34f3c3c0b4b8bc595cf60926de5a199cf9d998e1d1146e45751d985db2cf997b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e15814f6016ddcbac409f2fa864016a0_NEIKI.exe
Size

198KB
MD5

e15814f6016ddcbac409f2fa864016a0
SHA1

2da3876f136de98f61151be18c5fc6c4e131b06c
SHA256

34f3c3c0b4b8bc595cf60926de5a199cf9d998e1d1146e45751d985db2cf997b
SHA512

6dc1108be4ebff0c8857264883ec77170e1d930e1ad38d35951c02bd5e1af9feba556872054fa2cb52d4d8bb7085cdec48b87c700c23f7b6c83c01c28b95add5
SSDEEP

3072:3PgSZO1fJOMI16ziH4Sp+7H7wWkqrifbdB7dYk1Bx8DpsV6OzrCIwfE:fgdfJOMC6ziHBOHhkym/89bKws

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ficgacna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe

Executes dropped EXE 64 IoCs

pid	Process
3528	Emjjgbjp.exe
3808	Ecdbdl32.exe
4564	Ffbnph32.exe
4908	Fcgoilpj.exe
976	Fbioei32.exe
3092	Ficgacna.exe
1064	Fcikolnh.exe
696	Fifdgblo.exe
5112	Fopldmcl.exe
1596	Ffjdqg32.exe
2968	Fihqmb32.exe
4112	Fobiilai.exe
4976	Fjhmgeao.exe
2196	Fqaeco32.exe
2276	Gbcakg32.exe
4704	Gjjjle32.exe
1428	Gmhfhp32.exe
2328	Gbenqg32.exe
4388	Gfqjafdq.exe
4412	Gqfooodg.exe
2932	Gbgkfg32.exe
4792	Gjocgdkg.exe
1188	Gpklpkio.exe
3340	Gbjhlfhb.exe
4676	Gjapmdid.exe
2828	Gpnhekgl.exe
3324	Gfhqbe32.exe
2468	Gifmnpnl.exe
4104	Gameonno.exe
2260	Hihicplj.exe
4516	Hpbaqj32.exe
1000	Hjhfnccl.exe
5068	Hpenfjad.exe
4404	Hcqjfh32.exe
4276	Hfofbd32.exe
3980	Himcoo32.exe
5028	Hadkpm32.exe
544	Hccglh32.exe
3196	Hjmoibog.exe
4472	Hmklen32.exe
1508	Hpihai32.exe
4460	Hjolnb32.exe
4332	Hibljoco.exe
1580	Ipldfi32.exe
2960	Ibjqcd32.exe
4508	Ijaida32.exe
3848	Impepm32.exe
3628	Ipnalhii.exe
4992	Ijdeiaio.exe
1004	Iannfk32.exe
2256	Icljbg32.exe
4644	Ifjfnb32.exe
624	Imdnklfp.exe
4216	Ipckgh32.exe
4504	Ifmcdblq.exe
1864	Iikopmkd.exe
3040	Ipegmg32.exe
440	Ibccic32.exe
1080	Iinlemia.exe
860	Jpgdbg32.exe
4592	Jbfpobpb.exe
3732	Jjmhppqd.exe
4204	Jdemhe32.exe
4076	Jjpeepnb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fqaeco32.exe	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Gjapmdid.exe	Gbjhlfhb.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Gbgkfg32.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Fqaeco32.exe	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Gpklpkio.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hfofbd32.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hjolnb32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Hihicplj.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Gfqjafdq.exe	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Gfhqbe32.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hccglh32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Fbioei32.exe	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kbapjafe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6952	6860	WerFault.exe	243

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhbep32.dll"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbapjafe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 3528	412	e15814f6016ddcbac409f2fa864016a0_NEIKI.exe	83
PID 412 wrote to memory of 3528	412	e15814f6016ddcbac409f2fa864016a0_NEIKI.exe	83
PID 412 wrote to memory of 3528	412	e15814f6016ddcbac409f2fa864016a0_NEIKI.exe	83
PID 3528 wrote to memory of 3808	3528	Emjjgbjp.exe	84
PID 3528 wrote to memory of 3808	3528	Emjjgbjp.exe	84
PID 3528 wrote to memory of 3808	3528	Emjjgbjp.exe	84
PID 3808 wrote to memory of 4564	3808	Ecdbdl32.exe	85
PID 3808 wrote to memory of 4564	3808	Ecdbdl32.exe	85
PID 3808 wrote to memory of 4564	3808	Ecdbdl32.exe	85
PID 4564 wrote to memory of 4908	4564	Ffbnph32.exe	86
PID 4564 wrote to memory of 4908	4564	Ffbnph32.exe	86
PID 4564 wrote to memory of 4908	4564	Ffbnph32.exe	86
PID 4908 wrote to memory of 976	4908	Fcgoilpj.exe	87
PID 4908 wrote to memory of 976	4908	Fcgoilpj.exe	87
PID 4908 wrote to memory of 976	4908	Fcgoilpj.exe	87
PID 976 wrote to memory of 3092	976	Fbioei32.exe	88
PID 976 wrote to memory of 3092	976	Fbioei32.exe	88
PID 976 wrote to memory of 3092	976	Fbioei32.exe	88
PID 3092 wrote to memory of 1064	3092	Ficgacna.exe	89
PID 3092 wrote to memory of 1064	3092	Ficgacna.exe	89
PID 3092 wrote to memory of 1064	3092	Ficgacna.exe	89
PID 1064 wrote to memory of 696	1064	Fcikolnh.exe	90
PID 1064 wrote to memory of 696	1064	Fcikolnh.exe	90
PID 1064 wrote to memory of 696	1064	Fcikolnh.exe	90
PID 696 wrote to memory of 5112	696	Fifdgblo.exe	91
PID 696 wrote to memory of 5112	696	Fifdgblo.exe	91
PID 696 wrote to memory of 5112	696	Fifdgblo.exe	91
PID 5112 wrote to memory of 1596	5112	Fopldmcl.exe	92
PID 5112 wrote to memory of 1596	5112	Fopldmcl.exe	92
PID 5112 wrote to memory of 1596	5112	Fopldmcl.exe	92
PID 1596 wrote to memory of 2968	1596	Ffjdqg32.exe	93
PID 1596 wrote to memory of 2968	1596	Ffjdqg32.exe	93
PID 1596 wrote to memory of 2968	1596	Ffjdqg32.exe	93
PID 2968 wrote to memory of 4112	2968	Fihqmb32.exe	94
PID 2968 wrote to memory of 4112	2968	Fihqmb32.exe	94
PID 2968 wrote to memory of 4112	2968	Fihqmb32.exe	94
PID 4112 wrote to memory of 4976	4112	Fobiilai.exe	95
PID 4112 wrote to memory of 4976	4112	Fobiilai.exe	95
PID 4112 wrote to memory of 4976	4112	Fobiilai.exe	95
PID 4976 wrote to memory of 2196	4976	Fjhmgeao.exe	96
PID 4976 wrote to memory of 2196	4976	Fjhmgeao.exe	96
PID 4976 wrote to memory of 2196	4976	Fjhmgeao.exe	96
PID 2196 wrote to memory of 2276	2196	Fqaeco32.exe	97
PID 2196 wrote to memory of 2276	2196	Fqaeco32.exe	97
PID 2196 wrote to memory of 2276	2196	Fqaeco32.exe	97
PID 2276 wrote to memory of 4704	2276	Gbcakg32.exe	98
PID 2276 wrote to memory of 4704	2276	Gbcakg32.exe	98
PID 2276 wrote to memory of 4704	2276	Gbcakg32.exe	98
PID 4704 wrote to memory of 1428	4704	Gjjjle32.exe	99
PID 4704 wrote to memory of 1428	4704	Gjjjle32.exe	99
PID 4704 wrote to memory of 1428	4704	Gjjjle32.exe	99
PID 1428 wrote to memory of 2328	1428	Gmhfhp32.exe	100
PID 1428 wrote to memory of 2328	1428	Gmhfhp32.exe	100
PID 1428 wrote to memory of 2328	1428	Gmhfhp32.exe	100
PID 2328 wrote to memory of 4388	2328	Gbenqg32.exe	102
PID 2328 wrote to memory of 4388	2328	Gbenqg32.exe	102
PID 2328 wrote to memory of 4388	2328	Gbenqg32.exe	102
PID 4388 wrote to memory of 4412	4388	Gfqjafdq.exe	103
PID 4388 wrote to memory of 4412	4388	Gfqjafdq.exe	103
PID 4388 wrote to memory of 4412	4388	Gfqjafdq.exe	103
PID 4412 wrote to memory of 2932	4412	Gqfooodg.exe	105
PID 4412 wrote to memory of 2932	4412	Gqfooodg.exe	105
PID 4412 wrote to memory of 2932	4412	Gqfooodg.exe	105
PID 2932 wrote to memory of 4792	2932	Gbgkfg32.exe	106

C:\Users\Admin\AppData\Local\Temp\e15814f6016ddcbac409f2fa864016a0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\e15814f6016ddcbac409f2fa864016a0_NEIKI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\SysWOW64\Emjjgbjp.exe
  C:\Windows\system32\Emjjgbjp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\SysWOW64\Ecdbdl32.exe
    C:\Windows\system32\Ecdbdl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Windows\SysWOW64\Ffbnph32.exe
      C:\Windows\system32\Ffbnph32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4564
    - - C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4908
      - C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1188
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3340
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        34⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        41⤵
        Executes dropped EXE
        
        PID:3196
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        46⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        48⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        51⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        64⤵
        Executes dropped EXE
        
        PID:3732
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        65⤵
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        66⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4780
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:840
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2580
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4856
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        72⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        74⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        77⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        78⤵
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1172
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:516
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        82⤵
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        86⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        87⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3356
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        93⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        95⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        96⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        97⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        98⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        99⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        100⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        104⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        109⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        110⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        112⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        113⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        114⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        116⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        120⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5968
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        123⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        124⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        129⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        131⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        132⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        136⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        137⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        138⤵
        Drops file in System32 directory
        
        PID:6172
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        139⤵
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6348
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        146⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        148⤵
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        149⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6696
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        151⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        152⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6820
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        154⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 412
        155⤵
        Program crash
        
        PID:6952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6860 -ip 6860
1⤵
PID:6924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
198KB

MD5
cd3c41dd2a0d1bb6bef37c763b6b4b9a

SHA1
d262c8e95a338a13a0bb230bd1e368e46fe8b3d9

SHA256
8a52605290f19ed2bfa1cfc12873178aa4202e07657285dd5437114b2553b0f8

SHA512
efb07ffe2aeeaf0614aae0610cfbacf13c13bae3db9d1ca51447d77634d15a9500f5bd2145d41855356a04cb35f5acf3e6081e136bbcc138763462061ee37316

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
198KB

MD5
f358212cad7c8c87f7bdffde3d0614c2

SHA1
9baa1426b3e261349b1f242450d0d330c45f40dc

SHA256
0e4631ef16d56fab41abfc04b0297438ccd2a0512f7451b67325964f1f0b1674

SHA512
3854ac1c1e2bf5d7a18aef25cc698d4882a0ebb964ae4b80f300cc4c14b069cf2a087b584fcaf794d674118ad3ff35f3b988801e5690c82bc62769bc9a28d8ea

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
198KB

MD5
9e5981fab26bbddf29d3e13a76afccb8

SHA1
debbef458462299f17c368f25b3b9d4d70417b44

SHA256
1d623174aece676394796cb2bf9c8f9606f277a38e652f8eb318d2d63222c63c

SHA512
ebd2e7ad7d73fcaca5fa00db06f8d3497da07a3abb6bc0de5745a6e4b89ca003cb3fc75c46abcfe75c9621f52350742fcc9b09e3b5d8f8de55828381590c8bdf

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
198KB

MD5
179b603148998576f2264d7b02394601

SHA1
89c2fa0ab4affe99b7c01e2e5d4a47368b46593a

SHA256
e2ce4b81c73ad6669ee37573e2c5ff3535963732db5ebbfd1170f6cb251d3a8b

SHA512
7460fe074da82a726653f9e7fe48ea7e31bc386240a0b5ca48ef12ac45d84258bde9491fbf9589d2b9b5ef9671f0ab6b676809eb63afb0505379b2c0abc9e441

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
198KB

MD5
2b88c574d5a69ca29daa1ed415526896

SHA1
08202b5c1221c759d9120854221509fba20929a1

SHA256
75bbf2a921445cd7e73458522a13dc61140a50ad242e56292e8688d1b26c83fe

SHA512
5188007b6e23b8849e6a00e40185461b015efe29ab0030665041113a5d551cd78af55862fd56727773d5e83a94f2ff117ec5f34f2c1281036ba334e93bb9e471

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
198KB

MD5
5c29a60c2335caf45e5097c3a959860f

SHA1
e78352651bde6af8c10cff1cf58b364827031359

SHA256
70a1fc04a981f89cc32c8fba1fd48cda2fd4ca68d800b614d7ca120d3e6fa488

SHA512
f0388c569ab2959280e950c5e0943367e2e790e26be8c798209fa67e3bd49a0b6f1a4c27791bb9a3c4829efefe158b8eb3c3ea816624c50f1bb395d668390c70

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
198KB

MD5
34e1105bf1700e6dbbbd41ad71005616

SHA1
0bfd4f49bba48483eb5fb563235c8e7d23eeac1e

SHA256
95bd3f6649759928c0a18b6109488555c67140eea0ea29b729793a03b7f18fd1

SHA512
1f18c8506314d8da04c2f1d1d4a2104ad34e541d11072a168cc65030bfbe5805264e26b2e666d5a79240b84072aef4ab9ad3ee4b6c9b6289ac68dadf55cd9c1f

Download Submit
C:\Windows\SysWOW64\Fibgnfha.dll

Filesize
7KB

MD5
8998e69685fa2ce618d8c47217194126

SHA1
58c40067c4c93782557ed33ad36d09b636a55be2

SHA256
cda53fc66a2a386a897de6bd40166385f653831ebee4881405455e0b8cb43553

SHA512
f228b8cc2137763d01aa5c324eb8f8d8930daf62ffa6ef3d36c79b6143f5f71acbae8e8407cfd7201c73bbadfb381d1f9a1eacc7c43da16a36836682abf0aff3

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
198KB

MD5
468efcdb09814b01dc03a84c4ed5e3d7

SHA1
aa4538bc71c46280d50aa3ac76602db21f92bfb1

SHA256
92581a66c65f858f6307d22b9a05f507c7c62ad74042878f27ce1007b869d0c5

SHA512
899f5d99117afd7c1ab5248280ab64b9564eca900a822bb5ad0b53395297d85e5bec8df3831d4a145ebb168c06fca7afa4f69207d2bab327152c90d948f8dae7

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
198KB

MD5
52b99991305764480dcd06d4f620fdda

SHA1
c6a2c4f5e196d4f791b54d0b022663d10be061e5

SHA256
c240b58bf6fc44ccc9785ddd73dfb64871851561abcf8a07021ed9dab6b2011d

SHA512
6fe537540951a2e104dec33b9c1441672abec47342686676c1c111bbc418491865e3b07b11ba9fd0a7ff3b8a0ba11cb469f49a33e514fb65cedde883f1f34059

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
198KB

MD5
994f454687852a0aa0cd4939522ff4aa

SHA1
461b509b8ebc06d3763e850c5cd0ddc7ad3d5b16

SHA256
006535be612c9f33a7edae488434eb4fd3fa9a4639e555f7dcdf7f8dbcdeb91c

SHA512
788f705715b064eee5e93a84b310dc8aa078c1c597eb3465dddb6e75d8fb53624271133ff6a4820f3937158a890007f6fe1f28f32f339c71893a8c741863a449

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
198KB

MD5
816bdbc9ed48aebb159e43d1300749b9

SHA1
972e97366b41bfbd6b4e66834b29f898b72301c2

SHA256
f19c9574f060b8a02cf6983f877f458c370455a9d8fe8ee13b6340d68048ef68

SHA512
5f89c1bd7cde174cf71396b0f4056703a54cfedd664d4b317346e7bef81fcba405ca75cf887e57156526b2877c4c8205bfed9d6f566b54293a27f48bbbaa2dd2

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
198KB

MD5
24abf1d3ddf95988a59d0a08c844e929

SHA1
0918fd7fe868d2351b318488efeb18b0d77904f1

SHA256
cae7a9cdb79d48527d009e5092cd3ca6e9841377a9e7e52b8242d5ead84573aa

SHA512
0434b386adf92c7268adcaa749c6131caa9016ac80423f1f15dd0c0a32dbb0bf3d2e66c63ff18a385cc271bf165339c58e4c00210ab3f3a1de45fc82e32593ae

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
198KB

MD5
89185ca8d62894b31c5addcccc8b0d72

SHA1
39731a4b67992b3c48cc8ad78ba25a051eb62752

SHA256
d7b58625130dcff9e027b0e7d7c58b95a7b29ebdd72211d2918a5b8b45dcf8be

SHA512
adb55987de617f1bebdeac7347cf28d215058f4461bc629ac20ac5b452b09e224658a491c43ae00597b551d2b0b9dd69cefa9b7b3775a9bfcfd106931305ebd7

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
198KB

MD5
02773fe874c5cc123ec566e8b0c47cf4

SHA1
290a257ca7b6eb891ee54ec25478a5090aa920ab

SHA256
fb81268a7c78477654ae1beb18f05717b45f6659de36e3711f4dbf596bcdf3c7

SHA512
8adc2bd10e1c215565d0d6d0ce21a7d3c2c4518a828c5d4a25761ddf7c0856bc5cc7a13651300f0fc8496ac4aa5429ba77bce6c247b77ae4527a40393061efa5

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
198KB

MD5
8a787c73e032d27dbcca3953ad787375

SHA1
00cb654238b679bd991faf2910f74ce61b1854f2

SHA256
2d885d890339cfb4a1acfbda79017eecc5610c85b30e52136cc06a5b075c3e89

SHA512
c03c28de532b3755ccb9ac31bcc221c1e2a36185980a421df3232998bdd43a01b9f7532e9ffc01f9908e9e1465e76a62aaf54ced3b071417feefcc626e4b0b54

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
198KB

MD5
41607ffbe3feedb451898b08e3621cb8

SHA1
2128267abb9faac137cd2ccef29222a15ea94813

SHA256
139fcec3564bee67abe535d9daa5bc20a19e9534a06a27861866afee2b5d6547

SHA512
11af2e8163e81081567a9dd1c2cdb5c1a8859a96d62b303ebd64a2284273b4fbaaf47444e53776f59f3ab7db0ac7f47eb7068b656a071a63c4a086fb37a0674f

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
198KB

MD5
bba036d3909abcfb03e1a3d5f5b27703

SHA1
ab8bb2c956be7b6ac1804f02c4686e580897adca

SHA256
a5278343bf1444acb3247c171f7450652d19aefabcd7ed8a48dce25d9d8f3e53

SHA512
f97c794a5c298a50b72f9dc443912186e21e436b7186cfcb4a7333b72bc33a2af251f64f8d7f6ab854c288b41e61e5064af92b56dc48ac89e75c26640f3492a9

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
198KB

MD5
3ba3126530c74aac8ee328d8b99f8f10

SHA1
8b25af2a63bfd572d99f7046e3a860cccfd3d1cd

SHA256
efe0d179ae9546f1dace25c471650aa95e1dec9a6f4668f36ef3dc71d0e76c75

SHA512
a0ae6844e736771be25d3db78aca44d5ac414b9e3c0ed00f1f0232492e0bede9b63612f117e6ad1151fda14d037a2f543ea1f76625e66624038f300f3722af91

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
198KB

MD5
48d8a9a734fc5c18b3ab4345354e2c04

SHA1
a6f7045c9554b17f7011341ae449942ab73841dd

SHA256
ec5d879648ea322ec4b4e17e86ee3f02ad7bf3e9a9f1878c5b1e51524621764b

SHA512
2569f3a73af2514613932426b6021a29cda67c9a1e8ed1b0fd8d9dc7a137be29b157f1df9555968faf748ad3fc204c68c626b47c45dcdc591c234b178fd1bf3d

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
198KB

MD5
51fe9e6c8f6281eabdacc65adee26f7f

SHA1
a3c82e9635e1e00d16b343484b43cb51b4a13222

SHA256
f4aa541894080068bc2a8eccac0d52eeb364cbef43d9c5b6bb254259fd0f6ebd

SHA512
d04728d9ba23f32327fc904c7822c3f1ff1271aa762b5cebb0dbdf8c2e8e86bbd3f827973e63e8da7161b206b293ff4edc38de0b7c2693672d57b4a641d9b20f

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
198KB

MD5
9a4febdd193f888a00817cf08a062147

SHA1
4225fc4b6dbca093c29af9d2d4fdab937b234fbc

SHA256
7e77774a4b034eb5a49096b8c6147a4c8daab5a605c7ad05d0f47eb244879d46

SHA512
856e9463a174863654364ea54a38e53d5d3ea1e2f43b8c14a60f6f98b14d21a5b944a60cf656f110ea9f88a7bdc3c92e668d23b860c351647095dbf987fc2254

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
198KB

MD5
abd67a707ef8ba332052af21350b4f92

SHA1
fef41b77898d07c14fdafb25a83a84df2b275c24

SHA256
9901f803f9a43907ca60a16165eed3a8f1454fc45bd582a377eeceed211f3f5e

SHA512
21b471c70708f8c6e6782818e9f58ad476be112bb6d2f3b7638f0e3fd5763db4b4fc6ebdc35b2760f1d770d250029b84be220d2801238462d7dc5e9caf9e2d25

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
198KB

MD5
a18c0b0ec4d91a424e420b369eb6b9f1

SHA1
c8379266c98a7cc9ffabed6422701b5f177b4bd4

SHA256
4279bdd14babd9cd33355331a9f7e728a29a9bca2e33cf045a5c40eb2083d35e

SHA512
40b88ec452d94fa74df5a7bb7c94418b31f96220fa33ee24e63bfec99053996b9979a74e11dadd28493e3c94001ea617f14cc2c3c76f29b2240e075c84d90bd6

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
198KB

MD5
793f07d7f8fc00c2d258b21f65a6f360

SHA1
b307465e55b8617317c392f2289fb34caa24b9da

SHA256
b9bbdad219dcff4f5d6865168c77074de703c75657b137451729e515c25eb0cc

SHA512
ea6b8b2d4f739708f137c2ac69d1731b7bb2035731ccce66b8765dbb4b75391e7a4bdbd4cce77c67fcf7a83c7014ec51cfd11ed9d5142519997e14ca1b716046

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
198KB

MD5
3b6012c8204198f3045c1ecded800ab8

SHA1
886b3f314bd956f92a53b38dd7533d7d202d32d2

SHA256
a79200288388bfed260b39a461485600bf93f0792b341e4da995633831074ec4

SHA512
ca1956eb9d22051a931962137cc01847697673ae0b2e6d63348a0cb0187c84a82a670a1cea7d900bcf7c47d599bb02399586255cc381e476026a54e668360aa8

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
198KB

MD5
7ea1ab76c26c6a6b36e59d298eee3b11

SHA1
969c6dd0bf0c55099d1fce401c5b1afe8cffaf7c

SHA256
5cfcbd67d7d3c04a6691d15997c69aeff2c91129f3d59dd9b46b75f3c1f9e91a

SHA512
74dc0878717362ff09aa8ec376195c57114be0f4631db07dc4089150b049160c0efdbd84c1d9681b61abaf819c98a8f9d22177cf5a631b62326dafca2879026a

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
198KB

MD5
17191e7880b05ef0ee97742d83af1fe4

SHA1
d52afe108bd6ca8c7540db5ffeeabd0aef50783f

SHA256
0ee4ef893ec8a00284a1392c4d8a918dfda244031089a122927bf208fa950dcc

SHA512
e429659426f16d46cb0f976be3d4e980dd8258970f2a5e3c8da3968016089b04e97918d5d08927d29cc7ba1f79305abf5793f3181fe30a60e08980507633070c

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
198KB

MD5
9fdcbc5157498159b2dfb8a2f007e065

SHA1
81cc3be5ccb1dda4f6234d04f7fd964abb6df5e6

SHA256
7a52f59f1ffd0fe4f2b373b4b3044402901ed6493dcbeb378b5c5e0e11a5719d

SHA512
399297d1f2cb7a03bbfea2541f83eade6f6d20e4ce4a04783ad226f9b2b3daa9de36b1112c14365a058b740484f14e1528b44d239e3326d6e0ca65420030f3b9

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
198KB

MD5
09cd4e79cb49e8043fb9d27168259955

SHA1
baafb7ba940a9d88e3d09602911a3bd2aec39149

SHA256
f4368b260442d0159390262c97c203905e2e790754ae0bcdb5ebc0acb2b58aab

SHA512
c0ed02c4abb23bf42731736f9b58758db12fc3515d8f4acd180e6c4578eaeac34de87f3ac8ed01399c83e233af4eface2cc250a2a7bda784bc77f94d0dfefe6b

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
198KB

MD5
cd1a5c33a6bbdfc4308c63afc8110d16

SHA1
1a972e615bbcdef9d748af50a9cee6e7eb723c56

SHA256
bb1975935734c46cf15e450a6d9fef51b5e07e2ffae7ccdbffc5933d8298833e

SHA512
7a75a33af425cf5f8d0d526960c948a2d86f7a52eb261efc343a6ca4c311f698aef10fa245462f266722ad64544046427cbb318b878a9c9709fff41682187174

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
198KB

MD5
8f9a1697cf0a7182832c798bb863c43c

SHA1
36cfea2d37f5748d22ddaddd646fc0e1ac77201d

SHA256
c5d8c4c5d510d4c333ebe76826e58d1fba68f6d671e90867db0d6522a452f1e5

SHA512
2a03f5262be10a9f9e11ad5871a456e4d739165370ef471758a9bfb11ad562cfbc27293c5f4059d72caf0e37d14c61933da962c47f0e6b0002b965d7d0491ef2

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
198KB

MD5
e9a2a19ac8af8aa2ad9a44a9538ca249

SHA1
8e6b8e1f45880abefbcc8993998f8e7138fcc3da

SHA256
b1f5b72a8536f32cefdf3fe3f37733bc5b34efe49daf5eaa2088b9d425372c10

SHA512
94254f198ab96cbe4612eeee403afb9900c6936432bf85d26280d6db531ebe197909be797360309ffda39a7bf876dc30d89d735eb9c8f71e227f9b12ac4bddf6

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
198KB

MD5
2b29915ddf8c47fef6956feea235308d

SHA1
78ecace5436b0dccd4da6485fe2bc5bec52c5fd1

SHA256
80e313a23512f705d56c17feed582d23689a4e630a62a5f1953db86caf8adeb3

SHA512
f21b39a2597f939196a6100e2aa6336e5252cbf66ea8b805b66f603b89c26be1b44aef30778a99e031e89f2261e508da4f46df732bffbb72ceb972fe4a11add1

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
198KB

MD5
0187bbeb108e3b833bdca27477666b33

SHA1
47c17e9f7427feb79e5a93396f4091a0ff6a5eeb

SHA256
be141a3fa1813e495ba195db5f63704cea647ad2cc075f4c404de769c12599f8

SHA512
af449b34521c32d64b54088aeba622861fc4e15f78bbc87403cd6d6aad5143af7f3c849625f673e28e58aa1dbf698adb83b48377904b6a01054625058488c897

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
198KB

MD5
1f2224148a969dcd3ce463cdd01bef01

SHA1
97287ad8b140c581416a65545a139287a07f2e4e

SHA256
e6ae2074fa83896509c6ba87cf7911104bcfd95bb983da50896d7d8c009b0500

SHA512
5a2bb832902af7ead8a444c9d08ec75a7f650271ccb8b995e09fe184882e7cc3d3b60da749ebb3006a30dcbeb6995ce2b25207a336841273cb892e86bf1ac4bb

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
198KB

MD5
a044473ae29e34f5a0e3984fa302e0ac

SHA1
c4ec500a6b8b8912d48de40b8cc1c5ee4fcaeec2

SHA256
871fe50944743d2d23c03e07b32ff97a7be95a579285714efd7fbfb6180cbc70

SHA512
8632d700b6c98a6762e1c626d7fce192fbfd6ab11fa2d56a8f6e8338297317878bb7c8efb454ab2272e8fa8b15153218b402b154d12f07ae007ed19bc562d83e

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
198KB

MD5
9b3d8fa5b0f8c8b7e7b8db6458d38403

SHA1
a2c83c36e1d1b94ee7fdb9709c2d21b2d8e89553

SHA256
152f1a11ab9c7d6b44d437740908c0e2720e77c7a73b18f2d06a15fab2ee0918

SHA512
dd8f7ac5ccea7ab610c48087ffe9cd406c74f40738d4dd5d986c4c32e5546a35aaca91c4a539b532b706cd14bf7e5c482144e37c2470821802a9bbd544665a89

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
64KB

MD5
d8b83fd84f577d672fd7793023f4935b

SHA1
7c3d5b3dfdffe17d02bf9c8e30414eb8f5d97e33

SHA256
a7480d2254f07aa75e3d882054e1e435edae928f8c1a8275a5e1a29fe03fd5cd

SHA512
3758b3fa29b519faec041acf7644085f5c44f56ee67e66229c8d1cbeb136fdda7a78923dba5d575660eeace928c84b828b49125b8d4e78ab334e5afb26d8b661

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
198KB

MD5
36f939bb08f0f39c18357f3034686db5

SHA1
9cd5d948ebfaa1d5efcbda200db0c80dcfd4a2fd

SHA256
7b08360887d541e40b1caefc31cf25ce50caf285a4cdfdaf1721ef61ca8fefc3

SHA512
8e7dfdccf903121d74b488982499fdb0fba851bea109ef1899f76d3550fbdc0f24be723e40f61fa7e0bf76e580edb23d9a706fedeb45805ecfa007cf0527a5cd

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
198KB

MD5
2df91c5cc7a4d34ee30f6778af01fafb

SHA1
16a74b77201c394e5a3b6f003230e3ce517d0ca3

SHA256
b523909652c985b0ed7c975d574eb9a23537eef3d040f1088fc538fd4d45eaa3

SHA512
8a40f9909025d6d203eec56ac8c8882542bbe5e273bb24edea486d969b989ef461a61fbf12524f56bb0996feda3bb1e4ba6ec1216a944c4671eb59e525bc1dd7

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
198KB

MD5
1cd6004e735d1a89a1f1745175500778

SHA1
332cd472564a231149d97a4981ebd0bed102d2cb

SHA256
56d1a0caef18865865515c25a10271d80dda3b0f543c6bfa75d1fd174c55d542

SHA512
dfefcf9df039592cee4615e72446e69850cb99ab664fa405f69dec1978f85b076bd959005ac421424af76e5463aadb9915b3284fc897fa596dfd4d3ea433dc09

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
198KB

MD5
27c7e7959d225d8eb4202b37acfe9691

SHA1
fef1a99b983ef6ad14e1094731cd49462e4933a2

SHA256
002da9e9cd6fa42d27d136173f1e499001c4003b3ced04bd3888d84b653f2803

SHA512
001dc747a58ca08a3774d7e9578baf7371e04d6024815c5fccfa3c66dacaf210e9a608d4086fb34cca1408a5468757475400f511dc8937d41444f91294bd6b86

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
64KB

MD5
fe61eab37384c9f937dd6b96625d8304

SHA1
2b294fed80f809d12be99411b0203d06ba66daab

SHA256
dd560a54736b7e46de4de87d38516dd6d45a996b6a84c6432d8e378ac7def7e8

SHA512
fc180f7b9373767d8e360cc05b2cef64908e0b8487cf072cbfba51431d603cba9bda98eb66152b644efeff5ee116c76e941def0fa369fde5884475660f0f5177

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
198KB

MD5
f3ff8ed569885122bacd1ccd999b27f0

SHA1
81685506eaed247f420c2a6f27c78372d9e8b4cb

SHA256
fcd1eb8fc35b82ca9fc8215ddbc33beccec9627578dd83eb527ce46966e71672

SHA512
539b2e3330148ef7126bd839c36a20c8a99084738676b69f5e55ae805ec2494597a07bd905b569065dd5637606ade2fc113f4145b44d6fb7027d9b235df8689b

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
198KB

MD5
160d39f9adcec9966d7c092776e8ac72

SHA1
f68fd22164138da272424a1c19aa94d008c3dc47

SHA256
ddeb496c8639d083b4b2d7c7fa501025370697534ea1ef4b03689ed655ac1c48

SHA512
ad507a10b396d99bb95b0a34f5c16a1a628ffd42a3d1d06f529e74343e4980e702ba9291996508b8ae7e94ad07782da965c62817c4909b8be37ede6de0c61f78

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
198KB

MD5
f1963e5829ae11e174a1fcbdf8e3f157

SHA1
87ae2cf2174c9b6d9798c3a6874d3c2a5f0b6377

SHA256
5285a6eeb72299ae9cbd315b2be87cdd02087d2174142b6fd6ea44cc4a9218ce

SHA512
2c9985e0c1b3a1405c4162a9b50d29ce4eada6614e9f790ddf091e18f555518be795ca2a35625fb51733196a8a436cd6b6f6ad6e81c7329f45c0a7ebd595f149

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
198KB

MD5
e7663502d1e73a3104c6ee0caded3412

SHA1
9b011c3f2bbe79ad833ce365be7362bb78f3c75f

SHA256
134fab48220a5a060fb98f6f6915661fc60c719819ae09cec603e8434b0fc1ae

SHA512
cbb76dc81f2be49e426d7f83bada2343bcaf9f3a90541285f29c0af5650690e847860fc354fab7ea9d1db32e33163260ef0000bdcbca1dc207b64b3b4c06470c

Download Submit
memory/412-549-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/412-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/440-413-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/516-543-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/544-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/624-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/696-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/840-461-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/860-425-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/976-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/976-580-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1000-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1004-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1052-501-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1064-598-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1064-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1080-423-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1172-533-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1188-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1324-521-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1428-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1508-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1580-329-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1596-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1864-405-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2052-509-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2156-503-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2196-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2256-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2260-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2276-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2328-146-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2356-575-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2396-564-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2448-496-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2468-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2580-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2668-558-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2828-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2932-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-339-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2968-92-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3040-407-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3092-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3092-587-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3196-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3228-581-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3324-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3340-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3356-588-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3528-556-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3528-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3576-527-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3624-485-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3628-353-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3732-437-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3808-559-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3808-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3848-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3980-283-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4076-450-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4104-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4112-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4204-443-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4216-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4244-550-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4276-275-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4332-323-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4388-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4404-273-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4412-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4436-236-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4448-477-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4460-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4472-309-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4504-395-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4508-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-254-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4564-566-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4564-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4592-431-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4644-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4676-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4704-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4708-519-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4780-455-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4792-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4856-479-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4872-570-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4908-573-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4908-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4976-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4992-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5068-267-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5112-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads