2d209a46f9dd3a

SHA256
28337f199add5d075d0160b8a261616dad1fea28fef7c857d8b9da142d41cfe6

SHA512
e7ccef26e0e0166949e5c18f7291c8b30323c77ecce0c664a418f2459dd3bb5a53253430317a7536d0364d88e13118ac566513b9462c8b5db4d6f863d641211c

Download Submit
C:\Windows\SysWOW64\Hkcdljbo.dll

Filesize
7KB

MD5
cf7971d719978a91ada420e35a9b0f20

SHA1
1d0cb7cdce0255c7770bd0a564eb22ccd02d2ba3

SHA256
93d3e613f6590a54183ae5280bd1088e30d844aa9de77d487bca4d89c6999e50

SHA512
002908b26e1457507a64bbc06b93e57d585f4c2ffef6642d8aee994f6ce034615e598e50dc7ecded44f47f187e1054b51ff24f1fbc042757d1731dbd2438b80b

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
206KB

MD5
591f41ec34087cdf1d256f190d20c22c

SHA1
cbd96e0513744a9723580b33e94d0ab69a2df9bd

SHA256
ee79d387b80d2d0f51464d1ecd919fae24bb112ccf6a8a5812a7ed065646a44f

SHA512
773f648f04e18e0b5ddc95541ed9eabf2b0d85c2761a1c8b9c6f9f44858c78e7af389a0a719bcaadf0cd0d8fe7a49c9483bfc99c4a990324e0e709ea3b8bacba

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
206KB

MD5
f3a0075cc02521f9cc02ff4760fa5c7a

SHA1
7ba9d29b9ede3ecb9df237f45054a687017ce7bf

SHA256
1c04820a6823f21cc1b948f6d4fad8b540c1447116ee6dd72aab2b1f36ce0634

SHA512
b3dd142000bdcecf9cfed606198caaad9e3f2091ee779d4eecba2a3657d6e4015ab91e1ff3aec06eb04c1999e7286859296a8d3b54d681eade81cc67d4d4b405

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
206KB

MD5
4d06850bd076e81e7dad4442802abaf8

SHA1
ec8e11577b3546b7673c1d5eca8db0d3186946cc

SHA256
799a1b323587f51f9a08502ffb1a0acabd2453a6deed70ee75d928d8180fec71

SHA512
2d890242564b54b488e5b4fa51bcb9c69e95393df2b63ffb77a92385b17c75155d1ea038faee4769ad4b4a6116e38c4cd48ee8dda215229ebc6bfcdabb03f0d8

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
206KB

MD5
31675c72131b800a5be932aad546753e

SHA1
fa388fbd0fe391ef81faaeb5f562fd6b69bf5804

SHA256
156e421c340f7568e89bab0fe4185f016385943849053559f209c73b8fbe870e

SHA512
881a1e5903cc00979feaa5947edc15a5c3fdd4b060b453ac981f166b88df56c9aee4b0f0ba61a0e4fc13a405610f8ad68a166bb36ef3d58152c5915849ae76de

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
206KB

MD5
ff97500cd75ce105a4d8a60ea3c3c921

SHA1
4f2031b3f30c4f23d2aeca4c7b94fe3b9c184b41

SHA256
23feee2bc1b79b4d339d0a49702dcc4aeae53a3c9e274358fd7afab90d8b772a

SHA512
1b972848674c6dab95fc1ceb0852e049c1a2cab413f161659e86072f41157e6a2f09d560ed4e01725cbd21fc4524f8dbbb67827613da3a144ce07c1c18d3964e

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
206KB

MD5
591258c58d2e6d9a361d5def2a82998e

SHA1
fceca44adc9283a0804b34bd3fb9cd6cda561b3f

SHA256
f06e058754b4e217389b83fd818c136e63bbda90ef2e88640d17cc03b498bd69

SHA512
5261dd8996cb41ae886d79f5fc5c127bfc1f6bc3021b2e50dec744f983019fd5f57de62621b786686c20620718b3585af8b93b91c0cee8bf04a82722069d8fda

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
206KB

MD5
2e8f411fa1d80182200eb3a52d4b3d01

SHA1
1f8f83b03847b418717088216374311ac47aec48

SHA256
e63474c0de4887d5c7e0d085c55498f3015de7c6b4ca23120628ee654e6829a2

SHA512
b1111c54755369c35ef9a1372f778c77dc5185e34eb3cebf0b0d661d9bb1ccfed8d4649967c4d6de849eb085fb96a824510776b14ddf3b986dd2e917e113661d

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
206KB

MD5
0c82a8c5da8b7b11acc5464e447846b7

SHA1
15da01671a47fb5bd246c7ef87f76b583e309b72

SHA256
5d7a0a4a9df4efa784e7fae9ea8e2938f1948386c40608b501761386e142c0f6

SHA512
b4289b689cf191f862b60e4ca66c2847e649bc1424dbdbe03f0f3037da5c3a3f0460815eb62c76832aff7ec4f20a33b66106f21faf9f56568be94270246f7279

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
128KB

MD5
1663c51ce840034af65dd218a57e1f7d

SHA1
c74c117e289ef5b753253094d440428d6b761701

SHA256
89d3d0e361593da04b6338593e52e1d7079a1b6812810a9fd395820162aba709

SHA512
32fcc1a9b952cf76e80f2a30651cb1d91ab529382a7f9422535859c355984ea6febd9c13725d3f9477f0cb8c0bb5f47427e0fc84bc5a0b2dea99f9aea4c10a0a

Download Submit
memory/212-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/264-365-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/404-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/412-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/412-148-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/592-514-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/696-361-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/888-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/916-440-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/932-257-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1016-433-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1016-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1020-438-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1072-450-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1380-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1632-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1660-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1660-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1664-468-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1664-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1780-368-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1884-166-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1884-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1904-258-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1956-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2024-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2160-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2184-43-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2184-123-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2492-462-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2504-372-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2504-507-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2512-181-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2632-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2672-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-445-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2744-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2968-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3100-437-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3132-469-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3224-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3384-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3384-213-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3440-435-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3456-520-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3456-453-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3496-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3496-253-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3508-493-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3548-367-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3748-259-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3748-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3864-529-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3892-254-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3896-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3896-353-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3912-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3980-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4020-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4020-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4036-521-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4136-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4156-354-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4188-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4188-185-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4208-439-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4280-488-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4316-371-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4316-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4372-366-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4408-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4416-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4464-471-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4484-447-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4508-527-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4584-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4584-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4600-156-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4656-451-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4656-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4684-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4684-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4788-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4820-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4892-434-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4896-150-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4908-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4908-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4952-186-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4952-477-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4988-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4988-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-357-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5052-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5100-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads