4a586f3e4e12b32320cc6cfc421ded64609765755e4e554487702a5a860e0fa0

Analysis

max time kernel
138s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b62033b5e356f89d6cea86bcf4b19bf0_NEIKI.exe
Size

704KB
MD5

b62033b5e356f89d6cea86bcf4b19bf0
SHA1

7491cfd7cf45bfc7e6d2ed2aeb3c8edeafa3a168
SHA256

4a586f3e4e12b32320cc6cfc421ded64609765755e4e554487702a5a860e0fa0
SHA512

0be70b8fa1cbe4edbbca2728f6d2aa0b8bf481cdc2041eda5d4b88dc39ec5a5f2aee58028d8a70085c8dd37c98457681eb2196d0907e3bd18e092710c0252c36
SSDEEP

12288:3yewCrQg5W/+zrWAI5KFum/+zrWAIAqWim/+zrWAI5KFHTP7rXFr/+zrWAI5KW:9wCrQg5Wm0BmmvFimm0MTP7hm0b

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b62033b5e356f89d6cea86bcf4b19bf0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe

Executes dropped EXE 64 IoCs

pid	Process
1072	Ffekegon.exe
5184	Fmocba32.exe
1372	Fmapha32.exe
5680	Fckhdk32.exe
6120	Fjepaecb.exe
4072	Fmclmabe.exe
3264	Fcnejk32.exe
1956	Fjhmgeao.exe
6012	Fqaeco32.exe
3616	Gfnnlffc.exe
1232	Gimjhafg.exe
3032	Gbenqg32.exe
3368	Gqfooodg.exe
3048	Gbgkfg32.exe
508	Gfcgge32.exe
4980	Giacca32.exe
5556	Gqikdn32.exe
5776	Gjapmdid.exe
4040	Gpnhekgl.exe
5764	Gjclbc32.exe
4596	Gmaioo32.exe
2996	Hjfihc32.exe
2256	Hpbaqj32.exe
4592	Hfofbd32.exe
2276	Himcoo32.exe
3208	Hadkpm32.exe
1864	Hbeghene.exe
4560	Hjmoibog.exe
452	Hmklen32.exe
1608	Hpihai32.exe
1220	Hbhdmd32.exe
3288	Hjolnb32.exe
4276	Haidklda.exe
3468	Ibjqcd32.exe
3740	Ibmmhdhm.exe
4908	Iiffen32.exe
1116	Ifmcdblq.exe
1448	Iikopmkd.exe
1852	Iabgaklg.exe
2208	Idacmfkj.exe
5232	Ijkljp32.exe
3176	Imihfl32.exe
3068	Jpgdbg32.exe
4544	Jdcpcf32.exe
4820	Jiphkm32.exe
908	Jpjqhgol.exe
4468	Jdemhe32.exe
2220	Jibeql32.exe
5260	Jaimbj32.exe
4032	Jdhine32.exe
4352	Jfffjqdf.exe
5340	Jidbflcj.exe
4636	Jpojcf32.exe
5308	Jbmfoa32.exe
1016	Jkdnpo32.exe
3768	Jmbklj32.exe
4988	Jbocea32.exe
5532	Jiikak32.exe
3720	Kaqcbi32.exe
6108	Kbapjafe.exe
968	Kgmlkp32.exe
3704	Kilhgk32.exe
1500	Kacphh32.exe
4744	Kdaldd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Gqikdn32.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Iebapp32.dll	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fmapha32.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ekfnlmai.dll	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Inccjgbc.dll	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Hiaohfpc.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gimjhafg.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Gimjhafg.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2752	5812	WerFault.exe	235

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfliccm.dll"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbkmemo.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbocjjm.dll"	Giacca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfppi32.dll"	b62033b5e356f89d6cea86bcf4b19bf0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmddeh32.dll"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kmnjhioc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 1072	3728	b62033b5e356f89d6cea86bcf4b19bf0_NEIKI.exe	83
PID 3728 wrote to memory of 1072	3728	b62033b5e356f89d6cea86bcf4b19bf0_NEIKI.exe	83
PID 3728 wrote to memory of 1072	3728	b62033b5e356f89d6cea86bcf4b19bf0_NEIKI.exe	83
PID 1072 wrote to memory of 5184	1072	Ffekegon.exe	84
PID 1072 wrote to memory of 5184	1072	Ffekegon.exe	84
PID 1072 wrote to memory of 5184	1072	Ffekegon.exe	84
PID 5184 wrote to memory of 1372	5184	Fmocba32.exe	85
PID 5184 wrote to memory of 1372	5184	Fmocba32.exe	85
PID 5184 wrote to memory of 1372	5184	Fmocba32.exe	85
PID 1372 wrote to memory of 5680	1372	Fmapha32.exe	86
PID 1372 wrote to memory of 5680	1372	Fmapha32.exe	86
PID 1372 wrote to memory of 5680	1372	Fmapha32.exe	86
PID 5680 wrote to memory of 6120	5680	Fckhdk32.exe	87
PID 5680 wrote to memory of 6120	5680	Fckhdk32.exe	87
PID 5680 wrote to memory of 6120	5680	Fckhdk32.exe	87
PID 6120 wrote to memory of 4072	6120	Fjepaecb.exe	88
PID 6120 wrote to memory of 4072	6120	Fjepaecb.exe	88
PID 6120 wrote to memory of 4072	6120	Fjepaecb.exe	88
PID 4072 wrote to memory of 3264	4072	Fmclmabe.exe	89
PID 4072 wrote to memory of 3264	4072	Fmclmabe.exe	89
PID 4072 wrote to memory of 3264	4072	Fmclmabe.exe	89
PID 3264 wrote to memory of 1956	3264	Fcnejk32.exe	90
PID 3264 wrote to memory of 1956	3264	Fcnejk32.exe	90
PID 3264 wrote to memory of 1956	3264	Fcnejk32.exe	90
PID 1956 wrote to memory of 6012	1956	Fjhmgeao.exe	91
PID 1956 wrote to memory of 6012	1956	Fjhmgeao.exe	91
PID 1956 wrote to memory of 6012	1956	Fjhmgeao.exe	91
PID 6012 wrote to memory of 3616	6012	Fqaeco32.exe	92
PID 6012 wrote to memory of 3616	6012	Fqaeco32.exe	92
PID 6012 wrote to memory of 3616	6012	Fqaeco32.exe	92
PID 3616 wrote to memory of 1232	3616	Gfnnlffc.exe	93
PID 3616 wrote to memory of 1232	3616	Gfnnlffc.exe	93
PID 3616 wrote to memory of 1232	3616	Gfnnlffc.exe	93
PID 1232 wrote to memory of 3032	1232	Gimjhafg.exe	94
PID 1232 wrote to memory of 3032	1232	Gimjhafg.exe	94
PID 1232 wrote to memory of 3032	1232	Gimjhafg.exe	94
PID 3032 wrote to memory of 3368	3032	Gbenqg32.exe	96
PID 3032 wrote to memory of 3368	3032	Gbenqg32.exe	96
PID 3032 wrote to memory of 3368	3032	Gbenqg32.exe	96
PID 3368 wrote to memory of 3048	3368	Gqfooodg.exe	97
PID 3368 wrote to memory of 3048	3368	Gqfooodg.exe	97
PID 3368 wrote to memory of 3048	3368	Gqfooodg.exe	97
PID 3048 wrote to memory of 508	3048	Gbgkfg32.exe	98
PID 3048 wrote to memory of 508	3048	Gbgkfg32.exe	98
PID 3048 wrote to memory of 508	3048	Gbgkfg32.exe	98
PID 508 wrote to memory of 4980	508	Gfcgge32.exe	99
PID 508 wrote to memory of 4980	508	Gfcgge32.exe	99
PID 508 wrote to memory of 4980	508	Gfcgge32.exe	99
PID 4980 wrote to memory of 5556	4980	Giacca32.exe	100
PID 4980 wrote to memory of 5556	4980	Giacca32.exe	100
PID 4980 wrote to memory of 5556	4980	Giacca32.exe	100
PID 5556 wrote to memory of 5776	5556	Gqikdn32.exe	101
PID 5556 wrote to memory of 5776	5556	Gqikdn32.exe	101
PID 5556 wrote to memory of 5776	5556	Gqikdn32.exe	101
PID 5776 wrote to memory of 4040	5776	Gjapmdid.exe	102
PID 5776 wrote to memory of 4040	5776	Gjapmdid.exe	102
PID 5776 wrote to memory of 4040	5776	Gjapmdid.exe	102
PID 4040 wrote to memory of 5764	4040	Gpnhekgl.exe	103
PID 4040 wrote to memory of 5764	4040	Gpnhekgl.exe	103
PID 4040 wrote to memory of 5764	4040	Gpnhekgl.exe	103
PID 5764 wrote to memory of 4596	5764	Gjclbc32.exe	104
PID 5764 wrote to memory of 4596	5764	Gjclbc32.exe	104
PID 5764 wrote to memory of 4596	5764	Gjclbc32.exe	104
PID 4596 wrote to memory of 2996	4596	Gmaioo32.exe	106

C:\Users\Admin\AppData\Local\Temp\b62033b5e356f89d6cea86bcf4b19bf0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\b62033b5e356f89d6cea86bcf4b19bf0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\SysWOW64\Ffekegon.exe
  C:\Windows\system32\Ffekegon.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\Fmocba32.exe
    C:\Windows\system32\Fmocba32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5184
  - - C:\Windows\SysWOW64\Fmapha32.exe
      C:\Windows\system32\Fmapha32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1372
    - - C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5680
      - C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:6120
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:6012
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:508
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5556
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5776
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5764
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        33⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        34⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5232
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        47⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        54⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        56⤵
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        57⤵
        Executes dropped EXE
        
        PID:3768
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        60⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        64⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        70⤵
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        71⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        72⤵
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        73⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        74⤵
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        75⤵
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2396
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        78⤵
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2364
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        80⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        81⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        82⤵
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        84⤵
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        88⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        90⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        91⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        95⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        96⤵
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        97⤵
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        98⤵
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        99⤵
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        100⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        101⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        103⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        104⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        105⤵
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:624
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:840
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1924
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        114⤵
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1880
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        116⤵
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        117⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1084
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        119⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        122⤵
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        124⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3184
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        130⤵
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        131⤵
        Drops file in System32 directory
        
        PID:4136
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        132⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4024
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        134⤵
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        137⤵
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        138⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3732
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        140⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2784
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        142⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        143⤵
        
        PID:952
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        144⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        146⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        150⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 420
        151⤵
        Program crash
        
        PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5812 -ip 5812
1⤵
PID:5216

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
704KB

MD5
b119ad665ae13e629fb74113720cb5a4

SHA1
de9034dfcc82e63502a99339ebb0bd8635465190

SHA256
399535722f2bcb52311b7f9ada96a96f5595afe4d2017d042a35c4b34f78b5db

SHA512
884ae866d3e69489af0dd567a4ae4f7c39262f8854765266d2141836e456d3f2205958eb0040cc756763e5b463eced79262b789b1b6658102ff9b9af5dbccacb

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
704KB

MD5
d823acc8024acd7263d9d8cbbbd61778

SHA1
390cebc66b58eb32c736a1fcb78f2c9ea3b9c87d

SHA256
ba3c6f61d9e25822305485a0fa64963462fe30e26d9974d8d3853eadf16b8c8d

SHA512
457d4211942dd98ec20c34752e858918fc149f5418eab11ae5c618b2a3da436ab303500b468f4d55215bb2c262a7d96b115446286b22d56e5b9676cdafb0a7e1

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
704KB

MD5
3a741f5e7bfcdcb3e4c7ed417090660b

SHA1
bf89c27a2c6262c5dcda69c99325697f361211b8

SHA256
e38410d5ca247a7bb7b9fd895f24e2a95fb855d3d18e694ae52791a4ea201f54

SHA512
88a275a70a62d4f6b25a11746c69f2e4b936c9bc7ae0da6818e159517635fd7b989ae214010ab81eb5bea8f392833b2100cdee1ec11e38027b3afce00475fcf0

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
704KB

MD5
f07578c73b02a5d8716567c19fb9b45a

SHA1
92eee691855062a507b50b3b1d49bf5e15b3bf83

SHA256
06acd929ca45223638f07f1ece8947c75ec3f7fd5504dd51d5f1c7950d4d8723

SHA512
4df77f85bd913ba7eb2f5c52ac030433b053587e07c48a5ea320e88c196d8c5115f61dac4b7cfaaa23286bde06b33950e907b18251f53ad33cc1a4d471e26535

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
704KB

MD5
103b125ea4035ec7369feae66291f719

SHA1
871d2d7b5e7c73bc1321adcb2b4e156ed4283901

SHA256
cd89d59077d4ae18a4258a51f6f3e9965169f73b635a22921004b10080106bcc

SHA512
f2467be4f96c49f8ec70a041b610299e96b02ef8ccbe8dd99f23b27e539658e9178a94041ef1bf6097c089bf13aec6c481d142ef69075fa6cf8d3ed6af184902

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
704KB

MD5
f93cd189dbd75184d2bc41d48c93aaa8

SHA1
430ca7c0687bfcaa58781dfa7328be2086221c0e

SHA256
e27eb2b13166780f63af8682d93ff4b109c2d33daf6c4cd746e5efa3cc59e733

SHA512
26d8dfd92cda74ce0f10da2b244a0d69d7f3ea6f801f952bffcda3c156022263fc7fa5a9e4b4d379d766efbd3fe197aba8af96b69760c836064eaab78dfb62b2

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
704KB

MD5
7eaee7deecae051b6b561535eae5d49f

SHA1
fc96d438973de5c1a7c1219f4ee6b6b7e7d4d763

SHA256
24c3cf378197837119573a619aea66e50219aa94a33a253b14071a4570c30ac2

SHA512
773c0b130841f35859edfcfb16523e01a0ef981119e14a572cfb51d45d5238c6752bcef4b8f81b993524481caaeaf0c159fd2304bfaed63b5c02ea81f9d4937a

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
704KB

MD5
f2fb94bc4bd7be9666fb7cd6653fa94c

SHA1
e103703668917e3f50be2c8085c64e34bb3eb2e7

SHA256
7693844071051698a09f391197f2b1327e5cd9c04dd4dfb1db3b8e54e384dbb8

SHA512
a6115a1ba9bd7737a2e456e5bec0fce1060c0201d5ed58b678c494feb772c32f630ec1b35d2ed1ef7469dd8eaeb25fa852b32a5e4fcc63f0559c3064537b609b

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
704KB

MD5
f7972631cd8529ef8c919ea041c95f5d

SHA1
a01793142bbe39b4240cbec1bed4de30c2176432

SHA256
00210223cc79ceb8150d3a6e42ce096851d3199d3f064b1ea4244857484cf947

SHA512
d3f8991db93de8492bd9aecc500147f77243ef8321681b3bba3b5d1a9935e76b7fb4deef5dfce133aeb289dc932054d67d38e4198074a9bfc3051b1819d2954b

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
704KB

MD5
ac460a2ae09567e0834d6d3d7ac08ac4

SHA1
8185d4318d7230f76fa67f90d449ac239d0e5669

SHA256
b3a9cb88ec703a682931b110662645e4cfe0bc67c4a97635da574496aa544208

SHA512
db924a5e99d06283a18c0c1440e70ad439cae2905958bdcda583b4a852403d714dfce15436ceadb386863af7a2ae96813508a50af5062c91123fb1cf10c0aa59

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
704KB

MD5
b3a88280c371b9a8fc5f45660b261e09

SHA1
34bc2f54dda096e4ec3cd5307f7540ae854d0495

SHA256
8656d4f956f6930621728d4b2e3c9afd17309dae24f75f5165964daf8cc98d91

SHA512
7913a3c9294cf0333831ee4fe02a747f20e89d2c9061ac2b6b8e8def6d08452cc8247a0e74789732ffcf189d176e6bc0df8606a3a8e689bb5284a233fc23146b

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
704KB

MD5
4a6f833f33d230b7211e2755059edf6d

SHA1
129df9b3c61fd605513e88e362f2c3f6aa49562c

SHA256
f0341da8e7e2a9c2383c8befa9fd84acbcc8e8b646793c2c06c6f451afdb8ca5

SHA512
9512f1c27f58f9a72c88b1a605bcb1802683d090ecb54253931c05bea32cec52e8417431ac9dc191d45cc25710bcdd227eb558a6a7d11bd22b843ee054da0209

Download Submit
C:\Windows\SysWOW64\Gedmgfjd.dll

Filesize
7KB

MD5
6ac29b6b12655434378c049e7f70ea91

SHA1
87b9020df7f8b260580d632c8190e49fa402699c

SHA256
36ffc8615190b8d701232bea78ccde1f3a1245b0442421a3b0dc9c914f7c9482

SHA512
5e6bc62df63921d578268ab14b031069c50cc866b70cf5a552a44f9a4f03965bcd97a36c7188887b917c07bc66baee2f60e685845786e45a20775a7faab5fd8e

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
704KB

MD5
30681ab03d1268194673cf336d12544c

SHA1
f887c7000fa5de20168bfdb4d2de09bb2716a001

SHA256
33f36d06def0099e985035542a6f51872866a374dd88b537a2483c2954b5a499

SHA512
76b66e46667118e6a54fde79973bd62a750061dac5b93fb56c6dc3bf503797d8ca150bd9dbc77a31a78cf21034f6ad94b81810e2e58f622c9edec7cd4f8e86b5

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
704KB

MD5
10746a2fddb678f7a6de61be810f63dd

SHA1
107de66a7ab6530f0ad8ef17a0b2f2a641a5eb56

SHA256
ae15f642e94d2a0b1e8f6abc6ef6fe071d0a4ac7d7869c7a54494522b9dd1c78

SHA512
33e21fbe136c010048a724ae7e48af7d6420df331bd97200c37f329fc8c95225923e47c07ee938a58060fbb3aadd5c78e6b798110d721234f00e9df21ec25491

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
704KB

MD5
e4ac8f77a806c2c765e34f5ad1016104

SHA1
8a37435a69e88472dfe7259420a2539c80b5c46d

SHA256
178a389c3b9ef407e1a89bcfbe541618dcc93e999bfc785ee57fce1ae09368c0

SHA512
18feadd557bbe1e7a254fd1637068a3953362bba903dd1b4da142c8722db84197e927c4d3e18901763dab134e20b8c6388c6ad518b781968303a37abdf713a64

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
704KB

MD5
3fa2f96b66eb3a0cf85d99349cd1de30

SHA1
eef9cd1025e665b7e908519ce679f33e8a3b20b4

SHA256
0021b3da6a5628c40c9c43940164e6549d07079414c4ed7d673a48d041fe5608

SHA512
65759acd3a9c21e5a49ebcede4a8468ed6ea883d66da00f4519768489b293c3ded2afc8c6d138e3ce4bd006065c0fda7d4bf3d1b009e140345798649f2969fdf

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
704KB

MD5
840d9c0644903360c2a049e56067c6e3

SHA1
b17fc562a0b18ec0d924b959caf7df09c6affe32

SHA256
f29b707c963131382c2d0057fd57d6b74ee565f9c0f86e888ce0c3603fb8a1b8

SHA512
953cf437a901adf7cb22561507dc471667f5beac50b8617b8f52ba8b830130a385a1617ea16f70d827c66a5d248a72d17e640fc73c4d671bacaf9fa946cf714c

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
704KB

MD5
7aeadc0c6f51f5d01764513f9005470f

SHA1
ecb6ff3e7d98739243760446dd84ad5233ffaff8

SHA256
bec24ec4309536935f8d9a7f4136edf49f12d497e5fecb1bad4dde3d0d7f61b4

SHA512
19f52836d0c9dbbc216b208b8a23056d62ab476e4f561898bb2d7dc9231114d538038ed9fc9afcb7cc6e8af460d4341b74976916ea9a1ff4a8fef3b874f25672

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
704KB

MD5
c630481aa3b1cbc0de25fb282bfc3cc8

SHA1
91950ba4e105ed7a5991c79e6bd30a2ed1758eb7

SHA256
a9e4c564dcb36e9952615d4d137453920b7f5b2aef497052b949bbac505251f7

SHA512
8f5e130c2b5f58d240fa0bfb0fb738bb8779c9c33bb25f3aaa6c7b48f828ad41bce4aeac42e69b5e1148b0063a940ce333cbc43436867784f29496130e0a1939

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
704KB

MD5
83007608ba7254513f35d1234348b465

SHA1
96c5de6e7fd30a5b5a2f12aef9a182e401def250

SHA256
975c212ba78992ac561934739f3c6f2b92c02b4f794e0954116992d90424a7b4

SHA512
b5691bbd82ee062e12b6703b8fde6afc305c29e86e0c1755b27eeb8455bb543c203795e7e91c8312999de04e8af42538bcab366e9a14029d46296fbed1cb62a9

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
704KB

MD5
66e5470c64f6e46787c939443c48a6d9

SHA1
578ae74e9b517fe955cd324b705a17da6e35fdf7

SHA256
1675834550714f1224e30b0c3855e0570d228aeaae8d7fd84cae2b56e10775ff

SHA512
b4948a9de6e9a9e57644f50a688f44b44d80c0b42684530b871f7cec6d2042a2fd2bd069d90c8850cd1f5f135eebbc62c9565bf713288a12fd199fddaf1e1fbc

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
704KB

MD5
01d81a365dd4424f27daf621b97cab97

SHA1
7bf33c0f7255e35c293eb95c411eb456def82ed6

SHA256
1e1349957bf2b2ec75437fdc317538ea33c5a98667fd294ef326fec840dd138f

SHA512
a17a4c2d79e081a3c6d458bd926b6c5c55ea2f82144cf02546c78457e4d852f249e6e09d125b99638e01f10af0e71a8abaf09ba1bff75836d8b6ada711f48a96

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
704KB

MD5
e5e5bf97c94d7f3a695451403ffcb94f

SHA1
c91c22383b968f3b4abab9929610e960faaa1220

SHA256
2af8964764d3c30143f8edfa2ac879213090c82f9ffe6e411447b7263dfc2231

SHA512
c59ada825763121e82190b590a8879377769a5f38ae711dc66c6693ba6f53373741f0ba528a168c50622aa9c7b1cd52b10e09a891b8dfe17736ad82f07018924

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
704KB

MD5
2028c6c87677ed14459f18cd4e23ca0f

SHA1
65d5b3c5aeade17c3fa8987c6d0eafc0808bee3f

SHA256
f9516623ac2d1cbc8e6dfd82392b1cf5a896820bb1e58f6b1f712574b9c36340

SHA512
5199056fb0527a7553e6286897e4c342645bf67433972559ac7d56b79a970294ed30309c2b1da6085acb7275e65cf746ee7fc9de6048d948e1970775162702aa

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
704KB

MD5
432c3c71529273dc3b099eeaa2478daa

SHA1
e5b995de68b61552d3dc1430055b558ec4ba60c7

SHA256
a7428b6c08ee816119c82ee73d46268849236a44d612cc1edd2b4103fd42c0ae

SHA512
c2117776a225762bc1e38859316649f81c6f4fde121c1d6f0965d5f343819c3ef5cd04723c86fe729c3b77dfe7e4e834555bbffb06dac05910b6d56067353e1e

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
704KB

MD5
d5238597da86386686b17012e4a60fe8

SHA1
203b6faec1a20eb00d3bb184f4fd303db5e56cba

SHA256
17e02ae18fe6b891a453f36e56848ce0aa7938f48710eb819b05c193f633ed4c

SHA512
a07877a530178755d13ffc0db4547550049e52f70764d1b93c4561826a6cc1085161d30bfdfba8959783f3a3ff067b155932b737ae2d349c9ffd1ee1c767f06f

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
704KB

MD5
eb0b260b0303203186f6bfd831d835ee

SHA1
5f8e944752078b00d72edd7313763b9a183878b0

SHA256
2328099f9008df2ac17948d484ab7add64d4caf89ec692ecc02a3c76d9d94a7f

SHA512
76198d0850d7d3f422b6cde7d7e4efb5093d40440082c8072be7df3bc4808782b821e7bf823ab9d7bd5055186c855ee881e4427e97e022f14c9e6e155221a31f

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
704KB

MD5
9ff59f3d282a5179118c78360af0edd3

SHA1
0de759082fb550532311340b21fa0ebf912f9266

SHA256
6ce692824c8666003c24db930807dac09d4977ad226a37e5ae7a5e45855069fb

SHA512
d416b9fbf58dbb2ca1ca7bd2bb6a4074c0df3d8f3a097da1e351ed44bc227ab27300d13393ab85b10fed5bc1567e40dbcb12fd4e75510ee059db9e91ccd2b2de

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
704KB

MD5
7f5ad3f49ac91e47263ea013328f6e32

SHA1
c0f2abf11b300de9523b346ae402c9612e25f99b

SHA256
e061b59ebda2ddd8de6f05cb1661e118d4fc95ccf39c492199b380d798e507ef

SHA512
57ec0b1bd18e5a342429a8225bad5d83893d7925531ca1f85c9040eff36d47855ef2dea39fc5b0035cedece4f3b9c549c00e08ef156548e3b0e02d76b2fc3e08

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
704KB

MD5
83252e3d8d5ba36f6c741d52e30b8fe2

SHA1
be786edcf663a643a4a9f96de57f61a6ed3a5a12

SHA256
7055c9fa6368a1d9c9efc0bb690693c3e997d197a65a4bf0b618982152ea35ed

SHA512
594d370fc1d7ba1757a7ff58bbec664a352d623da751bf2efe5eaa269e7972a26a5925194db064032c52d65e835f6cd3776ea132a79c0485f55af4fb1c090b50

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
704KB

MD5
e2ea4389ab553dc7d894ec2684b20171

SHA1
4f0565c1e9e9ed825165cd64000356625fdf9ca2

SHA256
253ba3ce4718ae7f69650f54a3159ba8da8b23fd8d3942c0991ed09e124ecd8f

SHA512
5f9ea9a2f5dd7ff5a98a92b3dacdebd05ea9895022fdf6670725c3d58b1eec88b4d4c1fc7ed5776df1b0330d569c5636eeb1c43830e8dff434b5956be6915dd2

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
704KB

MD5
f55af57a05c7c6467baadb849d1725ed

SHA1
94dc081e451a808dfd302a86ffd8a3ae3eb1c4f7

SHA256
8340d729737d15910150f019959a7758ff4f026aa490dad86e735ea5af2ca72e

SHA512
bddb7dab6561d0f80ec81341914b64400bbef0cbeea4618bce09617b17cf9eb93f831ec7293802afe36835fd6a9e4bb5d38d86a80a3122c1091b489f7d502a10

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
704KB

MD5
4a7899d3354ab80ea8407732a0914807

SHA1
e36929ce769084b6dd3e3b1486739a22256ed80e

SHA256
c1a6e1a9c2f80ed773e38467ecfb597ddc6c0025a10e8ce39a8faa772b3d1d79

SHA512
3195e09dcf128f50e4b99a1e6b8d29d0602c9accc82b9ce27e7a69d55a490a06ae3a6119246832c4b0a6e4fe306c800c521aa257ba07ee2ddf3d163ee2f964e8

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
704KB

MD5
cec9c0959958917aeff7d9dbbd91d09d

SHA1
de73d6c667ec076a3cf1ce6acf48bc7c721e7109

SHA256
c4773d5e14676ba2fe71f5461d1fc53136e8997d6072a23fffac69ec506101b6

SHA512
061cda28541d1832d583c1feb0fa7fa369957b2848f902d96a71dc0d02012f995a42ef9271b588b41436d5be675a44966546dc0a492031257bc9aa7ba7585450

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
704KB

MD5
f704bef658093184092e3778f1367a4a

SHA1
8518c0c85a981907aeab8b00478a24eb9b329a16

SHA256
ecefb544a0ab61a1b9ac6373822ee502107f656bd42bf4c821f4a76f44100503

SHA512
236c29d3e0ebe540e8aa37f93ac0b79f74e7bf652cb12d0f953c87b34df1ae37085fb9d18b258f9db096d3405949aaffefce107a853758ea87cb58a5e37b0e35

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
704KB

MD5
c673a6dda4bb8b5780a87b9a6e64ae93

SHA1
c4d7dc82c8e43b794092b9d8fcc31dc0d25c5caf

SHA256
90e14cc7adb8ebf6b969c8077f850551dde74eefb3508333d7c48ca85fc1420d

SHA512
5c78f09f7a24d5027fee1504d43818bc67f5c32a155da53927f73f38e51ce2fb8771dfda490af4a94e9b3bc117dfc51aa927e49f069c0ded68c91c5160b89802

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
704KB

MD5
5ef1c166f8bab59f9cee3be890753e23

SHA1
f563f26ca3e5c2533c0ac4266078da06c2c0fbb4

SHA256
7197f2260577dc0686ea38e23e7d6442020528d37ca39216d060199e138643ab

SHA512
187a74f85df01f393904605688279d02773e810b4e6e7cc46e6fc9f444e4981e7da708c3b2da389a33333a963e38d2dba02a347ae792ca109b8f5e7aa49953bb

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
704KB

MD5
fbb55d4e285fd854b7c34c7f58556c1e

SHA1
09bb392492666b622dea14da7f20a69fe1a6159f

SHA256
64fc4e6493f54ce370ed814bf409321e84bee83d33a70d2389669b5e5a5e49d4

SHA512
4816fa97d50386b75fff0dffe31f7d0125d5b5eb564b2e6e37fca9f904839aa741bdfb65d249cdbf5a46f88446aaacdbfadabf0d0ac32f6dc5b5c3360026c97c

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
704KB

MD5
face30a7f85227693f81df33e1940e7c

SHA1
ec31a77d4c5f9a826bd5922f5f4dac4e3bcd5282

SHA256
8e231c43ce81022ab87ea5722bfce8eb45f99e4d57071b193ee03b9c6ca23fb2

SHA512
b32599ec58e80e8233386919a68659dd51c72aeec1cede4a0f0702b0c241faafccb0a13d5c7dbf76a60bcf027f64df29efadc2574b457dca5220182abec1f570

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
704KB

MD5
63c941cf09f4aafc7f54054e9cd5bc36

SHA1
f66ab2e0122c749b37fb5918b24674e69c5cb7b0

SHA256
7cc42e0f242237ca93406d64dade17462007c023b5996111884fce37cdc34cce

SHA512
c19387ef186fbe5d07d3435b3bd39e149344fe4fbd379900e3cee3fe970aec54f5e6f1ed75e42ce96e50f95cb9a988a289888549b974dde30f7cc7211dfa1a60

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
704KB

MD5
06a2877877aca0ac43b476024ff5831e

SHA1
5f627283aa48a7819c405cb6753db5b68b463f8e

SHA256
4a0e8ff33fe6a2939e094f8ca7f6edb5f31efb18e636dd08f261787f49e5895f

SHA512
91e910981bae132d472e94e700cc77694c23e57ce220a3d582b3e7361309fc6eada5be7bf07c7a3f0e5f2196529a316541f22340949d43c01c3510cd9cf109b8

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
704KB

MD5
8151a43087c37749a8e99953e555264d

SHA1
5c12bd594214d61536bebb07e6d0d644742066da

SHA256
b5cf3deae18ec63c99e89f5ca6e71524cd3112a9016aecba1f33ed462db50357

SHA512
3566f87868353558ca42979630b17e2d90add67aa702a46e2995a445853d7f547e28bce6297f6a811fd13fa08c4b6c18da8b8deaf64f6ddc4efc05c75312ac77

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
704KB

MD5
01e47bb8b8cf3a426364c04a0c059586

SHA1
1e938f2ab3fa949c7b5cc55a64f056b3f6ddb937

SHA256
6bef1fcffb944e159e278686841fd0d11842158f2c7fe4d14ff30ef5077509dc

SHA512
08faccb6a5fec8cb3242fba0b7f4993eaf8101590e6b2b321cfa551eac5c2b820e816017125b61cf7495d17a936472bf74eb90454f00e1740cd048a8c05fd4dc

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
704KB

MD5
50e63f4c4b3cb6e6001533f5942555e5

SHA1
edf3d7846090e123e2d0a36d9692407e041adbc9

SHA256
3b5eb98af19102c6dfdb643a59fc77caf48466dcac9ebf42466b70e9694f2f42

SHA512
c8693efcc0efb8d63dca7d06770af577a82d5e92ea1c741327ab189b15d88bf98fbf21eca8e8bb32f4567dadd04a2846cfbbe62e5fadb4aa77eb174e978012d0

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
704KB

MD5
827828c2146ca4af945fa82e40b6e4c2

SHA1
bfb4908853793e2f77efa0ef05d0b57b8a1ff554

SHA256
de1ed228273325e34f91dd6d919bec959176f4864d7625fb3711e29a94bd8267

SHA512
f0694a176b04200df05a5e20cbe25a35f04963af3d0a265febb1889108fcee75fe9fc557827d7e0fc7cc622e71f088ab75166b88f834723639798c842eb5b19f

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
704KB

MD5
d0dac0ba7f6e6da54b6010c0fa79355e

SHA1
10ec5d0bd00096197ffdb954ec179cbabd89d251

SHA256
d1120d6488e7148348ffe05e55b0b48e9ef66cb910e12d364616a329be9f2442

SHA512
ba51fc125f9871d8225517ed443a55c772c7885fbc51973b12d52cfdcbfbc9abe9ee16dfe623dd8b7af56cd881bf5851e65969ef7d697418c6c2e3253925a094

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
704KB

MD5
235e9c07f62bedb5acc5c309398036f7

SHA1
80f936f8625163bbc0c32914f641c4b21ee66ea3

SHA256
a145b33dbe2e72cea431de3eea07509848d5a1f85fb1cae7f621b32be20a070a

SHA512
f79d403c9112711fb5e43418dd7eb369faa20d3bded76e564ac25fe2aeb97d27b9f3ddd0cd2fff62c162a2c08c86fefdab9c8e8636878d6eadd3965e0924a42f

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
704KB

MD5
662bad1d4cd0fa8d475b896181006b90

SHA1
3376ed35389423990623ea6cff501d043c8dcff3

SHA256
6fb82213f6f87a1816a2e259b671e6615003876659cfb98911ff5f11e52569f0

SHA512
0ea8112d5702ab82a0598c6f3d0283c2db7b646653a172d6160226f6799c5eb70c221de3c5527fe8d32bb2b91fe798e4a4d6aeb11fb3f618032c8f7cb8f10e18

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
704KB

MD5
b5e17215be667cb2538aa305797b9728

SHA1
118de1c218591f71b744256a510143cdae3bbf1f

SHA256
733fc2b83cc569ade50c5c383780350896db818d51651ca3b17d2f95262db2e4

SHA512
cff23a02743b9f3e1785b9ed6c2a10db667a63dbd09c2ae5e6816de592383f39585f4817635693095a2a431562b4cf7bf387e708a4ef8bdf034e925e1e7f9f0e

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
704KB

MD5
34d7fb42d87dc1246bf7c5e1fe8a05de

SHA1
33866477b988df8782156e312ca3849e78bc54f0

SHA256
dc0913b2717157169628361d0d9660847fdfb4e49820ed12bff7c2f87556f476

SHA512
50a815fcaf4cf7d17f207ac0a74fa3934544e16388eed96a11bf15b1a33452ef7dbd5f02c33f0ecceaacd4742c6dac1bd28cae58d885e005f7684ba58c939e74

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
704KB

MD5
06c740a4ba4dbd297e6cefb6a41cf9c4

SHA1
fa3f48312e4d86d06a1a6898855ec92e7b6a29b0

SHA256
3bc17654dcd931800800e69b222b3f205c324772dad0253e2bf75015ee5f2ecc

SHA512
f5ac3b2b2baa25a22905bca04ca6c9f75ea6a38d8476b4bb036d9a608218377305c89d089384959f8933da9764f6b0b90e8e96c0fe8550484c249286e9b8fe4e

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
704KB

MD5
69b504033b5b17207a1f2c9c68d68523

SHA1
5cc917c3ee05e5ecdb06360b202136cd9cd898c6

SHA256
d04567496d8fda0d1f89730b5d98f802e962359e5782ebaf9f9c1768cae61d15

SHA512
0420cd3e4a207686e1a94c6cf1c529bda91aa0f99d730b95ef84bcd7520cef456dcaea1a7f6eb15f25c9761622409d7135d22f3a85c7fa632374a107514fb2d5

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
704KB

MD5
503d09e461ed89a286da88f5644db805

SHA1
69a634478a8b47a9acdbb26fd2edfff2ee9e233d

SHA256
0d69f15eac190651a617ebb161b235cd64d679f9ab96f6b21b2073ab0338d126

SHA512
74d1d6109585529da4efde494401425c7b686c3015adf2720d7fd8e198b6fcce117fea344e77c879003f4a1012b2ff93d5d3035068af881076c2266ab1fac988

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
704KB

MD5
fe12dbca4c42b7efd0b52ce35e463335

SHA1
eb90c9fa7d5f3ab279dd0afcdcfaf43c83c97101

SHA256
76d2a8b310cdc23c45f8e48444896ea13f546ca6c52d4c4aca957edbdcbf5108

SHA512
d5692ee4fa16289988af90e09629b2ccd485bfed7a6b34de89846933618c7628d242dcd3b69e6395a41c3e4e355856db3cffdca14778f3c392cd09f643769bbf

Download Submit
memory/452-320-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/452-246-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/508-203-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/508-130-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/908-373-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1016-432-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1072-89-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1072-8-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1116-307-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1116-375-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1220-267-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1232-90-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1232-183-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1372-24-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1372-106-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1448-314-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1448-382-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1608-327-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1608-258-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1852-389-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1852-324-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1864-230-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1864-306-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1956-64-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1956-161-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2208-396-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2208-328-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2220-383-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2256-278-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2256-193-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2276-212-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2276-292-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2996-271-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2996-185-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3032-98-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3032-192-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3048-122-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3068-417-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3068-350-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3176-341-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3176-410-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3208-220-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3208-299-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3264-55-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3264-152-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3288-272-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3288-340-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3368-202-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3368-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3468-286-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3468-354-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3616-81-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3616-175-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3728-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3728-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3740-293-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3740-361-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3768-438-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4032-397-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4040-162-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4072-52-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4276-279-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4276-347-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4352-408-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4468-444-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4468-376-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4544-355-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4544-424-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4560-238-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4560-313-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4592-204-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4592-285-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4596-266-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4596-176-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4636-418-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4820-431-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4820-362-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4908-300-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4908-372-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4980-219-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4980-135-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5184-20-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5232-407-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5232-334-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5260-390-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5308-425-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5340-411-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5556-140-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5556-229-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5680-36-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5764-171-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5776-153-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6012-170-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6012-71-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6120-40-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6120-131-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads