e7d36bfe6ca7448a064cca98b88d4b1dd63f689ff4d6c306369a1f2bc2f2c8ad

Analysis

max time kernel
136s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5726d9c1133d959b2468d5d7bd94d340_NEIKI.exe
Size

79KB
MD5

5726d9c1133d959b2468d5d7bd94d340
SHA1

f4cf4fb8f88719328d6843ce57a448302b69f3bb
SHA256

e7d36bfe6ca7448a064cca98b88d4b1dd63f689ff4d6c306369a1f2bc2f2c8ad
SHA512

4a64138de2505a9a2b42778b93aa4d0e606eff56241baca271c4f7a2dc1b6e7f2b08fd79eb42798d34a35f8355d4e6bf09bbe5a1b1d33133cbb725d6a60dfcd6
SSDEEP

1536:DnsFBo49d9OqLiyUId+isqzl2UZ2WGlNMwZrI1jHJZrR:4FmGyiiytd+isqzl2UZ4NMwu1jHJ9R

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe

Executes dropped EXE 64 IoCs

pid	Process
224	Fmocba32.exe
4252	Fqkocpod.exe
380	Ffggkgmk.exe
2768	Fifdgblo.exe
2916	Fckhdk32.exe
2012	Ffjdqg32.exe
1096	Fihqmb32.exe
3200	Fcnejk32.exe
1820	Fflaff32.exe
4192	Fijmbb32.exe
636	Fqaeco32.exe
3320	Gfnnlffc.exe
2660	Gmhfhp32.exe
4488	Gogbdl32.exe
2780	Gbenqg32.exe
4968	Gjlfbd32.exe
3988	Gqfooodg.exe
3476	Gcekkjcj.exe
3864	Giacca32.exe
3080	Gqikdn32.exe
1564	Gcggpj32.exe
4648	Gjapmdid.exe
2176	Gpnhekgl.exe
4392	Gjclbc32.exe
2716	Gmaioo32.exe
4572	Hboagf32.exe
4884	Hfjmgdlf.exe
3204	Hpbaqj32.exe
1948	Hfljmdjc.exe
2528	Habnjm32.exe
2336	Hpenfjad.exe
3528	Hfofbd32.exe
3788	Hmioonpn.exe
2860	Hpgkkioa.exe
3796	Hccglh32.exe
3028	Hippdo32.exe
2028	Hpihai32.exe
4908	Hcedaheh.exe
2244	Hjolnb32.exe
4460	Hibljoco.exe
1380	Haidklda.exe
5012	Icgqggce.exe
1244	Ijaida32.exe
3228	Iidipnal.exe
4248	Iakaql32.exe
3516	Ipnalhii.exe
4104	Ifhiib32.exe
3128	Ijdeiaio.exe
2268	Imbaemhc.exe
3564	Iannfk32.exe
2712	Ibojncfj.exe
4592	Ifjfnb32.exe
2420	Iiibkn32.exe
1408	Iapjlk32.exe
2856	Ipckgh32.exe
608	Ibagcc32.exe
4912	Ifmcdblq.exe
2668	Iikopmkd.exe
4864	Ipegmg32.exe
856	Ifopiajn.exe
1440	Imihfl32.exe
1036	Jpgdbg32.exe
2460	Jjmhppqd.exe
4696	Jiphkm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Fmocba32.exe	5726d9c1133d959b2468d5d7bd94d340_NEIKI.exe
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fflaff32.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Dmnlpfhd.dll	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Chbijmok.dll	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fmocba32.exe	5726d9c1133d959b2468d5d7bd94d340_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Gpnhekgl.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Dnplgc32.dll	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Bademghm.dll	Fmocba32.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Fckhdk32.exe	Fifdgblo.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Bjikbh32.dll	Fifdgblo.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hjolnb32.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Ekfnlmai.dll	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6148	7076	WerFault.exe	250

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inccjgbc.dll"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfliccm.dll"	5726d9c1133d959b2468d5d7bd94d340_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijjfe32.dll"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 224	3496	5726d9c1133d959b2468d5d7bd94d340_NEIKI.exe	85
PID 3496 wrote to memory of 224	3496	5726d9c1133d959b2468d5d7bd94d340_NEIKI.exe	85
PID 3496 wrote to memory of 224	3496	5726d9c1133d959b2468d5d7bd94d340_NEIKI.exe	85
PID 224 wrote to memory of 4252	224	Fmocba32.exe	86
PID 224 wrote to memory of 4252	224	Fmocba32.exe	86
PID 224 wrote to memory of 4252	224	Fmocba32.exe	86
PID 4252 wrote to memory of 380	4252	Fqkocpod.exe	87
PID 4252 wrote to memory of 380	4252	Fqkocpod.exe	87
PID 4252 wrote to memory of 380	4252	Fqkocpod.exe	87
PID 380 wrote to memory of 2768	380	Ffggkgmk.exe	88
PID 380 wrote to memory of 2768	380	Ffggkgmk.exe	88
PID 380 wrote to memory of 2768	380	Ffggkgmk.exe	88
PID 2768 wrote to memory of 2916	2768	Fifdgblo.exe	89
PID 2768 wrote to memory of 2916	2768	Fifdgblo.exe	89
PID 2768 wrote to memory of 2916	2768	Fifdgblo.exe	89
PID 2916 wrote to memory of 2012	2916	Fckhdk32.exe	90
PID 2916 wrote to memory of 2012	2916	Fckhdk32.exe	90
PID 2916 wrote to memory of 2012	2916	Fckhdk32.exe	90
PID 2012 wrote to memory of 1096	2012	Ffjdqg32.exe	91
PID 2012 wrote to memory of 1096	2012	Ffjdqg32.exe	91
PID 2012 wrote to memory of 1096	2012	Ffjdqg32.exe	91
PID 1096 wrote to memory of 3200	1096	Fihqmb32.exe	92
PID 1096 wrote to memory of 3200	1096	Fihqmb32.exe	92
PID 1096 wrote to memory of 3200	1096	Fihqmb32.exe	92
PID 3200 wrote to memory of 1820	3200	Fcnejk32.exe	93
PID 3200 wrote to memory of 1820	3200	Fcnejk32.exe	93
PID 3200 wrote to memory of 1820	3200	Fcnejk32.exe	93
PID 1820 wrote to memory of 4192	1820	Fflaff32.exe	94
PID 1820 wrote to memory of 4192	1820	Fflaff32.exe	94
PID 1820 wrote to memory of 4192	1820	Fflaff32.exe	94
PID 4192 wrote to memory of 636	4192	Fijmbb32.exe	95
PID 4192 wrote to memory of 636	4192	Fijmbb32.exe	95
PID 4192 wrote to memory of 636	4192	Fijmbb32.exe	95
PID 636 wrote to memory of 3320	636	Fqaeco32.exe	96
PID 636 wrote to memory of 3320	636	Fqaeco32.exe	96
PID 636 wrote to memory of 3320	636	Fqaeco32.exe	96
PID 3320 wrote to memory of 2660	3320	Gfnnlffc.exe	97
PID 3320 wrote to memory of 2660	3320	Gfnnlffc.exe	97
PID 3320 wrote to memory of 2660	3320	Gfnnlffc.exe	97
PID 2660 wrote to memory of 4488	2660	Gmhfhp32.exe	98
PID 2660 wrote to memory of 4488	2660	Gmhfhp32.exe	98
PID 2660 wrote to memory of 4488	2660	Gmhfhp32.exe	98
PID 4488 wrote to memory of 2780	4488	Gogbdl32.exe	99
PID 4488 wrote to memory of 2780	4488	Gogbdl32.exe	99
PID 4488 wrote to memory of 2780	4488	Gogbdl32.exe	99
PID 2780 wrote to memory of 4968	2780	Gbenqg32.exe	100
PID 2780 wrote to memory of 4968	2780	Gbenqg32.exe	100
PID 2780 wrote to memory of 4968	2780	Gbenqg32.exe	100
PID 4968 wrote to memory of 3988	4968	Gjlfbd32.exe	101
PID 4968 wrote to memory of 3988	4968	Gjlfbd32.exe	101
PID 4968 wrote to memory of 3988	4968	Gjlfbd32.exe	101
PID 3988 wrote to memory of 3476	3988	Gqfooodg.exe	102
PID 3988 wrote to memory of 3476	3988	Gqfooodg.exe	102
PID 3988 wrote to memory of 3476	3988	Gqfooodg.exe	102
PID 3476 wrote to memory of 3864	3476	Gcekkjcj.exe	103
PID 3476 wrote to memory of 3864	3476	Gcekkjcj.exe	103
PID 3476 wrote to memory of 3864	3476	Gcekkjcj.exe	103
PID 3864 wrote to memory of 3080	3864	Giacca32.exe	104
PID 3864 wrote to memory of 3080	3864	Giacca32.exe	104
PID 3864 wrote to memory of 3080	3864	Giacca32.exe	104
PID 3080 wrote to memory of 1564	3080	Gqikdn32.exe	106
PID 3080 wrote to memory of 1564	3080	Gqikdn32.exe	106
PID 3080 wrote to memory of 1564	3080	Gqikdn32.exe	106
PID 1564 wrote to memory of 4648	1564	Gcggpj32.exe	107

C:\Users\Admin\AppData\Local\Temp\5726d9c1133d959b2468d5d7bd94d340_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\5726d9c1133d959b2468d5d7bd94d340_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\Fmocba32.exe
  C:\Windows\system32\Fmocba32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\Fqkocpod.exe
    C:\Windows\system32\Fqkocpod.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\Ffggkgmk.exe
      C:\Windows\system32\Ffggkgmk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:380
    - - C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        24⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3204
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        39⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1244
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        45⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        46⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        47⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        48⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        50⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        55⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        57⤵
        Executes dropped EXE
        
        PID:608
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        59⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        60⤵
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4336
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        68⤵
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        69⤵
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        70⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        72⤵
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        74⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1492
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        77⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        80⤵
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        84⤵
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        85⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        87⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        89⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        91⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        93⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        95⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        98⤵
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        100⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        101⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        102⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        104⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        106⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        107⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4388
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        113⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        120⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        121⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        122⤵
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        123⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        124⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        125⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        126⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        128⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        129⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        132⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        135⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3812
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1668
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        139⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6184
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        141⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        143⤵
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        144⤵
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6444
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        147⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        148⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        151⤵
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        152⤵
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        153⤵
        Drops file in System32 directory
        
        PID:6780
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6820
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        155⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        156⤵
        Drops file in System32 directory
        
        PID:6904
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6948
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        158⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7036
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        160⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 400
        161⤵
        Program crash
        
        PID:6148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7076 -ip 7076
1⤵
PID:7140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
79KB

MD5
03ec6c8e230e1adda99e7de246bc2544

SHA1
3ec0feedc7be8a5e49f9fd34cb2e542c55576fa2

SHA256
81faac8dcd44771cbc8e8063150893de362c15f4b69c3bca2ea6c46bf98adbd0

SHA512
4a9361a922fc082eda002848640648533ea0ace626f5fbdca9a0da3c082a4b80e55db70c417b26a34807865e665506304bb6f289a1759c0a151e8bcca0c46673

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
79KB

MD5
69d05de8d98b9ecc0b42a94b99949226

SHA1
af0a7ad23f0d27a24fbe35fff0ada502c3a0efaa

SHA256
68c734623e0569a27ac1b98f7761dd44376edf80c70090b53e3e3b104bd766aa

SHA512
cc51955647c253c1d9215aeb4ac90d5f35ab3b5796c1d01f5cf45fd29fe44f734e34d6ccce0bcec5d8721fa438c645d39ee775038d98db6ccc9873297401d440

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
79KB

MD5
c726f1edd935244a598fb60d21f2a59a

SHA1
2f327e6525ac8619936bac90c163d0806df01ecf

SHA256
f7214ee5a93a5f3d254a9c54e3e1330603372a7b6d1b20be403b44720fca5f5b

SHA512
3a3a6e6e676fda01cde8c751668f3b280e35a855d8c5f02ac12a045297cc4ecdf66333d4cad0f1aea20838a41dc28902b4d6719a67526c21bb99753ecbb41c89

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
79KB

MD5
1ff66af600a321581f00f7a71acfe61c

SHA1
e451a44f40181532d0dcb59065ce9c8a48a061ac

SHA256
8edcc64e326c5b6139cc798320a884926713655eed618c54be55fae6e1853431

SHA512
76f0ee374236002dbedc21d8329dd07fab59e49035dec5ae37163f9e95a590dd2debf1367c2b8e13bdca7ccdab990bc0e5f00f11e227b85057fd245e0239d94a

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
79KB

MD5
6745f231b8676e5f348df7f0dc9cc8ec

SHA1
5d8b35e09d562caf5187d9166b88e92d97513d59

SHA256
50c2ac03c9e5e01ae86521f8e2dfe4adaf2386589531d40e346273ea4f74726b

SHA512
52fd4a8b615c9ce00acd9a72ff4493e7538da0176e28056bc3510d4d65918bc46128d0b13c4667f4fac028587b73620bd821180bda5c19423b41a73357624d06

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
79KB

MD5
682e57981b12388d67395af5316b1e16

SHA1
94627de4c5b86624cf3c1db5020b4755cb594cbc

SHA256
ce16be128b9e53012fe2679e8e04f01b209d3fe13ff8a64b9b14fda319aafb07

SHA512
fd4af0bbeff2fff32febd556576f2fcde3c13a3d4c7acac31e4042f693b57def3b7f43fb81e6ef512dcb3872e8c0cfb9dc545b4e029ab4a3c8e8c58d5c459643

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
79KB

MD5
8c6687a2998398b6e6b854a44aa191cc

SHA1
762b926067661b8f3d4193d3e2f92e823bfc79a7

SHA256
459cd1719237431cf61f0c429e410e25ac27ce048582233333ea234aa1b72df4

SHA512
f72f38752f7f2797fe8c2f6ca973c29b7be63795bafba69e2a1e074ff6971acb1bd0a76908581ec3bbce3fff216a2fdc07f4cfc38caac3fa51c853f6567058b8

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
79KB

MD5
99a48f48ffdfd472a34e3b52f6a911f5

SHA1
d25110a5af8b0473a3eb6bb01656be203334c804

SHA256
f3a69f74214de9fc751c036e62de7cd56ba68364ebbf9869009cd5799a2c6596

SHA512
c40deee3a2a0002c9f6e4a92bdf33dacb021a3f6cc60ae8a877dd283677bddee38cfaf90f7e64d5968f5cff7fef30127cce876a2c6a6800a3c345e6f25e2c4b3

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
79KB

MD5
5696e524d0d119377cebb5d4bfa5c3e0

SHA1
2eeed2f2562be97580c91643c9f646e502d3ce2b

SHA256
0a1339403b25e3e151c624f0dc5d6466a2978de3e2b89c5413141eefb450ac51

SHA512
4e7e426a04be78d66577a5decc4cc0e11bc00e191ad3ecf88df9c6983f5d95bf32d6e0bbe51ec86776d2285b348a8d6836bfb59733f0c4c1f1cb4fe8d9c0abc3

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
79KB

MD5
ef40cca50889fe34eff978e9015c84bd

SHA1
fd98966577619897b61a537ebcd93c809e7b098b

SHA256
3594573458f8f77f6bc03933763dea498352cd454a59ee66b8e087a6d680bb36

SHA512
5d5ce4a682ce5bf2444e61bac79a5018803c64c04713d11524f5583a6ddcf619dfec35ce33041a939e3849ce06b8092af17b1d0c7f9dc942f89c024d7926c2f6

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
79KB

MD5
133d83944a13e69d40ac917fb846f6c9

SHA1
19d1b3a2cf79a6046cee1622338cd128a7961dc8

SHA256
1cb9db51951b6431d91d991a1c6ee3cd34172141a678b7edc0e289d97f8a9fd3

SHA512
81d5bdf1a3059b97f7bd092c807aa5af6c1d90fb4c737e78310146378f496d21234ea95318167de3c045de2ef27dec902cc00c7abc248727f4ef0f9e3cbb6765

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
79KB

MD5
4e349a53efa039283b8f69b6ad53fcc6

SHA1
2d32e4405f6dad5fceaf479e00dfacf80b33b467

SHA256
a4356968c636ca92707e855e3077d214b24279425eaf7852f32b3dfb87a1c1a0

SHA512
99ca9c6db16acae3d30f489755c9513391880e837015f5012d8ef3c664f8e245e5bc04b5bd6293d089f38650a83aa0e6dc07ddd21daebf822b582a4b95436c2f

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
79KB

MD5
20edb92af7d3ba9c4091efb54a30e6ce

SHA1
02dae49ecb09498ca8b084947d552f22f10e1b0e

SHA256
ff799c0e72ab515a48a29280234cace6853880cb3b10bb4c2faba3417a256b8d

SHA512
9c42ffef864a632690eaf37b99a4cd2653c46c139137a9d6526f903e25ff21a52f669f4f5b33dbf3bee83cda1d6a7f81d42f8cc7444b3a4a637c6add6cd46167

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
79KB

MD5
92070e62f7e09a2829b1f1aa53bdbaee

SHA1
05db1a925c0b8824911241a54e593f841088e452

SHA256
6ae0713b12a8075440da25ccc19edb0b4d9db9a018ce6228bcd82b7517ec8150

SHA512
6fa2f191d563915542766fd81af6116f8a6af5755c6c0c717281506ba70482cc8421133b2d70eb5e8204804b6928028d78fc13a7dd770d13af3c57bd9b6a7286

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
79KB

MD5
75efc6b5040cc9bcbeddfbcc707fa138

SHA1
b52a3598b74771fb926b3d2ebc12c628a1b5b97c

SHA256
a185d747dfb27e3916c47262bd903edfc36436cd214b84f9703fe85070d82d1b

SHA512
0bcbe14482b88cf6027424aa756cda02e09f8e3d1c7e0c847ff5ce17e50fea18c68c91eda360dfef1a5c723219859f13f5ff1a732373f4ffec8a2f2d84d89086

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
79KB

MD5
0924ecbea607398f291f4eaa9421579c

SHA1
49fbc07878b771cfe0965f21a95c544d1b63dd0c

SHA256
1d4d1599a26ac534f54432db5e0e3fb40a25271af2cbccd55e29d689571a639e

SHA512
bbc05451342a4568c31c26bcb3ae6e3ba8eeb7fb6019ab12965040553afb9cf2a7d8fdb21fe685ca389d2840b344ce294c1d0bbbfcb79bbaa8e5672b12743cc2

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
79KB

MD5
f0aceb200d8f5603aea732104a89ba7b

SHA1
1da780ed797be1822544fc51152468fe22e5c9f5

SHA256
3c01abe33a9c650475db2ef16e27d09d504e2e9ab86a9370369443d0f024d530

SHA512
c7fc2ce1e81d829e820c319e8f0fa85110cb4343562f90557d41ae549268a795b9e6550558de7043aafdfadd66f16b9f363433c00192e1842e9a783431853097

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
79KB

MD5
0e47cce8299d83cdb0ef5de5cc77222b

SHA1
313aadacd62e8d746f7cc792d31e18e59d1d9b80

SHA256
c6b82352c4b5e39a98aeda4ef7ab7f147825b657b149def61dce50a9ebcfa71c

SHA512
7c901cba3822407c0e777ca3091c6e428946a687cf9f6d25e5e371a2b946160ee457d947a9bf80735fdd39f9411922f7c91738f2cc044861790af6b6b9ba52be

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
79KB

MD5
6b5b3d1035df5ca162104e391b5f87c2

SHA1
8f72e153344bf62cdea2e10fff1ad14448069a98

SHA256
ba237a5da5081fd24567abdf572559268a376cfc2319ac8567f984c0f046de61

SHA512
b664ad08f474e99bcf10b45b605a1085e469b6c1bfd72895cb8714c1c7652d8059480be7d13e6eae09353567bfca582db29150643f01928d133509632aa2c270

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
79KB

MD5
763d7c6ceb3ec2802e899b1c4a96a3da

SHA1
6e4f28c783f46b4aba705aaec077b11b4ef3b6f8

SHA256
61b8a0ef04ae31d45d1dd9c7f64f40bad3e454aa4c9f15ac54d9f7dfa9740d57

SHA512
a71b436403654be366e325b023715e6850d365a07d9d5769f73ba4b40b9034f31f4b3dc98efb45526ab16f85e4faffb8ad50fac689d18a400cbe850e99487755

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
79KB

MD5
0f53b72a97aa0fd91882612cd0992360

SHA1
77e71d52d2cb787235ca300031da9ebbf875e330

SHA256
1091db7911f15f326042b2aa27c87e35b8a304eddca995ddbaea8d533add4a9a

SHA512
b0bb2d6a93a1d1103ed97973ad73478afac3d56eba37a46e119d25678b4bea46e5fb0315ffde1324d66c3ab25fb3399cd28211bdd2dcb9320f1033fadfefec20

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
79KB

MD5
58d0705f6b414e9c6e3e8035c1760cde

SHA1
40d809eebc20fcb81ab852c8db6a969efdc07f1d

SHA256
400c84c57a670dab34df40c2a685c36265842f847bdb167fbc9289528cc286c8

SHA512
e413ec5fd031ab4a9068b8d500033a33afc2f16a4c0a24a7bdbfab966bcf6cfdde80ee50b3decbcbc3bd34ff4894a59c8f334629e6b68f24e8af3d2a202393b0

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
79KB

MD5
68c08f76dbdb715114860220174702c8

SHA1
b591c1f78718635be834a6e4ae628578ff4f7846

SHA256
8a47a9857f961c1f5c1e6df430237ab884612118e868494c6b0a78c635f80315

SHA512
e96fa6628a2d4e405105c36e45ad83dc6d913d0a415d4828601c6c40a6fa7a38b4306f9f0e7a54ca9adc6b0eebcf36bb256568a4af4a556bb0d320807e72dca6

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
79KB

MD5
c5ce002ee83f0d71d2fff130713a853e

SHA1
7f148be0a6731c8560f10f94cdd32f7603d35455

SHA256
2de812f7c22102ab9cf3e0e3f58cbaf80f77d8016657693238c99815bafaaf82

SHA512
33588ad79779ef6ff49a2a0f0be4a542a758d9f18b6194afa8efb65ed1ea1aafe5f93c7a67ffc47a7d196ff610fc6773fe06fbd822f371c0dc2124002e508893

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
79KB

MD5
a6f467574c413d32c497a19f85d880c0

SHA1
76dc6d2d705faf87b9328fae3fa5a177e175c6e2

SHA256
b3f5e218b9de14e619778ca4ed3b9b953954a156c3f1abe4a8ef7aa9d141ee73

SHA512
741b172328f239293330bb6dd27b8d43b1a0c953e4ea84b43ba2b3ec74bfd046dec09da67c1340dc5767c93544cca9121628401090bff325c5e061845d55bdc6

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
79KB

MD5
ea7c3af0d12d0eb0eede3f6f66e329f2

SHA1
21874d634de8fa899b6193cc2f7987756ba0f9b0

SHA256
6a58c70d3dc4528d13b3ed90ab0e495e0808bed817badb85b8fa6532653306f1

SHA512
d1ec34c72eb70785cbe8ff624942c97412f884ad75b829414306abeae4e6d00a269f5750587a10377443b3afe908cd9294ed9c4b3b5512abf73572c5ab64420b

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
79KB

MD5
372cb4c65133b9ccec7eedbe2f83cd2f

SHA1
8bbaccf5758ef385f97691ca6354c42efe4a0f8b

SHA256
b26aa32f4b7e7ebda302a9924900fe6139116121a1e2264f67026b93fc47b512

SHA512
93cd0dd58a2da737d2680eab25887567479856ceb86742f48d814a0e3d64c05236e01ac0e26cea0982e922c205aeae2aaf577856c95d38bd489002cbfd4410b6

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
79KB

MD5
e911d106b616051b25ae7f9cb6007b0d

SHA1
6609dd016c83417382803491d9586ee0bd190a24

SHA256
6acf262d56dd21be0c20e1f2083967c712de2ada60823a39c21e1dba2150a453

SHA512
05b1c0eb1f349f96fb2bc2e90c0c12336f4df4c9c376630a47300f0d45ce27a5750d7653730186ddede5443e2d45e32274333d9831d46dfc24c69f8e593f9e57

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
79KB

MD5
50784678b22c35188bc0fbc5288056ab

SHA1
c0bb9cd7400e1714a3de74b2f225206f66a5b7be

SHA256
76ea0084b4e1b515c109c95fa41cc575e3bcb391aeac534dbedd4fbc5b6368d5

SHA512
997f7ecbfbb1a3bbdd31f828647f7826ce2ba5e3bbc92e7f403b6ef7d29c1aee2106a31957178930a710675c0d86f0f97def0b2b07514ec095b34a04891a5991

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
79KB

MD5
b2d4b7d3301bb21d23830675bf026a98

SHA1
bc9bab1f4d6cd5bbd61fd5535656df23bf3ad7c0

SHA256
2589b6641edbbf6981cabbf9ef8fe9474516f8af4f1a39517b0a225fffc95355

SHA512
7cf1da426bb3e9a8b206eb5900446bbd36a5de159cb157ba380d639bbf08c417bd9de3f7f4d2ebdb65eef1208263fac980717133aaa3b69f788696e8068695f8

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
79KB

MD5
3f0185f6d2fee34eb7e5be2b7bb283f0

SHA1
758f018f1cbc1e58176d9537ea44d4f6757d6149

SHA256
5e66221fa7068703711e31228748fc7cf810ad7db48afe48e08a797d8e4e88a1

SHA512
077a05b8238b1833c1553270109109026318ac09d6700a2dcc05738ba8a7db5091d274a9e77a787d8c29d02498d6589211359980fbdcc832208d970658e33694

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
79KB

MD5
3e6612d0d2824cd3406a6f6758d389f7

SHA1
87334383b08c80f1eb1e55c5d8ac4dfba2b76ed0

SHA256
b1cc7ad5a9b3e08be4bc36a08d1a9dd25d192a131b2144448131005f3aa53464

SHA512
29277e8a02f35f09241f705903ae51e28a6e90bbb36947db43cd735f7a5a20da71ef5713f8c5623ab3772fc4817c612f29cdbf1132dbb9214a93e21fac87179b

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
79KB

MD5
281ef1811ca061b8fb54c6bc0f443ec9

SHA1
fb5afb3f9d959782061889cd298c071cf6653f35

SHA256
a2055bb5347970bf868425f42e74d313554eeb13753dc339aa42d76f49ed5e41

SHA512
e71b8503d887c821e6a441f7533ee107a6a73cebd468da9fd349324e655bfb38c53f983be7a0db1aa864f3186bc5795bab16c2cb1603d2e79e878a85c180f581

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
79KB

MD5
bd092d5de61918ddb6b769588eb64046

SHA1
0e419f52881b2cf72b2ec2736c9e80c32ba5d4ee

SHA256
54be8a79a14a57abec90064a4a7ce3a27a044e00b96919bd01cb986841958a92

SHA512
2eecd17ada549e064ee50cc9ce5a68323020acea8a378863f47504c27415bdf1767f7b35dd225eafaa7e1b9e29ed776611fef5c620add9ef30f15ea1e89fb0b5

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
79KB

MD5
14c158a526e05dc86776308d1671ecf2

SHA1
551aeb57bdc08ff0a308567edb9846cda7929d60

SHA256
7d7e6d9765778363a1f87cf37149dfd9d6aa62a3e5ae858f95c047c8e0542c00

SHA512
522f044dba380e0f4a3762baeffa0e167cbfbc6be211407a2b074b191f30e307d8ab703913559869ccb227baa4203848c0dd201be041b537aea538f9c3e5e2fd

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
79KB

MD5
157abc0816d7f8e0f7f1cb3f708869d4

SHA1
5429ec25e24b2e3a8253a58e0653e057571e50cf

SHA256
19ae267021385efdda7659e5cbd8b0d282a305157f3f48dc3a10bbb097e6b61a

SHA512
e9eb90b506aa381897caf1a5cb24cb2ba470bf6c7e0091692ef2b7955a72ba92b4dbd2b94851c219e57e7dffba0955da5ff471eb59e1510f7fa6427105778ec7

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
79KB

MD5
0d60181bf721aa04182ce8ee14a2c633

SHA1
85a6952320a0686b804159c0213ec7c15966da80

SHA256
df91cfba8c9c1d95fa60ad4605ea5db99d0d8b98495f1df9988ab0914b1f1c13

SHA512
b2e928413f029fda113d271b34a380916309e6fcc0cb25d8bcb1bc8c9df5331b84b44083f8a70a918a23414ce45d33716fb6ea495b826f9145b7293b6ec781d6

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
79KB

MD5
9c7da3f02635e204cb2449cec1d4c939

SHA1
bc28f22df882fd84f856e36bf0503163f778a17a

SHA256
662de65fae4ee1563a485dd8f352eca889ab7d99c8e82f92aa9221ae563168f4

SHA512
f67824e61ef74728115b3abd265e4d0b85589fe579ed3343f6668aff28fabab91cd461292549617fbd381633c49ac434827d4a917cf5e240b1554fe8fc250a62

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
79KB

MD5
a931a0fd752388339a9a32c3daf62d4e

SHA1
225772ea4ab69be4315697619c0d3a02c0946d0d

SHA256
a06093a8af0c5d1a87cff59ec89fde7af3dad0c0708e7d1b01c9eb0283c53095

SHA512
a5e79224ef0744a8b198d6d00e3becb7662058482e61fce731484eada843a401c951f4e6dc66c8d64ee3196a666ed290f13fede3628d845a88d2182295819065

Download Submit
memory/224-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/224-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/380-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/380-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/608-405-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/636-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/856-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1036-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1096-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1096-599-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1244-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1276-528-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1352-546-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1380-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1408-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1432-491-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1440-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1492-509-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1564-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1584-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1780-574-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1820-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1948-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2012-592-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2012-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2024-583-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2176-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2216-503-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2244-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2268-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2336-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2420-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2460-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2528-245-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-553-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2716-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2756-540-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2768-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2768-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2780-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2856-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2860-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-501-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2916-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2916-580-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3028-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3080-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3128-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3176-564-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3200-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3204-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3228-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3320-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3404-479-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3476-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3496-533-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3496-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3496-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3512-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3516-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3528-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3564-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3740-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3788-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3796-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3864-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3988-137-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4104-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4192-85-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4248-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-563-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4276-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4336-459-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4344-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4392-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4460-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4488-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4572-213-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4592-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4596-567-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4648-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4696-449-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4864-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4884-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4912-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4968-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5012-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5040-521-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5072-515-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5164-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads