6c4c928f1430048f9957f132d2a7a45c152e6ac40286e27657c9e094523c002c

Analysis

max time kernel
138s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b47331af01357ac7595d2477f1f5a290_NEIKI.exe
Size

196KB
MD5

b47331af01357ac7595d2477f1f5a290
SHA1

7270ec8333f4ae0c70f559029c7ca31af9f81699
SHA256

6c4c928f1430048f9957f132d2a7a45c152e6ac40286e27657c9e094523c002c
SHA512

5396fb97fc21909deb05473a781f10955a3b9a93c127f53e5ef3c8d97cb505bc73e8a832e4abd319f524c199d5975c9a8f418c8b8a86abd44c914c7dd10e0ae8
SSDEEP

3072:zst6eyXkIrigyYq4YJH681+jq2832dp5Xp+7+10K0k7SS6S+psBB6sI69FH:Q0edIrBTsa81+jq4peBK02SjSM0zI6rH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b47331af01357ac7595d2477f1f5a290_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijmbb32.exe

Executes dropped EXE 64 IoCs

pid	Process
2920	Ehhgfdho.exe
2720	Ebploj32.exe
3420	Ejgdpg32.exe
2528	Eodlho32.exe
3604	Efneehef.exe
2592	Elhmablc.exe
3456	Ecbenm32.exe
2236	Ejlmkgkl.exe
2200	Eqfeha32.exe
4848	Eoifcnid.exe
1076	Ffbnph32.exe
1084	Fqhbmqqg.exe
4072	Fbioei32.exe
3524	Ficgacna.exe
4196	Fcikolnh.exe
780	Fmapha32.exe
3880	Fbnhphbp.exe
2316	Fjepaecb.exe
1008	Fcnejk32.exe
1704	Fijmbb32.exe
4112	Gcpapkgp.exe
3516	Gfnnlffc.exe
796	Gogbdl32.exe
2676	Gfqjafdq.exe
4448	Gqfooodg.exe
3512	Gbgkfg32.exe
4180	Giacca32.exe
224	Gqikdn32.exe
2792	Gidphq32.exe
4356	Gbldaffp.exe
2976	Gifmnpnl.exe
3504	Gameonno.exe
1736	Hboagf32.exe
620	Hihicplj.exe
4760	Hapaemll.exe
2432	Hcnnaikp.exe
4116	Hjhfnccl.exe
2664	Hmfbjnbp.exe
4776	Hpenfjad.exe
4244	Hbckbepg.exe
1252	Hjjbcbqj.exe
4548	Hmioonpn.exe
216	Hccglh32.exe
372	Hfachc32.exe
3808	Hippdo32.exe
2392	Hpihai32.exe
3396	Hfcpncdk.exe
1004	Hibljoco.exe
4476	Haidklda.exe
3296	Ibjqcd32.exe
3356	Iidipnal.exe
4436	Iakaql32.exe
3960	Ipnalhii.exe
4716	Ifhiib32.exe
3908	Iiffen32.exe
4924	Iannfk32.exe
2292	Icljbg32.exe
1332	Ifjfnb32.exe
3116	Iiibkn32.exe
1588	Imdnklfp.exe
2908	Ibagcc32.exe
2560	Ifmcdblq.exe
624	Iabgaklg.exe
2420	Ibccic32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ejlmkgkl.exe	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Ehhgfdho.exe	b47331af01357ac7595d2477f1f5a290_NEIKI.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ficgacna.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Fbnhphbp.exe	Fmapha32.exe
File opened for modification	C:\Windows\SysWOW64\Fjepaecb.exe	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Elhmablc.exe	Efneehef.exe
File created	C:\Windows\SysWOW64\Eoifcnid.exe	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Ficgacna.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Gifmnpnl.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Iakaql32.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Gagaaq32.dll	b47331af01357ac7595d2477f1f5a290_NEIKI.exe
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Eoifcnid.exe	Eqfeha32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ffbnph32.exe	Eoifcnid.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Haidklda.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Gameonno.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ehhgfdho.exe	b47331af01357ac7595d2477f1f5a290_NEIKI.exe
File created	C:\Windows\SysWOW64\Fdcfcpdf.dll	Elhmablc.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6424	6332	WerFault.exe	238

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijnep32.dll"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfnlmai.dll"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmaid32.dll"	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhbep32.dll"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmddeh32.dll"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 2920	4740	b47331af01357ac7595d2477f1f5a290_NEIKI.exe	83
PID 4740 wrote to memory of 2920	4740	b47331af01357ac7595d2477f1f5a290_NEIKI.exe	83
PID 4740 wrote to memory of 2920	4740	b47331af01357ac7595d2477f1f5a290_NEIKI.exe	83
PID 2920 wrote to memory of 2720	2920	Ehhgfdho.exe	84
PID 2920 wrote to memory of 2720	2920	Ehhgfdho.exe	84
PID 2920 wrote to memory of 2720	2920	Ehhgfdho.exe	84
PID 2720 wrote to memory of 3420	2720	Ebploj32.exe	85
PID 2720 wrote to memory of 3420	2720	Ebploj32.exe	85
PID 2720 wrote to memory of 3420	2720	Ebploj32.exe	85
PID 3420 wrote to memory of 2528	3420	Ejgdpg32.exe	86
PID 3420 wrote to memory of 2528	3420	Ejgdpg32.exe	86
PID 3420 wrote to memory of 2528	3420	Ejgdpg32.exe	86
PID 2528 wrote to memory of 3604	2528	Eodlho32.exe	87
PID 2528 wrote to memory of 3604	2528	Eodlho32.exe	87
PID 2528 wrote to memory of 3604	2528	Eodlho32.exe	87
PID 3604 wrote to memory of 2592	3604	Efneehef.exe	88
PID 3604 wrote to memory of 2592	3604	Efneehef.exe	88
PID 3604 wrote to memory of 2592	3604	Efneehef.exe	88
PID 2592 wrote to memory of 3456	2592	Elhmablc.exe	89
PID 2592 wrote to memory of 3456	2592	Elhmablc.exe	89
PID 2592 wrote to memory of 3456	2592	Elhmablc.exe	89
PID 3456 wrote to memory of 2236	3456	Ecbenm32.exe	90
PID 3456 wrote to memory of 2236	3456	Ecbenm32.exe	90
PID 3456 wrote to memory of 2236	3456	Ecbenm32.exe	90
PID 2236 wrote to memory of 2200	2236	Ejlmkgkl.exe	91
PID 2236 wrote to memory of 2200	2236	Ejlmkgkl.exe	91
PID 2236 wrote to memory of 2200	2236	Ejlmkgkl.exe	91
PID 2200 wrote to memory of 4848	2200	Eqfeha32.exe	92
PID 2200 wrote to memory of 4848	2200	Eqfeha32.exe	92
PID 2200 wrote to memory of 4848	2200	Eqfeha32.exe	92
PID 4848 wrote to memory of 1076	4848	Eoifcnid.exe	93
PID 4848 wrote to memory of 1076	4848	Eoifcnid.exe	93
PID 4848 wrote to memory of 1076	4848	Eoifcnid.exe	93
PID 1076 wrote to memory of 1084	1076	Ffbnph32.exe	95
PID 1076 wrote to memory of 1084	1076	Ffbnph32.exe	95
PID 1076 wrote to memory of 1084	1076	Ffbnph32.exe	95
PID 1084 wrote to memory of 4072	1084	Fqhbmqqg.exe	96
PID 1084 wrote to memory of 4072	1084	Fqhbmqqg.exe	96
PID 1084 wrote to memory of 4072	1084	Fqhbmqqg.exe	96
PID 4072 wrote to memory of 3524	4072	Fbioei32.exe	97
PID 4072 wrote to memory of 3524	4072	Fbioei32.exe	97
PID 4072 wrote to memory of 3524	4072	Fbioei32.exe	97
PID 3524 wrote to memory of 4196	3524	Ficgacna.exe	98
PID 3524 wrote to memory of 4196	3524	Ficgacna.exe	98
PID 3524 wrote to memory of 4196	3524	Ficgacna.exe	98
PID 4196 wrote to memory of 780	4196	Fcikolnh.exe	99
PID 4196 wrote to memory of 780	4196	Fcikolnh.exe	99
PID 4196 wrote to memory of 780	4196	Fcikolnh.exe	99
PID 780 wrote to memory of 3880	780	Fmapha32.exe	100
PID 780 wrote to memory of 3880	780	Fmapha32.exe	100
PID 780 wrote to memory of 3880	780	Fmapha32.exe	100
PID 3880 wrote to memory of 2316	3880	Fbnhphbp.exe	102
PID 3880 wrote to memory of 2316	3880	Fbnhphbp.exe	102
PID 3880 wrote to memory of 2316	3880	Fbnhphbp.exe	102
PID 2316 wrote to memory of 1008	2316	Fjepaecb.exe	103
PID 2316 wrote to memory of 1008	2316	Fjepaecb.exe	103
PID 2316 wrote to memory of 1008	2316	Fjepaecb.exe	103
PID 1008 wrote to memory of 1704	1008	Fcnejk32.exe	104
PID 1008 wrote to memory of 1704	1008	Fcnejk32.exe	104
PID 1008 wrote to memory of 1704	1008	Fcnejk32.exe	104
PID 1704 wrote to memory of 4112	1704	Fijmbb32.exe	106
PID 1704 wrote to memory of 4112	1704	Fijmbb32.exe	106
PID 1704 wrote to memory of 4112	1704	Fijmbb32.exe	106
PID 4112 wrote to memory of 3516	4112	Gcpapkgp.exe	107

C:\Users\Admin\AppData\Local\Temp\b47331af01357ac7595d2477f1f5a290_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\b47331af01357ac7595d2477f1f5a290_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\Ehhgfdho.exe
  C:\Windows\system32\Ehhgfdho.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\Ebploj32.exe
    C:\Windows\system32\Ebploj32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\Ejgdpg32.exe
      C:\Windows\system32\Ejgdpg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3420
    - - C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        23⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        24⤵
        Executes dropped EXE
        
        PID:796
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        25⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4180
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        35⤵
        Executes dropped EXE
        
        PID:620
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        37⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:372
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        47⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        48⤵
        Executes dropped EXE
        
        PID:3396
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        54⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        57⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        59⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        61⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        62⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        64⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        66⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        67⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        68⤵
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        69⤵
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        70⤵
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        72⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        73⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2740
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        77⤵
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        78⤵
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        79⤵
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        80⤵
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        81⤵
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        83⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3140
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2696
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        87⤵
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        89⤵
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4432
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        91⤵
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        92⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        93⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        95⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        100⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        101⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        105⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        111⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        113⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        115⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        116⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        117⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5476
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        121⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        122⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        124⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        125⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        128⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        129⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        130⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        131⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        133⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        137⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        146⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        149⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        150⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 408
        151⤵
        Program crash
        
        PID:6424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6332 -ip 6332
1⤵
PID:6400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebploj32.exe

Filesize
196KB

MD5
855058793464a19450ae87b2f4f7fa49

SHA1
611b2f8e383e24c946ed974fb38a964e2e618c23

SHA256
0d3be0372e8519e3600a33d065960f277fd92cb9abd2adf931db06c629c4078b

SHA512
b82cc74995213e4aa351e54f8d57e334b6a3ed6c1033bc1b80f66a1f38baf61ddd11b39a7f6838b23c3eddbac8d31dc3a540a5401a9ec3fb332a76d41aa6cbe8

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
196KB

MD5
196ceb9ce54244d929c078b1450441af

SHA1
5977c03f895c39bbfb4c693c1ab75750151654ff

SHA256
bb516b6deb0b992f48231fdbfa68501f33f5131e71e5ec9af4f9e255eff39821

SHA512
ce3723a959bed4069932f724c7b0037813b3bdc07fecf89f1eb7d03b1e514a0b7d74487eccc6eec668042f89f2f40925782b8734155e51ec485bdb594e54a3a6

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
196KB

MD5
978521ca0dfe39fa004c4a1f5e769d83

SHA1
516fefe50a465fce70a8a128c55053f5da190e48

SHA256
a32dd00644eac21836dcf53fc7506ea12526bafcfe4f6698fe279bc1737028ae

SHA512
5480784be8af4ba94be2aa865b0fd0f432e05424fcdf8c5e25ec45bddf91cc36746ce3470a8e6c75588566e6819b453a87c15812e72c5808e2c9ea053cde00ee

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
196KB

MD5
ffde05cde131097e0942af34ac176cf1

SHA1
94e6cfe8e057eb6c8431a5c8972ec73af6c84512

SHA256
ac4cf2e708cd15f61f5a086fa56044365e4d83313d936dc878f1877c9397815e

SHA512
0632f5eb6842a384617dabb0e99a776f2db4fd5dea56ae1cb795afefb9880ae4cc94e766221e97013275e86d64d8c42941409bebb11c497550c43acf68d96bf0

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
196KB

MD5
a79474944a911e0031f40518b414eccb

SHA1
3b3df8e24f5dcddca5428bb67fcd6a3fd516a60a

SHA256
a9836b670c7cbacffbc9ed214bbaaee543a9c23585490462a3da51a8eefb9b27

SHA512
5454ee4167164156d818e01efe349a34eeec64981e13d64e79485b544e60ff408942b5b62bd4906865b2a07a0141cce41667dd9403a090319a5eaeae8b15f6e6

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
196KB

MD5
89d7d9c4553b4ed4b9048fd763c8837b

SHA1
9602761e467d5c52a75e25b97c9d5aefec88f2bc

SHA256
17bacb33273e384440e354dc2f7a464aa60b1a40dc735bf3e59fa06fbce0c0e5

SHA512
7294540c3a0a895cee8bcf7e38e8e591ef6f9d37471d21f45e8f1ce522c5238e2fa9e232c6787204f73891d7b521da822cb2682cbc7aae3194c117df5dc83bb1

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
196KB

MD5
70c8530c19b0f27aeade75e4ae26fd8a

SHA1
91f2779165e8993894dceda431ad1772465c0a77

SHA256
d20ec97bda2fcbaf9faf72d563b3933ea25330ee9c71770b433db73328deebfe

SHA512
1837820b83434d03ad9cfabb30a09208ae76c3724c8ad987a9197b4807fb3d4ad66f48e5428214c9ac2bcda5780b4e09e70cad5cc7897a75592dbe1bc62d9e8b

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
196KB

MD5
26e5133d7067279e9ff81f0d98d080f4

SHA1
b10e508b4ee7c14d32ba1b29d4adc70059976824

SHA256
bc12dd82c36087edbb7005fee37574497f0ef5ddbf0760f6933afa5e927bf41e

SHA512
d9eac67774e33b996aa5a6ca44452ce779f10d21e5e5f832073758ee782ae1c6c2a532171e84e89968fab09bb5fb86cae610fb9504eb9a08b384267e8a2cb25f

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
196KB

MD5
1bdf9bc8d62f9e1f0c2dd05f6c3fc043

SHA1
59466c683169d2adc4a8e3019890529c6ca0712c

SHA256
1ab1fe32d8ae32d3900fb6f1a2200e911e61fffb9a3d55d97d26253608dce139

SHA512
abca45033e88fbdf92e69e1fce175179055fed28a4f582c7e35f2f2e560fe2c76bc20ca27155920dcf6fa568eeb9ac623acdcd32b0c340a65aa13a0db1e8f6ba

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
196KB

MD5
b3985ffcb6cd8b9c33c3404d7441e4f5

SHA1
22557759ef77a4240dd69a2481130922c43f5048

SHA256
4aea8ec16e0529c67e81e9665e21cef7d108818a5348a17cc68d801c1d788271

SHA512
16c36564f797fff08758cff6fcfcc9c82a8194a52bff3e7260988e4ff9703b22aec28be9caed76f00c86aa9c6c3ec91e369be2b91b159fc7b844186af04caf7d

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
196KB

MD5
24617542da214e5d9bad1d603b8b83ea

SHA1
ab94f4481a0d0e54837a2f607f61ee938d925e86

SHA256
901955d73a9bb4c3af8aa7335601d28733302d9e0305a2bc7f32f8cf2beb6ebe

SHA512
5100b0780cd5d91e75145c5a67aef9dc482eb850768a32a7cfa4c18c8d56d954f1a699660be674467030e73a41840825387d5386146964a5f6626103e8a212c3

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
196KB

MD5
720ceee41fda2a63eb32a9c1b900b4f1

SHA1
51fbb54ec2731fa85dcee4575b0cd1162e096827

SHA256
71a30900caa2166830c2d33affa3401a1bd0e0841dbf04f613af43093157e509

SHA512
8fa7db9646a2e9452c751fcf20d1337fa9313fcaf5f797cde9eb58ecd67024492fee2bb4c0b404544618743fe9067627126888458158864dfea3e9d2d5f2db64

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
196KB

MD5
a0363a24ecdbd2603b34a8335ea27a3e

SHA1
e5cedf86ef6c94e8eddd18f6a768bb9da02ad858

SHA256
fbb1afcacb97e61198cf1844037968b594e9d767cf548023053b94795cc4f7f0

SHA512
5853c3253f793e99fc2c4f21632a31f8fcb5d566f1665f34855df47259ad066400c835d4d03f5e70974f9449b04d69644e44a3fbe327c7fc5eced86659872d33

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
196KB

MD5
ebff3b8966f6c72ca35d3f0fe5e62032

SHA1
c467fde9a912176720a9628b7c7489d19fc8de29

SHA256
26f490548ecda96268ccff1d8aefc1be5f8283e768e6ae86c36205801a7f1d8b

SHA512
b808170ba4847662e6b5d3c480e13f155e9f5eb1db0011009dd215959dfa908e55471258a8a2173c3b1c294ce8d9034f0dc993223b4ebf9fa2bf6e54d789e726

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
196KB

MD5
9d68ae2abee595165b608980589ab8b2

SHA1
f8b85d49689fa6e426ab3e645c1aaffd31243555

SHA256
b134de2ce4aedc92233fcd02676454599553721743dec3de23c9e4a0c53f369a

SHA512
54b24ec50e45a3256d7c58c0350e19ade53ac876390e7d2c6806a14260f0ab2517490d10c37a2b1f4a184e74042e5cc974fb3e8e3710b6ac2d39222f1f7f4686

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
196KB

MD5
0255289941919c0eebe4ccbb589f0755

SHA1
cbc5a9920431909ca6d89f803820fdcbab7885bb

SHA256
06717030ea56aee44ab7e72b11a0ac6df59ee7aadea4c6735b821ad4b4ceb623

SHA512
23854b26a0dea77077c264d68fe2774c9c9527355fd008962314597ad5935a740a73edabce979afa05cee098bbeeadb69994929a5276c9ba7faf5613405949ce

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
196KB

MD5
a49fa0788cbf216378e96bf8108f0c52

SHA1
85ea6c848005131abcaca1ec7bd83a82448cfb72

SHA256
363b3cec3d472390855e3094673c66b62c41d8f7606373a467337def9a5cd528

SHA512
4a9e4965009c79b459efe1c47ad8c86415fb3289ceb2a086aab06d81eeeb212d773ddcfffd1190dbd33ff6e8225eade1b0f3b4f337092fdc22feebcfce728a7e

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
196KB

MD5
c36a0815bdb36edc1ff1d5b862e261d5

SHA1
cc20afb5ed71e1ca48998768b16f5fc59cc58d57

SHA256
62d13926ed39a96af2ec07acd6bbd642d5e2569b7113a71d31949612d05beded

SHA512
0d446e2857e274cdfa788b48e931199d80c622f4d096fe5129f2552df911bf1e2a39507bc6e120be85d1d1b0801541d85af135d3e233bd7b1e8970c455bb7b68

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
196KB

MD5
19ed1d89dddbb6bafb88687ec651e0d2

SHA1
ee4a1e06de1cedfe9e7e67898327ec54121b99ef

SHA256
7a7bc5b3f9dfa7a70614c80adc39ce98ead61cb6f142fd56b3df56049e66ef1c

SHA512
2521cb77dfdf8b4c837125bca5edc9e651dde7bc7c8e28a19968be18f5daf65b562f2b74d31dbd3deb6d33db3284b34ada17630354c22fc123af0c36eb972028

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
196KB

MD5
6101044a675359a9077753f2b05df0c1

SHA1
d16d16168797d48e4ef81de183613350c25f221e

SHA256
0262377340383a0a8acb0fd3ffa5eebf97cb13014745c28c604fef3b68c8b0f7

SHA512
ffbdc5019c8418fe032b0edae37b9e58b72a909f4d403f7485a12ec0b24d5fea1cb0867c5bb16574a56334d6a0b5a1fc28d449bdce71090a24a7f8bcdaa3b34c

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
196KB

MD5
fabdde0c41374e067fed58c7c632286c

SHA1
90df93d029348c5dd3497bb106840a3dca12652d

SHA256
4d52493bb9500596ee29ae4de13c7c97c13833bfc2d16c2162b99604072b629c

SHA512
1d864a02e7f3b12a1753c9a3ac53a371ad56b9ce7ca5e520b8ea5055263284aadd7b7eeeb8e316ab2b144102ce3a59292e673ee213b58a32ef1025e5f7d13bc6

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
196KB

MD5
f22a5eefb5e2c730eb2ecf3abe100dcd

SHA1
0886be5a77f691ea83ccd696fc7f0f30ba20a2c3

SHA256
34d2b9bd2e12bd12f14816ba4baf14799e97084f045b59cf93c8f944c61c0249

SHA512
ab8a7de0782e98b53ba32a208de78b2b6e142dd7d2ebfaabee26479a0939d56b1ebf255296c25ce701e52fae935e3995d05df914699851729227991ebdceb65f

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
196KB

MD5
af786a0494b6c4752c5bc8b40bf78732

SHA1
405310b0556ee6feba36a66926b8c9c40526ca94

SHA256
205964bb3bde700bd45c5609ec96700859554406ecd7c893837e89fa9f849e26

SHA512
309f035d82ad0df0fde4cd05323266976d575a5b1ee1b55f4728db9abc6d5d25a218a478cfdaf53d6c792da3029049c5ef421ba8a3ef4bc5873e78d072c62869

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
196KB

MD5
d1af4c93b50d0a7e1b889efed5d16780

SHA1
9a768296d4d77277569ccfc4394bacb8f6d70de0

SHA256
a3813c0778e1dd338304fa6c17ca38ba360091673495ad52aaa59e83c6442fef

SHA512
57592086941a458b89167a80845cf8bf1f65bf7c782a9f00930ce72189698cfecc54b076810656db35975a6e18d2dcb24685c94df59ed9487c3a1d689f01155c

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
196KB

MD5
98c398484fe5f28a83a5e8f064509315

SHA1
fc7b20b01cec3c7116bbf54a74bb327f482e60af

SHA256
d6206af5a1caf32ac6681c205351cbe9c9064262bbc8cd597b8ed682f271c45b

SHA512
f36637bfed87deda0c89c3fdf28d8e5117e8bddcc41194aa1cabe5c9fab5921276c801ff8c2793974cacbb08f71e76c5f2a4952b63008b7861bfdd899bfd81b3

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
196KB

MD5
1748edb772096ed9791692439eec097c

SHA1
a5d271e0e4435577b5c0d11af60619e928ad5d26

SHA256
82c502cb94926bee6334af67c2ec2e6da9faa3f4009c56f8c57f17104dd07d9f

SHA512
cba8466c7d6fdad4bd72e77209ea663f1b0c68d132af145b64d3f7b04a299ac4ba717c7d53628721ee0b27a382731e146ef3c0de43b3e20841f032bf2a724e28

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
196KB

MD5
1ea259fe28b22fb08f2da8d7cd4daf30

SHA1
81da4a840b0abb23187f4996e7e5debac5be9f89

SHA256
a3428ede72438c24012a0ae8a89069828f2bd00a5a030e80f5b8056060658806

SHA512
dacc4f13260d14a275280343169dbb036a42c8de3d07749ab122c18b5e9343d25c23f117cae0dbc70f6cfde8ba3e821fa185feabf4caca840a6921bbc98512fa

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
196KB

MD5
9a47b4c28c4feeb084834341cf65b749

SHA1
8daa1e5f77c3f1f74d13b6fd525d9d9cc5e44b79

SHA256
6826889a66ec0ec99ccb8bee7fcfb3444fc4e2aaaa173bfe38598a84c5af79ec

SHA512
ae63ecaa4946c53a0597c16bd4acff2763c4e661c85e1814568c06b0f83ff09c2a2c7acedc8cad1341831d00751217ac010bc88372128e2af9c4c378bf097a5f

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
196KB

MD5
a695a656cf922622ddc0e64b313fc21a

SHA1
116b5af7efb296c0090df89732fc58a82d180f53

SHA256
621a1b624f6627a5a499bf2ddc95592b30fe0db1c1585161370cba0f26636d8b

SHA512
64e80a264e6988b9acd8fe5ef07e552d142dd065ced9e6f0f1ac02efe6311de81615486095b180b586358e4b1a72af0402503ce8d79217d65318380c2f2dfd8b

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
196KB

MD5
1e9800e97601be93853c159cee6ac3f3

SHA1
d0975cc16d92bc5e7447b5b320ee4c06fb821fec

SHA256
124ffbbf7f072b0a738b64fd820265081e7e4aab58797c780ca642088ee06cef

SHA512
cb2c06569c229308ac6cbddf922ba7067562993f8ec144c3b1dc9e7632cd51dd8ae7857d86cd2a3902665617e464fee73cba030768324a7b5e706846a149fd29

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
196KB

MD5
117460b26e9fd4c470efe13eb119a384

SHA1
d5c537d8b108a8be0d5e0f7857bb67e1d729e9ce

SHA256
f6fedde900ab567ee1dc25d3f578b229f06c324ae88584a6955497a4d07199a3

SHA512
a5a04bffc1a4846669298367331036f74f2491075f851c586a8dd9734674e97208889cb3bb9c08dfc0badd53d1aad8c9b26e3f5a5a88ccec1c8ebf05cacad741

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
196KB

MD5
8ae2634e6a755974a4a963729021907f

SHA1
0a144981a56b6455559c1f842f8dcc4d222b9702

SHA256
d239543e9fdbeb592ca80dc329686717807f3181a6c3f11eec797f075fd2b467

SHA512
3e986ddcb55b47e56c4cc26cc1d3b3777812d9cec7fc8e7bdb2f4d72d8e3144e7e4f76c273863854fcc5cf073c5ffd742d5953b624b12939682574b5db8f605c

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
196KB

MD5
b59134f989ce4bc796d3a00a9e0ce12d

SHA1
77010b003595a52c0a8f86f869e3db1f8157afd2

SHA256
ee697bf4ace4f3f8d04d2a3f321899bbacfbcdd517aeb00d2ebc922cafd0ba30

SHA512
e6b9ab1a4f6bd1ba8e3ceb6148e7bdde76bf72c63c6c97738fb6af510118068c1f569663c3054341310c92ee2aaae3b25577ce9750e1f7d2a899e69eee99ff76

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
196KB

MD5
6623a19e89627eee6da81ea7707f6e5e

SHA1
ca09774ea98b1ae7210810a626621e06356fffd0

SHA256
996594902f812b8f800fe7baf17d9e46a61b2a50df7ea92cd28d864bffaf0b5d

SHA512
3da2e6ee6f583303fcfadb594343efe0824e0884aa71ba0823a86150831e1300da82d158412cddf8e5af8a8a97333147218769f85209e9eda5802eabcd2f8db2

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
196KB

MD5
243a92233c6e9684990f5d24ca0df904

SHA1
3df1b1f588e09205f5812784656e9c18c2f66d31

SHA256
df9d97db766ef2c8a84286f377c1073df9a9bea5e461bbfc68ed6f28f468818b

SHA512
a43664e35fba376ef7e2ade7cc3a8bcf5afa1a381f6a4cb8dd8037eaf33d40eb4b85d1553ae51cba067397ae49d214a234dd2cc668bed721c1fee1c320778edc

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
196KB

MD5
9950e34aa0045c2596acbe12b2fa4f41

SHA1
c72cb6d94dd1bbcee901495d70b0248ce7056e29

SHA256
edda6516506a401d02acead564d2302c3aff575643ed66433ec1e1e8e8259c54

SHA512
cbdd2daa2494a6c75243f24f3b0519616e9aac4dd0de4cbc2fa8026a96eea0f0cb988b41d79edee7dbf98dcb0981dff0e080ee082b9d35d90d1d4bb7af67d6c5

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
196KB

MD5
56d57b844cc46acba8ef4ccb6c53e6fb

SHA1
86481584981629c5cf212a27bf2750f62bc4dc9a

SHA256
5921bee3356f3c939d472bc61c97194d1ac20a1543087e0739ae02cd82d507f0

SHA512
09004a5bcc7fe21ea9578e8508bb4914a7754f5ff032fc779405bdca46968e52056063d2e15a984ac871e4dca97f765fa67c4b2484e8db913b5f04c4a403db82

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
196KB

MD5
291aa2437a5b768f8b9907d50f2f42f9

SHA1
59942e461713ce7203d16c4548cc9aa65f70636c

SHA256
52c60f318961090f946e725c737f79ff8346c38d4792df3ceb489a57c3aa6acf

SHA512
f1bbfefff2bd6c38fcad68b2e4838e7789c96f6067fb4de513efb128782cfdd722ca09a81e0f3d13f4ce268a7f2e3435c107f34bd2fe5207a62c060b55853dd6

Download Submit
memory/216-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/224-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/372-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/620-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/624-443-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/780-129-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/796-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1004-357-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1008-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1076-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1084-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1116-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1196-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1252-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1332-417-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1544-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1588-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1736-267-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-527-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2200-77-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2236-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-497-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2292-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2316-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2392-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2420-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2432-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2528-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2528-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2532-537-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2592-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2592-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2676-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2740-519-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2792-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2976-249-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3116-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3140-571-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3232-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3296-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3356-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3396-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3420-30-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3436-521-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3456-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3456-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3504-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3512-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3516-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3524-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3604-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3604-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3740-557-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3808-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3880-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3900-560-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3904-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3908-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3928-509-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3960-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4072-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4112-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4116-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4180-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4244-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4356-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4372-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4436-380-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4444-590-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4448-201-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4476-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4548-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4716-393-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4740-543-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4740-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4740-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4760-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4776-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4848-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4924-405-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4960-546-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4968-485-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4976-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5068-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5112-580-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads