9dc8d57faaccbc8c600ba730d8356e09ca1b8c90abb666db8cf3a38202c8e649

Analysis

max time kernel
139s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

786587f69801f3df64534a6816682b30_NEIKI.exe
Size

224KB
MD5

786587f69801f3df64534a6816682b30
SHA1

c9a9a1b58886756e31f7aab52648687e34be14b6
SHA256

9dc8d57faaccbc8c600ba730d8356e09ca1b8c90abb666db8cf3a38202c8e649
SHA512

e84ff169744ac6c73aeb13dde78d0679d8bdf23105376815f694eb8f37f6d2dc0b61487a2e8ec52d9a4ae8cd7492a7177ab354c09c9932966e94ba87d70753d7
SSDEEP

6144:sWMzoLHE4rQD85k/hQO+zrWnAdqjeOpKff:s6LprQg5W/+zrWAI5KH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	786587f69801f3df64534a6816682b30_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	786587f69801f3df64534a6816682b30_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laopdgcg.exe

Executes dropped EXE 64 IoCs

pid	Process
556	Fifdgblo.exe
2520	Fmapha32.exe
2828	Ffjdqg32.exe
3744	Fmclmabe.exe
4068	Fobiilai.exe
3580	Fbqefhpm.exe
2660	Fmficqpc.exe
2584	Gcpapkgp.exe
3368	Gfnnlffc.exe
5068	Gjjjle32.exe
3524	Gcbnejem.exe
4972	Gjlfbd32.exe
1376	Gqfooodg.exe
4132	Gbgkfg32.exe
1840	Gjocgdkg.exe
3116	Gqikdn32.exe
4448	Gcggpj32.exe
4276	Gqkhjn32.exe
4584	Gcidfi32.exe
436	Gjclbc32.exe
1308	Gppekj32.exe
3944	Hjfihc32.exe
3180	Hpbaqj32.exe
1956	Hbanme32.exe
1648	Hmfbjnbp.exe
648	Hjjbcbqj.exe
4680	Hmioonpn.exe
2524	Hpgkkioa.exe
3588	Hfachc32.exe
924	Hippdo32.exe
888	Haggelfd.exe
516	Hpihai32.exe
404	Hbhdmd32.exe
5076	Hfcpncdk.exe
396	Icgqggce.exe
1316	Ijaida32.exe
2888	Iakaql32.exe
5016	Ipnalhii.exe
4996	Ijdeiaio.exe
3908	Iiffen32.exe
1636	Iannfk32.exe
2336	Icljbg32.exe
1372	Ibojncfj.exe
4392	Iiibkn32.exe
2148	Imdnklfp.exe
1268	Ipckgh32.exe
4988	Idofhfmm.exe
3496	Ijhodq32.exe
4296	Iikopmkd.exe
2380	Ipegmg32.exe
1500	Ibccic32.exe
4628	Ijkljp32.exe
932	Imihfl32.exe
4440	Jaedgjjd.exe
1564	Jbfpobpb.exe
4644	Jjmhppqd.exe
1088	Jagqlj32.exe
2472	Jbhmdbnp.exe
3404	Jaimbj32.exe
4280	Jbkjjblm.exe
1292	Jmpngk32.exe
1628	Jpojcf32.exe
3456	Jfhbppbc.exe
3008	Jkdnpo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mngoghpn.dll	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Gcggpj32.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Gbgkfg32.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Gbajhpfb.dll	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Fmapha32.exe	Fifdgblo.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Fmclmabe.exe	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5244	5656	WerFault.exe	216

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmioko.dll"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	786587f69801f3df64534a6816682b30_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgndd32.dll"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 556	4572	786587f69801f3df64534a6816682b30_NEIKI.exe	83
PID 4572 wrote to memory of 556	4572	786587f69801f3df64534a6816682b30_NEIKI.exe	83
PID 4572 wrote to memory of 556	4572	786587f69801f3df64534a6816682b30_NEIKI.exe	83
PID 556 wrote to memory of 2520	556	Fifdgblo.exe	84
PID 556 wrote to memory of 2520	556	Fifdgblo.exe	84
PID 556 wrote to memory of 2520	556	Fifdgblo.exe	84
PID 2520 wrote to memory of 2828	2520	Fmapha32.exe	85
PID 2520 wrote to memory of 2828	2520	Fmapha32.exe	85
PID 2520 wrote to memory of 2828	2520	Fmapha32.exe	85
PID 2828 wrote to memory of 3744	2828	Ffjdqg32.exe	86
PID 2828 wrote to memory of 3744	2828	Ffjdqg32.exe	86
PID 2828 wrote to memory of 3744	2828	Ffjdqg32.exe	86
PID 3744 wrote to memory of 4068	3744	Fmclmabe.exe	87
PID 3744 wrote to memory of 4068	3744	Fmclmabe.exe	87
PID 3744 wrote to memory of 4068	3744	Fmclmabe.exe	87
PID 4068 wrote to memory of 3580	4068	Fobiilai.exe	88
PID 4068 wrote to memory of 3580	4068	Fobiilai.exe	88
PID 4068 wrote to memory of 3580	4068	Fobiilai.exe	88
PID 3580 wrote to memory of 2660	3580	Fbqefhpm.exe	89
PID 3580 wrote to memory of 2660	3580	Fbqefhpm.exe	89
PID 3580 wrote to memory of 2660	3580	Fbqefhpm.exe	89
PID 2660 wrote to memory of 2584	2660	Fmficqpc.exe	90
PID 2660 wrote to memory of 2584	2660	Fmficqpc.exe	90
PID 2660 wrote to memory of 2584	2660	Fmficqpc.exe	90
PID 2584 wrote to memory of 3368	2584	Gcpapkgp.exe	91
PID 2584 wrote to memory of 3368	2584	Gcpapkgp.exe	91
PID 2584 wrote to memory of 3368	2584	Gcpapkgp.exe	91
PID 3368 wrote to memory of 5068	3368	Gfnnlffc.exe	92
PID 3368 wrote to memory of 5068	3368	Gfnnlffc.exe	92
PID 3368 wrote to memory of 5068	3368	Gfnnlffc.exe	92
PID 5068 wrote to memory of 3524	5068	Gjjjle32.exe	93
PID 5068 wrote to memory of 3524	5068	Gjjjle32.exe	93
PID 5068 wrote to memory of 3524	5068	Gjjjle32.exe	93
PID 3524 wrote to memory of 4972	3524	Gcbnejem.exe	94
PID 3524 wrote to memory of 4972	3524	Gcbnejem.exe	94
PID 3524 wrote to memory of 4972	3524	Gcbnejem.exe	94
PID 4972 wrote to memory of 1376	4972	Gjlfbd32.exe	95
PID 4972 wrote to memory of 1376	4972	Gjlfbd32.exe	95
PID 4972 wrote to memory of 1376	4972	Gjlfbd32.exe	95
PID 1376 wrote to memory of 4132	1376	Gqfooodg.exe	97
PID 1376 wrote to memory of 4132	1376	Gqfooodg.exe	97
PID 1376 wrote to memory of 4132	1376	Gqfooodg.exe	97
PID 4132 wrote to memory of 1840	4132	Gbgkfg32.exe	98
PID 4132 wrote to memory of 1840	4132	Gbgkfg32.exe	98
PID 4132 wrote to memory of 1840	4132	Gbgkfg32.exe	98
PID 1840 wrote to memory of 3116	1840	Gjocgdkg.exe	99
PID 1840 wrote to memory of 3116	1840	Gjocgdkg.exe	99
PID 1840 wrote to memory of 3116	1840	Gjocgdkg.exe	99
PID 3116 wrote to memory of 4448	3116	Gqikdn32.exe	100
PID 3116 wrote to memory of 4448	3116	Gqikdn32.exe	100
PID 3116 wrote to memory of 4448	3116	Gqikdn32.exe	100
PID 4448 wrote to memory of 4276	4448	Gcggpj32.exe	101
PID 4448 wrote to memory of 4276	4448	Gcggpj32.exe	101
PID 4448 wrote to memory of 4276	4448	Gcggpj32.exe	101
PID 4276 wrote to memory of 4584	4276	Gqkhjn32.exe	102
PID 4276 wrote to memory of 4584	4276	Gqkhjn32.exe	102
PID 4276 wrote to memory of 4584	4276	Gqkhjn32.exe	102
PID 4584 wrote to memory of 436	4584	Gcidfi32.exe	104
PID 4584 wrote to memory of 436	4584	Gcidfi32.exe	104
PID 4584 wrote to memory of 436	4584	Gcidfi32.exe	104
PID 436 wrote to memory of 1308	436	Gjclbc32.exe	105
PID 436 wrote to memory of 1308	436	Gjclbc32.exe	105
PID 436 wrote to memory of 1308	436	Gjclbc32.exe	105
PID 1308 wrote to memory of 3944	1308	Gppekj32.exe	106

C:\Users\Admin\AppData\Local\Temp\786587f69801f3df64534a6816682b30_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\786587f69801f3df64534a6816682b30_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Windows\SysWOW64\Fifdgblo.exe
  C:\Windows\system32\Fifdgblo.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SysWOW64\Fmapha32.exe
    C:\Windows\system32\Fmapha32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\Ffjdqg32.exe
      C:\Windows\system32\Ffjdqg32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3744
      - C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3180
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:648
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        31⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        33⤵
        Executes dropped EXE
        
        PID:516
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        37⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        47⤵
        Executes dropped EXE
        
        PID:1268
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        51⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        53⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:932
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        57⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        60⤵
        Executes dropped EXE
        
        PID:3404
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1292
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        66⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        69⤵
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4176
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5048
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        76⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3112
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        78⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        79⤵
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        80⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        81⤵
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1208
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        87⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        94⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        95⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        97⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5692
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        104⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        107⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        110⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        112⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        113⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        115⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        117⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        122⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        124⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        126⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        127⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        128⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        129⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5656 -s 412
        130⤵
        Program crash
        
        PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5656 -ip 5656
1⤵
PID:5932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
224KB

MD5
d4dd65fa2a2fbec679c0825acdf30d66

SHA1
b67d60d9765270c2086e95fdc39196cd31fb7954

SHA256
036442d3bc562ce4f56c74f5fa291b027a21c73c18467ac70643eae798dcec16

SHA512
1178b2b370d8593ea88522497c399752843e4ba63a578a2523cb22adafe9cc6bc8e9bb63174193cec84ddefc17cb4351428b33a3d22142b8c075449f82335f3f

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
224KB

MD5
98e1d4c055786927b1225e7d8ae89ea5

SHA1
e97c57f40d387604c5d084c1ffce2a3b844e6bf4

SHA256
84bd44f12a2de5802fa4557cf2ad8ce38a9c02fd974986a0de6ad9c140fe7d16

SHA512
93f7729eeef31506f9f054b124c70d7bf96cd7186c77e86488b3dde31cbdce6850fbb907e2a3baec333004f300172870163103ec9ecf36d509df95a7bda042d4

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
224KB

MD5
d5895c24d5ef2d92cd2bcc6c86452a07

SHA1
398056a3c2288a912aeff3d887afff66327eb0f6

SHA256
ebf9356b61061bcc91142c13df929ff798a9267febc7dc9bb1d1e39034230cb9

SHA512
5fca3c4791ca0dd815871a47258c6c99e5885dc5c6f4ba792f41ede358eb9f7359bfebb6c3b67beec3ccb067820efc20c04ac35f7921475e0eed7baf5002dca4

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
224KB

MD5
f8110677492efbd42a6fa30735f2d9ac

SHA1
69c1dfeb86e9689b041b9801c6ce6da677a019f0

SHA256
df838c014c7c3a90d0ecc58f0adf6646a08c061d5455f3ca56717f6814b78cd5

SHA512
6a292f570ea5e704a6848bb77fd298fd8eb2c54f4da52e9309f7260418fc3e4e2bf3bb6ccb3ce5404d0c26e75ed617934508d4d48c82d9aa4a4558c2d9426301

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
224KB

MD5
7af24f5e65c2bba8c2d95f8a9a5455e1

SHA1
440870b6b9524870e8ca2a1cbb9c6b5ab451b0bd

SHA256
14b228ee028e6d56f22e6ab47e26f7d0db06f21faff2491ae917fdec4c366129

SHA512
c4c8cda6622c89019916c6566fc314d48264e805962f7afa340f4cb4129386b3c9259174a794158fecaf2788c34dc5837f643fb83f9d08cab1877947ef300ba0

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
224KB

MD5
111e0f1615d5c5d2fbd35a9951c5f802

SHA1
38184ef16ef21b0549488769ca9cecfb79a7a615

SHA256
ee1ca3676de229bb35b5a05aed25694c9c4ea021864f859c68f63c044cefaeb8

SHA512
c3bdd79ec9804052cf1e8f34f6d18d539f816bf51ff16a7ab78caa1d07b52cf99f404460630814fa0053492d19ee16d587cc1b49dfbb4f5dcbe09b114995eb80

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
224KB

MD5
9bf3ae1224e0b9ada80b90c5b8e29846

SHA1
9f0876f97f4af0d6204bfdef6b1de228734690aa

SHA256
c781e06153eac34a63ff62ffd431dd7c0624adad598edde1224693b0f683d677

SHA512
7c42da00d3c92fb8ad9172ed2a0a4dcb2af25e9febb25e298b9f95070e53798dd485b42aea0782c7be31b60246b7a69b56361648f9bfe83dd47f7f5d61516731

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
224KB

MD5
ba7565c82467e7feec09c34ebba49567

SHA1
080b855d5acc36ddb3f24ebca95351bbbcfc5a79

SHA256
ad76435ee327ce6128b95016bb3485344f0b10be3ac06c318ea844462ba42546

SHA512
c31fa83cbe4727cb501c779cbf9243f7c5aa48200e433eb42b7e6100548e59c83346a2fc4b3e0876f64ee8c1cae8b2e7c098562099811c51d5472c548491df09

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
224KB

MD5
7ee41797f0081cb7eb1e1f8dcc1d43a7

SHA1
534fa393ef9d7ceefb3e26fb86ac0fa12d67711c

SHA256
41ffa24dd0fe685c19f22bc516c43baeb1b9d1f78dbe75df2ad07683c2aec4b0

SHA512
1ece2b01930f847655bf230a91244d258f3341fcf01e442432f598d759a9a582bf6a932230c93af068b1bdfc7352a7b12b872a01c463c9ac5fa8bde79eaa7f22

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
224KB

MD5
06478f2f9cc8e8034a831005c9901e34

SHA1
fd5458d774bde5454ecb1b7d16fcd4928cf311cb

SHA256
c886b3a45694c4062ef327d0d77c5d34d3c4932fb807d6fde7b2e5cfab4b665e

SHA512
0264d9f32227b2f7d527291f42a00e9b2d980406e1d002e82f694e1843f9350bbe7f8cc04f1d5e3113f7e56ca92742e5674f1ec0790f8566e61532b493452d1f

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
224KB

MD5
5ce425313ce2e8cc2d6b39b77daca9e2

SHA1
02ad93e00c74f929a5e295a5eb7333fd723c1acc

SHA256
0a07ca347f15c304c668b2a8dd3db1d05ad8b1ff06264d27eee0c28f0a8cd12b

SHA512
04c70fe9d59170582c5c95db3f284aa9b86a893993b8a9241c32ddfb08732f2be8252aef4aacf51c6a2b041f45b90670f941bda09d9787fda51b59e192a224ec

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
224KB

MD5
828156067cf183e2c27e6b86a27f0070

SHA1
e35158150ae5ee28f8de19851fce2231d9e3b64f

SHA256
21b89ad74190477982bb03eb9f57463f11d6bd96f275eceb1372fc782de7017d

SHA512
ea59fa9b491b642dfaf12ada965f4138925a5cfe990fbb80f328641ae04a8b2c1b1fc14c3a8c8bb95538c4ac86fde285bbc8b16402fee35bac12024e491e4b66

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
224KB

MD5
96ed38eb753e5287dad76d087de16cd3

SHA1
25d6f221170dc6fbc574549acee244330bb6633c

SHA256
6aa1093559570de3e71f0dcfbd171fbf2727a8721cf35fd752e6cb1dbddb3940

SHA512
4b0dee1d25e77a1eddc129966ff39b85d5fc0649b0d992bf65055172c02c6d0add2a0a372d7ca86cf8ff9b60968a406ac9aa701aadcff1b2099f11aab59989b5

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
224KB

MD5
2a2c5c919a41f266646ed64778a228ca

SHA1
b10c424bfed6c3edae326a384d804a6a878106e9

SHA256
6cd0106cabb8f3b38b1bf169baeb790816f7729264d84e2521c4e91688be0abd

SHA512
62d51b68163cf477406a27d8d42e48b6cabab43107feb724cc4561acf0f0df3bff33bd5469e3d3ccaf60da6998fc5999d793a11423c53ae7a8a09141abca5c04

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
224KB

MD5
2f6ff4ce534b241066585ce34c2eebe4

SHA1
16ec195b66e700592da2646971cf05b1f506a3fe

SHA256
a49516456fcd6fd018928cdaa7e33ab0e924b1446954524971fb8ad8a2c4c5cc

SHA512
c87daced742570bb595ef7acb040952da2e0183bb8dfb0e4bbc9b3f5643a63d56b01ce5911ae3ebf49e2297a034828f282f5854fb47b3d4ea6f8c68c971a7952

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
224KB

MD5
5bfd5cf9a45cdf7f2385df8807e5a4cd

SHA1
369249c1a2aeeb693a01d83858ffd38b164d44e4

SHA256
1cfa7d1ec20a5b381ee14728615c7ec4ef4dbcca5cb70789dba880686984a4e3

SHA512
971dc7f21e58993a2e6ede53c7475b5a5a0c11de4b1daaf649cc0eb84dd807a20191f007ffb0c37e2867767b8c4d15ba63583cd2f141ef708ed0baa7590ad536

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
224KB

MD5
b30bf78e780a4e358b34c1c3f7572ec3

SHA1
165d505f409bcd777b7e58d302ce1027c92afe8d

SHA256
27ffbe26e5fd2514ab1bf6883f0b958ba14d1a7efc7d266765f2c3d26fc98256

SHA512
a94e003425277712007fc6b8231a110b984c3f4313dd7e2c6beaed02197a84e57685533776b542661e92d3ce427dff7e695290ec11f5cce3cf6f85e916cf7acd

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
224KB

MD5
4906618e5f10dd033f50a5a34971be18

SHA1
837c0fc5a9aebb028003083aa6fee2d4776f0416

SHA256
0bdbb285db198465366752f870e3a002eebd2cd4c1382b527bb891e9e13e9504

SHA512
75eae9af8ef9150f7416782c11182014b8eeebd44d4d33302ca6aaed801f9eb11d70f20ba6f43467fd03d7fba64276a822ab87266841b2ed403fdded86d096d6

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
224KB

MD5
1136d62aaf13f3b48b748d0712adc7d1

SHA1
cc485185e0e16b8fb9a6bb770d6120d59beeac66

SHA256
257ac3b8f6733ce15dded15c041e6eca6fad21979f4f6a206c17ab9688dcc8cc

SHA512
2a92d6ad5f3044811e472b0667738fbaa23ccd92594f11d58cf2618e1332bf65bc6042533709b84b2d2d034e55328bca2f8e7cdcb9e37241ba225c1767a303e3

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
224KB

MD5
9b1f9a88bdfd0fcbf434ec0a41ee25f1

SHA1
a21cdf50de411c5575a1cb6260c84885eb3b11f0

SHA256
827eb77f79ace83c83219f97106be7692ab5d18d0b6ab57e0a5d8bc37ec3bee5

SHA512
f1755310a1b63cf307c8cc50896172624454e01cded3df84c078cc7f33d0204baf54a4e1014e3ed3400c9dd6311e8f456e31f4ff50e9b19f6e5c6083508108ec

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
224KB

MD5
adfd351a431c2bd818842b4d10b4a7f5

SHA1
5d64ef9f50e239f1612e663dbf1edbe32eef840b

SHA256
4faaf57b193ad340bacda4f9cf9f15b7d6855ba4c9df42a23462a3da4ffcf8cf

SHA512
fdff130e00126d6c0fdbbfc64f3a3149ffd52751d974a9574bddd3b6cf560f111c7cb0cd04d9dbe091764aa5726e09c24b1008948ab15a14c662aed455e51425

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
224KB

MD5
c006b9fff256cf58581b0e58684c52e4

SHA1
5c806214bb1aed09878c2666ad895dcf4007675e

SHA256
879d7ec21e723c614bde4f9e9990b752f607da4f93eb1d0ff850c646ffb335cf

SHA512
adf847df02930888cd8394625b920a9a7e5e0a9bd4e0430d49070ae3ea34601a13c4956e7a1cbc483006730922ea6ec4782ccf3e7da507eb9eaf4740ac443118

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
224KB

MD5
cf262c1e5b5367f07760ebd2b344a9c4

SHA1
f9312747c4c85a95c2da9161b052311f0790f31b

SHA256
eeba131fc23049f18fb96efa1af41a5a9faee0c781a3edbc124fd90bda9059ea

SHA512
ab5ad613a7fb78d885690fc6a14d0383b40dd93353855aadfd9e8a31f80929aab059e1d00c79d91da78c9b88539e1a306410e79b78bff6fcb657a14837710232

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
224KB

MD5
636d41ba0d20fba51cb5cb274c2e70da

SHA1
5217ef2885a4ced6b0d6b4946e546816a491ff4c

SHA256
eb614b42c7a46cc66003a1de813d3a1014b93e42fc71809cc92adb7d5ee3902a

SHA512
fd69abc39b9ae9dd681b77a0fea72089fb6bdb09197ffa620cf8d09166789eef8287b3ca5c98249945b4d35a7af902af3a8f6eb708ea090c14db17f3e662cbf1

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
224KB

MD5
0038b0d6787ee5f1659068fbf4f3f1db

SHA1
bab9a670247d2347952fb712907fb4b6c5c5f2a0

SHA256
fd71b94e4bd64cdfeec2336e9a9d7878285c9e03597372163a36313317399f9a

SHA512
b263008163fc5faa28fd1e5852136ac2674037bbb33735804ee9e2f37e11d2b69386f2a94748244406ec5656b1bc9cb958d8566dc60908eda924a5a49e483523

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
224KB

MD5
18678a3dda89c7a0ab530d4581ef2902

SHA1
e3ae4f5d1f609c5dbd93b0d08f63edbd0fd06619

SHA256
aff5c100c1f6ecee66cce4ac86699e17be7fc20f875bd9f0876d529747d6b8a8

SHA512
6b325456434063b76f8d9253bcbc0693781a0f9fb17f0ab744e4d6d6d58c05939237495cb4e84de4a783a4e9f51efc2eb06a308060c0517ebc0739aae06badb2

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
224KB

MD5
12c16ad3befe784d8123f975f8ebf133

SHA1
0fd620716827620e8cf0f5457f9d7931e9c5a889

SHA256
662fcdc0fc7b2f903bfa043590d925f3a0aabe52c1937f70a8a9df7e2d47f05a

SHA512
9afb703d7d904b92d817811162531e1bd7b05df11b8bc11d6b90c7865caffb6842b3b5f641d9c1ed22b3a4624b04b88fa4af3d1585f96bcecbcdf36d40b9ba78

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
224KB

MD5
0b5ffd5433dbc07642bcbf863d546931

SHA1
54cfbba4636f563ce54822cd7c6812a3355b1b12

SHA256
4f0d30860b0349b18f25768b4509bbe2f5ddbf95deb674d45d61225bb02a36e0

SHA512
51c379d7b80a0691b1d06348ea836a15e2d866de71457a59c36dee29f04af402f77cd2bf0242ca37f8dd72271c79161720a45ee20c1a8b58477a697b32c77c10

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
224KB

MD5
6dba6a270942edff84a0203bcf7156b5

SHA1
e4e3d876f28f17eedce63bdae87aad0c7746b329

SHA256
6c9c18a30bd1368c0a83f21ebc698f9a6034fda86042e34c1021b6c034160979

SHA512
8d7dc12e1d024a472aaac433dbc97a666ca5b04a6789aade7bce92d7e4d780d76730e75e47b4be0528d267d9602a9e389f3b70af45ed72375ab1bd31fa30ea02

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
224KB

MD5
5013b13e80e974b8ce1882675c902af9

SHA1
0eb37b47b5266b7022ee3d4c793ac83edb5e1af2

SHA256
0116dd61205685b524aaa23e080c721d3c126b53d5fa089c884d78d1348e6662

SHA512
5e9b9094b428f3e53494e6f803fd6b645b25616edc177b1c06e0abf6a119090fc824b13f450580bc1140ad287e4fe2bc85b0a5e7fea16b14ece276e8ad37c058

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
224KB

MD5
584835b334ee9c8a023cd5f35bee45a3

SHA1
15f97ea081bf39574b2e1ccacd3a601549d852f5

SHA256
a4607474f1b7c5d480e7c4f421efc25c62bc47fd19f170d2b465ca7f36ad2b7f

SHA512
3a1fb03f4ad29da8441e5dcab6d2925a8c48648429b6de89ce0ddd9c90e7a0e6b44bc0f46b68e0bf362942798df15f5c433fcc217875cac5665f64b9bdbbcaab

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
224KB

MD5
23ff3036d9bccb59d718aac53631bda9

SHA1
68a2f077e83ea8de521ecb9c8b21db0d43e3e89d

SHA256
6328d8b12e1f78265eef212b6be946bd7a7557c70bbc35388072c108d8ffd003

SHA512
f84ecb089d9225aca574aa1c1fe1a07a36fa9223517ec88f3da93809e4724396f87412859e405896337ae5feaa554c6df7de8eeeba55c8a2792bf6875e31d210

Download Submit
C:\Windows\SysWOW64\Iblilb32.dll

Filesize
7KB

MD5
c72a53a03cfb19adb117e7e0f45c7249

SHA1
db830e90f9a785fd375aabc52a1bd7a2ac21ec45

SHA256
ec2717c3ac2407ae6f18feadfcb3e777c844c1bec051e8e7c822593a7ee6c1d1

SHA512
e531f4c568fd4b5888b5dc0ebd6d0181ac1ddc2f1433b3db391ec242d8f7d5ca2fa02879204dd8e9aa2d923525d3fd85a534d3b42d05098beaef6d2414a985ea

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
224KB

MD5
759a6820508d9167e1bda6f50ea25415

SHA1
0201961eb7a6d72ad629243ec6e0ef2a24c1c989

SHA256
496744e2b91d8bdea5921c9cdcc41e73676e9556017304da0bf08d7d3198437b

SHA512
21178c55c243e5c1681ca5f1f7a80c6df91f4e0cfff019f21b008b87ff79ecf7ea6300e835a844ae080467aba8f38da52ef7c42d88692bfa0ab269e8c32aec5a

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
224KB

MD5
adbbdc803ef4147eaa133b229e30052c

SHA1
52911201182a5889c111d11a0a66d38112f43018

SHA256
b7bf83671835667294b3ca4b14bd082ba07c4b26a7eae58f29960f5f59cf5130

SHA512
49453a784872a4c4c70efbc7348cef728a53ddddeca8ef56e203e030681a7c99d904c4a49c66ead050c133438510f5131127e832010d02a7d4a2df82da277ee6

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
224KB

MD5
80b829907b54f63a6aee4f6af301e119

SHA1
a36e78a479cb2b476b60edca68b6a156b1b716c9

SHA256
ed400964598d2af43b6539d1c8945656c3d1793f4020bbd393002385085e74f3

SHA512
42edcf0469c7af85e000d66228dd065cd9baa9e1f8d1826408e5e503f261bccabb2005d0bcaf14e8726cbe713fde43d91cd0b52438f54226a111fbea72cb4e5b

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
224KB

MD5
d042d90065bbc3ef6868c00be38e4a62

SHA1
f91a45895463f68f9c6be7c083951ca2868787c6

SHA256
55d93ad16b114942a4e2d75ae0f01cdfd6829bed5b4e373cf603dec1b4613459

SHA512
e4d2ccd1a85a4d439a0caea34a62e6d635ba49ef363c474c096852a221921ab8f4bd9aa24af280e32f77f5e4190eb4430c106e8e9a825a916f6966481cdefa6e

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
224KB

MD5
d1556bfe2a4d426917287948e910cc25

SHA1
9a09e154773467650dcbb5c5dbc5c01a309ea269

SHA256
dc0302b5688094385b01ff9a8c99fca73f7f6b57ae58676e70b77f76063a8238

SHA512
796062ec560938956838623bdb01db1e36cde5345fa60d0822e34bb0f4dffab85a295ea164d89b8aa5364c5faf54e0a20cf49d54cf81b401acdf05949e3ecb74

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
224KB

MD5
1b9e14362c39fc8b810ab85dedf6914e

SHA1
ff826b96cf1031ece1015bd4169dcb965a4e2ab1

SHA256
0d20231ae9bef88b27bde5bb7020515d958db751d5c04ec2b6e61cdda3c10c35

SHA512
0462a41e1e7768ae61a9b0967a11996c73c01ea69e2ac000d6c754c8d64f317079ad3ae435e67d4849098e8c5b03394a69c31c4c38f14a75dcc8f1c36817978c

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
224KB

MD5
047a8de67da685e7b992763d4641eb70

SHA1
340c9cfc679e0702162293dce1e0281e01f6f47d

SHA256
5e6238cc1d304f454aa19967edbf8698033673bc51c3af6117e3b8a55c0c6c7d

SHA512
a4f5fe77a220a9a0337cc043bd1118957433cffdfb8e2b2f2becc5e95d0bba5102f35d33d90a49f6f6715d2986d9380f755c87f95bc80d61054ac3affd00e3af

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
224KB

MD5
365c88c4fb920bb1bd1b51ddc7113c4a

SHA1
2716c0f30b07ddf58d0a99361b4e70c966db13c3

SHA256
90fa86a216993b3e53f355aac28b29c3b9df77e00c8fac14a7811a59f8fdcb9d

SHA512
bd3eaa17cebca2d934403dd745bdbf926b6eaaa3df56f10b408b0a3aa1141bdc3d02db613aad488d00d2143b2cdca6b69252c2ff679cdd827201e690ea42d8ba

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
224KB

MD5
778bc641dda6276a9da64b8c55e72232

SHA1
b15e0a19c2dc2ed6db25eb0b03b157d7dab2399d

SHA256
cae56bcc069fa53b34396eae7978db153e02fc2bd4244599ac0f910abbdd8ae2

SHA512
30a8f59201fad6f2422c8588219aeb9faa990988d08474f2a26813ae421f5145952ad812a1310af22f20e73c6a79227bec2beffaad76dd7396902c8b2229bd35

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
224KB

MD5
053d1dc0b525935bd4320f8b19b2a4a3

SHA1
47072caa3f02582121c2326849c101713f9c0e3e

SHA256
098aa38233363fbf402c26fa24cb46012ec52b93d43b9bfc983c218ddbbba02b

SHA512
b216a1677569a4b50b4f0e3285797ec40d66bddbb8172e7032128f07479617e45c31c7ce34850b06025fce88b3a2697026cc0acc2fcac318d3427f756d887b55

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
224KB

MD5
29297b26e3aa2750b5a9649397ed85a3

SHA1
e7d767eb5543d9a2cf16c93131069eab55ab0e09

SHA256
208380ffe895f99c3add6a1618bc20d5f725cd4ab3cde69fe3d2a03f2bc8bcb5

SHA512
cd9cc8cb0bf64f8dc3388cdef5061a1a4e6052ed6651cd90ff7a15e362684dfe65bb22be9589ad78a1b8326aa17a5d28387cb616477e1faa1c9e6e243546d5c1

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
224KB

MD5
d2511d33147bad29f3c12e96da1ce163

SHA1
871301f3a220a47775856ec14300b5979e92b918

SHA256
6ee044c5824b86a6fc1929263e73df1e45a970ce818c8be2990443c55f1b1fdb

SHA512
000916a793873e2e3fae8fed6a08ac8912576a0d507713c2a5c768e6c86bab4376202270d9860099d360eb583e3da4e2c11c601cef9e88749690ff9024882c27

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
224KB

MD5
7a6ccf46eea09c207755cc5946ffa5ef

SHA1
810a2cf87d7ec57bc2f0fe98dcde85629f013d13

SHA256
883ea276a51bb5caba034b86abab251d692dc6aede5fbcd61f45313e6e72088b

SHA512
de910715c8d74a7b48cfa3a14578b8c6c12642089ba698d0191590c233c631ffcf6858a68a44d59f284058e54072f1fc4373b8ca48af4766226dd14462ea03b3

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
224KB

MD5
95344576471f74c93a1ce44e458e128e

SHA1
255a5d74afc83199c109fa2520f8b49e6b0ded83

SHA256
421570792e8f75c5cc7e442584ef4a05642a502d134f0ab0f644ab93d09c2f88

SHA512
7c7bb611f2b0f76a8fa8d8af31699d059d821fb9e6edc5989782283328f8c3a0bce9abd662cf898680f663b8f93f725e688473a6559bd038fa52d96c72283d34

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
224KB

MD5
537a209fe05afc8367e96370a119dd12

SHA1
ed7e6515d7c410910590b207f638d806266df189

SHA256
73098e321095668a712cc8a7c1e96771520bdbed7c8395c600bc907b0a726336

SHA512
951026012a7e703f6f19270c9d9f005121f57a60ec8273da298c6f236e581447e4229646e54ea70993a2a02e408454e08499b2eb70e614cb615cd1b91db80c6c

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
224KB

MD5
78fd1e8a85cef1570fb8ae2994d64dd6

SHA1
842bc439b841feb6d8d561a7683c9e2d81669435

SHA256
9a53679df42267522818c0783ed7d15722ed331ef45116f3615629158ef547ac

SHA512
3c9598cdf36390b223b72884e6ea6c52cb16287e112d6410e7c93944452c1d17ec9fe9cfd71130ca155a368ef26e97b171dadea153e5ba657f06ba5bafc1881b

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
224KB

MD5
4b6bea2647ea05bd160763238580d7b0

SHA1
9983dc4a65f515d56e22da7b0f06e58e52d80601

SHA256
ecf797ff7f4308b86a126ccd6e22affde6800cf7f4c30d756a48196f40a38c33

SHA512
267780551f5c6f0486a236f54d50c8988ae7f77d1adc42ef74d21b85751b24738bbf9c815b83315b851dfbe61dd3cc53a53186503ed27a52e4e041860e0efc56

Download Submit
memory/396-359-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/396-299-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/404-281-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/404-346-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/436-168-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/436-264-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/516-280-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/556-12-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/648-220-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/648-314-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/888-266-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/888-343-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/924-265-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/932-417-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1088-439-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1268-371-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1308-176-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1308-279-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1316-370-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1316-302-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1372-347-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1372-416-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1376-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1376-194-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1500-403-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1564-430-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1636-333-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1636-398-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1648-219-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1840-125-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1840-218-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1956-204-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1956-301-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2148-429-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2148-360-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2336-345-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2380-392-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2380-458-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2472-445-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2520-96-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2520-16-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2524-244-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2584-69-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2660-55-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2660-142-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2828-23-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2828-105-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2888-312-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3116-134-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3116-221-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3180-294-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3180-198-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3368-76-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3404-452-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3496-384-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3524-175-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3524-89-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3580-133-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3580-48-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3588-254-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3744-32-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3744-115-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3908-331-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3944-291-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3944-185-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4068-124-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4068-40-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4132-203-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4132-116-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4276-155-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4276-243-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4280-459-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4296-386-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4296-451-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4392-418-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4392-355-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4440-419-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4448-235-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4448-143-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4572-79-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4572-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4584-253-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4584-159-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4628-409-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4644-432-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4680-236-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4972-98-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4972-184-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4988-377-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4988-438-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4996-325-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5016-383-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5016-315-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5068-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5068-167-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5076-292-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads