c2285acbd477293b6b690b267d5141ff88012206799f277b1959de1fa0e5ff7b

Analysis

max time kernel
137s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34475bebe71890e0098e9bb8c828d780_NEIKI.exe
Size

176KB
MD5

34475bebe71890e0098e9bb8c828d780
SHA1

b4c28964e484d4f9d507db95283bfddb22add337
SHA256

c2285acbd477293b6b690b267d5141ff88012206799f277b1959de1fa0e5ff7b
SHA512

14a3bc2102029bbad7a981edf66a6425d72f2a744ae43e5fd4926e2d17ecb087691b75431f26ac3b262858f47f081f2eca6052991a0299565d989fcb383ff1ec
SSDEEP

3072:KVowCUSmrEUf9jgarlOGA8d2E2fAYjmjRrz3E3:KOwm4TjgRXE2fAEG4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeghene.exe

Executes dropped EXE 64 IoCs

pid	Process
2032	Ffekegon.exe
756	Fomonm32.exe
3764	Ffggkgmk.exe
4808	Fqmlhpla.exe
3320	Fckhdk32.exe
3876	Fjepaecb.exe
528	Fmclmabe.exe
4260	Fqohnp32.exe
3724	Fcnejk32.exe
4724	Fbqefhpm.exe
404	Gbcakg32.exe
3096	Gimjhafg.exe
5052	Gogbdl32.exe
2984	Gbenqg32.exe
1208	Gjlfbd32.exe
4708	Gmkbnp32.exe
1496	Gcekkjcj.exe
1656	Gfcgge32.exe
4864	Giacca32.exe
2024	Gmmocpjk.exe
4640	Gpklpkio.exe
1568	Gcggpj32.exe
3468	Gqkhjn32.exe
3508	Gpnhekgl.exe
2424	Gjclbc32.exe
2732	Gppekj32.exe
3300	Hboagf32.exe
408	Hfjmgdlf.exe
3848	Hmdedo32.exe
3296	Hcnnaikp.exe
1032	Hbanme32.exe
4344	Hfljmdjc.exe
3736	Hfofbd32.exe
2696	Hpgkkioa.exe
3688	Hbeghene.exe
1264	Hippdo32.exe
4544	Haggelfd.exe
904	Hcedaheh.exe
1916	Hfcpncdk.exe
3264	Hjolnb32.exe
4840	Haidklda.exe
3892	Ibjqcd32.exe
4820	Iidipnal.exe
632	Iakaql32.exe
920	Icjmmg32.exe
2188	Ifhiib32.exe
4540	Iiffen32.exe
3456	Icljbg32.exe
1964	Ifjfnb32.exe
2472	Ijfboafl.exe
3144	Iiibkn32.exe
4744	Idofhfmm.exe
1860	Ijhodq32.exe
4288	Iabgaklg.exe
1928	Idacmfkj.exe
1772	Ifopiajn.exe
1168	Imihfl32.exe
3104	Jpgdbg32.exe
3344	Jbfpobpb.exe
2068	Jjmhppqd.exe
392	Jiphkm32.exe
3340	Jagqlj32.exe
2692	Jjpeepnb.exe
4956	Jmnaakne.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Gbcakg32.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Haggelfd.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Ffekegon.exe
File created	C:\Windows\SysWOW64\Gbenqg32.exe	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gcggpj32.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gimjhafg.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Fomonm32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Gcekkjcj.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gbcakg32.exe
File opened for modification	C:\Windows\SysWOW64\Gcekkjcj.exe	Gmkbnp32.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Fomonm32.exe	Ffekegon.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Gedmgfjd.dll	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Ekfnlmai.dll	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lcbiao32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6368	6272	WerFault.exe	233

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmioko.dll"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfnlmai.dll"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibpam32.dll"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	34475bebe71890e0098e9bb8c828d780_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2032	2972	34475bebe71890e0098e9bb8c828d780_NEIKI.exe	83
PID 2972 wrote to memory of 2032	2972	34475bebe71890e0098e9bb8c828d780_NEIKI.exe	83
PID 2972 wrote to memory of 2032	2972	34475bebe71890e0098e9bb8c828d780_NEIKI.exe	83
PID 2032 wrote to memory of 756	2032	Ffekegon.exe	84
PID 2032 wrote to memory of 756	2032	Ffekegon.exe	84
PID 2032 wrote to memory of 756	2032	Ffekegon.exe	84
PID 756 wrote to memory of 3764	756	Fomonm32.exe	85
PID 756 wrote to memory of 3764	756	Fomonm32.exe	85
PID 756 wrote to memory of 3764	756	Fomonm32.exe	85
PID 3764 wrote to memory of 4808	3764	Ffggkgmk.exe	86
PID 3764 wrote to memory of 4808	3764	Ffggkgmk.exe	86
PID 3764 wrote to memory of 4808	3764	Ffggkgmk.exe	86
PID 4808 wrote to memory of 3320	4808	Fqmlhpla.exe	87
PID 4808 wrote to memory of 3320	4808	Fqmlhpla.exe	87
PID 4808 wrote to memory of 3320	4808	Fqmlhpla.exe	87
PID 3320 wrote to memory of 3876	3320	Fckhdk32.exe	88
PID 3320 wrote to memory of 3876	3320	Fckhdk32.exe	88
PID 3320 wrote to memory of 3876	3320	Fckhdk32.exe	88
PID 3876 wrote to memory of 528	3876	Fjepaecb.exe	89
PID 3876 wrote to memory of 528	3876	Fjepaecb.exe	89
PID 3876 wrote to memory of 528	3876	Fjepaecb.exe	89
PID 528 wrote to memory of 4260	528	Fmclmabe.exe	90
PID 528 wrote to memory of 4260	528	Fmclmabe.exe	90
PID 528 wrote to memory of 4260	528	Fmclmabe.exe	90
PID 4260 wrote to memory of 3724	4260	Fqohnp32.exe	91
PID 4260 wrote to memory of 3724	4260	Fqohnp32.exe	91
PID 4260 wrote to memory of 3724	4260	Fqohnp32.exe	91
PID 3724 wrote to memory of 4724	3724	Fcnejk32.exe	92
PID 3724 wrote to memory of 4724	3724	Fcnejk32.exe	92
PID 3724 wrote to memory of 4724	3724	Fcnejk32.exe	92
PID 4724 wrote to memory of 404	4724	Fbqefhpm.exe	93
PID 4724 wrote to memory of 404	4724	Fbqefhpm.exe	93
PID 4724 wrote to memory of 404	4724	Fbqefhpm.exe	93
PID 404 wrote to memory of 3096	404	Gbcakg32.exe	94
PID 404 wrote to memory of 3096	404	Gbcakg32.exe	94
PID 404 wrote to memory of 3096	404	Gbcakg32.exe	94
PID 3096 wrote to memory of 5052	3096	Gimjhafg.exe	95
PID 3096 wrote to memory of 5052	3096	Gimjhafg.exe	95
PID 3096 wrote to memory of 5052	3096	Gimjhafg.exe	95
PID 5052 wrote to memory of 2984	5052	Gogbdl32.exe	96
PID 5052 wrote to memory of 2984	5052	Gogbdl32.exe	96
PID 5052 wrote to memory of 2984	5052	Gogbdl32.exe	96
PID 2984 wrote to memory of 1208	2984	Gbenqg32.exe	97
PID 2984 wrote to memory of 1208	2984	Gbenqg32.exe	97
PID 2984 wrote to memory of 1208	2984	Gbenqg32.exe	97
PID 1208 wrote to memory of 4708	1208	Gjlfbd32.exe	98
PID 1208 wrote to memory of 4708	1208	Gjlfbd32.exe	98
PID 1208 wrote to memory of 4708	1208	Gjlfbd32.exe	98
PID 4708 wrote to memory of 1496	4708	Gmkbnp32.exe	99
PID 4708 wrote to memory of 1496	4708	Gmkbnp32.exe	99
PID 4708 wrote to memory of 1496	4708	Gmkbnp32.exe	99
PID 1496 wrote to memory of 1656	1496	Gcekkjcj.exe	100
PID 1496 wrote to memory of 1656	1496	Gcekkjcj.exe	100
PID 1496 wrote to memory of 1656	1496	Gcekkjcj.exe	100
PID 1656 wrote to memory of 4864	1656	Gfcgge32.exe	101
PID 1656 wrote to memory of 4864	1656	Gfcgge32.exe	101
PID 1656 wrote to memory of 4864	1656	Gfcgge32.exe	101
PID 4864 wrote to memory of 2024	4864	Giacca32.exe	102
PID 4864 wrote to memory of 2024	4864	Giacca32.exe	102
PID 4864 wrote to memory of 2024	4864	Giacca32.exe	102
PID 2024 wrote to memory of 4640	2024	Gmmocpjk.exe	103
PID 2024 wrote to memory of 4640	2024	Gmmocpjk.exe	103
PID 2024 wrote to memory of 4640	2024	Gmmocpjk.exe	103
PID 4640 wrote to memory of 1568	4640	Gpklpkio.exe	104

C:\Users\Admin\AppData\Local\Temp\34475bebe71890e0098e9bb8c828d780_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\34475bebe71890e0098e9bb8c828d780_NEIKI.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\Ffekegon.exe
  C:\Windows\system32\Ffekegon.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\Fomonm32.exe
    C:\Windows\system32\Fomonm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\SysWOW64\Ffggkgmk.exe
      C:\Windows\system32\Ffggkgmk.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3764
    - - C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        24⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        26⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        27⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        28⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1264
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        43⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        44⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        45⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        46⤵
        Executes dropped EXE
        
        PID:920
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        58⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3344
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        67⤵
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        68⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        70⤵
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3260
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        75⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4912
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        78⤵
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        79⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        80⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        81⤵
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        82⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        83⤵
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        84⤵
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        85⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        86⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        87⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        90⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        93⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        94⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        95⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        96⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        98⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        101⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        102⤵
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        105⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        108⤵
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        109⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        112⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        113⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        114⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        115⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        116⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5832
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        119⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        120⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        121⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        123⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        124⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        125⤵
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        128⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        129⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        131⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        132⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        135⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        138⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        140⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        142⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6180
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        144⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        145⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6272 -s 408
        146⤵
        Program crash
        
        PID:6368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6272 -ip 6272
1⤵
PID:6332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
176KB

MD5
459d048154b104040598cd013f702dbb

SHA1
e4c240110e82457a6f53e102a5a0b80e21c8bceb

SHA256
12a699b55c42f434a24c5559e02655e930c693c108d35d25d790764a87d33d7f

SHA512
45dfcf973bcfa8d2bcf0dc7e503519ed477de76c08906a44926e0457f034744401024ede2a4ee3fb4fad22f7e6779ccee7804fca8f6360f46478dd642d2e2182

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
176KB

MD5
f30e187f2f344b01a12e2f8140c9320e

SHA1
35363236e2d9a263c33b4d1ef32c9cbe0344fd0a

SHA256
1e7d588b2c843a6bd0409eaa22898c3f6ce7157c4c0b1cf75716a247d9b4c088

SHA512
4597f291da3e9e347ceacb2b4f6ae2f9dea91dc0e5e5ddeb3410ee7245be224b9786efa3f2455fc68b76866b5352b6705ec6053dff5fe8f84d9f0c55d7fefb5e

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
176KB

MD5
2c8e6942f1a2f7b8422c0315b3fddff2

SHA1
20bb4c14c4f996344da0abc89d9ebf361c505204

SHA256
b745352b8d0ef5811a51a8168760b1a442b29de294c22473734a41bf7f4d7d3b

SHA512
e03a501576cb8e44c764d789d383a1612ea537e406800a621f44197a57bef6484dbec9bd9085564cde1e0ce673c649175f7a4a7e4767a190f04cde0aaa06788d

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
176KB

MD5
ddfe54a3885b4904035ac0c4e015d1c7

SHA1
86a1a38f0b1d0955f81f5de9a245dd1b7710d24e

SHA256
689af36e973b83b2b6326892adbe8a8a9c64420019b3f141e27ef5e050d51da3

SHA512
d977d8740a7367596e941cb99de53820c496b2db8a17a69a79d1f02d2a3caecc54ac9cd2bdd4129e3eebe442fe03b89117226aca7bb00525c1a49a0f82177ee9

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
176KB

MD5
01f1f4f9c8c62b9b5994159388321145

SHA1
12e3be52220e967d3c729b7461fd6e05be103e84

SHA256
1fd47c84c7b92fc43c3bfc2712b95da61b2a9406de5c43289622b192595e7f61

SHA512
74ed5cf8b61e50bdb7f1f68415dafaf4da7c68b5ca7d02e0bf119bed6f2d3d8d50fa38aa2bb393e948929a553185832ac2cd51d98b25c157097c4b24776ff876

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
176KB

MD5
6fc6be31ce484c58249402201d0e6c81

SHA1
3eaa83e13b7461115cdcf121587fab812840e551

SHA256
b6d613bf4673e8d95e98a76b6abb1e768d108fcb9999c99a217025aad41b1c70

SHA512
c8638d77a83f17eaae573ac49a1ce83a17e2df1867e7cd93d7b6fc7d91d4088392ce0ca456d104ca770aea3acfbcf4d5392efd17c60ea9f7f93f209fb2c916e8

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
176KB

MD5
554d2a7a103a121a1ecbfe56b57e2a69

SHA1
143bc8e49a524ac6b692915fff44f7af2d5f9a87

SHA256
83f5242f5dd97bd2bc3eb76692c6b9f2f6f58b68c52f1907b38bc1e4cf12bb04

SHA512
f46bd0d969815261870054de05a19609bc9bd08f1f484c2d7f59db3da06819aef3658afc6e69f7ce21f31dc3cf1d34b7d3918aa55d711a574ffbb07957336a9d

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
176KB

MD5
645310c3d7d93eb4e038a6b6db137b4a

SHA1
b9dba27c1ad4f078e107fe4c39934b21371956ac

SHA256
6e4bd9702467cb682831e780d33a1cee70ce4aa221d9ff4aab5cb2cee57d8972

SHA512
e6c1ef1f6af944cb3d62341c669b0f2d0162eca7e6aaef2adee4dd926dfcb33f7675fadf03b7e6ebc894d759e434e7ede136ecaa0260f3933ffa9d8f1b3eb125

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
176KB

MD5
7ae3d03693569b8ffe4e5d7b1961c584

SHA1
215e47470967a3b5e8d04d2dcaa6b3c7ad556b88

SHA256
6ccc4bc82187aa30beef1049d04b49c8eeceb30a70e5b08cd56ae3a32ea7143c

SHA512
86c6fdde192693677438256cc9574273b35e2e571c77748fd61b2268df44af4267f5f094ac64e60d1f78d8ff6cf2ff894aaa92acb63954d721dad6fc894c2d53

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
176KB

MD5
d21305168c41c331a6cf40b2ade167bb

SHA1
445561bf006acbace924aa1ee7eb66b3d0fea175

SHA256
c585f352d63de38b018af54b4c1ba3285a7cbeabd795f4f2ec7167afd4d023bd

SHA512
007d30a43d6cf05eea997696af66678acf30ba79bfecfd44eebda588241521739cefd7948fe9f87d376b9921f0e0b484eca34891a186a028851d8e3efd025475

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
176KB

MD5
56f53b1db06d22e7eaee83407bc5a825

SHA1
66fdf883587d952bdb1af2d777305ea4e3d0d3fa

SHA256
c2fec7065dfbc7c06c207eed2ddd68e2b16be18798d801bbb7698d78b06f960f

SHA512
a1d0aa71003a4703be98e212bab79bcd59ae10eef6d1f4ebfc210c371864a19ea9b24aa0992342996acb69adb8bc612038c4fb0b3c765544fec7523358d84713

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
176KB

MD5
23a3b523dfe1907cc3f1f618c04edd1d

SHA1
e160851961c4491287c43673acce42d8458f2216

SHA256
9a04efc8ed06b71d703e8c9f6c8e919c85125d99f9d217dcfa72d3321fe009f8

SHA512
89a56e144d4cbe3989ec78e32da9daa8d51c627f2fb6685261e2d704172c31c796a8a8f199e3cda3ba540fca39ae23414db8ced6e0c24efe60c9c226c482a530

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
176KB

MD5
aa4bb935c28b933b26469549036e5d53

SHA1
3f3f8f8037d769c6132a2758302246fb991f372b

SHA256
8431e3f412805f90fbeec7df9ae98541507613122d52fd0b9192d1f338513402

SHA512
c0d301252640a1a739e90b5814fdffe646de93c915fb3f2e4f9a55db07405c2bbee8ff65f2c3a5c8138458ea9dfd859516d0217d315e21d5dbf8b877d204f44a

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
176KB

MD5
abce17636eb1d40bf03942c003ca080e

SHA1
3b541ef6711caee594f52a4840642b26dee18fd8

SHA256
4c3e7f4782903370b6e37670442b95e089ee47d0c80438c09c4153bf19e5307f

SHA512
8dbe805532c67278182604a94e05b8ae4b02d033cd441cebc765d255b97b09f6a7b274c2e9acd5bb050b985662dd4b123a26a3cf0d5f07e1ef349b2a9aa81af1

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
176KB

MD5
b35e790cb845fe68bbff2afcc800d385

SHA1
2ccf4e08bf77c973365ee0006acea8b0930642fa

SHA256
d460711a8d73dd6db902f34842099287fa7f552d11a8522eaa5f4c17c3451b46

SHA512
722ae168ac70486cc639599590dedeb977c0fb908d43bcb5b386e24cded25161f45dd745fe89f69c848fe2cb37ce2c6c9a658c59b0b487f158fe9ee76c549ff9

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
176KB

MD5
704835a02c37d93b66261d61a1c7fb0e

SHA1
b13e9250480273551d57a6859592a8bf080c3639

SHA256
c896fa1f46897c1611b05e87ef51c5099e64940ab7d4b85eead50ec029f3d41c

SHA512
b73599b020eebdc09ab931b95a733e6d484f22ec92b5356def6390748e44cde0efe7be0878afd3f1a470aaefd347241c5c7558f99e8b09ec83924cb29ac64569

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
176KB

MD5
4958550fb8f42f59cab445bf2696fad5

SHA1
927d48e1297ddf9bfd7b912512a413659eb620ae

SHA256
8593a9533e34466e3234f627713a5abd2d3f84cfff4641f45ada6e96061c73d6

SHA512
3a98cb8da71f110b2de9c2b93a8c767b609c9d2f7fd58729ef2477fa5f285e6aaf811688d3b9bab92e65bb0cd61a89398d6e97a151c5ff77a44341cb3c912497

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
176KB

MD5
f44e35def4b704d33cb67035adaeebea

SHA1
9c85b16eecd2edbb8a1a889edd783fe55655cf42

SHA256
995ba2acf760ca47bf6655edc1f35c956c9c2ec65952710ca25bbda2094f15ba

SHA512
10d82cf2339b6d363022516e3ef2679d5cdd525cf07b748ab94ca054a297fccc58f56cfca04c3e197ecd1d32179cf211d2f3cdd10be7dd5215974236a3a825e8

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
176KB

MD5
d49c401a4c5ef472f33e5206884e8635

SHA1
92a04b5f2fd7412bbdac7c5bca0a351b6368e9bb

SHA256
f581552de5b2e4060f03cf709599f42ca6752e02bea2d4c6b02c0c8a6930a7c1

SHA512
7fa04a8a8cf35c942302a4f6c5387cb4fdb3deeae010242dacfd60fb9a0989ea6cde5ea9bcef7aaad7f5f132c9eac819cfd2f8aa8ada3bcb3e31c810306f4e00

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
176KB

MD5
4a1a1f6b35d174d5068bd119a7ea70d5

SHA1
08f76c921ad53542c476f03e0911a077b6e87da2

SHA256
c78a558717a020a7f613bb50aedbf3d4a9dd9e88dbe28cafe0e7ebed276c36b3

SHA512
fefcd5d321d5a8db4ccba5f8e99d8d35e2ced86475aba758e07d17c33c09fb33a20d7cf5044829a91b5005512cc321ff64e288754f8e1c4fff6d744a30897ee1

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
176KB

MD5
49237b635c8dd18e9800a4bb30b2ae26

SHA1
a8f6a8abd6e21b9e9a6e4f25f6c6c621cf14d02b

SHA256
c725552b1e901f2ab1fd0974fbc431bbbc7e7e8421673f56904b65693c9b127a

SHA512
27e6bd60d77799ca8a7218557b03d6854e7f188f862c8680fee2983ff078d576115ad6dee2e04f8df8400e7f2b9ad66b29e17fa41212fbcc0f5695268c2c78c0

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
176KB

MD5
37c8cd2d643ee67dc95359968c1f1164

SHA1
813813b166fb0cfcb3ad0db12ebab65f41ddde50

SHA256
7ca69f61170da899f51bf0897f81ba2d6c1240b7f974c74df17cc047441eac31

SHA512
b8600d432957e1260dc1b85f2b02e5256615e38a293de57affb23c6e90e4ae0a795fbd8573fe661d3d0bb60d4bccfdd3a54629cf16604e1fa419b645daed1dc0

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
176KB

MD5
c756e90776bffd4e0654b3a2a052842a

SHA1
b6b427ed931b603c90d06c3e6d2828efd7f04dbf

SHA256
97be947123508067b99da9fefbe0c06cb4568746f9100a81bb6a942e2efae283

SHA512
e4fd001984e4edc137b4d79e17d2c48ca534e6dd6ebe0ca5451981c160c65e73cb2688ed15be11433dfcb4c5b2d627f3964e361815130bb57230ebc67b8fb19b

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
176KB

MD5
ab9d0c3a9072c365582bee41cb30111d

SHA1
e3d1894e9c317e4e8c33e64493b805d487743e83

SHA256
c6cf1e19989a06649108965b45faa1dac56f0f4f11498ba50c4d405bb1617316

SHA512
42b94a952b6929401cd2716612da8c86c4e342edb6b25a4c7158bdcad25dbf2b8385d744f49a2600084f564f81fdef16a601a71e24086caa746e6714834b089c

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
176KB

MD5
e4a89497ecd6a16c32b811f47e74ec38

SHA1
2a6873c4b2fceb620565b94cd7fff721c609056e

SHA256
3dd2b60736ed4483a9a46d972d6db2b16dc50f4019b45f18a55bec7a4cdcd0ef

SHA512
68322fa768c695bbe74530cf1ea97bc42caad602540f1b5c9da8f3ae59a5a1b2d65ffe9022bbe7d35cb8ee552f3c8450e939f4a9364f6ae179962a6f4ab49759

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
176KB

MD5
e31d8a7a4238a03e3de58329a626476d

SHA1
c2ff1ebc1b28eaf7be830bb77ffab3df14d3c5c5

SHA256
34de6ccdafed42d1904799f8980f86d11d0a77fd7207f46f46fc04d1dd02237d

SHA512
55145c777f7a37760ea9ee1310e5cd171a5fd3297cad30d808d54c150d13486c26b02deecd18f3d0e3170570d5058c86e420baa836f3d5464a235ae48f62f4fe

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
176KB

MD5
2bd0fb21cf0ea7b40f6a277f325cea4b

SHA1
e52c10080a600762ca5ce55fb4c45c77ad0625da

SHA256
9ba086e99fa0215f9d5aaab160a14506d2bc8cffa364ea9f5dc0ee486d42284a

SHA512
251bbe9ad97dd172c5ba512561a074ad7f6734f5aa21f9cc10afd3da5a7dd8bd0d7318a4f84f38c671cef9b981f4e94430f5acce6d6726f24cc37acc5dfbba98

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
176KB

MD5
5a77b077eba0c84e84073720edc2c585

SHA1
0c6ed039a9259fa90947c85143556bff3ba4cd56

SHA256
a523fc2736c14b39f70be734e00efa751b61d4df5260150f5b7c1079079d1033

SHA512
3f991364a29f571e76b2a368aa3b96c3ad3bd5d9a2f524390b531bccf4f85474e35f1f9372fc6ee663569c462a71b4380a14a188ec7ac59b983db07c13c8ebc7

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
176KB

MD5
a743c898ced7eb02c392176ec9ac1565

SHA1
f11ed9f83223bb43ee0a589429cee71cd8423e5c

SHA256
b02ffb75ee4c26acb988a64e72f056d6903b74f2da172d934216b397b1db76e6

SHA512
1019b7714fd76220239da06f7a10f88cb578ad2aa1b0310bf816d908c680984fc26c98365fb0af755d441e4f883d1223c55cd55309bfa6bda329e75cb476795c

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
176KB

MD5
e35088c396b06c5bf5b5e1e85c698b01

SHA1
fb4342d41524bf71417778504a663ad3a9f57bf2

SHA256
124d87d0dafd101d77309fe7aea0db9d31dc40012fe316436eecfcfc4572ecaf

SHA512
9db3a38e15f1fa52755bff6d17a9bdb8eb5b186a4da28b261a8a030f2a197eba85e0b6d31e9fa555919bc965616f7fc636572f0f29fea0186552352d230a19b9

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
176KB

MD5
e74e1c19e00c6423d78c2c200ca0317f

SHA1
46633f0f8b3784cd3d92c4cb1d3654c486489acc

SHA256
f8178dbad26b0b3993043c222d129f4d6150ea00dad9e1fefbc7faea42984f63

SHA512
74b30c4e17a71f5fa44ca3fd3f7adfb2b78700a1f70f3ce8b9ab322379fa335324f8a71818ea2faffc6ff21f000c026ecd102e09020822f803d5775175a6579c

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
176KB

MD5
a3e41313ec2f852457e673f47d7ef76e

SHA1
a613d3430a8e8827959ef686b4882c565a79ebdf

SHA256
8452b1c4873a613d2790221b1caedc0180f514e91d20eb84d0036c1272502611

SHA512
7901e3ba5f3b9d3f2fae487c86905ba8a782bc0fc45a57724d4f35297bbba25d5d13d4e536502f20e8ad42e25d3332c6db6fc11135ce9b0027010668f8fdd09b

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
176KB

MD5
9b9e6b6b5a8e7dd505044866ca710320

SHA1
7affae39059782897bcde0901e34c61f470a9a8e

SHA256
b16ad04b55600021601b48e919fc1a2f43ca712b19bfd976755b8f29126c5832

SHA512
36bf17201131f8a8cac7788382be0180b7170f3aeada75fbd89608bc8acc6f67f5f49cc6ed072f55e5f0f958b3e0d6f0ac8088c7c6892f867d126b22307e6195

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
176KB

MD5
ae73b29021e604a71cf85b1bdf8209b3

SHA1
8f0d438683808319fcd632582bbe5e3ec27af5a5

SHA256
e1318aa412c8aa35be93c0d1e6f1feae177e2f3dfca30cd2316dd0fd7ec58f55

SHA512
72dd207e91a364cd614d666e543e238b6a99e19f7ea4c3b3835c62a55dffb061d790c8b768bdaa65b26ef3d95a497ef9f8d9e25be48b6ab0f3ac5ef34ca1eb74

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
176KB

MD5
d89cdeb38209edb7e256758c2d9f1ad0

SHA1
be82a0c79ebf13c5f5c0153a4edf71b448eaf80a

SHA256
664edd754115218e5195fed247d826bd05f789927b46db05e15f3f87027e4612

SHA512
81ebb6d9ef0ae2ba3d8e77df420f08a2b3858952f8240b1f2240f4bc9d7f73d8379b374ed1296741695a76ecca478e77ae9a0fc180dde205b11338e47a5bc2d7

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
176KB

MD5
1e07f5d08ed0436ccfd36c44cf29075e

SHA1
7ed98db36602073f43f0d9d501ae487a779db126

SHA256
5b0bebec3a519b00e33dd2b5a615f2b37c211934af66e0acbdc6569341593d2c

SHA512
c70a565159aeb1b6a5d8e7927591502879fd59cf6a8fe5012ef769feed12c8062f86a2bebe27f391d3bf09832fba292fd68f65750cae3c331913c9ebc059e65f

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
176KB

MD5
fa48a4fe4cb1b4dcf777f406d2892012

SHA1
8278ab398c9f99cc7db376ccdde38ae9e58e3b81

SHA256
9288f73c78cd68222c21c5be3037281838bf64437f92cd7ae4bcfbb66e10872c

SHA512
1d9f2a5f0a6dd81adf769681bfdd689a22a1861d11f276401b9509a1114f37936e4c042052be6498606fb2955b4ed7edfafcd96d2c48423dd59f9e8f86ed7b75

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
176KB

MD5
73d3f41911d6f45a664743935c6be95b

SHA1
24a4d7fc3b281ec6988813b10c44090f22d99b15

SHA256
ada0ec774899bc1694faebe0b6f64d54ce1a2e9209721bd5a9677a3afecd400f

SHA512
9423d14959d69fc7e076be993a0b1ae7107658198aa2668c6365d68e1e8a3d012fed7013b01ad5b0e115170d2ade6cbed1f33fb42caee4a88f010735eef6eec0

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
176KB

MD5
fe6ba5131605384857d70d627dcf2729

SHA1
9a0e143007c0e4475d542164220ca5618121661f

SHA256
9864671f0199f3634492b3259aad7624818760ba479b0cbfc994505ac5164d7d

SHA512
85f5367a1e765e579ac35c7a70e9fe00201b9df86675b9bbbacbcce38f7d9198c29641df8916bcd5f4765fd3f5365861521dce68eda402b22fd19ae880269043

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
176KB

MD5
34def75878d304e8c1d49c8b3e82faa7

SHA1
5c16ac6e023e8545193fa38c5ee2901472fc97ee

SHA256
744a2ac9715434c42c707c69abc99616a186a34f0dcb8071d322d27f2d1f0545

SHA512
3e8822deadb1253296f7e90219f60bc56cd8ea7fbf6d2ea4e4521c928e31bda3759d57d7c526a24e3c6abe356796f3dedfef89a6e904ff036b333e545c6e8b56

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
176KB

MD5
eb4f065e7f9f85d64bcf26a47eeb0dcd

SHA1
4cd8693f2632116d58bc5de0f5be06c6cdc97d35

SHA256
7deda78bea9e2fc6f2be9ba04a160a294824330483d95090ac2503f3e1f340c9

SHA512
5334d785407ba64cd4013959674da2fcd8fa56d7a9f9787e01054ebf880675f9a1000194bbfaec4be8c5ed954922640c87b3b370395ecc3334456e488cc2bdd5

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
64KB

MD5
76e34b095f7c998f83c593b0308f6015

SHA1
620d2f7e6e8e7a3218c05a4aa787d705024605de

SHA256
498ed4e75aeb73105922f438edb296944255b556631a76747a3ca407cbcb45b4

SHA512
fa40387c929755e5f19ff41c8b3e4cdcd70905bcffacf142852f76de924965c0f29258b22b309602d2f826fc7d32ad675acbd1a5e9497ebeb980a18642a0b71b

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
176KB

MD5
80599110a9a9bfaf2d31ebca3b03c354

SHA1
f76b63d4a8873e01d737475acd139c80770b54b4

SHA256
3975f9b5212b72281426508e13cf4d1f127d34712bef909895a316ea5376ede9

SHA512
2d0be8204a23947674fc0b40956c6489829d0201c46e140d9fb99b7810d82585c8c3f530b879ed442d59d88bfb27c07d253f51b0650bbf5890a5053f59b37020

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
176KB

MD5
b865bbc63727376c336a6cba8c97c282

SHA1
34107941823195f09b2c53bcd6a8db2772406b7e

SHA256
baec10e9e6ea71380ced541cbf3219b8c587cf0afc6a1cac227bbf8e686463f9

SHA512
b1652cebd52933ffd08f1e0082203388e44c4bf5349c7676b155750d4ed3fd9c3932ed0be8f667411c1f6d88f9cf0f8b4dcc257fe3357a4eb5f232aba5f13316

Download Submit
memory/392-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2984-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3736-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5172-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5188-1004-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5256-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5320-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5320-1058-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5744-1045-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5812-988-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6020-987-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads