8a9bec158ffa0a5c3870400d1dff6e39312adb1080ad8ae96cd2af756a615ada

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a7f4ba10e3e2e8a1f5113e81194e950_NEIKI.exe
Size

479KB
MD5

2a7f4ba10e3e2e8a1f5113e81194e950
SHA1

1fe981e52666c03fd2c1ccfcbb784e3241dc4c93
SHA256

8a9bec158ffa0a5c3870400d1dff6e39312adb1080ad8ae96cd2af756a615ada
SHA512

c3a02e4c459bc035f99cfe615a35b06688f4193a6b0875c02007e5d148043fb275444153da00ab81829cd01b05f3eb14491168befc7f5e67a11b6e4b8cb2891f
SSDEEP

6144:IdO4XCv5+sycRJ6EQnT2leTLgNPx33fpu2leTLg:IdOEluRJ6EQ6Q2drQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2a7f4ba10e3e2e8a1f5113e81194e950_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpemacql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe

Executes dropped EXE 64 IoCs

pid	Process
2200	Camfbm32.exe
4916	Cidncj32.exe
2968	Dpacfd32.exe
4924	Dcopbp32.exe
1924	Diihojkb.exe
3936	Dhnepfpj.exe
3368	Dpemacql.exe
4988	Dokjbp32.exe
2112	Dhcnke32.exe
2024	Domfgpca.exe
368	Ebnoikqb.exe
4408	Ejegjh32.exe
4676	Eoapbo32.exe
4128	Ebploj32.exe
3236	Ehjdldfl.exe
1168	Eqalmafo.exe
2628	Eodlho32.exe
1376	Ebbidj32.exe
684	Efneehef.exe
2460	Ehlaaddj.exe
1588	Ehonfc32.exe
4752	Emjjgbjp.exe
1420	Eqfeha32.exe
1752	Ecdbdl32.exe
3992	Fbgbpihg.exe
4200	Fjnjqfij.exe
4808	Fhajlc32.exe
3960	Fjqgff32.exe
3224	Ficgacna.exe
4612	Fqkocpod.exe
4348	Fomonm32.exe
2348	Fifdgblo.exe
2500	Fopldmcl.exe
3400	Fckhdk32.exe
2524	Fbnhphbp.exe
2760	Fjepaecb.exe
3820	Fihqmb32.exe
4740	Fmclmabe.exe
4936	Fqohnp32.exe
396	Fcnejk32.exe
2448	Fbqefhpm.exe
2256	Fflaff32.exe
3488	Fijmbb32.exe
2852	Fmficqpc.exe
4520	Fqaeco32.exe
2716	Fodeolof.exe
3268	Gbcakg32.exe
5080	Gfnnlffc.exe
3208	Gmhfhp32.exe
5024	Gqdbiofi.exe
2328	Gogbdl32.exe
1696	Gbenqg32.exe
4240	Gfqjafdq.exe
4296	Gjlfbd32.exe
3904	Giofnacd.exe
4428	Gqfooodg.exe
4940	Goiojk32.exe
3216	Gcekkjcj.exe
2220	Gfcgge32.exe
5084	Gjocgdkg.exe
2092	Giacca32.exe
4968	Gqikdn32.exe
3772	Gidphq32.exe
3352	Hapaemll.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Dpacfd32.exe	Cidncj32.exe
File created	C:\Windows\SysWOW64\Mdmiambh.dll	Cidncj32.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Hbiklpin.dll	Dcopbp32.exe
File created	C:\Windows\SysWOW64\Eqalmafo.exe	Ehjdldfl.exe
File opened for modification	C:\Windows\SysWOW64\Eqfeha32.exe	Emjjgbjp.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ebnoikqb.exe	Domfgpca.exe
File created	C:\Windows\SysWOW64\Bppheeep.dll	Ecdbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Fcnejk32.exe	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Dcopbp32.exe	Dpacfd32.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Eodlho32.exe	Eqalmafo.exe
File opened for modification	C:\Windows\SysWOW64\Goiojk32.exe	Gqfooodg.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Fihqmb32.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Haggelfd.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhcnke32.exe	Dokjbp32.exe
File created	C:\Windows\SysWOW64\Fijmbb32.exe	Fflaff32.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gogbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Fifdgblo.exe	Fomonm32.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Dhnepfpj.exe	Diihojkb.exe
File opened for modification	C:\Windows\SysWOW64\Ejegjh32.exe	Ebnoikqb.exe
File created	C:\Windows\SysWOW64\Gedmgfjd.dll	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Fjepaecb.exe	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Giofnacd.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Icgqggce.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6356	6220	WerFault.exe	253

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbiklpin.dll"	Dcopbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeahce32.dll"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Diihojkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcglkid.dll"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2a7f4ba10e3e2e8a1f5113e81194e950_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Fomonm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhnepfpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejegjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkcdljbo.dll"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 2200	3908	2a7f4ba10e3e2e8a1f5113e81194e950_NEIKI.exe	83
PID 3908 wrote to memory of 2200	3908	2a7f4ba10e3e2e8a1f5113e81194e950_NEIKI.exe	83
PID 3908 wrote to memory of 2200	3908	2a7f4ba10e3e2e8a1f5113e81194e950_NEIKI.exe	83
PID 2200 wrote to memory of 4916	2200	Camfbm32.exe	84
PID 2200 wrote to memory of 4916	2200	Camfbm32.exe	84
PID 2200 wrote to memory of 4916	2200	Camfbm32.exe	84
PID 4916 wrote to memory of 2968	4916	Cidncj32.exe	85
PID 4916 wrote to memory of 2968	4916	Cidncj32.exe	85
PID 4916 wrote to memory of 2968	4916	Cidncj32.exe	85
PID 2968 wrote to memory of 4924	2968	Dpacfd32.exe	86
PID 2968 wrote to memory of 4924	2968	Dpacfd32.exe	86
PID 2968 wrote to memory of 4924	2968	Dpacfd32.exe	86
PID 4924 wrote to memory of 1924	4924	Dcopbp32.exe	87
PID 4924 wrote to memory of 1924	4924	Dcopbp32.exe	87
PID 4924 wrote to memory of 1924	4924	Dcopbp32.exe	87
PID 1924 wrote to memory of 3936	1924	Diihojkb.exe	89
PID 1924 wrote to memory of 3936	1924	Diihojkb.exe	89
PID 1924 wrote to memory of 3936	1924	Diihojkb.exe	89
PID 3936 wrote to memory of 3368	3936	Dhnepfpj.exe	90
PID 3936 wrote to memory of 3368	3936	Dhnepfpj.exe	90
PID 3936 wrote to memory of 3368	3936	Dhnepfpj.exe	90
PID 3368 wrote to memory of 4988	3368	Dpemacql.exe	92
PID 3368 wrote to memory of 4988	3368	Dpemacql.exe	92
PID 3368 wrote to memory of 4988	3368	Dpemacql.exe	92
PID 4988 wrote to memory of 2112	4988	Dokjbp32.exe	94
PID 4988 wrote to memory of 2112	4988	Dokjbp32.exe	94
PID 4988 wrote to memory of 2112	4988	Dokjbp32.exe	94
PID 2112 wrote to memory of 2024	2112	Dhcnke32.exe	95
PID 2112 wrote to memory of 2024	2112	Dhcnke32.exe	95
PID 2112 wrote to memory of 2024	2112	Dhcnke32.exe	95
PID 2024 wrote to memory of 368	2024	Domfgpca.exe	96
PID 2024 wrote to memory of 368	2024	Domfgpca.exe	96
PID 2024 wrote to memory of 368	2024	Domfgpca.exe	96
PID 368 wrote to memory of 4408	368	Ebnoikqb.exe	97
PID 368 wrote to memory of 4408	368	Ebnoikqb.exe	97
PID 368 wrote to memory of 4408	368	Ebnoikqb.exe	97
PID 4408 wrote to memory of 4676	4408	Ejegjh32.exe	98
PID 4408 wrote to memory of 4676	4408	Ejegjh32.exe	98
PID 4408 wrote to memory of 4676	4408	Ejegjh32.exe	98
PID 4676 wrote to memory of 4128	4676	Eoapbo32.exe	99
PID 4676 wrote to memory of 4128	4676	Eoapbo32.exe	99
PID 4676 wrote to memory of 4128	4676	Eoapbo32.exe	99
PID 4128 wrote to memory of 3236	4128	Ebploj32.exe	100
PID 4128 wrote to memory of 3236	4128	Ebploj32.exe	100
PID 4128 wrote to memory of 3236	4128	Ebploj32.exe	100
PID 3236 wrote to memory of 1168	3236	Ehjdldfl.exe	101
PID 3236 wrote to memory of 1168	3236	Ehjdldfl.exe	101
PID 3236 wrote to memory of 1168	3236	Ehjdldfl.exe	101
PID 1168 wrote to memory of 2628	1168	Eqalmafo.exe	102
PID 1168 wrote to memory of 2628	1168	Eqalmafo.exe	102
PID 1168 wrote to memory of 2628	1168	Eqalmafo.exe	102
PID 2628 wrote to memory of 1376	2628	Eodlho32.exe	103
PID 2628 wrote to memory of 1376	2628	Eodlho32.exe	103
PID 2628 wrote to memory of 1376	2628	Eodlho32.exe	103
PID 1376 wrote to memory of 684	1376	Ebbidj32.exe	104
PID 1376 wrote to memory of 684	1376	Ebbidj32.exe	104
PID 1376 wrote to memory of 684	1376	Ebbidj32.exe	104
PID 684 wrote to memory of 2460	684	Efneehef.exe	105
PID 684 wrote to memory of 2460	684	Efneehef.exe	105
PID 684 wrote to memory of 2460	684	Efneehef.exe	105
PID 2460 wrote to memory of 1588	2460	Ehlaaddj.exe	106
PID 2460 wrote to memory of 1588	2460	Ehlaaddj.exe	106
PID 2460 wrote to memory of 1588	2460	Ehlaaddj.exe	106
PID 1588 wrote to memory of 4752	1588	Ehonfc32.exe	107

C:\Users\Admin\AppData\Local\Temp\2a7f4ba10e3e2e8a1f5113e81194e950_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\2a7f4ba10e3e2e8a1f5113e81194e950_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\SysWOW64\Camfbm32.exe
  C:\Windows\system32\Camfbm32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\Cidncj32.exe
    C:\Windows\system32\Cidncj32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\SysWOW64\Dpacfd32.exe
      C:\Windows\system32\Dpacfd32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        28⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        29⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        30⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        31⤵
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        39⤵
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        42⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        44⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        47⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        51⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        56⤵
        Executes dropped EXE
        
        PID:3904
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        62⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        63⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        68⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        71⤵
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        73⤵
        Drops file in System32 directory
        
        PID:932
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        75⤵
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3176
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        78⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1196
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        80⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        82⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        83⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        84⤵
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        86⤵
        
        PID:704
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3404
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        90⤵
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        91⤵
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4660
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        94⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        96⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        102⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        103⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        105⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        106⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        107⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        108⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        111⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        113⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        114⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        115⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        116⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        117⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        118⤵
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        119⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        121⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        122⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        124⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        125⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        126⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        127⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        129⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        130⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        131⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        133⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        134⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        138⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6076
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        140⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        142⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        143⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        144⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        145⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        146⤵
        Drops file in System32 directory
        
        PID:6396
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        147⤵
        Drops file in System32 directory
        
        PID:6448
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        148⤵
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6528
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        152⤵
        Drops file in System32 directory
        
        PID:6644
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6696
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6736
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6784
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6824
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6868
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6912
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        159⤵
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        161⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7096
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7156
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        164⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 192
        165⤵
        Program crash
        
        PID:6356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6220 -ip 6220
1⤵
PID:6332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Camfbm32.exe

Filesize
479KB

MD5
25f6864cdaeab12ab4ed9452933cd5b3

SHA1
4154a4e779d5f19e26a9f045d5f3de127a775ea6

SHA256
8ee0dcd6d12dcec879e44963b64e5249b56651520df5a9e60bc278d19303030b

SHA512
b9b6f93ac792eb5164af9339dd7d9c9daf6127810930a9aaeececa1ff409b3399edda70babec62772148f53c56c1a57b7fe8ec29b5f6c42484640fd813922b5c

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
479KB

MD5
91a016f156f8f41ce6ba7f92cce0eab7

SHA1
fb35de5d5de461dc734bf831747654150f72be45

SHA256
6a757d4459f141d9e713e295417588d7aec15923f067b82f540cde9eaca8f3fa

SHA512
0099402d762fcbdde71bb893a67ebcfb6a0868d63437041e632dc64e1007678fd2c09e1f03854a5d0e51d53bac40acc081fd41fc3a5e48eb2795ae0f41f09f83

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
479KB

MD5
e6fc9d5f2393e521e33d7f53bb1fa9c1

SHA1
1b0247e30c9c4f574b165579458ecd21516b6aa7

SHA256
049b0afd1a452a9490d35d02c03bfb8b0baa7d768d9b2c4a8857d709c199c917

SHA512
bbfc17cd405b95cff1e0a65846c1390e44a8fad5d3fde72a5587fb13fd2d45bb4cc25e44ba614a0968be4537f68d780c0031e8f122fa8e048f505eae07e8ad55

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
479KB

MD5
4ee46dc9d3cb1ab676b5a8a23c8a55e7

SHA1
80de011fc536389774df15cf58022536b1fb99b9

SHA256
37f11616da871f8706e249b58685508982030241317d2ff62416bd0795af6cc3

SHA512
87f6d5057eb9b6dee9b8ce8da1cfd2b5683f9f61e997c0d93370a54343d11d087afbc3360f5f0410d18771328fe433468219b7fbb66c150424a23987282865ab

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
479KB

MD5
40a320591af30a4f623b671d7a235b51

SHA1
adfa9d1a6f4ac26d99e4dbe6612ae74004d612b1

SHA256
b8a25e6d427568fb33507e435fe33309da60573b7510921c9431ce8b410c95c7

SHA512
03ebeebf2f79fe587a75b26bda1189763ac838cfa091634bee096211159a963954a71fa707e1ae677a6f2378664af2f32390940def7abb1b4fdd80460a1fcf56

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
479KB

MD5
9785f0119f181b190a785d772a71ac28

SHA1
227bad95ca16a33088a6e68c265456e57758c40c

SHA256
7c2e23dcd93c2b913518e1de7e7b1b8d3254298fcdf66ffcf1c8fc9bb61ca943

SHA512
a973b370fd4978adb332d7770b4ca0745243d6456182a800d88e331fe9d7a3713ecefd128213e00202c919361acec33273a1824d80a2159dd872babc45709305

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
479KB

MD5
96a42cd0de07925f49bcb43699fbcbad

SHA1
f06996e6f2f9f79353bc50176d4a7a346cc826a6

SHA256
5a4f16011512490feb9ea131a92c2b582d81b8e659e08fafe58314dcb99a5cb6

SHA512
defb5f95e4c0f417fa79ba6836b137c558fb3c5dceffd5fffa9de6314f109b31c2874d5ae3f801eade68587099aaa415cd4799dc044e2dedb2cab4ddd2979c6b

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
479KB

MD5
dc1e822842071e52def51641e6d97119

SHA1
23acd22c67ba94cb1102fce037a7709240fd64ee

SHA256
0ad1d6c7bd0b6bcb724b07749829dc18caed2c515f0d55d781cc3810dacb886b

SHA512
510629c0f3abcb036d41b1fe82ba7df0b715ebf752ee51d708a81057f825435a5a9f340050258c31e4d890f9242cff7d584ffe52ff7f8d2d09a973b3cbe603ed

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
479KB

MD5
949e72b9b048977b73c3682beaa7db03

SHA1
8114c58730539fd9b10ac1dcea88f70ee94bf7a9

SHA256
976602e6460919c19b8732adf21526b12d77facbe434d651a0d822dc19dc350b

SHA512
5142627beee51e6b1adcae8eac12e7f76a1f862886285f6f9bfebb0b7bd31382556eaba02c6a2c452a50d3096973f5822e1be7827ed1151698e0bf69c24396e9

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
479KB

MD5
a38b5b7839efb48832fd0f06e746b127

SHA1
81edb128a1361badaf1b803395bd06ba7889c772

SHA256
93798d9e0548728983d248150cff328e79136d24ed82ee61087a7bbd2fc95a1d

SHA512
36b597b8811b6d9295b3d6dc3dfdc8ef609ac59e21f029d221bccd87ddc8a88a67150f8736dffd25b5bf1752c85d1db9e922d86d693f68d5f0ef2f6cf88f6c98

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
479KB

MD5
de7478dd05ba75f3533603d0da90d17c

SHA1
4b086c2158ff84da96ae64c99536e3b9b9bca41e

SHA256
0f85d2d40e50b633dee5a55f112c52883b1c8eb4bff52a85ce9cec85cac8da91

SHA512
2b01850917a31908f964dfb108125d708577a6bbf625373d9816284ea6fa49d885422ed023efa023e26de247800915cf96c8bbeda176f4987c5eebb1d578eb1f

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
479KB

MD5
b01be7c68e37377a396d6014bcc40394

SHA1
90e0993c285ae939cef07b86299f0d59aeb485a1

SHA256
8ec0d4b47d8347e79a383500d5189485101c3c09d806f838acc3a91b3f21fe72

SHA512
5889112b999de4a785a8956a425aecb90556942e89845f8b70816da5bcfae8ef963d3eb17fc125fc4bfa58dcb13d6961eef5fc62406f418d935e704be3adc4ef

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
479KB

MD5
35dccc6d3dd2781d7590f47573ea1b47

SHA1
2e9cc36434c24014b696dee6bcecadcecb14932a

SHA256
554dc9e2b7d6f02b557019c6848ce99e773a49fa0f408ad7f2ff93f52ea932b7

SHA512
a52425e6a0a1be916be2874b388ca7992f089b9078092bf730da465b94dd2e68258864e80ae95982ea6542ca70d951a569b685c4450586a78e10ed04937652cf

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
479KB

MD5
020c8a7f21a4f00c158c12f0d32af0b6

SHA1
8acca4c143e216d6382c6f32df3212ca77ddf188

SHA256
ede109429850f55b8eb1c9396825b7b5db152c042b70ce39d86fe0ba1b1d3774

SHA512
191f461888e6ecd06539a77b4093e819e4699e3c8d04b89a56833a458b86b0f1c829cae6d941cf72f8652b92291555099bef5afbf9e679bacc445846d14fd68e

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
479KB

MD5
96cf91ec0d6450cbf178c785204b5aa4

SHA1
c06cb923dc4ebcf616255c47d75f5dfc2721db23

SHA256
2cc3f5666d3135d0f32b870b9fcb125f68105ee79045504bfb4c028c55deaad0

SHA512
94f955f11489ec931cef613faf6ed81ba3bcc56fb19c1ad388a46b8bb2bcfeeaf1ae9fc5ee8f7489eb1cb129f7b82f3e8ecbc76068e75c0ad71341ec94711ad6

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
479KB

MD5
db95fa120456b3056bb0143bc2cf611c

SHA1
1e45fd180693321bc27aa72f31bd409d5f909517

SHA256
6b605c94e9e1e6f636fa19e3bc5daee5991c4a5259237da0bfb90074e014e8f8

SHA512
1329b9c581c899462ff59188d576928909f77075578d6f54ac69b623e161a399776b9c02710be1af4d70016cfe94bbe39fb8b4666f70e4ff07ab6c054fa5e0e6

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
479KB

MD5
67441a37639e9ac1de34a7ab7d476612

SHA1
b5332390658e89d8cd79ef1408c390ddbad2e6cd

SHA256
e505fdf3e8cc59c63a64e87d2153b1ceb8b75dfc3b6a0db745b22f51cc3edb86

SHA512
0b6a1d549272d8ad66b791a44380ebfb360da36dc3e6bfaad5e8579332c2da8428968ef98b11aba5c117d39ce016311bca2e31617ae621860c78125fab5bfca2

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
479KB

MD5
151f29774ff9bcbee17cdd116fde8e29

SHA1
cd0257acce9f973626e08b405da83059ab9cec0c

SHA256
996a67d9d9bf3947a28d9a6eb7c64430a24eb2e97d75982d909e9537cf4fbdb7

SHA512
b68abb07d7670e550562528c5750daf371a10878cdd64332d800529667b8e40f848fb4fcff4fa14e18998a5f167a832210bab30c5bb2b11f92de1139793458c8

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
479KB

MD5
41f426df63ce0809352c191b8eee2e41

SHA1
3fd0b9c762bf048a1e807b85df994a293ffcb50c

SHA256
e158fd6d7213d7c4d18715c683384a21e4321b146658f66e8027a8e729c4c784

SHA512
0049d48d6cd10b67e9c70039c288c83f05788ff75d611d4ef0d62e17a7dc4a579151a68437088342564993b9d7a036f7fa8f9653f46f465d46fed94b4dfa01a7

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
479KB

MD5
f732fec52af8ac934e6d5c569001fbf1

SHA1
e8f9ea7e9b9b172f1ce9a8340bd2e251f8cef80a

SHA256
1c1273dd57693a11ddc4d92756f7b76b846b6fed9e6a175e57bf6944b7d5b008

SHA512
ef43b3ef68aab2afc5b01bc04aea43a41147c9f0af7c9408691e4f4ea088bfd2e8c831244c4c31048d43e43232e36ee0c267c48892a3cf0f942e344fa87d6521

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
479KB

MD5
85e65da6446320eddf35148a2f5b4093

SHA1
715d8865c6703c7c6547cd9e0b86ceab3b4d9523

SHA256
d28b950ef2355ca66612137f9bc93a95a138730d12754224b0c6691139d7fb3d

SHA512
311ce97929fc197c116596654ca16036a73e4d5b8b958242f7814f06412efac04e623bcaed85de6b9483bc82ac575325e00f2ed53198b08e44edfafd1287ea2a

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
479KB

MD5
020b5589091cccdb5843fb83525d2ba4

SHA1
9b3a27e742a98604d0dae3821495b0b62a62e706

SHA256
b91ff7fddf62df85d3f084337532cc955dc73aa8d803e2f7d61288408ae6f42b

SHA512
8e5ad0c5a9cd91f3e6125528f126e429575f5db38d39529bcd203805038d497c862cce3b1306c01340801b3ab8d21c54435a5b716006a5fcf6473ff9b2784503

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
479KB

MD5
7095a6553f371605500b8fed95b7a745

SHA1
a220ecaaf894835656ced5ad197de7adb83f4034

SHA256
9a9f4c107dfd30dfbeb35a26b3933ca79eaee249f6037341d64942c633376362

SHA512
82fdb0966694801f1cdfc027aa2b1dbe5503624c868ca38e6d2010b0ae0e1f09f3d2fbd371b27d6a88ac48f4200c28b271054fe0d2b7c12a984d4f8b58468c9f

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
479KB

MD5
946e2373aea14d7a0ceeb574b37d9f18

SHA1
99f7915bab5bcc307eaf3bd4b7e95c3ef8e6ae1c

SHA256
eabd4026921555e568e92f7d763063e70acc833d1e4c9df7c4357f5b4a19c414

SHA512
89dea644b160821ef7e6a9d454552f178b6b9b6fffb4ab4d20f7d9cb19563291a9d98485ea2a03ec1939ecf533c83c8f76bd1e0578b86647d2922db0a4c804af

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
479KB

MD5
e126f388ec7e2b38b0edbc79bbf6dc03

SHA1
62274aa782686f6833ecd7118d76a29893449439

SHA256
03656ecc1075d196264e36415c7bc01cf692dcb81e9bfc428dd83acca52febf2

SHA512
cb4f5c963e508ad695e566334e1a200a3a016985a266e88b4f5458805f8d0555069fdc1da3329aa8f3cddf4f999c053d8d142d8e41df3a362a84f7eea4ab2fc7

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
479KB

MD5
d6fcd86928b871e1d37ebcba31f04eff

SHA1
81ffa68dd0925ae1c71a9925c96cb7b72b05f796

SHA256
2e6fc59711b6a89ac8312f294c8ebcab70fb9d0ef071f1e20cca21059988aee1

SHA512
070b922a443c0faf764607f634c823a0390a5307fedbbcd63977454c7040bf21ead008e58ce826d701df16b2a6f25075964d43f17cd4627998cf3d2a95313f8d

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
479KB

MD5
cd84b8c962ee95f2bfbdd7795ba24b41

SHA1
11292c4eccdad9cd702db0c30cea0f0b8f0f2273

SHA256
91d32c707d7e3d2223a20a42aa64ba9d6725f95b1fe6bcce1c201aefe7903ffa

SHA512
69e40489110a98b35e13db7c2bc1f21f46200e5428778713d336891b1fa187dacb297255d6e84d725d012539f0b05565700cea9d4f7ea8b636a2ecd503ecd160

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
479KB

MD5
a56de9f1e4c4806258e633562aec82dd

SHA1
247fd7cfeadbeaa8a7fc61f79805d5351993f8f2

SHA256
47a69bff4637be1aec43501f6af34caa79f2bba2c44de7147950ba449a3fb8bd

SHA512
e8da500c64dd12617e5254b2a58b7234328cb17d5a1b1b94a2c2e1ae0928fc2a5737751f41b0a0dfa7aa98b68bd0a4e048bdfef458b331dee29231e1271c6288

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
479KB

MD5
ed60193e12b0014b05a26d484f0a959f

SHA1
c3ea119e4dbc0a2228bfa92235f48027b821634b

SHA256
507c5be5be1d35d7d430b24756415180cbbc035778c18720de68898158958282

SHA512
4c825cda0b64d55605442d0d203382876aa7ace42b60c1628df9fce59d744029591d36594830ddd0d14c236c1eb63b1b57fe2027ad1cc685f4f2d42e371fa02e

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
479KB

MD5
0a083180242d091debf457ca5189df99

SHA1
0db526dcf966556241d17397279a70abdbc39108

SHA256
4a6229f404991f57e0faa13efd51d7c62b3f7bff8388c4e74e6da5bc4b929f0b

SHA512
c48a12442561320e1f6d29b17b5e9290f9804d39b7e1a500987378816da974ffc16cffa63fb7f27efa2099ba7ca898e600ad150398f818b731ee7dd31a2f2fa7

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
479KB

MD5
b0eb7e3b91654174678fb68876c48a51

SHA1
5e859e2476e94159616fd1088273652eb1319688

SHA256
95bf9fbc6cf1e1c8fc66c48b2b3a2bf94766cbf4e5d9b85d1c815667cade1620

SHA512
fc6e830287d7b0eef88c4ae1e4e4aea4b4a992fd94e810550a78419fbeeb07308a7f483378048859ae3463a1b9a151017ea4bf23508ab90ed1dec367528fb997

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
479KB

MD5
23220af23c346d683364a249dafc77bf

SHA1
523303ad96a1aacd4b54f3c8ac02d4e3ec7ba0d4

SHA256
091c0043a5baa13b8a2495a1534daba1b3dbee92843daab78c652bbaa29c885a

SHA512
80ecb4b6b1f10a8923216703f6e43ff5ac7e783a21005d57dca4ff296a50c150f51fe1165e0f272f71a9f5e94de02854f5b59b145dc8ccd933ff045fbb4dfdda

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
479KB

MD5
1d728e2604f2f286583fc85c7100c0b9

SHA1
50be94556c8acde2f01e368e6a01853622762754

SHA256
45b41fb83f09c5a0ec63e03acc8b587cb72dfc4ac9898170d19cb5d40fa09e77

SHA512
07463f82e83a2014dc839d863f0b667a76ca9df4bf90fbc71fd292a84ff93c996094acfd2bf896ebeaca26b2ffaaff092d179fcff8aa100c1cf0001c5c5e4ec4

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
479KB

MD5
db76b11e7f50781cd994bf86791965d4

SHA1
73dcd475c0421bd156b44be2795368f39beeecad

SHA256
04d21ce8e791c9354b7a924e7867f44a8fc5046cee73b78a49b82d4611fd7e53

SHA512
0b32cf11c42feee07c0ab4dbd4652e568826acba60a73230fd03510ea2c3736b647d75325e29667719b928299a946886b3a853094dc59acd918908d22cf34243

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
479KB

MD5
3e4c0f2dd4e6ade9e68a362baf78f206

SHA1
16602477b9d53fcd4ee2572ccce918789400b13c

SHA256
fb0b0dc0cf3dcc2d4dbf548764091298c01e4aba77991d5990a5a729003832ec

SHA512
eaa008d319654e5ed01319f0c14fdd0e2cf960defbb936113ce3e78d81464bab32ff69e0b6f443cd515029b2b341a18b98ce1a2c052f409210c8835f71286ce0

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
479KB

MD5
1034881562b05c984a127bb829e7cedc

SHA1
99af2c252429afd18879d6deb037eb3a1099f0e2

SHA256
031541f50d32145b858b9f339cd5acfbbedbeec1810f1b409cd9710d36524672

SHA512
2aa50c65b3d782e30682892b61c6e201713c672f9f38b5701f767dd3197b513b83c935df9d896b6bee08533248e803188bc0a5c45c242325e70658edad2cfed2

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
479KB

MD5
ef0f582cecffd77168df1b26c5f97226

SHA1
59aa2af632cccab1885c7b8d04215c803d049fe7

SHA256
2fa371f62de12a5f0e9b0810996e3b9c72d4a34e938d7e5aed98315a9dca3fed

SHA512
85c659c13352c7a412c0587bbbc0b122ccbaad0bb43bd5aa9ea4f2a41e97edc06a7d581ec9029c572f31cb87c1de59c20778f9463dc6e1ae26a78abc9375b62c

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
479KB

MD5
4fa567c5b4957648a62b6b33e3586dcc

SHA1
112163f0c4003e671e2d5b80c9392a7d177bac60

SHA256
0747138c9a5235fe38a5cf6805404879d858c62e918b2f58119e7d245cfe8caa

SHA512
2a68681ef4cb458314cb2a560cf88c417df610a2d2a56cba5b655c40261e11d74c1c60f263e988067f917ca9280f40e206d3068250da7c5b54335a396576c5c8

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
479KB

MD5
8d87c7594be6fd1b36af983fcb53fef8

SHA1
2c3cf7c788b1aa8c86814bd3e984a997fb7df1e6

SHA256
151093181e83ff8273d348b793bd8eefc49212ea318e86c779df520fd8e8639b

SHA512
47655d9117530e474e36fe2e59e0594bf4c6b5042f47526dafb96f6a3fc855c7f799df2391a5ae95f2cb02744e13d70008dbe2aed74554e53ad53f71b1a0a30f

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
479KB

MD5
d73822c7d32e13341832df2fafeb1cb3

SHA1
ec058aa155cdee1a34856c63677d980a4fba42e6

SHA256
c326e1e40ba20a15079a897645517f3d267d9bab08830b0bedad72090db5a825

SHA512
b5b52469cea037b8be58ce655a0fd696dc3f201a41d3cc0e132b934493dc9222d19741dd162e8e1a8531fd17e2c99dc5b7bcfce61064c913c2579bce2896e475

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
479KB

MD5
181f18044386686331adaae4af794ef6

SHA1
c735eb105990545de916180bbe716023f0cd8476

SHA256
4077d4acf7a219beaa046963181e904c33033326a8604c8bdc3bd946b389e165

SHA512
0456356e85c2ff305d837011b54ce1d9ea068316c78e4d3eddfc0944d30d650fd1af56ad2d838ed54aa589a9e7d0b9d6ab12d2dc60a626daa82f13877e44b84e

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
479KB

MD5
1d13c0188b4220fe7715505b66aca5ee

SHA1
b446f2d53d1922cb8a59086cccecaa8da164b592

SHA256
93584fe229439d92b6eda9b91355803d2da1f25480ed3957f312f85b4643be70

SHA512
d195d1a4eff146a168e5ba67b59e774bd4761371506fc4b79e6ff149a46afb4a7f0b79abd87d1d8879a65411569b654abb60fc058392632a7bb4400fa0bc336f

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
479KB

MD5
27b1232edb49b2f1ba03d0393cb8dc15

SHA1
072570f7a557ce3dcc64b62821cbed83a2f7fe7b

SHA256
16f0dde84efcb931cfb8bd0ebf3fce39543c6f721b020003707cf7e13215704b

SHA512
517fb50f43cba805b82bf235e3fbc0360638d5feecf4d85852c6b452e63e22901ffdda02082b92e2be08b865009757c0623761d7f4284058f6bf5c6f4c2426bb

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
479KB

MD5
95e18ba5c4c559b3a9b01793069c1442

SHA1
1344bd4c2b9d7ff75517ce9a3ee3de5c4bb9958d

SHA256
d32b46d35b429ec039066176a2f209a3f1776e270aa66620ad294e05e79d6ccc

SHA512
d315ba4052ca9342bb8be651452f8627e37f2eae1652c0538d427165e2500717a81755b3659f5c84352d5e4ec1a282a85a7eea64b53702f8723365c8b4cd9235

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
479KB

MD5
0109738598ebe984aa4a9e1c6b038244

SHA1
86acca9d96898b76bd95104c92d61ae3d56421b4

SHA256
a91b49fde878b1ca99303e35fb6dc27294cb99e5ff8dad6ac2bfdbe29eb2bcc4

SHA512
9111b1b1dc5121531829d92ccde6f564965e8c0c49521cf44b55d52930c3c6f638875aa22b9828858376e9dd75324dc023621da4d89a7c1c3277bc34d6f4ae54

Download Submit
memory/368-89-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/396-410-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/684-157-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/756-542-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/932-478-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1148-576-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1168-134-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1376-156-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1420-204-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1492-508-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1696-427-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1752-205-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1924-41-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2024-80-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2112-73-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2192-495-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2200-777-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2200-9-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2256-412-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2320-1198-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2320-596-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2328-1281-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2328-426-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2448-411-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2500-398-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2524-400-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2532-472-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2628-142-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2672-525-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2760-401-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2852-414-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2968-25-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3008-467-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3176-502-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3224-242-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3236-133-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3272-460-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3352-438-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3368-57-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3400-399-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3404-564-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3488-413-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3772-1257-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3820-402-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3904-431-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3908-6-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3908-765-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3908-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3936-48-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3960-241-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3992-206-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4028-565-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4128-113-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4200-1331-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4232-439-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4240-429-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4256-553-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4276-742-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4296-430-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4296-1274-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4408-97-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4428-432-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4512-484-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4520-415-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4612-243-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4648-523-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4660-588-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4676-109-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4740-403-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4752-203-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4808-240-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4824-496-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4860-582-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4904-531-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4916-17-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4916-1378-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4916-787-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4924-33-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4936-409-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4988-64-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5024-425-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5136-605-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5224-1193-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5224-615-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5248-753-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5260-621-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5304-623-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5312-754-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5380-638-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5440-1105-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5448-770-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5456-649-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5496-651-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5604-667-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5652-668-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5712-789-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5752-679-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5792-690-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5812-1131-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5868-701-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5904-702-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5948-1159-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5948-709-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5988-714-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6032-725-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6068-726-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/6644-1081-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads