5ea10dd33e5a8f1498e5be1ca56095f4a00067f3193f2c52f64d2081a67d5ca6

Analysis

max time kernel
136s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5ba9035cb51602b65e903001017fbf0_NEIKI.exe
Size

320KB
MD5

b5ba9035cb51602b65e903001017fbf0
SHA1

eadcb362690ca9f8ec355fd7b73bb3115bf3556c
SHA256

5ea10dd33e5a8f1498e5be1ca56095f4a00067f3193f2c52f64d2081a67d5ca6
SHA512

dde679119a03d6f5d8de303c0cbe4fb2122fa50ed7422f22eea32fe3d9018ed645d9d32a3d0b3ac61210abc015f45ac2339e8921fe4e3dbd45c39b9010f329a1
SSDEEP

3072:fkGkuYVMkNwS/A4MK0FzJG/AMBxjUSmkCMQ/9h/NR5f0m:fRXglNV/Ah1G/AcQ///NR5fn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlegeemh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcalgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbioei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cidncj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dohmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eodlho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cidncj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clqnjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlegeemh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe

Executes dropped EXE 64 IoCs

pid	Process
3428	Clqnjf32.exe
2076	Cidncj32.exe
2916	Ccmclp32.exe
3492	Dlegeemh.exe
3320	Dcopbp32.exe
400	Dcalgo32.exe
4596	Dohmlp32.exe
2412	Dhqaefng.exe
1432	Dokjbp32.exe
4016	Dpjflb32.exe
3436	Efgodj32.exe
4676	Epmcab32.exe
5060	Ebnoikqb.exe
364	Ecmlcmhe.exe
980	Eodlho32.exe
1660	Elhmablc.exe
3864	Efpajh32.exe
1216	Eoifcnid.exe
3744	Fbgbpihg.exe
544	Fbioei32.exe
4944	Fmocba32.exe
2156	Fcikolnh.exe
4864	Fmapha32.exe
3464	Fckhdk32.exe
3756	Fjepaecb.exe
1616	Fmclmabe.exe
4396	Fbqefhpm.exe
388	Fjhmgeao.exe
2368	Fmficqpc.exe
4292	Fqaeco32.exe
3636	Fodeolof.exe
4632	Gcpapkgp.exe
1256	Gfnnlffc.exe
2996	Gjjjle32.exe
4528	Gogbdl32.exe
2084	Gbenqg32.exe
1560	Gjlfbd32.exe
4996	Gqfooodg.exe
3664	Goiojk32.exe
4728	Gbgkfg32.exe
2520	Gfcgge32.exe
5084	Giacca32.exe
3376	Gmmocpjk.exe
4440	Gcggpj32.exe
3732	Gbjhlfhb.exe
4812	Gidphq32.exe
1948	Gameonno.exe
2080	Gppekj32.exe
4924	Hclakimb.exe
3336	Hboagf32.exe
2516	Hjfihc32.exe
3228	Hapaemll.exe
4840	Hbanme32.exe
4796	Hjhfnccl.exe
4472	Habnjm32.exe
2928	Hcqjfh32.exe
2304	Hfofbd32.exe
4940	Hccglh32.exe
1072	Hfachc32.exe
3796	Hmklen32.exe
1392	Hpihai32.exe
1688	Hbhdmd32.exe
2604	Hibljoco.exe
2812	Icgqggce.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Hakfehok.dll	Fmficqpc.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Iifpphha.dll	Efgodj32.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Eodlho32.exe	Ecmlcmhe.exe
File created	C:\Windows\SysWOW64\Efpajh32.exe	Elhmablc.exe
File created	C:\Windows\SysWOW64\Bjikbh32.dll	Fmapha32.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Eoifcnid.exe	Efpajh32.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Chkede32.dll	Epmcab32.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Bbopfj32.dll	Dohmlp32.exe
File created	C:\Windows\SysWOW64\Fmocba32.exe	Fbioei32.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Gbjgbh32.dll	Ecmlcmhe.exe
File created	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Dcalgo32.exe	Dcopbp32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Fjepaecb.exe	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Fibgnfha.dll	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Fodeolof.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Icljbg32.exe	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ggdddife.dll	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Gqfooodg.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gogbdl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5864	5268	WerFault.exe	228

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjgbh32.dll"	Ecmlcmhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbopfj32.dll"	Dohmlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clqnjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebnoikqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbpag32.dll"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcalgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifpphha.dll"	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll"	Fmapha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 3428	4880	b5ba9035cb51602b65e903001017fbf0_NEIKI.exe	83
PID 4880 wrote to memory of 3428	4880	b5ba9035cb51602b65e903001017fbf0_NEIKI.exe	83
PID 4880 wrote to memory of 3428	4880	b5ba9035cb51602b65e903001017fbf0_NEIKI.exe	83
PID 3428 wrote to memory of 2076	3428	Clqnjf32.exe	84
PID 3428 wrote to memory of 2076	3428	Clqnjf32.exe	84
PID 3428 wrote to memory of 2076	3428	Clqnjf32.exe	84
PID 2076 wrote to memory of 2916	2076	Cidncj32.exe	85
PID 2076 wrote to memory of 2916	2076	Cidncj32.exe	85
PID 2076 wrote to memory of 2916	2076	Cidncj32.exe	85
PID 2916 wrote to memory of 3492	2916	Ccmclp32.exe	86
PID 2916 wrote to memory of 3492	2916	Ccmclp32.exe	86
PID 2916 wrote to memory of 3492	2916	Ccmclp32.exe	86
PID 3492 wrote to memory of 3320	3492	Dlegeemh.exe	87
PID 3492 wrote to memory of 3320	3492	Dlegeemh.exe	87
PID 3492 wrote to memory of 3320	3492	Dlegeemh.exe	87
PID 3320 wrote to memory of 400	3320	Dcopbp32.exe	88
PID 3320 wrote to memory of 400	3320	Dcopbp32.exe	88
PID 3320 wrote to memory of 400	3320	Dcopbp32.exe	88
PID 400 wrote to memory of 4596	400	Dcalgo32.exe	90
PID 400 wrote to memory of 4596	400	Dcalgo32.exe	90
PID 400 wrote to memory of 4596	400	Dcalgo32.exe	90
PID 4596 wrote to memory of 2412	4596	Dohmlp32.exe	92
PID 4596 wrote to memory of 2412	4596	Dohmlp32.exe	92
PID 4596 wrote to memory of 2412	4596	Dohmlp32.exe	92
PID 2412 wrote to memory of 1432	2412	Dhqaefng.exe	93
PID 2412 wrote to memory of 1432	2412	Dhqaefng.exe	93
PID 2412 wrote to memory of 1432	2412	Dhqaefng.exe	93
PID 1432 wrote to memory of 4016	1432	Dokjbp32.exe	94
PID 1432 wrote to memory of 4016	1432	Dokjbp32.exe	94
PID 1432 wrote to memory of 4016	1432	Dokjbp32.exe	94
PID 4016 wrote to memory of 3436	4016	Dpjflb32.exe	95
PID 4016 wrote to memory of 3436	4016	Dpjflb32.exe	95
PID 4016 wrote to memory of 3436	4016	Dpjflb32.exe	95
PID 3436 wrote to memory of 4676	3436	Efgodj32.exe	97
PID 3436 wrote to memory of 4676	3436	Efgodj32.exe	97
PID 3436 wrote to memory of 4676	3436	Efgodj32.exe	97
PID 4676 wrote to memory of 5060	4676	Epmcab32.exe	98
PID 4676 wrote to memory of 5060	4676	Epmcab32.exe	98
PID 4676 wrote to memory of 5060	4676	Epmcab32.exe	98
PID 5060 wrote to memory of 364	5060	Ebnoikqb.exe	99
PID 5060 wrote to memory of 364	5060	Ebnoikqb.exe	99
PID 5060 wrote to memory of 364	5060	Ebnoikqb.exe	99
PID 364 wrote to memory of 980	364	Ecmlcmhe.exe	100
PID 364 wrote to memory of 980	364	Ecmlcmhe.exe	100
PID 364 wrote to memory of 980	364	Ecmlcmhe.exe	100
PID 980 wrote to memory of 1660	980	Eodlho32.exe	101
PID 980 wrote to memory of 1660	980	Eodlho32.exe	101
PID 980 wrote to memory of 1660	980	Eodlho32.exe	101
PID 1660 wrote to memory of 3864	1660	Elhmablc.exe	102
PID 1660 wrote to memory of 3864	1660	Elhmablc.exe	102
PID 1660 wrote to memory of 3864	1660	Elhmablc.exe	102
PID 3864 wrote to memory of 1216	3864	Efpajh32.exe	103
PID 3864 wrote to memory of 1216	3864	Efpajh32.exe	103
PID 3864 wrote to memory of 1216	3864	Efpajh32.exe	103
PID 1216 wrote to memory of 3744	1216	Eoifcnid.exe	104
PID 1216 wrote to memory of 3744	1216	Eoifcnid.exe	104
PID 1216 wrote to memory of 3744	1216	Eoifcnid.exe	104
PID 3744 wrote to memory of 544	3744	Fbgbpihg.exe	105
PID 3744 wrote to memory of 544	3744	Fbgbpihg.exe	105
PID 3744 wrote to memory of 544	3744	Fbgbpihg.exe	105
PID 544 wrote to memory of 4944	544	Fbioei32.exe	106
PID 544 wrote to memory of 4944	544	Fbioei32.exe	106
PID 544 wrote to memory of 4944	544	Fbioei32.exe	106
PID 4944 wrote to memory of 2156	4944	Fmocba32.exe	107

C:\Users\Admin\AppData\Local\Temp\b5ba9035cb51602b65e903001017fbf0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\b5ba9035cb51602b65e903001017fbf0_NEIKI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\SysWOW64\Clqnjf32.exe
  C:\Windows\system32\Clqnjf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\SysWOW64\Cidncj32.exe
    C:\Windows\system32\Cidncj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\SysWOW64\Ccmclp32.exe
      C:\Windows\system32\Ccmclp32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3492
      - C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        26⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        27⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        29⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        33⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        34⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        38⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        42⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        43⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        47⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        53⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        56⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        58⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        60⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        61⤵
        Executes dropped EXE
        
        PID:3796
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        66⤵
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        67⤵
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        68⤵
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2284
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        73⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        74⤵
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        75⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        76⤵
        Drops file in System32 directory
        
        PID:3572
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        78⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4080
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        80⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2836
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        82⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        83⤵
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        84⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        86⤵
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        87⤵
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        89⤵
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3920
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        91⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        94⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        95⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        97⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        98⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        100⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        107⤵
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        108⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        109⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        120⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        123⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        127⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        131⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        132⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        136⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        137⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        138⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        139⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        144⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 400
        145⤵
        Program crash
        
        PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5268 -ip 5268
1⤵
PID:5724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ccmclp32.exe

Filesize
320KB

MD5
7fc88ad78252d755e16fd69a63e7f20d

SHA1
3014e3e214b4a28ee2ff2779cef075cb722e5f7c

SHA256
79a24b6bf937a52700590311979b5825797cc9ee87bd2893157cd484201ac85b

SHA512
4ad93475946b6617fb21fc98bc053c82b292c76b1ed7d28d2aaf1a65210c95fb7f66f925479cc554c139c6966092834524ac5ef94a25c72708d3e73e4eb1a137

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
320KB

MD5
189e00e6b13fd3ebfa724450002ef3f6

SHA1
adf1cdfb37be8828981741b936c76977d4fd2178

SHA256
1de9cafc6df765e43a6098ea3294a649a2a96b33062d3b9d3a78f9d5e1e73d2b

SHA512
fe666ebf646154e0402d9b78831e0d66fd604363869880f18b9872b67603a1750e58cfba13d5130b22b5e6fe0aa6ad49c69965c86fd3f4af313974bf044ba78a

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
320KB

MD5
c5c2f0b8a425f7551840fb141e9c33dd

SHA1
da8bbd5e124119a0f97e67f548820835cf01d76a

SHA256
b7a7e8f0b9a0e79ef0c2cf4ffb1b449e40692634144b2e32357cadb2e63ad501

SHA512
46a6446fabc9cd0e3358f9eb053633e42b1d3f4c2ed101d7b748bfdca17e847c21d7e902213a52a4cb62061f596985debe32058fdbeae9c0758cd668babec618

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
320KB

MD5
d9d6fe3430aebe54343bd901fd5f9a00

SHA1
bffb25aca2c24e8b1a6ab838a5881c3d489edc12

SHA256
6176fd03ca66db17bf5e0d0b490ff5a390f248ab1b4c46356f9abaa27b99441b

SHA512
adf589eb159c7f5fda3fd6da308dc48b9050e493a16eb3d8d6ff2c64d22f917629f562bf0869359d3f2b2c60c8fa91ce84b771ad208553fbdbf5855db6efd05c

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
320KB

MD5
8ea9223d9053c34742f7f15425e15a1d

SHA1
dbe3807b41e6e160ade27e62a43857417625788d

SHA256
3e2bbe68a9ce47f73aaee978f164575fa538c2fb73d6e321c0e5346f2e82f711

SHA512
704ef7a06564ea5be7840024c7a292d17524d325b84361bdd8b1d1f96c3293d2b6470ef5970acdd88e82d6ab82fa613ce8c2ff1b4ce6c0e8f1cef3362450edbd

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
320KB

MD5
a62cec6451607cc14935711f3af367fb

SHA1
84ab8b42a2589512c06ca9a45244cac8363bfba9

SHA256
b000bc096fe18922137fed2a6c2f56974b0f8b5d77bce37c88f8312ac342c0c5

SHA512
07c7564e374134d6678f096f27c5cf72421d9f0e3c3b3d9542abbb88538cdd331428e95787c2425c7eff05ab42722c3ea21e30862478715a6b0bd5eb2346b14a

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
320KB

MD5
2ff3f265b69d0d388237c78d03477c21

SHA1
3e49ed02779be552f2a986799828f2bba8d19e45

SHA256
335687ee185a8347088e7048d81b1308420456e9e70aaf90219949619254c69d

SHA512
1379dba7b8e88db4ff5ee5f9797c224820b382d8cef690df1ecca5048425021f37615e073b055baeba1a4a333cc6590f984a8b39a7f2bf8bc9792cf4814aeab4

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
320KB

MD5
d47ba1a300b585a4fdeb2654f03834e9

SHA1
65350468ab069c72011c7ac5076c0c1473845083

SHA256
9386779458f3b282af3ec2c4c2a5c8ecf49d31e29d1ecc3e8c167b2fcadb402a

SHA512
347bc72e2a1a08a0e08649aee4c7a73719ef227226fd0b7f59c5db75cfbfaa68737538816ffe91462df982538de1cd5963a32fc98618339559b1e915ffc861e5

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
320KB

MD5
501ee0b4a078f296fa0034da377ea669

SHA1
1c18acc544fc2dfcdb3aac028040bb0b56e76376

SHA256
a1ca47a3853da32a9c33b929cfb405228092a3e9f0e58f223cf8e55183f693af

SHA512
ea63a685a3799ed3482d53ee4f7d4d64c38486fc60bf1a2f2b8a8cfe4dd04eb8efde4cb3ed79a8f9d72a0bb7b85a276907dff7123c665fde9646df4cfcbe80bb

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
320KB

MD5
231ef4a3d28025f6f61f970f19259de5

SHA1
7b3f5c35e4b0e8a35b8ae0d76ef64f129e750915

SHA256
7aaf299b89420eba30f55024119f8d759b6e8f56acc819891bf3789697d97b80

SHA512
69eeda413a64b54d02a75bd22419629e600f8ebb2320d72e90d8771ec20f189d5fddacfc99130cf160f5f975d825b70e19207642593fe1dfcbeebaf94dbd0164

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
320KB

MD5
b41314a839a0b540f4635edf124fdc8d

SHA1
6f7c2f1451d8dde75ae6676e5d2d7de52a0d0c6d

SHA256
2a3504982ccdc2582535934d26a1cfb61f5c60228543dedd6beb2eeb4c53a3c8

SHA512
be1e9e7cb313049dd4da38a8a72b8a1b30b81efc3907de6072f9742e97fc5e7998083576102616c38dd110bcc9363801297a330135cf09726116682f41d80b83

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
320KB

MD5
4d9e85d2fd3d04319149db58d4f0ba1a

SHA1
e306c5a17c675f8358433f47b2246bd809b04463

SHA256
31e215e44611fdf53d8eae46b84883efddbf993fd65993da5909e319151f7438

SHA512
7654ea8f4065de5ec4eb9513cc3f3da69d88a614569574b0bd835add0498db04609d5a3d1a6b5320cab165c42807026cd46a6fa1ac3f4aee696bb7084e3fb6dd

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
320KB

MD5
8e744e0d4f2987dafc31fb98da042134

SHA1
f69b9edfbd5c7a2d4394dd395bffb71c44c5e9a5

SHA256
7c74fb7bd295828377f9d0bbfd3f969256c8ff85e33de5a45f175faf6886b523

SHA512
76632ab6916f29d4a93ddb260716f791487805c283051c64c08fe15fed10bfc2cc88ffb3121739f59a57b83035743816e54191bf269b618aa0a0a2b9e16cedc0

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
320KB

MD5
3f6d374c5d416aa423e78c3d45e60a51

SHA1
4f0bb9e25a40b7772b6b5f9a6a806022c4c5bb81

SHA256
84693af027179cb27d1ff1c96256e432c0ac7dab95782009a3a64a0c03827440

SHA512
a17819dafbc475614d0d735ba73213fd55aab1b1cd687a8d1fafffb581fcd6ffff11257279e76c02f9a22d409d003eb478a14e1da1208b282ba18a85dbf37dce

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
320KB

MD5
77ef3c019d34bc3c6e542a8e9dba6e7b

SHA1
0b47bc7d5dda25ebe1a1a35740de3f31a39fe57f

SHA256
307979be376c5bdfe00ba96ec7ed6156893ac58e4488a446b88559050f888a65

SHA512
2a6a75357c0c2ae080c737be06d189321d7817c879a116ab19b2966453baf8c34a4fa926fdd9fd8d8402fe18d851ee3dff0da983eecaad0b66be4f2673586c61

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
320KB

MD5
97c9a62fb46a3e710f2a43ecc569c909

SHA1
3ae5b77ee6c083145b5ded9dfba092d68b97d11b

SHA256
1930224e209bfd3206fd24bb03fe25e6fd66de1d829dcd549959d1a48ccc2da3

SHA512
928587344ac8674ac59cc0d6df47aec11c993228b3edc6662c87172dfbdf960f63c0dbe2d601e7d6dfd8c10413d236c5bbadc3476966d8eed6fb135e9431bca9

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
320KB

MD5
b3fe2417106f7995d473f6cdd43cac0b

SHA1
d8e77822b00371241a0042aaabc2e35757675519

SHA256
77edf2a8f72843e6c26b96d986c3870c0fee7e717c4f2eb488eae2ff137db3cd

SHA512
9149cd5d9f54370e6bd83b470e32ad8255939a5824f63c416755f32d9653351da93d4906f98f3f8f6e80a479764b52bbb19071c0e7fb08d51189f49e2100992b

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
320KB

MD5
b0e0da8c494eb4036aa10a09407db729

SHA1
f518c469aa5962c9db5812b3838ad49a3173367c

SHA256
2df98b189a1d882a8bf41bc4ad934c027eb5e356cac475aa552ae089e73f5240

SHA512
0580155d2da25b5329a9f4c415ec2da49b0dc8821b48f68bef5ba95e840c40dc1972cbc4f629afeeda9652649599d3af9c65330f2e79b9655d4774a7262a4da2

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
320KB

MD5
b93a145b231072a73fde532ddfdfc858

SHA1
9a2ba2ddeadeaa4c9eeba91d8e3226b9fe5050d0

SHA256
7d4ba03b082d6dbb2bd89f2bdb488521360a375273e3c875d8ecc8f594b08c92

SHA512
e470671617620ae96c6faa3ee62747c81beee85e6866e7b3f4b44c8591ee073f0f39b0b5699948ca8f491b164aeb09f117860522b65d2466d52013e6ae0cb26a

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
320KB

MD5
a56f883a85480c1b60bb08cbe053bc88

SHA1
20964095d5c141749dba5d6ed9d36b0ff6f2d373

SHA256
ce12ca2279bce225de63bce9062ebfeb5e5b4ebd30bb8c0edf889c8c5ca6ae30

SHA512
b04da2e463d11bf53b4571d68490e2d5d4381abe06ca2d3f58fe5b92811d2231856e2a3bce4fb478d44f2024d1858423faabb9e27ef8976c82e30ce36ce28095

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
320KB

MD5
b7f1144b6c3af49a9c7e0fe3dc7543a4

SHA1
56fa2d9e9a6d5c428a91431b3a464e86a9a42d25

SHA256
fa4b6ff70d7b7ea90c2d83578467a35325021b33d810debeadc17ca02bfd4033

SHA512
0d00b9f8f8ef8f6a69262778e689f1faf2a2b41e055aa049ff94bea7ff25bcf44c5d3f9c4bc0682e8191f5f5731d8708fe40744ab76aed87eaa728f1ff989d4e

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
320KB

MD5
22be2f6648ea767daed68508a2bf4728

SHA1
5bbd24638bccbf4d7e1e20c46be5f6b0f49fba29

SHA256
45760662b345fba68bba7d1895351e8ec85393649a67f963a6c8383664af6f57

SHA512
85faf2167ed51ea1e6deece66d36754c2c1dc5d2c9344ea449431430b32a715a3921d7e355fcaa3dc243d56e0d61b40e579514cee4d481513ab1698794070fc6

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
320KB

MD5
6698563ea631b59d0d2b0d66c8fb3298

SHA1
cc6c3f0297c605a58ac2b744710ab1bcc3c2f09b

SHA256
016c46e60890a2d9234f164333af7cff2c5c3d88eb710e90a041bd3b9ca2a0ab

SHA512
5c0c09210eb15a8a7517857c2b2ab710957a9049f80303912041f901d97cd2ea9affc31c6e82302bb67ae1789c24f0a7973424cf9017a626716bf0e280e4216b

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
320KB

MD5
7b84a2fb446a3a8d6fc069beb60b49b4

SHA1
43058d1338a057d37be711da7a7bb0ff8230c706

SHA256
c4182493cb9d4423f68ce6491303e4f6fb971ece673e1a913ad7824776d8780f

SHA512
e9d1d338e0f52946e5ccd4c4031d4a68808c556767649b5013631b9837b35d39d96d638be67aa3943af469a138ec17ca0fd6d17255ddbbd84e8d3128f369c1d1

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
320KB

MD5
7197ab335ff30b7bd6d9c7c14248951e

SHA1
546827c41441ea2b22620b2d4aacd0578dd58270

SHA256
96903f4a40714c36504b0d0f5d3227f0d772b9563afa195f3e1066840cfcd38a

SHA512
c2470d4d53b8e56f9777eb7af970d485fe0f0aefbb190c71b6cab42ddeeb1fd8f7dc09923d887be3b3362e1d9a129f78f26acfa5a0ea41bec40f4b9b00821957

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
320KB

MD5
b39ac50e4ae29db1a8482b0155987bf4

SHA1
7280f38ce7b34a14c7397be76b1a5a95e996036e

SHA256
c88fcdb84a8ea597e8ef1c7b4e173906898b04e5effce620f9e2f86a74091741

SHA512
94cdcb10640e83fe894617102ed72929576965a1af0a292332e181c318ba0caf50d68477fecafbdd0814202cf562eaaf10ea1bbcd3178cb1dcca0295759d8b51

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
320KB

MD5
57454cacfee7bd64336d0e6a49330004

SHA1
cb32fb05f4398f77b7f5ccaabe4d71bbcb04d01e

SHA256
779d2fdfabc0dc8a9c86a57ef1dac79518930987671626ea159e656086bc7ef7

SHA512
d921cde37be4f709cd44b927553332f4c37294bbd05ffc7e747150692032740a93bcc4b7df55acc1d4216cf10b2d2996300e4843cd8576eeb3615b5625ba3631

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
320KB

MD5
72e6b2e704d34f691c13d5b9f50fd291

SHA1
e07af78d9bad0fbe76c4b8c28ee4d980e287da8a

SHA256
dc1c40105c56a9cc5c6175256337a6fb30b62cd5bbd64597d098c1ee5c75ca64

SHA512
e3202f152abf642b4352c3c9e0334e3f4180bad85ecf30a5e4e5535cf147c33c37d313fdd5025a04adadba39eebd47e3fba05d70ad6ec2465f994770904d0a6e

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
320KB

MD5
38e37e8c63f09275b566a3d33f6fbc52

SHA1
0b22f904da7d70865841a4d8a87a7c2d8d7e11bf

SHA256
421592d0a2d1d9d7f20f4b0edae6b9cd9308fad0ca66fb5f6f77171480489821

SHA512
4190b496df9420be9fa9a0a458ded5b6c79a877f6a3d89b0ff6ce12a42c3f0f4daed723c08a52025adadfbd75ef97108516662455e006147ef54b0804e707890

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
320KB

MD5
0f8da0053edbbc9b697f7632e0f01792

SHA1
97fdfe00578b8817d0064f9855c06d0802bf04bf

SHA256
f8aae37642a88f538f2bdf264960b355acb0aeec7d32143db9caa40f081ca668

SHA512
50b69ddca6c37df826eefde914779a69ce89e1b0d8648237fc6feeba672af05c69e240806c46596f26d236864ea8c168feb8a06d0c540b434a6dda92194990a5

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
320KB

MD5
88b20b2af8a1d5cf3a2be7b713159848

SHA1
7169e1dfd93b8fe968c017f624c32ba9f9b3f548

SHA256
b97899b64886e7596ae555c5fc9851911bdae5b688415e136ee4fdb4235dac55

SHA512
57ae887789fd3ff18920e3748610da17ffaac76bbe93db2966ab84531d2a070a4f21ab8500c9e3f67f0f7789870692fe5ee76dea5c12792b5dbfce642cea4161

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
320KB

MD5
47d7ef602254e5cf3b61c35e90416958

SHA1
29b8c9a28864dd8d275f572e60a30d953ec2d8cd

SHA256
f6ecd4b25aae82b99f556c141042835d3379af3401d5fe1797b50e07b82820b5

SHA512
5d4ce4efd6cfcbbd2b1b0794357615563a003034f21a6904576241c1dc7ac247601681e801f179da9d2208572d49726cf3170a9ac6ea578f124f0a190ccedb63

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
320KB

MD5
6e023820df9294478f0734ad27fc09f7

SHA1
0866c9ce86c034d089ca50efa80139dfa8949af0

SHA256
3bef85b004ca1de62168f015b0806d3dac04560a7d1ed68e032e81d676872eca

SHA512
c8884a140f563db4a983b1c012565b2e93ac0facd259eba6bacac15a87c12ff57a612629ca2aa885e6384c2fcc68dcfc8023976197e02387ff96fa30b503f9f0

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
320KB

MD5
d3ee373badd52176cbc8224d5dbae116

SHA1
0a479f24e893ff8bf5487f53f453dca6cfe88763

SHA256
963400bf637594cf53f5f3cb4f0fa96d7e0d17a3172823c4feded0e90028e9b1

SHA512
d0c224050ef1693926090aef7d85db0dc517ee7f613e2a960dac5807680066ede30ee7f2568031e29da39ea7378c384ce48c3df4f0199ae9304d96b12e1bd29b

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
320KB

MD5
a281cb982c80abb8301b0aac82bf7fc8

SHA1
804c4ebdb51e8d9e7038065a75799bb86646832a

SHA256
149fe3bb9cdfcc6682728e6f38fd7b515209e99975746bbc3284dc020f300bea

SHA512
f47ce2cf3536a826eb103c2e9be2d4f23f7d174aeb0b2cbef028f2581872e35aed33031212e8c8c1a5c0da46db42fadde96ed4b2d27581a9bc8afe5789360053

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
320KB

MD5
dcb416d09d5dc65f5af18acbd18f5e79

SHA1
bc9c65194c82ce2fe814dd7650ba9e7e5f378587

SHA256
e342263f844d7cf643a9239169b868ee2fb3292e591e1a3ece600ffc0a63f571

SHA512
b8ce0a2d33ab7583928ed722cb6d97fb855fd6b092850e9df06dfd9fe3d257e6c7c625fbfaeeff237f13accebbe753c0e308ef56452038413e069d4880afa9c8

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
320KB

MD5
2f623040d6a5a6db9e951d5df6e26eb6

SHA1
44aebf2398cf224e54f1577558b64576e98841af

SHA256
8b392afa9bb8aab3fc14bbe9fc205b091fff11dca32421bd4a5e4fcc6989837e

SHA512
f15a7b287dee1f2a84d81458e1c8dec7d21acf20d779115b710383c967db9b3496e923b6ed8c804e56c81afeba7d3ed496ea46a11fa46486d9fcd4b8c26602e6

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
320KB

MD5
356f2474b9f8c26fa5f41d350692612c

SHA1
5abd7ebdb0e9438e3bd2739544c6a563cf03eb4a

SHA256
ab3f821843fa1f577ed55a33a9340f8ec6db4a372f250d0d15db6f90a8909595

SHA512
694dc92867bc5ec9b7011c3bf34f1d3d881a64853e39d83b643e32b4dfb73dcaa0b3d301c2ba6a93ba8d8e58a2d5ab1aa6fee79d8dcd99bde704bbac7e5a0583

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
320KB

MD5
84a2a1ccdee81e9268c5bc8df8e40b0a

SHA1
7212b942aca9ea3cc406049db42e61de7987c7e8

SHA256
ea58fdc1e6846ca70b469375c3799e80b1f4272dccf7beea354512ff0ec5207b

SHA512
8043d5b4caec33de52185c1c1411bfdefb2bebc82c2711fc721bc1d63b12ca0a21d617b9033000de0b9efa3399d7282828eefb56391f89f526d4d0a27d38386a

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
320KB

MD5
bdd8e5b270607df041a97149369674f1

SHA1
9b4b07fc6637153d9bdbbdcb0018bacba26b4235

SHA256
b3370484c573a2fa6d908611ff8a50805a852dbefdeee7bef73d44666e8e5389

SHA512
fe12a62b170bf7dadf5ea6e38c9e6d5d0d6f9ea0e037bfb2a6e4db980c20a6c27500a4e6c3e4457d976c19000c509df96cd5137f0550387e99b2703c4e44e9ff

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
320KB

MD5
541965b8fb68bdb52523aabe1a57c668

SHA1
459b6a2fba991c2a66cccd10e57a388b8e7cae37

SHA256
8881691c0157773f97519dec024d73e40e971d8ea0f07f4a1d78ca5737713b5a

SHA512
e54221249968467cfe65c93c901b1b37b1a48a7109bf595ed342641f9255ef3b651e020138a85d0883f6674023fb0a9d4ba843851ed946d0ef308db4d7cbf02f

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
320KB

MD5
233a0ff503249b980f6098024d823032

SHA1
50fdcac638baa0116e28bac5a6a40e8ac1500be8

SHA256
3eb4c71223e44e016445d87b99d0e7c1ef60f0dcd429c8946bfbcd604eb279f9

SHA512
22ec585b4f08f902afbfc682dae0decddb71e01b94c9a4ecb31eb124d41633ae5a4794b906e89fe89b1f5a452e1b0eb1a51ff009c4446fba059d411206ecaae8

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
320KB

MD5
b22b057fabbfb4c3992cdefeb6371147

SHA1
d53c2dc12afde15f899659a31eec2a3b1ffec700

SHA256
56570b0209f36bab9237319023d0464921dadc4d41ea6d1e658526652ac63d7b

SHA512
e4f13f28e4abc57f0e7c4039e9bfc8378a1f6b9d5a795d1d54901510c524cc5da3a86f562d44e4371dc3d080e1da73cce3e6f0a104c2e73bba9fc736f24b6937

Download Submit
memory/364-113-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/388-266-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/400-677-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/400-49-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/544-160-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/980-121-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1108-537-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1216-145-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1256-1156-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1256-311-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1300-511-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1392-418-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1432-695-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1432-73-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1560-323-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1616-215-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1660-129-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1844-509-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2076-17-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2076-651-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2084-322-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2156-176-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2284-458-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2304-395-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2320-539-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2368-267-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2412-693-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2412-65-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2516-360-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2592-522-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2604-429-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2604-1095-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2720-572-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2812-435-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2916-660-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2916-26-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2928-389-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3228-366-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3320-670-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3320-40-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3336-1120-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3376-1134-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3428-9-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3428-644-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3436-89-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3436-708-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3492-664-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3492-33-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3572-498-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3608-475-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3636-305-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3704-551-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3704-1054-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3744-153-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3756-205-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3796-417-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3864-1188-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3864-137-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3884-545-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3920-1044-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4016-701-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4016-80-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4080-1066-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4080-516-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4088-557-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4216-456-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4292-304-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4340-474-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4396-216-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4420-486-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4440-332-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4440-1135-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4472-1112-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4472-387-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4508-574-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4596-57-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4596-688-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4632-306-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4676-101-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4676-714-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4712-492-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4728-1140-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4728-326-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4812-334-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4840-376-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4864-185-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4880-635-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4880-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4880-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4940-401-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4944-169-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4968-1084-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4996-324-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5016-445-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5060-104-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5084-327-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5160-590-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5192-966-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5200-591-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5244-597-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5284-603-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5364-619-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5440-962-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5448-625-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5488-637-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5528-638-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5572-649-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5612-652-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5668-957-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5740-671-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5832-1009-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5952-702-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5952-1004-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads