f4d95cf19f873677341332d33aa8143a7b4810f47b55dbbf79c8651ef9a49b2d

Analysis

max time kernel
96s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fc190a6619ba8e0c9ade1f815cbe7d0_NEIKI.exe
Size

264KB
MD5

0fc190a6619ba8e0c9ade1f815cbe7d0
SHA1

adad0665b14d12db85b83beb26c3169b2ca7a19a
SHA256

f4d95cf19f873677341332d33aa8143a7b4810f47b55dbbf79c8651ef9a49b2d
SHA512

7be8bc623e0484d1f1cb15d0b3430a157302433f043735d7157d622a8325933c5675a2b02a4fe5c6e8748e87e7f0956f9bdc253c65fc096a70cbbbf58b4a6d72
SSDEEP

3072:qyy/d3OHY124ho1mtye3lFDrFDHZtO8jJkiUi8ChpBhx5Zd424ho1mtye3lFDrFA:qyAO46sFj5tPNki9HZd1sFj5tw

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe

Executes dropped EXE 64 IoCs

pid	Process
4816	Fqaeco32.exe
3032	Gcpapkgp.exe
4444	Gqdbiofi.exe
4388	Gbenqg32.exe
4988	Gjlfbd32.exe
3308	Gmkbnp32.exe
684	Gbgkfg32.exe
2304	Gmmocpjk.exe
2840	Gbjhlfhb.exe
4688	Gmoliohh.exe
4976	Gpnhekgl.exe
2724	Gcidfi32.exe
1584	Gfhqbe32.exe
4472	Gifmnpnl.exe
1744	Gameonno.exe
5024	Hclakimb.exe
3684	Hboagf32.exe
2008	Hjfihc32.exe
4176	Hihicplj.exe
3280	Hapaemll.exe
4968	Hpbaqj32.exe
2024	Hbanme32.exe
3724	Hikfip32.exe
3636	Habnjm32.exe
312	Hpenfjad.exe
1268	Hcqjfh32.exe
1408	Hfofbd32.exe
5048	Himcoo32.exe
3676	Hadkpm32.exe
2900	Hpgkkioa.exe
1416	Hbeghene.exe
1772	Hfachc32.exe
3012	Hjmoibog.exe
4368	Hmklen32.exe
4468	Haggelfd.exe
3492	Hpihai32.exe
4136	Hbhdmd32.exe
3556	Hfcpncdk.exe
1700	Hjolnb32.exe
4488	Hibljoco.exe
1528	Hmmhjm32.exe
1984	Haidklda.exe
3904	Icgqggce.exe
5044	Ibjqcd32.exe
3116	Iffmccbi.exe
2600	Ibmmhdhm.exe
4896	Ifhiib32.exe
2812	Ijdeiaio.exe
2832	Iannfk32.exe
2432	Ipqnahgf.exe
3196	Ipckgh32.exe
3708	Ibagcc32.exe
2400	Ijhodq32.exe
3104	Iabgaklg.exe
3852	Ibccic32.exe
1600	Iinlemia.exe
4804	Jpgdbg32.exe
4752	Jdcpcf32.exe
2644	Jjmhppqd.exe
5028	Jmkdlkph.exe
4808	Jdemhe32.exe
2140	Jfdida32.exe
2168	Jibeql32.exe
4788	Jplmmfmi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Gbenqg32.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Gpnhekgl.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Hclakimb.exe	Gameonno.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Gmoliohh.exe	Gbjhlfhb.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Ijdeiaio.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Haggelfd.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Gqdbiofi.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Hclakimb.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Himcoo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6156	5648	WerFault.exe	231

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0fc190a6619ba8e0c9ade1f815cbe7d0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 4816	452	0fc190a6619ba8e0c9ade1f815cbe7d0_NEIKI.exe	80
PID 452 wrote to memory of 4816	452	0fc190a6619ba8e0c9ade1f815cbe7d0_NEIKI.exe	80
PID 452 wrote to memory of 4816	452	0fc190a6619ba8e0c9ade1f815cbe7d0_NEIKI.exe	80
PID 4816 wrote to memory of 3032	4816	Fqaeco32.exe	81
PID 4816 wrote to memory of 3032	4816	Fqaeco32.exe	81
PID 4816 wrote to memory of 3032	4816	Fqaeco32.exe	81
PID 3032 wrote to memory of 4444	3032	Gcpapkgp.exe	82
PID 3032 wrote to memory of 4444	3032	Gcpapkgp.exe	82
PID 3032 wrote to memory of 4444	3032	Gcpapkgp.exe	82
PID 4444 wrote to memory of 4388	4444	Gqdbiofi.exe	83
PID 4444 wrote to memory of 4388	4444	Gqdbiofi.exe	83
PID 4444 wrote to memory of 4388	4444	Gqdbiofi.exe	83
PID 4388 wrote to memory of 4988	4388	Gbenqg32.exe	84
PID 4388 wrote to memory of 4988	4388	Gbenqg32.exe	84
PID 4388 wrote to memory of 4988	4388	Gbenqg32.exe	84
PID 4988 wrote to memory of 3308	4988	Gjlfbd32.exe	86
PID 4988 wrote to memory of 3308	4988	Gjlfbd32.exe	86
PID 4988 wrote to memory of 3308	4988	Gjlfbd32.exe	86
PID 3308 wrote to memory of 684	3308	Gmkbnp32.exe	88
PID 3308 wrote to memory of 684	3308	Gmkbnp32.exe	88
PID 3308 wrote to memory of 684	3308	Gmkbnp32.exe	88
PID 684 wrote to memory of 2304	684	Gbgkfg32.exe	89
PID 684 wrote to memory of 2304	684	Gbgkfg32.exe	89
PID 684 wrote to memory of 2304	684	Gbgkfg32.exe	89
PID 2304 wrote to memory of 2840	2304	Gmmocpjk.exe	90
PID 2304 wrote to memory of 2840	2304	Gmmocpjk.exe	90
PID 2304 wrote to memory of 2840	2304	Gmmocpjk.exe	90
PID 2840 wrote to memory of 4688	2840	Gbjhlfhb.exe	91
PID 2840 wrote to memory of 4688	2840	Gbjhlfhb.exe	91
PID 2840 wrote to memory of 4688	2840	Gbjhlfhb.exe	91
PID 4688 wrote to memory of 4976	4688	Gmoliohh.exe	93
PID 4688 wrote to memory of 4976	4688	Gmoliohh.exe	93
PID 4688 wrote to memory of 4976	4688	Gmoliohh.exe	93
PID 4976 wrote to memory of 2724	4976	Gpnhekgl.exe	94
PID 4976 wrote to memory of 2724	4976	Gpnhekgl.exe	94
PID 4976 wrote to memory of 2724	4976	Gpnhekgl.exe	94
PID 2724 wrote to memory of 1584	2724	Gcidfi32.exe	95
PID 2724 wrote to memory of 1584	2724	Gcidfi32.exe	95
PID 2724 wrote to memory of 1584	2724	Gcidfi32.exe	95
PID 1584 wrote to memory of 4472	1584	Gfhqbe32.exe	96
PID 1584 wrote to memory of 4472	1584	Gfhqbe32.exe	96
PID 1584 wrote to memory of 4472	1584	Gfhqbe32.exe	96
PID 4472 wrote to memory of 1744	4472	Gifmnpnl.exe	97
PID 4472 wrote to memory of 1744	4472	Gifmnpnl.exe	97
PID 4472 wrote to memory of 1744	4472	Gifmnpnl.exe	97
PID 1744 wrote to memory of 5024	1744	Gameonno.exe	98
PID 1744 wrote to memory of 5024	1744	Gameonno.exe	98
PID 1744 wrote to memory of 5024	1744	Gameonno.exe	98
PID 5024 wrote to memory of 3684	5024	Hclakimb.exe	99
PID 5024 wrote to memory of 3684	5024	Hclakimb.exe	99
PID 5024 wrote to memory of 3684	5024	Hclakimb.exe	99
PID 3684 wrote to memory of 2008	3684	Hboagf32.exe	100
PID 3684 wrote to memory of 2008	3684	Hboagf32.exe	100
PID 3684 wrote to memory of 2008	3684	Hboagf32.exe	100
PID 2008 wrote to memory of 4176	2008	Hjfihc32.exe	101
PID 2008 wrote to memory of 4176	2008	Hjfihc32.exe	101
PID 2008 wrote to memory of 4176	2008	Hjfihc32.exe	101
PID 4176 wrote to memory of 3280	4176	Hihicplj.exe	102
PID 4176 wrote to memory of 3280	4176	Hihicplj.exe	102
PID 4176 wrote to memory of 3280	4176	Hihicplj.exe	102
PID 3280 wrote to memory of 4968	3280	Hapaemll.exe	103
PID 3280 wrote to memory of 4968	3280	Hapaemll.exe	103
PID 3280 wrote to memory of 4968	3280	Hapaemll.exe	103
PID 4968 wrote to memory of 2024	4968	Hpbaqj32.exe	104

C:\Users\Admin\AppData\Local\Temp\0fc190a6619ba8e0c9ade1f815cbe7d0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\0fc190a6619ba8e0c9ade1f815cbe7d0_NEIKI.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\SysWOW64\Fqaeco32.exe
  C:\Windows\system32\Fqaeco32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\Gcpapkgp.exe
    C:\Windows\system32\Gcpapkgp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\Gqdbiofi.exe
      C:\Windows\system32\Gqdbiofi.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4388
      - C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        24⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        25⤵
        Executes dropped EXE
        
        PID:3636
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:312
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        28⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3676
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        42⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        44⤵
        Executes dropped EXE
        
        PID:3904
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        45⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        46⤵
        Executes dropped EXE
        
        PID:3116
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3196
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        58⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        59⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        61⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        66⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2588
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        70⤵
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        71⤵
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3856
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        76⤵
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4084
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        78⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        79⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        80⤵
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        82⤵
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1740
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4620
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        86⤵
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        87⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        88⤵
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        89⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        90⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        93⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5168
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        98⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        100⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        101⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        102⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        103⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        104⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        105⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        107⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        108⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        109⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        110⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        112⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        113⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        114⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        115⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        116⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        117⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        120⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        121⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        122⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        125⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        134⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        135⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        136⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        137⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        140⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        145⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        147⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        148⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        149⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 408
        150⤵
        Program crash
        
        PID:6156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5648 -ip 5648
1⤵
PID:5912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
264KB

MD5
33d0d196be939569230622dbcf780ed2

SHA1
a9a141f0e0fd4c86eb16e5a51d50255ac560128e

SHA256
9b4d6f53837fef94a37eb176601d55e6837eab85f3ac70bf6ae787309e572b88

SHA512
943d92efb0fd5265870a4cb233ccb8208157d6f48459ceb788470462dcfea930ee87be0a1d703db992cb996fc33ca05ad3abf88f6ba6b69002c6d61b587eeb48

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
264KB

MD5
2c78281f39e756467543f1fb388c557f

SHA1
5e79910218bdf924fa59fc9404590873ca4e3d9b

SHA256
4b61f8e14a15fd924f4f76f4a84bbc565c7151a112f34e6f7b7b8e13753ffc87

SHA512
e08619beb8724af07c79ecd507b95d9e4d16bc2108b9833f097eabaea5117f8b218289779a2c1bef9b3ec7d2e476c23ea906e598d9a299d361a862f016180111

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
264KB

MD5
ee289cf3a60a4114b8c70bc0104dbc25

SHA1
b068202434ca131a3ee129e900cd6333f20f4a2c

SHA256
24ba53ed58c7e88fad0e7b33ce867df81fe164a57e53f16054d283a4f6f929cc

SHA512
c5dd8c3cfba27bbf20f4cec9300061c76ddd403b2b92b594c5d7ce8317ac157d7b3167a9292db96e61377ecdf0d1c22c0a6c0d455484171cdc398353430813f5

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
264KB

MD5
ab27816a24879d19e39fb94cc810b804

SHA1
0377c8cdbe1628f91598449bdd1f4112a2beee6b

SHA256
bfad6b53361e1000a564812998149ae6bd3bfa709ee0c401f863a7f7e1811c4d

SHA512
c369dd29c14e59774480c6505595ec105fb5dfebb108c4c38137230bfd937c136f54b4d4d6acf17cbe42d46c33a7ab1e4cc730b8767c841a47554f82c04d8da5

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
264KB

MD5
bb72730a889ad5f8b8833e0a3e862d1d

SHA1
582d7d5239f176b2ba5deb0f8960179a0812f59a

SHA256
7f7dbd1864ed14916820c6477c5b3c7fd77ee007ff5f3570cd6488bd65b38e08

SHA512
b77c4e962d0a901ae6dbfe29eb28ba31c46372eb83813a20f37376f1d39f2a96c4a33a33ba913ec9d4a525ef6a7c27b1d41dbca484ef4a1d5217e65ac5f0c347

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
264KB

MD5
28535c1c0b6b48d519d30dde3e39d6d1

SHA1
64b8ae4ec5e2d045a81337487c8a91e519049cb6

SHA256
7345cf92d2d42b74e86fabaa95523847859fdb30e16a90e63ca558e69b2f257e

SHA512
447181bd82e69922ab14c818f93f90331449740f0ca90f3b4b0eecb9dbcb47555ad7b779bbac4ef19b3270b16bf25154dc9b648ae23f44d6fd4814d2d44f4021

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
264KB

MD5
c53cbcc2e08021ab095286ee2676029f

SHA1
4e4a71d1ee1d2b77fb8782045a7bbb909a200c55

SHA256
dab64a3fb25d1dc9fdd27e16daacd191d0bfc2d3f0f8284d3211e035d7aca6fe

SHA512
55f60805693292de0814e92ddc42ae48611ec33d91c060dd3c080c65e8928efcfb6c96358456eeae236e609d2d6c5d50a453e48947cdbe543b14f5a14379987e

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
264KB

MD5
285c35f30dc8147cb527146f50cc2b33

SHA1
66bfa75c84da00abbef8ca30aa8ebd0a8625660a

SHA256
8061244df6acdb92ee3a5feb28f75eb7b229ae482aea8bcd120a8a7203d2213f

SHA512
85e3a98953876da8130aa5a4f8e472bb265e198b742bf3eccd61ac091b6d4c0886e0b5811e538734eba43756b332fc3538ff8eae93064a953a85b3522d2f1ed9

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
264KB

MD5
2a20fba22db0ec0c4259e3672860d834

SHA1
dd66dedf913dd352caa9911138840a9bcac20b16

SHA256
6fa5e344c151b40231385e75efc1d9ae4b7ce926afbb6298bce410a14205f26f

SHA512
ad2ffc4b71704222795a4b05acb3dec860c16857e8598d950a7e28bd1602114a2ac8a03bed739f8c092ec1cef7a645c61750f19a87eedc03486fde8db9424abf

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
264KB

MD5
3b78835f67d139c5431200dd3cb78808

SHA1
95f831809eaedc3ef80b17ecf017011e1a4d7c53

SHA256
cf386afd1bb3dac56fe255c8476975bafb57efae44809233f7867a4b7b0dd980

SHA512
ef135b1a6e4835ac8646c39180093a6bb50c2f9b636a976e08ccb656cc232f531f0da157814e7ca6d9eef15beaac44e56f5d4cdeace01afb0abd1cec3d1153c3

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
264KB

MD5
5509b681e954ed8af37469e5a5e56a1e

SHA1
8b1c30e5dd00ff926ace4637db57340aec49d726

SHA256
ad08d505b6942bfea2816fd2e74774d49966bc9b8ccca324d189592ad52e9f1f

SHA512
dc1fc94848a44401da27e7d85c0f6638b517f4eca66e29281415ff12641198c9c84bcf9588d8853a550b28126202dcf6dbcdbf5d3f00de53e4570d3c14075e26

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
264KB

MD5
fe7d498d033576a80bc6da17f4b39a68

SHA1
126826281a6a6348c179e0cfb529677950d6dc50

SHA256
d077de6a38efabf83a7775b29d6a73e842a4959e6bb0dc4112a719cb3bf154c6

SHA512
8f18778007c115b98ceb26ec985132f1412b4427429bd3a0ac3ea67a4e918e5651f6a68a9f989394ced1108e76d26027bfee84bdbcf9eb120c32cc4ac0d4c214

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
264KB

MD5
de4ee02795e4688314c87f6642994563

SHA1
98d5b0ac8df4e8c831db1e8f05aecc8870a7ecb8

SHA256
6d53c05db60b9e50a2a49ea11194e9801dee3c360e86369d0361d298b1154646

SHA512
6c836282b4b12599b7eed6408732da3fe03ccf411306d0d072ddc540baa094f49ef96b589566573e6e0fbc1677c78cc1aa465ccf5e955ffc4c1bb320f049d377

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
264KB

MD5
24c02b88b07ca094d7f496d20bd1c543

SHA1
0e89d0e8e1ffd90f474475bd84e0074d0b18a31e

SHA256
379701615fb354a99ffeb787ed25a369feba8006264791017e5652f11be3356e

SHA512
7a370cf8c2a5cca76a49af5773d8c6cb8f1ec4e0264b27d917b026665d73746c1cfc014a5f5778b3a1546fb3185d0460bd7b4f69005362c5dc68e41b42108a6d

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
264KB

MD5
cab2b5803c357007d47e9b775828494c

SHA1
d895c98ab8faf9f02eb722a8c61e22ad31d15bbc

SHA256
89c80771fd87db84a4948dbff1bba9fd673020fd0f1bcaf489c41a81272d6749

SHA512
91ce76efcbfde10c372c07de98b44b301219e5211601177e45587917dd0611f73bb8a2f8bb7701a10a13a37eece42e19767a450f637c6fb01760e57e6fab3340

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
264KB

MD5
1b9e31eee0a699515965eaabd727054e

SHA1
462a53b8b710d09130a7f9c139c56271c0e57964

SHA256
b30141592918b41da001574b4129cca5e3dc406bcabfb1402ab87f076b630fa5

SHA512
6397105e4788a5b65ec454cc500991cd2527b056063730d709d9d280548b133c51996eb50998b1ddd614f37f013db10f4eff880998201c920a905632d62814cb

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
264KB

MD5
0a864f3e55c3fb0bfae4df9b27d14832

SHA1
8ec9904131255c641f67c039c140058949f277b9

SHA256
213cc40472ecaea9b533eedd9607f6747b8a52c96e65a4c67a8472aa73f2440a

SHA512
ac67f3fa85d29526b3631116b85708eaebbb29b9d9bc93b9513f3d9aa84fc56df884ec415d916eb401b45a9a2ed4d762f3ae84d9105df957e97412cbab7c626f

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
264KB

MD5
5ccfafba608f4c7d917229ef8defd899

SHA1
8ef9f0e7a990ab000cdf5c5056ef18d815911ea4

SHA256
fdd2ed1facf21419490034ba7f013fb3e50ea3ea04503a4d2bba0dfc31ca505b

SHA512
5f7fe0e66fdf698b3f595ccb4320f1943a314f56db100eab1f21a40ef8666e26a011fd8dccdd098a2099465fbdcb984f9732dbd4335c72f08f10f821c3db67a2

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
264KB

MD5
a347d8195d744dd9ee2e18bcc2cdcc4b

SHA1
fc92084cae6e8759fa7b31eb3f410c00d48cd223

SHA256
958203d11ce7f301e94665eaf124311007790458f82a786699824dc36974e585

SHA512
fb57eb5f7e3572679c03516934456b36769c118c7cc78be38adba3dc313c13f19be243f6e90aad06025b6e1cd9d98579770d3ce541ff97bfa2dd798d41987066

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
264KB

MD5
76b7fac6472bb26dab3d5f7be235ea30

SHA1
9567f6ad6c6e8dfc81ea6c49dc2e20a06a56e808

SHA256
d484e360d622f1d0faa388c0bd11ed7e590ccb9171321933f1ff4b903a75ea61

SHA512
a25567a1796eedf5e8e2b9469880f16ccf84a6230e8ea02c41394f787f40fd8420a1cfc335b9a02cfb8513dabc9480318bd1f32eaf4eb9a7392ead7b107dd66b

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
264KB

MD5
e0f03fe57efbaffe9deffcb5b5566fce

SHA1
2051e9db2cdb187376308110e210668b15f429bd

SHA256
2b03b126f0b6388a9333d6a13d78a17984b5d718d42d21df01eae4218be887d4

SHA512
665c806c8a5c96e25dec06180f18768825af553b6937b93d99fdefac7537737f504e202bb7bf5fe820cfcc08d0dd13a4f9128a97c8e9791c29717d43ec929ee3

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
264KB

MD5
a28f76e6bae08b116cf6a5db25f30c94

SHA1
fbf23814bb15f37a82e9780563a77e31170745b9

SHA256
f723033cd3cc40feaf7cf377064881d692f03df95fbdf32fc06cfa6648268026

SHA512
d6258becd2df4d9bb40299257c3f719daaaf099de61ec154c3534077fea30d610d484cdcd69dfa557a67d750acd16b200ed661ab91b4377cd01c450e81fad655

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
264KB

MD5
b9195f7f3b736ae57905238e36c45d4e

SHA1
28ef359f36584d3153e9f548e279bdb69fe1122f

SHA256
2a9b7cef784170fbadb61c216cd66f999e2bf4b1c094117bd8afedc77ec01f04

SHA512
9641be5a37777fbe2424dac3987c341cc4fa9885acf9ceb59fc39bf0508377b25b1cf827cec7f4795c7df8965d2e28faa60e688b2c4ef32d0ae7586d77030d7d

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
264KB

MD5
43f069d7b5ef3c03ac1c1c96b78418ef

SHA1
2b7d83650cef3ac51f8bff35d84b669a33b504b2

SHA256
7f94699aa6adf3fdff610e51bda54d452cda907fa10a1123822ffc721047bce4

SHA512
f17c7dfc127c0268ff3d3f4736df9d819a328f285fd17518f700908dc1b210e0804773e7bbc4498d12b762c9ca7bf7d8418b7f6be62e2c20307dccbaa4bedae5

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
264KB

MD5
9e9813205376495217263d57156dfc49

SHA1
c48fb01f8ab4f6a999659be9b9c6c8f02d340152

SHA256
fc80bc5f719b143dd97707b12610b60d6cd93df6c2a514c0292a8fce1fbfe9d8

SHA512
796bb933341e24c6e187872ad9cc46465521897d39422898783d9625b66df93ae2ed483d9ea2f0ded999254fbcd579ad63234fc9685cdf6929733768b94ca5ab

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
264KB

MD5
478607a96e4c6d16be564e33f8a4f866

SHA1
288fd92619e7692beec7ea62767cc1334303ee16

SHA256
09d814c7a1eacf6eea91f352d479ad7d5e1bdb0cd7f5c76ece4243d74623c45b

SHA512
3ed84858145912572b5eb9c9b96d18a9e80efaa9bc7f31a24f3f7a04d54a5e92dfa9ae8ef687fa65fe0d78035f1cfcb31167bc6270665934ffd2386f9cccd089

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
264KB

MD5
586879e5cbb9d926c96259f54d4d590a

SHA1
95c8e01a7963bb55bc251f68b3234093c5b3605a

SHA256
ade5f2dde781b34795ab3926c27af2ee419a52a38952ff0576771c00f5dec23d

SHA512
74f80d0cece24200c75ed8ebbc0c0cc3cb38b89f95274c93b9cdcb19aa85f6ac32f6fd91025d9d440dda2284cf20f565a00a2becb046ce143d3a31c3f385aff3

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
264KB

MD5
c403fff5e5d76706dc4cf27f105e61b9

SHA1
73a8ba1e5f5905e68359c7e86026c3dbdff17d1a

SHA256
2afd46a1119b4a50e1d2ba19e18b0f8f21ae04be13588f30cc15cb8b193401b6

SHA512
78032b49ba74d89258231c9ab631226b0ad6c405f3b8431cac49d4096691e6f5b8f35012e693c55bd4bd66c41714c2d952bef36d4fb2edbf2fba94e1aac3d069

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
264KB

MD5
0ff531cb0e52840f212ab7c26243fec1

SHA1
df00cc8dc6449983b665829ba9165187858525a8

SHA256
bf1217d2f2011e551b41aa1fadb04d1acc57cec524353a84caf0b06b9dfe29cd

SHA512
2ce90204ecc2a4376be1e0309a15619cc2cfd9cea02622704718a1bc61592e2079b8a8c231f94ae74b0e98789eba965d8652ab3246c0cfe7ddbe87c641ecb7a9

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
264KB

MD5
600278bd646c43a78ba149a51d326fcf

SHA1
b56c35b930d17476c89acffbfdba028e6c735bf3

SHA256
2c037ced42fe08c59687402f80c722e677ba9cbdbe3dd04fbb47d83fd149e503

SHA512
94d613bb2e3533288f06d24775eecba2720d3678caac31e3cade8806862aa505336b278a7c1733595375c3a5bc3d2bf7ee3970221a1174bb4dd0d69289385905

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
264KB

MD5
cbce97e0ab9090c526cfdb0f9049bf4b

SHA1
ee0e89d30dcbf99cfc1fc01158ceeaf95aa1481b

SHA256
a044183daae131121f70b0f76afcf49c845918c86bd417a51c72be6b3a6c8f06

SHA512
840d8b60e60e08c96f8cbe5521ae5543f42e4aff7ede094e0bccd90b8d22e2306b3fbfeb18942974821041f8bdce3a3614a6b1b578e611f96afc59d899be9b74

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
264KB

MD5
ce993b240d2c780e49eaa0b5ea25070c

SHA1
4d3cfd5baadc0f53cb871dd3eb9a38ed1717b2f9

SHA256
692d1e7ca861b7dc64d13ebc369e8ffc273bc21010ae132fd57e3860584d0174

SHA512
55e223119e371b6a059783ea413e126d54e398205f2ee89f5355fd68a7f7a33d9bd39b179711df2c799f859091995c969f5e1137bcd3dc7e4bbbd44756871f5c

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
264KB

MD5
919afd34715aeb581f294bc1d5317e2e

SHA1
3734ab59d0666903d021ed35687216efe8d2e04a

SHA256
90ad0957551d0209ebadf1e7e7bcfa6d69a5899ca7e1369336d1b9072809b625

SHA512
6ba23620c024c6d93219ff376f6a1ad78f1ed329e79e5d89a5137b0b623e0615154f0d76bec8541623fb30651dc4fa9059094c051150401f1bd2b94e1d55fbb1

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
264KB

MD5
9196022989805ea709640ca85dd829d0

SHA1
c696fa47ceadb12ad2bfaa2ef8b52913d5f14b45

SHA256
dc4c467163ec81d5ee8b9beea74c2832071797d7c4de37bb1b154ef9273c63dc

SHA512
f66ae9083df0ee861d601093ce53841dfe645aaa2339a45c724af9ce34e6e883b5cad9571273f9fb06252386ffe686966f7dec5dbfaf579c1b94ea4a04356596

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
264KB

MD5
b7f699e38a47b7693e9806bd24121921

SHA1
a9183415676bb25519ce5099abfb7efa72b83996

SHA256
8d6dfcdc61c01d97884fb3b234fbe626a1e9b0a98f46ee01b70a972af859dedb

SHA512
d43f43f5bedf854ce8621de1f1a415c9ce7e77b49561ed6590fd99227164fd43fef4383dcee9ba76087717334314a36bd72b3264cc8590de26eed96abf3032ba

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
264KB

MD5
2f7b1e3375d22ada6476ad269ad2d4c8

SHA1
65f697fd5dc72a3e0cce95181b3b19c22a2564d5

SHA256
63c1af82bd774dd8323dc3d933cf4025e47d4432ead5cdc38725506fdad609c0

SHA512
50c88c1ce26163add724a636cba5838117372b4d121a5f5e9a469e90818225ea3fbb37c370a2893e0d46a296a6b79f3522494c149ee6ad1dabe1f6cb99a20b42

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
264KB

MD5
bc036e9f5f7503251b56fd68c251242e

SHA1
743c18944493dcb15ca966b09d299c41899bc3f4

SHA256
696d31e73279a01683a222865c7a18120be0c7238e17a73f9e942ca546b61fb7

SHA512
04a7aa76b4abbae3ea7e1e7909f82c36abff141713a65bf7b8b2c49d05a31c5668bfb2607a92bc6fb8f33d9037738fad9f187d226d24f46ad4e7e34a17f8772c

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
264KB

MD5
3f162c59ca6689298f791cab6c9a33af

SHA1
96007d6e91c99de06b600ac881e2ce9af03de3d3

SHA256
15a2485d37923b603af9966fdca231875ad5992826e23e16ffa76c2731accc6f

SHA512
c6b5eebbae457dec3788c1eb6f87543eb69fc70bd0f1ff2b334eb24abe09763e647a6e272edd77d2152a7766a83540fd742a04fe622f37bb7108cc21a32b2362

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
264KB

MD5
38bc3315facbe7b0afae6afb1ec28343

SHA1
a8c54815ae6c2d0f3d84ca0c1ce52b4ccb1802ef

SHA256
981449dec6268dd31d79b06fbafb9f3a0a7bd0068b99913b729e5b54fb86cdf0

SHA512
f607ae2ec539a4fa76971d0186343169cbe9645ba63d0a6f0401d626e1bdd84b4aed8e57edc2c429ffbc647cb608b3b58cc8d46c1877b494eab05af1df468ce5

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
264KB

MD5
5dcd1fb2e37c2ecb08e6ed9fc014d932

SHA1
7e949491893a3e4a020e4230489e5f455c67f898

SHA256
1f22db157c5d3b4c62c17ea47c1188ce1f6b9701d8c5c12897ba9a0dabb39afe

SHA512
bfd7c2fe153141c9fcba62286f241803fbe044feda2eff0d015f4ca1020b6be4de1a9f5964403b33d51fce6da0756397ac3f0e2d4ff46270c2edefa8468a7667

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
264KB

MD5
eb6aed15dbd3229841d609e800d8ab2f

SHA1
602b39ad525c5fd5e78f5d8f05252f3bc17b1489

SHA256
a9d77aabd30722aa8191a4e18194c1403dd7e558ee170729fd9d6ace5d912215

SHA512
882fc9b3e79a6fb8b35a4adb2332ddefce4e105bac29443c8e578a203b719ddac9204d2c4967506052c0ea318a11dd4396914cd502adbe57d858fcf131376fc9

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
264KB

MD5
cf4149260ad10d1df2eec4a19c1f07bf

SHA1
c965b0a8f15770a98ff1968e50790343f8e09971

SHA256
828a148da4da5b38d0e20f633428be21b4d631645ab7864bbdcd0af4c58888de

SHA512
43c27b9fa7f864e6db6f44a86d8ed82ba5d1c18c1d58c51dc0451d309c96a06942a7baae9b9288935846e0f8b218c04518839f633165f7f91e7e4f4c64dab97a

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
264KB

MD5
a96e52890dcf232f41f27876f34ce63b

SHA1
e39c7d3b231ff92e34b63fda6439d3b8c26a6003

SHA256
bbadec6e6036feafb59b55d2e36d7d980566d68c2b04d6fdcde26999f3bab749

SHA512
82bfddc27df683ce1525dbc862c830a0da7a4e5da4956ce30115f0a99eda454a19debd3d8357bd05e853a314cf1acab5a7a70d4a3c0611c3fa011b08df439271

Download Submit
memory/312-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/684-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1268-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1408-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1416-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-470-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-354-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1608-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1636-531-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-562-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1744-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1772-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-614-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-355-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-537-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2508-604-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-100-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-319-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2948-512-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2988-620-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3104-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3140-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3196-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3244-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3280-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3308-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3372-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3492-325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3556-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3636-313-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3676-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3684-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3708-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3724-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3852-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3856-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3864-598-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3904-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4012-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4084-524-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4176-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4192-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-550-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4444-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4468-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4472-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4488-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4620-568-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4624-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4688-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4808-435-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4856-574-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4896-360-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4968-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5024-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5128-622-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5168-628-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5216-634-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads