50e90be7070a516343af3be21cc82618144f667f1c3a65fa7cd55d7aa7320d34

Analysis

max time kernel
137s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 09:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

440dad058c604f2754c69162a9e77b00_NEIKI.exe
Size

69KB
MD5

440dad058c604f2754c69162a9e77b00
SHA1

53485b2a709a409b8853e25389e5c5952775bc9d
SHA256

50e90be7070a516343af3be21cc82618144f667f1c3a65fa7cd55d7aa7320d34
SHA512

c93397b3b2e660f2cfa9b4bdcd3ef19305ad531fde0cb4003035b6237fba157f949e105efae6cee5f48588480efb6129efa79e2672719d03cdbb2be26e267445
SSDEEP

1536:ylNFhbDxz36nB7ib/h8l8eKhNein/GFZCeDAyY:ypL6nBeVreINFn/GFZC1yY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe

Executes dropped EXE 64 IoCs

pid	Process
4912	Fflaff32.exe
1804	Fmficqpc.exe
2316	Gcpapkgp.exe
4024	Gjjjle32.exe
2924	Gmhfhp32.exe
4808	Gbenqg32.exe
4328	Giofnacd.exe
2960	Gqfooodg.exe
4076	Gcekkjcj.exe
8	Gjocgdkg.exe
3588	Gqikdn32.exe
5012	Gbjhlfhb.exe
2596	Gjapmdid.exe
1408	Gmoliohh.exe
3604	Gpnhekgl.exe
3876	Gbldaffp.exe
4028	Gifmnpnl.exe
1116	Gppekj32.exe
3988	Hboagf32.exe
1800	Hjfihc32.exe
1548	Hmdedo32.exe
3436	Hcnnaikp.exe
1376	Hikfip32.exe
3524	Habnjm32.exe
3800	Hbckbepg.exe
1740	Hjjbcbqj.exe
3860	Hmioonpn.exe
3420	Hpgkkioa.exe
2156	Hccglh32.exe
3508	Hfachc32.exe
4580	Hjmoibog.exe
1228	Hmklen32.exe
5040	Hcedaheh.exe
3076	Hmmhjm32.exe
4008	Icgqggce.exe
1712	Iffmccbi.exe
2212	Iidipnal.exe
2032	Iakaql32.exe
1460	Ifhiib32.exe
2100	Iiffen32.exe
4436	Imbaemhc.exe
4384	Ipqnahgf.exe
4724	Icljbg32.exe
2140	Ijfboafl.exe
1404	Iiibkn32.exe
4824	Iapjlk32.exe
5076	Idofhfmm.exe
2936	Ifmcdblq.exe
2488	Iikopmkd.exe
2192	Iabgaklg.exe
2568	Idacmfkj.exe
3528	Ijkljp32.exe
3188	Iinlemia.exe
3752	Jdcpcf32.exe
2228	Jbfpobpb.exe
2284	Jjmhppqd.exe
1096	Jmkdlkph.exe
3796	Jpjqhgol.exe
2620	Jbhmdbnp.exe
1256	Jibeql32.exe
3052	Jplmmfmi.exe
5108	Jdhine32.exe
448	Jjbako32.exe
3592	Jmpngk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Gppekj32.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Gppekj32.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Hlcqelac.dll	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6468	6364	WerFault.exe	234

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaapo32.dll"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	440dad058c604f2754c69162a9e77b00_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fflaff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 4912	3096	440dad058c604f2754c69162a9e77b00_NEIKI.exe	84
PID 3096 wrote to memory of 4912	3096	440dad058c604f2754c69162a9e77b00_NEIKI.exe	84
PID 3096 wrote to memory of 4912	3096	440dad058c604f2754c69162a9e77b00_NEIKI.exe	84
PID 4912 wrote to memory of 1804	4912	Fflaff32.exe	85
PID 4912 wrote to memory of 1804	4912	Fflaff32.exe	85
PID 4912 wrote to memory of 1804	4912	Fflaff32.exe	85
PID 1804 wrote to memory of 2316	1804	Fmficqpc.exe	86
PID 1804 wrote to memory of 2316	1804	Fmficqpc.exe	86
PID 1804 wrote to memory of 2316	1804	Fmficqpc.exe	86
PID 2316 wrote to memory of 4024	2316	Gcpapkgp.exe	87
PID 2316 wrote to memory of 4024	2316	Gcpapkgp.exe	87
PID 2316 wrote to memory of 4024	2316	Gcpapkgp.exe	87
PID 4024 wrote to memory of 2924	4024	Gjjjle32.exe	88
PID 4024 wrote to memory of 2924	4024	Gjjjle32.exe	88
PID 4024 wrote to memory of 2924	4024	Gjjjle32.exe	88
PID 2924 wrote to memory of 4808	2924	Gmhfhp32.exe	89
PID 2924 wrote to memory of 4808	2924	Gmhfhp32.exe	89
PID 2924 wrote to memory of 4808	2924	Gmhfhp32.exe	89
PID 4808 wrote to memory of 4328	4808	Gbenqg32.exe	90
PID 4808 wrote to memory of 4328	4808	Gbenqg32.exe	90
PID 4808 wrote to memory of 4328	4808	Gbenqg32.exe	90
PID 4328 wrote to memory of 2960	4328	Giofnacd.exe	91
PID 4328 wrote to memory of 2960	4328	Giofnacd.exe	91
PID 4328 wrote to memory of 2960	4328	Giofnacd.exe	91
PID 2960 wrote to memory of 4076	2960	Gqfooodg.exe	92
PID 2960 wrote to memory of 4076	2960	Gqfooodg.exe	92
PID 2960 wrote to memory of 4076	2960	Gqfooodg.exe	92
PID 4076 wrote to memory of 8	4076	Gcekkjcj.exe	93
PID 4076 wrote to memory of 8	4076	Gcekkjcj.exe	93
PID 4076 wrote to memory of 8	4076	Gcekkjcj.exe	93
PID 8 wrote to memory of 3588	8	Gjocgdkg.exe	94
PID 8 wrote to memory of 3588	8	Gjocgdkg.exe	94
PID 8 wrote to memory of 3588	8	Gjocgdkg.exe	94
PID 3588 wrote to memory of 5012	3588	Gqikdn32.exe	95
PID 3588 wrote to memory of 5012	3588	Gqikdn32.exe	95
PID 3588 wrote to memory of 5012	3588	Gqikdn32.exe	95
PID 5012 wrote to memory of 2596	5012	Gbjhlfhb.exe	96
PID 5012 wrote to memory of 2596	5012	Gbjhlfhb.exe	96
PID 5012 wrote to memory of 2596	5012	Gbjhlfhb.exe	96
PID 2596 wrote to memory of 1408	2596	Gjapmdid.exe	97
PID 2596 wrote to memory of 1408	2596	Gjapmdid.exe	97
PID 2596 wrote to memory of 1408	2596	Gjapmdid.exe	97
PID 1408 wrote to memory of 3604	1408	Gmoliohh.exe	98
PID 1408 wrote to memory of 3604	1408	Gmoliohh.exe	98
PID 1408 wrote to memory of 3604	1408	Gmoliohh.exe	98
PID 3604 wrote to memory of 3876	3604	Gpnhekgl.exe	99
PID 3604 wrote to memory of 3876	3604	Gpnhekgl.exe	99
PID 3604 wrote to memory of 3876	3604	Gpnhekgl.exe	99
PID 3876 wrote to memory of 4028	3876	Gbldaffp.exe	100
PID 3876 wrote to memory of 4028	3876	Gbldaffp.exe	100
PID 3876 wrote to memory of 4028	3876	Gbldaffp.exe	100
PID 4028 wrote to memory of 1116	4028	Gifmnpnl.exe	101
PID 4028 wrote to memory of 1116	4028	Gifmnpnl.exe	101
PID 4028 wrote to memory of 1116	4028	Gifmnpnl.exe	101
PID 1116 wrote to memory of 3988	1116	Gppekj32.exe	102
PID 1116 wrote to memory of 3988	1116	Gppekj32.exe	102
PID 1116 wrote to memory of 3988	1116	Gppekj32.exe	102
PID 3988 wrote to memory of 1800	3988	Hboagf32.exe	103
PID 3988 wrote to memory of 1800	3988	Hboagf32.exe	103
PID 3988 wrote to memory of 1800	3988	Hboagf32.exe	103
PID 1800 wrote to memory of 1548	1800	Hjfihc32.exe	104
PID 1800 wrote to memory of 1548	1800	Hjfihc32.exe	104
PID 1800 wrote to memory of 1548	1800	Hjfihc32.exe	104
PID 1548 wrote to memory of 3436	1548	Hmdedo32.exe	106

C:\Users\Admin\AppData\Local\Temp\440dad058c604f2754c69162a9e77b00_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\440dad058c604f2754c69162a9e77b00_NEIKI.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\SysWOW64\Fflaff32.exe
  C:\Windows\system32\Fflaff32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\SysWOW64\Fmficqpc.exe
    C:\Windows\system32\Fmficqpc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\Gcpapkgp.exe
      C:\Windows\system32\Gcpapkgp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4024
      - C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        23⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        25⤵
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        26⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        31⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        32⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1228
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        48⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        49⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        50⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3796
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        63⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        67⤵
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        68⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        71⤵
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        72⤵
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        73⤵
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        74⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4672
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        77⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4960
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3488
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        87⤵
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:612
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        91⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        92⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        93⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        94⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        95⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        97⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        99⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        100⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        101⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        107⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        109⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        113⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        114⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        117⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        118⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        119⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        122⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        126⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        129⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        130⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        133⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        134⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        135⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        137⤵
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        139⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        141⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        144⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        145⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6364 -s 400
        146⤵
        Program crash
        
        PID:6468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6364 -ip 6364
1⤵
PID:6436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fflaff32.exe

Filesize
69KB

MD5
c16406e496f13df072546b42e2f36d33

SHA1
8b9e454f2672bcaa32104f3691b863fae3ee46c3

SHA256
46460d9c615239b55be57236211e4421af982734bcd58e1cddef3c6a23e296d9

SHA512
4ceeff3a4c52107621aa0a52bdc69ed4bfb1e56e4f1cbc78ebc61071b788360146d1745aed95f9b64288dbd29776e677aa9eabb599a1b86e980572449f736a24

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
69KB

MD5
190b0f9316f90a99d14d20a3fe50ea6a

SHA1
d33605c6ea3d264d6bb87170e3d3b263ad04e34d

SHA256
9aba4db1e07a66e0e58609fc624aec9130d1322dbfe99df2feb0a020bce63bdb

SHA512
522d45f7eba20aac03181bcfb599ad141a95aefce3bac0e01f3cdb105f87bd267219349d601fbd9d0cefc23f86d7271d2047414a567cb6ffbcf324faf318e9d1

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
69KB

MD5
97706934666f05665c3fc35fc5d14ade

SHA1
304e469c32b0ec7f292296427c089557d535e32b

SHA256
ac90038ce83feadd22fcc759e3bd29fa6924f413635b05fb169106cd6175b8cf

SHA512
a22bd8498830e5c45006b1a3d96076868936b9c5f9485433057a084e91c718717320ec170d8f084b56fa8f86587b295d12027b28dbfd9343f26df71c92bc17ac

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
69KB

MD5
f92e7566d9e3d638126a507753f38680

SHA1
2e7768f17c3705bfe3fb7c9f840b48aed78d8ae0

SHA256
bb8c189100b8ca5251e06faf6c9698666ca685b95643989a3b672fad114c9377

SHA512
b27b29008d28c63ae0973b94fccc998a3963c0e22c7cd3e7bcb43dac19f1c751c78cdfc2ee1f3ddc818a86aa304d25d6c2346b08ce83ab5ca8d824d4d998c56b

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
69KB

MD5
bc884b467161d7bd79cf219349f83dbf

SHA1
913da6cb3896c8861da3513abaa6638b7d7d541d

SHA256
e8a8197e4f70c2ba211ad26e58dc375cf2cbf313374bb82e01c7a681b057a2c7

SHA512
f62d4105a263104ab1230e6b9c19f56390cdc43d51713b25a88529899532f4ef9526c69dd90bb60a77b9eba9ed44aa49d77299fa0868be48a0ad5310f6b5c69f

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
69KB

MD5
f611d105fb46d0fddbdc9b43eccd1bbd

SHA1
4c73ff936583af106cfb5fdaef5a8e3f7c1cb266

SHA256
6b248db91d70e1dda444e6c3363eb30e04f6be1b936c13094974573e2964c7ce

SHA512
8b2c93b07d69b937502ad044d347654d511e41092da6832e150831940e771498c95daf85124172ad5dc81e41960bc251b38a92f42c7f7e98d3077bf3272baf56

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
69KB

MD5
2a7bbeffa0a108e47f44bf1b3663491d

SHA1
40e4020fd8428f0041a656a1d1c6b22f5a7be345

SHA256
47e4f999189eebbcaa9fedf8031b8652f48b3c7438bd3954bc4348e518a0ad29

SHA512
f31a95cdb63b248b893d8b9a0c66877851723bd4abb192ade22906c26cfb8222d5fe3524e571493088245b601dc7ead8f5c5201b7810868108e9792a3f3c1c92

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
69KB

MD5
cb77deb9e4db379811b449b42e9bb502

SHA1
808eaf7954297de825cd7326e00567fb3f482df7

SHA256
3b107af52184284d5a86d6d77c583c1816898cdeeeeedbd04bc8ef60fff91f55

SHA512
884e7ab7639465188c1ba8c82331ea5ec7794c1305e2bab0b5366652c89be90b18cbca638dda9a4c9d3ec87a7c0dfa282e0d449ccb64500098842b25230cbd6a

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
69KB

MD5
760dde9edbeee25d24c3d7283e3adbd3

SHA1
1cc90632c7069decd5a3a2f7d7711664ce6172fe

SHA256
c275684e2910336df6ba45ce9a5f8db8dacd4d7126b4f72c1f6a1844cfbeac03

SHA512
e25aa8029aa8c8c5f75613adf224c526ce1e1db7424dc2af3673649df156d54531662a6530b32bdc8519d2c9de45f57e231a9af9dc95625fe1d9d4adc6ab4fd5

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
69KB

MD5
cad91bdbe22af38690dc66b53dc119ab

SHA1
e6555d7c1caeadef29cacc69df9a0f89d2689477

SHA256
c0af3fbf3fbd25a94600af4bbee333cc093122339f04598ada43205e6ff4b79f

SHA512
521f7e5535fe417525d7b38bec1df166077603ba513cab62717066c0d31757fef0c5a5023065ca508e92e44c62d5a3a4df2ee70fcd388df0b85e7582c3cf7951

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
69KB

MD5
9d6dc7fb7d1cfc94df8da8e5c6237cab

SHA1
352235623a01ec1f301ef29960830de7a70a8fdc

SHA256
055ca91962510f8295fd6aeb06f17db008094a5d7ee4e2f4f1467ff512bcd674

SHA512
a78c0f20a818aecde6a4a995e09c053b73fe6ae48db0e67ab8dd30939692fdbebd9cecff1f17fc7b8aee868d1eead048eff6b6beec13df545587ccd03fc84dc7

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
69KB

MD5
5268357b2e468ea5434f4a957d88bcdc

SHA1
26a370772916bd320fda08486a8ec91b72edaedb

SHA256
9dcc2e2790bb7b1092154bf111c9bab7a287992ce50ee173eefb1262985541b9

SHA512
b4e76d1211017a529b0fcffd60f4db81e9d5552ce7870cd0c9ff1dde48742175279eacc68a1b37938b335e35297115d164429b3d65b23b12bbfb12f4d399643b

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
69KB

MD5
1427db7fc460fc6c5c9a5749cb0a37b9

SHA1
11982abfe2146a1c82d3e16b62d7af34c638934b

SHA256
de8d34a709215dcde96a0f87a3e5667853d0f0eafec093a9f18bc59463e548d8

SHA512
f016d51064bcc7e0711073a3e0cbf4dca0ae27f231b64a246b5f7c8e750585c208b5b422d4725b84fc5d6886ca3bd78909b569caf5726644592194ee2389afd5

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
69KB

MD5
75fe4e10c7cdf6baecfd7652073b0e7f

SHA1
58daa49be6bbcdd28f3515890ff2d1f9d859b968

SHA256
49322d7c3b5d162753106240ba859de1851286b76e03b0947559e75fa8f176ee

SHA512
324958082eab48b3bf8c6ee0d0b8985baef58b6e1ffd9ae34f3cdb063c599f10516ce60a5142e91a1be3c4bf508a4f8a6f64a48025144e8917a67599476dda64

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
69KB

MD5
82bee99cbb39b24620c7d0704c973b81

SHA1
b52b44d8ee2b1bf81ec16efb46211c77e388bea4

SHA256
5c3e39cf40e52089ed67257d0376e887e4da90a60e0876c2e9e0b1a65fffb12f

SHA512
96ce9409dcc97e63caa9961d3cf40cbc52aa9fe4b06b8ca9149374836e5cc46543229d37142740e5e5b6565ede617e71e42dc6df0e5cf441d9408d969d65be3e

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
69KB

MD5
286187a332e8d4dd952117f8e5b117d9

SHA1
c346db2b7e2b48e5624b1f55adbddba6e570c213

SHA256
c86ce3f7dbcfd3e4d415ad617d84d757e9d6ea21171c226747c042bd4776df4c

SHA512
acae9d5b7b0a822026f10f970b565c6e7c0ae4d99a95bc3d49495b7a2de23a34694638f4c38747975c968b721513ceac4f70696e34cfc91612f2782437e23ee8

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
69KB

MD5
cdde07843cb890949369bb34f7ef71e3

SHA1
1c20b952f9062acc40cecafadb6b8048baa2e357

SHA256
d978bce8578257f1bee42333d6c89e46d6f95798d91f3bcec78d8d353f7bf9fe

SHA512
eb455b649133174e0fd4689a2e694e3b4e898bd023d0e32b2d06baefd146ef7dad16c91b14f86201260614c55718ca72da66c31f7be60bc3cb1eae0432024614

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
69KB

MD5
30dda368bc1af280979549e5c2bb7a70

SHA1
6292ac4d481a0d7310a6cb5b5908c28a86b28990

SHA256
da5ff11dc58b8b7ff3da22ee6dbefe93a82986a1a02b18b6c3597c820515dab7

SHA512
e3eeb03bb6225b0e5a029a0de23d430a3e1ea74c448f5ce53ea8cb2b372600bb3fcf7e3b04d6412e56d28840085dd435a1628e20f88118d7977c01f58d6bdf92

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
69KB

MD5
2c63cd2c7b6db6f8cf3c5b9f4e5676ed

SHA1
a62dbb239f5ad8231a33f4b255e40760106790f6

SHA256
7e49f57b2b0e7b78e4175e033274a525c9e5b9e44dade815c0660f2c74bc0b66

SHA512
250ccc1d5be7a035fbb609fcf2db9a06b61835d11f208828eb9862db51c0e374817323cc653de883285c3f9014369af53c5c698832b036cceecb8460092bf1fe

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
69KB

MD5
9e4873cbdf272ea55706af60708ef9d0

SHA1
6b345b4a9afef472d94673a15618a07d117d53bf

SHA256
b18e5977cc603a51537aef215f8a2226dab16028701dc3cf81ba65e0290ffa3d

SHA512
2dbfdbeae10e099321a2f099191099eeade03f5a59553eb3b7c110aa04e1ea4dde81458140328bffdaefb94fe1f647748732ce3e76bee6a7c23a8b5c7e0eec08

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
69KB

MD5
ca40ed25168cd9bd22efa0fa3a527c9e

SHA1
e75297961704e6d120d12a62fd6a662cf897aac3

SHA256
fea85ccf702bd9fe05762719011ba25f3cb4c6d4cc83aee45ccef876b4069702

SHA512
9549255d93533e61b6d930de6932d705b2c57863fc70c347556c68f74a1cc44fb57eff08b99a4b08308e3e4272d00b63f645a8cdd1d3d7679e14b395aefa98ad

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
69KB

MD5
a15c324c5558bc28fbe79084e42f2c24

SHA1
10c9a640d0689908836a2acd41f65f51e06c09cd

SHA256
7024073dbcec3e66c87e2b415649563a099bd2f6266c8fb85e16d55db1ff6333

SHA512
684d08ad5e790a98b622f607b464da1ead5ec764c82cdcd04a6d690624f33593078afc737b36c5196ddbf437c46e2d6b0febf30b2f55ac283d832ae11bbdca89

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
69KB

MD5
59e655b7b04ff2a6ba56f00f7dfd62e5

SHA1
6404d244012cb8805d1dccade6b3661bc2985ae9

SHA256
510e4b99e23d337c604bb0578163c902414dc3e68bc38247c4ddd05b8d72c680

SHA512
a5060d6f5e93e495bf4d088e8ddf268dfecbf89a7de8d6a26661b2803d3504e32346fda68aa6f4cc645175a47bd91f10e36749d439be0f065e9b368a1c6905d8

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
69KB

MD5
77d7a7ad4c26b3a651d0f6b9186beb54

SHA1
b05c16e7edd052378bd4d9f015507b32b1956427

SHA256
6bf641d6fbcc4d421220c5f2c4e05dde438fff2674d632ebe2548570374bf6cf

SHA512
1041f24cbb41fabafc926d8630c76c9739cba26b188ab613f000f7ba1914e7ee6ba65c488f0d5b39369371188fe65c8f501d250c70f8d3e4a7d21525e7c34549

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
69KB

MD5
8adaa4ec5355c93a81636fbbb12dd73f

SHA1
4b06aa0a9e50bdc93ad653cb0eb92d8c2505a123

SHA256
d86b035900ff95b34017747ef7a7c41b4aeb43a001c9bb5a7b7a28fe891a1406

SHA512
1c247472597fafa2bfd6ce23ae3914e438c423c7ee0e26a323d28fe26d53e36fb380f315e7b8a568feee9ae68ebd74cb5680af849231e5fc943d2759ce1c3351

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
69KB

MD5
4e97c14296074ec97cd37a961b5b5b3c

SHA1
168a3869b1600adb70c0cc58783b9eabe99ad044

SHA256
361f7f7ec23477a3c8a5ad82820e307e15576824d128d9e10abe6ad58b74df3d

SHA512
3121c8697d23e50fbdacabfeaaf95691d27d2f3e5256982fd32274b0d85b9d18d7833c6066a5149b6c62991c56dd2fba888cd87b3de9b15d8a3e70ff20e66f21

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
69KB

MD5
4a65a785a6f55480689aa667450d7b6c

SHA1
407350f72e827c8e5fefb72685abd4aa26f18b8d

SHA256
1f27c9317cb41e1b4946cb0e8342ef5748e6f2c873d8786393aef0e0b88e1a09

SHA512
394d2c3e5ea52e6a5b2d214cb3d2af3cb61a82c3b74bb5d621c25d5aa1afdb7723e97ef18228419bd54cbdb4d70e1048369ce24144dd774833c1cd1cfb825192

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
69KB

MD5
2e4d233682f0033c803f10ba1d657ecf

SHA1
344a1fbe4ed1947f496f80fdc17ce1a017ad8d2a

SHA256
3697dbe785585d2c93067ea3cabc8e3edf0d4693f1143154b4062c76dd8fedbb

SHA512
9361e8744e52b78643fc163f116aea6402573408c26b2e27d726b0a0603c756fe342702a5ce508ec343ab7dbbe455e82ba7f4d171ea8899b7f5b7e0d080098cd

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
69KB

MD5
3d0a1aebc11b0da3c10a096b5f738912

SHA1
70af3757411ea23efbde52271c92e1ce28bfbec4

SHA256
79ae2b1496a55fb4c6fa423bbeb9d8592cfd2bcc640dfb2788df253ebb174f66

SHA512
87e464f97be54a001ec13c555dc77ba4a34886cee3917d8420d8cc3548fe2b650fbbcf34b088b74ef6451d14b7896e30a107934183b19704386af9c189703b33

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
69KB

MD5
d78b3776ab9fbe743325c5d6cbe512cb

SHA1
fa9cf1c05be12039baaa1bdcdbd29a1881d7b47a

SHA256
100c8d1c5fb70b91cdc0d0438e36c4d6e605d6f8a6b21570ef19a8c7eeea4343

SHA512
db50cbefbf26a2cb3551c47e18abcb23ef853cdcbee2b9508678d35d1a849147e33cf6d1f1880de30da2f8de1d0550e3c19194bd02e30c55f31dd3a7ddab36c0

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
69KB

MD5
cb899bae0a343fb105e9424080b2e57d

SHA1
6de72a77d5690377db214ca1a199768408c938d4

SHA256
0c07d671bda7d99696051ebbc3abf4e29fb830154f0fc5ea742108521eaf1633

SHA512
38657460c7afe43a3d3a319ec564e5e881367dda20f41c9e9425d7c7157576bf80988f622d95d15ff36eb57d1064156ddd7c08f275820e1a901638659c605c35

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
69KB

MD5
27e9357f30beefa8d6737316479a9254

SHA1
1678096f20b28ae736e8c5855a9542e4c6b0ba12

SHA256
68520af611c05d1d3a696de17603bbb6cb37c5a194e1d69e745d931048ea69ed

SHA512
579dd4834cf600ec21ecaa36dc77d2e46a03186362877cac1056346897439011ed62e4f6f52dc1d79d8ef23f6aeffb8d3e98fb8b5c36c1eca0e087cf8d3e962c

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
69KB

MD5
7b658c212e93effd34aea40b1b386d82

SHA1
074b2437cac3e37a1105b432f4880fbb1c0021bd

SHA256
21c46e38fcf65af13a64a0a54fc518c85bee99302013dddb52a103ae875858eb

SHA512
eb2dfb27e8a0db811baecfbea36e0c696a20444b50aabc934edaeda84257bb65e9d9f5a8c24ab0b5fa043721f30aeb07b43284232d387841d98d42d929c2cdc3

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
69KB

MD5
5173a5caa48380b69406d2926bda4e7d

SHA1
d2e898d3771602442ebc8eccba3e97aac33d166d

SHA256
9f83bffa2fccf8671897c7127828eebf340f0dc50cadc84f8bcc096ac2d6f1f6

SHA512
93fb56c5822caa7ff825cef3a2acf13f447fe6b2b3c85635dbc36f4d9705a884a35b25251a02440c72f2c041c44dc57b43486ab795f6e85013ed7cd8e66558bd

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
69KB

MD5
ae7fddd465e4f5d57355407516268951

SHA1
7bffedd8a49e830b56f32db3fb48ba8211a2d175

SHA256
c4d3692da95f34acfc239e3ff56eee4632f1168c28defc81985c7944686c7c6b

SHA512
e5dca8f716b7f533863f74f47912897fb2707cc64b8e5e3655f34720bddb97d9d1a280d5b6617943969c8770bb520a749f1098991fb8ec26d0f4c3d71049942f

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
69KB

MD5
969665a400d49d55a3c3553acf1b07d5

SHA1
4ee906b25bc2054a8c6ca7e3c6a6ab38a7ba4a04

SHA256
4ad612764b0bcb26548420904575b30ee1276d5c191897288059e796f568bb49

SHA512
1d18bad751b7a5551cfe18887a675049ab960af77a1a29a1eeceb806abc6ad9d3055abb6b625b41ea27ce255a36bc173033f11e8958d900c068d8c4c13f5c6bf

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
69KB

MD5
fcd8efe701cc82ad2b5441608f411915

SHA1
78e842aa23f6aa1c6a2cf0be5c8f7c52c198ef56

SHA256
b4a264919985319d606a93b49f0d40e11ca25d2aa82b45bce15783b1cec60825

SHA512
b662343e35a1ba6d8b46eaa0b4dbcd7902c60bf0bf8ef890216ac77f39ebb77560257f2d9dbd47cd8215df13778ac936a1d34fe32ac19a1878bab0a7cfee4b53

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
69KB

MD5
167cdc77244263e23a3b220d7652ea7c

SHA1
cf612ca4299f517aa5e160f5e57f9479cf910c2a

SHA256
4d44df33fd978b51b3e80d27bc87cf668f29b5ac8fdd285f0f20b8083fd8ea2f

SHA512
958bcd32274f6d93358d7533d986705f31e2cc02215742aabbdd4129081198b251a17e1613301e07cef56d24cb82b1ae9f1537b2b17ac81ee938a9ef5b122870

Download Submit
memory/8-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/448-442-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/612-598-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/744-478-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1072-569-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1096-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1116-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1228-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1244-472-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1256-424-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1376-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1404-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1408-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1460-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1548-167-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1592-592-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1640-460-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1740-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1800-164-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1804-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2032-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2100-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2156-236-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2164-526-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2188-552-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2192-368-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2212-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2228-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2268-514-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2284-404-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2316-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2332-562-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2372-525-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2488-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2568-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2596-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2620-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2908-538-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2924-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2924-577-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2936-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2960-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3052-434-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3076-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3084-590-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3096-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3096-548-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3188-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3420-229-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3436-175-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3464-466-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3488-571-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3496-502-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3508-244-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3524-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3528-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3588-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3592-450-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3604-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3752-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3796-416-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3800-204-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3860-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3876-128-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3988-157-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4008-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4024-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4024-570-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4028-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4076-608-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4076-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4164-582-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4316-459-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4328-591-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4328-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4384-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4436-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4580-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4672-508-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4724-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4736-496-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4808-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4808-588-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4824-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4912-551-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4912-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4960-537-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5008-550-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5012-96-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5040-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5052-494-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5076-350-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5084-487-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5108-436-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads