d51121822f93ccdb326c807fbe2ca32c703ddea19f1c5ebfe616448c8749013b

Analysis

max time kernel
139s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8981f71f55ebed6a9e772bc522758d0_NEIKI.exe
Size

487KB
MD5

e8981f71f55ebed6a9e772bc522758d0
SHA1

57a3d85e87d83fe6af46fe233b0977f0dab8b5e6
SHA256

d51121822f93ccdb326c807fbe2ca32c703ddea19f1c5ebfe616448c8749013b
SHA512

a646f91c15f346adf19f42a7a031fbd67686d1478601bc23f47f8af8b7f7add455feb4ee845f8480f1821c5b5d278a72529cd95fceccf9e49cf60fb9988de02d
SSDEEP

6144:K4HpvnS9I2y/JAQ///NR5fLYG3eujPQ///NR5f:K0pzTx/NcZ7/N

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e8981f71f55ebed6a9e772bc522758d0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe

Executes dropped EXE 64 IoCs

pid	Process
2372	Dcfebonm.exe
664	Djpnohej.exe
1824	Eoocmoao.exe
2016	Elccfc32.exe
4864	Eoapbo32.exe
2932	Ejgdpg32.exe
4524	Eleplc32.exe
4144	Eodlho32.exe
5004	Ecphimfb.exe
1704	Efneehef.exe
2368	Ejjqeg32.exe
2500	Ehlaaddj.exe
3892	Eqciba32.exe
4700	Eofinnkf.exe
3936	Ecbenm32.exe
1724	Ebeejijj.exe
4068	Efpajh32.exe
4900	Ejlmkgkl.exe
2820	Emjjgbjp.exe
852	Eqfeha32.exe
1936	Eoifcnid.exe
712	Ecdbdl32.exe
1160	Fbgbpihg.exe
3928	Fjnjqfij.exe
4160	Fhajlc32.exe
1636	Fokbim32.exe
956	Fcgoilpj.exe
2868	Fbioei32.exe
3160	Fjqgff32.exe
3952	Ficgacna.exe
1996	Fmocba32.exe
1152	Fqkocpod.exe
1944	Fomonm32.exe
4916	Fcikolnh.exe
4988	Ffggkgmk.exe
1932	Fjcclf32.exe
4576	Fifdgblo.exe
4892	Fmapha32.exe
3836	Fopldmcl.exe
4644	Fckhdk32.exe
1876	Fbnhphbp.exe
3384	Fjepaecb.exe
4956	Fihqmb32.exe
4936	Fmclmabe.exe
4420	Fobiilai.exe
3168	Fcnejk32.exe
3108	Fflaff32.exe
1492	Fjhmgeao.exe
5088	Fmficqpc.exe
116	Fqaeco32.exe
5072	Gcpapkgp.exe
1924	Gbcakg32.exe
1060	Gjjjle32.exe
4108	Gimjhafg.exe
2032	Gmhfhp32.exe
3204	Gogbdl32.exe
2116	Gcbnejem.exe
428	Gfqjafdq.exe
3804	Gjlfbd32.exe
3188	Gmkbnp32.exe
4584	Gqfooodg.exe
3792	Gbgkfg32.exe
2200	Gfcgge32.exe
3348	Gjocgdkg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fagmapfi.dll	Efpajh32.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Eoifcnid.exe	Eqfeha32.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Fhajlc32.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Jpckhigh.dll	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Eleplc32.exe	Ejgdpg32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Gmggiogn.dll	Ehlaaddj.exe
File opened for modification	C:\Windows\SysWOW64\Eqfeha32.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gpnhekgl.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Fflaff32.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Gogbdl32.exe	Gmhfhp32.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Kbbfkb32.dll	Djpnohej.exe
File opened for modification	C:\Windows\SysWOW64\Fcnejk32.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Qbplof32.dll	Gfhqbe32.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Fjnjqfij.exe	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Mngoghpn.dll	Gameonno.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Fjqgff32.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hippdo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ejgdpg32.exe	Eoapbo32.exe
File opened for modification	C:\Windows\SysWOW64\Ficgacna.exe	Fjqgff32.exe
File opened for modification	C:\Windows\SysWOW64\Fmocba32.exe	Ficgacna.exe
File created	C:\Windows\SysWOW64\Gjjjle32.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gfcgge32.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Eleplc32.exe	Ejgdpg32.exe
File created	C:\Windows\SysWOW64\Miimhchp.dll	Eqciba32.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Djpnohej.exe	Dcfebonm.exe
File created	C:\Windows\SysWOW64\Fckhdk32.exe	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Efneehef.exe	Ecphimfb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6924	6788	WerFault.exe	256

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofjdo32.dll"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihpfl32.dll"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e8981f71f55ebed6a9e772bc522758d0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ficgacna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfbpcko.dll"	Ecphimfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedmgfjd.dll"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdcbdnc.dll"	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcfebonm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfedle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 2372	3816	e8981f71f55ebed6a9e772bc522758d0_NEIKI.exe	83
PID 3816 wrote to memory of 2372	3816	e8981f71f55ebed6a9e772bc522758d0_NEIKI.exe	83
PID 3816 wrote to memory of 2372	3816	e8981f71f55ebed6a9e772bc522758d0_NEIKI.exe	83
PID 2372 wrote to memory of 664	2372	Dcfebonm.exe	84
PID 2372 wrote to memory of 664	2372	Dcfebonm.exe	84
PID 2372 wrote to memory of 664	2372	Dcfebonm.exe	84
PID 664 wrote to memory of 1824	664	Djpnohej.exe	85
PID 664 wrote to memory of 1824	664	Djpnohej.exe	85
PID 664 wrote to memory of 1824	664	Djpnohej.exe	85
PID 1824 wrote to memory of 2016	1824	Eoocmoao.exe	86
PID 1824 wrote to memory of 2016	1824	Eoocmoao.exe	86
PID 1824 wrote to memory of 2016	1824	Eoocmoao.exe	86
PID 2016 wrote to memory of 4864	2016	Elccfc32.exe	87
PID 2016 wrote to memory of 4864	2016	Elccfc32.exe	87
PID 2016 wrote to memory of 4864	2016	Elccfc32.exe	87
PID 4864 wrote to memory of 2932	4864	Eoapbo32.exe	88
PID 4864 wrote to memory of 2932	4864	Eoapbo32.exe	88
PID 4864 wrote to memory of 2932	4864	Eoapbo32.exe	88
PID 2932 wrote to memory of 4524	2932	Ejgdpg32.exe	89
PID 2932 wrote to memory of 4524	2932	Ejgdpg32.exe	89
PID 2932 wrote to memory of 4524	2932	Ejgdpg32.exe	89
PID 4524 wrote to memory of 4144	4524	Eleplc32.exe	90
PID 4524 wrote to memory of 4144	4524	Eleplc32.exe	90
PID 4524 wrote to memory of 4144	4524	Eleplc32.exe	90
PID 4144 wrote to memory of 5004	4144	Eodlho32.exe	91
PID 4144 wrote to memory of 5004	4144	Eodlho32.exe	91
PID 4144 wrote to memory of 5004	4144	Eodlho32.exe	91
PID 5004 wrote to memory of 1704	5004	Ecphimfb.exe	92
PID 5004 wrote to memory of 1704	5004	Ecphimfb.exe	92
PID 5004 wrote to memory of 1704	5004	Ecphimfb.exe	92
PID 1704 wrote to memory of 2368	1704	Efneehef.exe	93
PID 1704 wrote to memory of 2368	1704	Efneehef.exe	93
PID 1704 wrote to memory of 2368	1704	Efneehef.exe	93
PID 2368 wrote to memory of 2500	2368	Ejjqeg32.exe	94
PID 2368 wrote to memory of 2500	2368	Ejjqeg32.exe	94
PID 2368 wrote to memory of 2500	2368	Ejjqeg32.exe	94
PID 2500 wrote to memory of 3892	2500	Ehlaaddj.exe	95
PID 2500 wrote to memory of 3892	2500	Ehlaaddj.exe	95
PID 2500 wrote to memory of 3892	2500	Ehlaaddj.exe	95
PID 3892 wrote to memory of 4700	3892	Eqciba32.exe	96
PID 3892 wrote to memory of 4700	3892	Eqciba32.exe	96
PID 3892 wrote to memory of 4700	3892	Eqciba32.exe	96
PID 4700 wrote to memory of 3936	4700	Eofinnkf.exe	97
PID 4700 wrote to memory of 3936	4700	Eofinnkf.exe	97
PID 4700 wrote to memory of 3936	4700	Eofinnkf.exe	97
PID 3936 wrote to memory of 1724	3936	Ecbenm32.exe	98
PID 3936 wrote to memory of 1724	3936	Ecbenm32.exe	98
PID 3936 wrote to memory of 1724	3936	Ecbenm32.exe	98
PID 1724 wrote to memory of 4068	1724	Ebeejijj.exe	99
PID 1724 wrote to memory of 4068	1724	Ebeejijj.exe	99
PID 1724 wrote to memory of 4068	1724	Ebeejijj.exe	99
PID 4068 wrote to memory of 4900	4068	Efpajh32.exe	100
PID 4068 wrote to memory of 4900	4068	Efpajh32.exe	100
PID 4068 wrote to memory of 4900	4068	Efpajh32.exe	100
PID 4900 wrote to memory of 2820	4900	Ejlmkgkl.exe	101
PID 4900 wrote to memory of 2820	4900	Ejlmkgkl.exe	101
PID 4900 wrote to memory of 2820	4900	Ejlmkgkl.exe	101
PID 2820 wrote to memory of 852	2820	Emjjgbjp.exe	102
PID 2820 wrote to memory of 852	2820	Emjjgbjp.exe	102
PID 2820 wrote to memory of 852	2820	Emjjgbjp.exe	102
PID 852 wrote to memory of 1936	852	Eqfeha32.exe	103
PID 852 wrote to memory of 1936	852	Eqfeha32.exe	103
PID 852 wrote to memory of 1936	852	Eqfeha32.exe	103
PID 1936 wrote to memory of 712	1936	Eoifcnid.exe	104

C:\Users\Admin\AppData\Local\Temp\e8981f71f55ebed6a9e772bc522758d0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\e8981f71f55ebed6a9e772bc522758d0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Windows\SysWOW64\Dcfebonm.exe
  C:\Windows\system32\Dcfebonm.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\Djpnohej.exe
    C:\Windows\system32\Djpnohej.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\SysWOW64\Eoocmoao.exe
      C:\Windows\system32\Eoocmoao.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        23⤵
        Executes dropped EXE
        
        PID:712
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4160
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        34⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        36⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        38⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        39⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4644
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        43⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        45⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        48⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        50⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        51⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        58⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        59⤵
        Executes dropped EXE
        
        PID:428
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3804
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        61⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        65⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1416
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        67⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        68⤵
        
        PID:408
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        70⤵
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        72⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        73⤵
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        74⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        76⤵
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        77⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        79⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4432
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        82⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        83⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        85⤵
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        86⤵
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        87⤵
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        88⤵
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        89⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        90⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        92⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        93⤵
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4292
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        95⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        98⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        99⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        105⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        106⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        110⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        111⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5808
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        113⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        117⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        119⤵
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        123⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        124⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        125⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        128⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        129⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        130⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        131⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        133⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        134⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        135⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        136⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        137⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        139⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        143⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        146⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        149⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        150⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        152⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        156⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6264
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        158⤵
        Drops file in System32 directory
        
        PID:6300
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        160⤵
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        161⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        162⤵
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6496
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        164⤵
        Drops file in System32 directory
        
        PID:6552
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        165⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        166⤵
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        167⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6708
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        169⤵
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        170⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 408
        171⤵
        Program crash
        
        PID:6924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6788 -ip 6788
1⤵
PID:6864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
487KB

MD5
d5c18998ac447d9c2b6ad9e841df6d09

SHA1
595530c2f27405c9f5e2c46d7678cbab5c9b2cd9

SHA256
8bdddd555e8c9e4726a3275deddfbd06d76f57e5290bf95b623f14e8d8a23d1a

SHA512
1132a0fbf1c8e8ec3ba293028600b1e9a7285eb25dc0baef047348587340c57b2cb8ce36b3327de405ddc02c360b37ba2fee2fcc0bcf7fcabb72dd3d80afa120

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
487KB

MD5
3496cfdf0b2c1184d85f226f0565b7b5

SHA1
12081f505461239c7e80f4f3a1023e5b8566c1c8

SHA256
709e27c68ce2e934d5fde424133e46d09db15115b81534183df06ad953d63e67

SHA512
069327a203958584fd99787b581ec3ad0ec2431a587b482af69ba13ae831c1aeb37a585bc8332330117eea505086c4b12c877c82fbbc34942f7d913e33b71547

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
487KB

MD5
a64332e621dd6267c5c9b6cd8e585e9a

SHA1
6d89d6ba74b988a000fea5bf784e68de23ecb85b

SHA256
9f6ed780e85123b3a4e0080ceed169909c6dfc8537525e4fa66ae1af996c06b7

SHA512
9651d8340e5099338f496ee72d726ccb2e2a5c5f24a9324b4c903dcf35750bf939942372ac88c654aa8cf550334bf0c13fdaf197a4003285e469b1716859223d

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
487KB

MD5
aa0e795ba47013de9df6c9f10bedbbec

SHA1
09ebbf4d91257adbee78b9dddb1d82e7a532b588

SHA256
ef9098d455a3f47df850dba6e4389086f1d23ce9dc9be3f4c50238d7436169f0

SHA512
4a1beeafe7d35601106f221f246a96cfcca41102860bf87f93b2dadb86ddd7a54edf5abe72847cda6471afee6060a2d5f749ec9612c565ec75a494210b0f2756

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
487KB

MD5
b215d7e61ce6dad92b03aab17b93d2e7

SHA1
c509ee252efe1683225e1d9ef941d0bfd5afcfc5

SHA256
2e6e8118a6398719ea5a2f20be94604fb2d8cc4a8664dfc5171730ec2b4fd6d8

SHA512
e3a86a02ecfd92b5469964c3c9d1923cdc19ba45a5c52e3691b51078ccd771d68d4948f9b391c7d11cf74081232c5f25e8a046d529538df68d65a960c914eba4

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
487KB

MD5
56622b97ef17eff07c3b2714d32155d0

SHA1
e22cbb42f88a731d5711e8b52da81116a6cc57ef

SHA256
69b45b0542a2a9cf6306b98f3f76a56bf3c08eecbec535dff00b96907bf64047

SHA512
dc2534b8a0749da22b8a187e98ef53e957990f2f83692728f3c5c7a67971bcd2a4947ebd97edc24a36a4d86286d1aa129591983439d89acd8f72703fde1ed7e9

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
487KB

MD5
913f655d97f57cfd2e0ef8b20671de04

SHA1
161397413282cb536120eb9c2c243a3ea66c5fa1

SHA256
1f441f7ff7556b2fdbf341f5415d05e589952aa76b540329047cac6156d1a109

SHA512
5b9d270dccf317bdb786bc50f41817b63aa9afab12855d04d8a58ce4d3edaf37864b39424380ed8f88f7a91787c92435ec521cbee19fd32975c4fa02ae21f188

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
487KB

MD5
3f16509012d1a30bbe4bd9f337da592a

SHA1
71c6a91322699428ad3fc2dbdfbd2fb1fb64e5bc

SHA256
cb109721a167dbe780007b8740ab92f69f27ffc41f45d8f432c7f1725dbef2a7

SHA512
c5cfc24e295878bc2bb4904f53f7e1397976e7c972c5ae5f3a08f4973394129ecf8f17431d09f518f6f5011b3faf403267572afb2bdc4bb88d58a79cd76aa0b6

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
487KB

MD5
85272f12058ff6af94e3177d0d4c40a5

SHA1
2b1bfe57a0fb0cab8a8b33132556cc7342e23da2

SHA256
3f26af463bf6699a6c72ce504513b58e807db940b8e4f2982d7babcd73c1948d

SHA512
0a7004ecfd39af0ba8c89db92966b7aabf4dbc046c152d71058002cbac6e8db85e2060c4f7f76bc39913203d740b105b7443b882a8078adcef07b3ef30f03944

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
487KB

MD5
a0653c5f72e41902914ee12e38f69bf0

SHA1
9f5d853a4b6d0c4e205e9dd6d0494eb1f4f19c17

SHA256
315be22f1a4e0488b2d14d085c84980a3fd053ffde1f58aca20d29c5a9c6db78

SHA512
86335eddf053dc048f814907e1fcbcbaf39a2bce769af711e54bf2d667c4eeb8043b38517fccd30c63738d7ba1b341090403fe8d09945db5e1885d3207d1bde5

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
487KB

MD5
e5619384c9df9e6565aa3d807540fdc0

SHA1
52321554fce8368a00dc4345ec376f4eb78f12cc

SHA256
ba27c5718e4b8b97f3ff8eb218dc4c5309fe8af45b492e2a9385cfeeb491c134

SHA512
35ae73d3aea4e0a0e6e2eac3fbbdaad406b99e276dbda210d09fd8bd482a79b690172e666b674fb604abb578bf103c8d94bd18eba33a256559aeec79f16ef019

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
487KB

MD5
a3d846ea2b07ab7b705ec936295323e2

SHA1
12273fb207c2db9a6d79d191b4b965e3ff0f6762

SHA256
c7af516133e200a182c01a455ac304562a4c9fbda4214526bcc3513a99bed173

SHA512
fd2080d8064ffaf9e15fa597b1fa8755f456c51efb63cfa9ae39a268654ac0b25530260ee86f91af5f568ec0120da81d0af9a519e8063296e474b490b5d6bc7e

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
487KB

MD5
98e3d3cd75874c0c44c01306490b6305

SHA1
9c582b4bb907dcbba9cc678efa83b7b48b94b4bf

SHA256
f785b4c3f12b80244d699f6e32f327b3065f6c139328237e7a1b99d14cebef3c

SHA512
f84767950cd51aff5475508386e9d21707e9a484faee3dab933a14792f5f2b24bea26e5b7ebbaf49da6c66d68029604dbd54df37c1aeaa65061db4fc2a9bfaad

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
487KB

MD5
856e2f173013b5b7394691cdc1a90d66

SHA1
2f82b6fd3b875f5461675030f666dccf9642e3c6

SHA256
78005cca16856e3d4d89de57e1a071f24f9b8dd9670493bcd04873db82c465d5

SHA512
696cfa8e35ade2bc43acce67baca6dc39cc0673311c7b0ea9653dc2eb8380241bac9921ac8f360efaf82c2b2d836f9da10ab9ff483b041ab736828260650738c

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
487KB

MD5
f4c785bce37a9578c6808ca01685d190

SHA1
d93577ea6670b795cfc72f3939aa64e78b3e9a3f

SHA256
6a80c7a478bc6e4fd352d158b9b53db02146130ebe8b02012f4c6e3073bcb01f

SHA512
f39a2cebc6b06dc2dc4315cff613178fb2ecac1dd743ce55a560c6102830fd670caff95171a42afab4b57bfc7b2d3d93ac8bd3b5c78570138bb7f99236ae7984

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
487KB

MD5
b2c9148d5f00860622ead5df7bcf147c

SHA1
67148daf447618cca4d71d05299d4133dbef042e

SHA256
46c31a3437aacd29c9dd7e3658f904b9a696f79d961ffc7e27e5048abee1ae65

SHA512
883467f5d617ae4bc33ff11ee3cae8331e9f0ea279556eab478f889791289292c1b528f5d77d6f83faff105a2fb4adb5aa568fc22111886fd3c791dd138d2c17

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
487KB

MD5
ebfb4a5a0ba9abe67454aa8b47237086

SHA1
728ea80bd266c460743489fea31e37ebe5531a02

SHA256
c8922549c786b9bcb2482c71876e6175616dbb3b90fd2936b7c14d7472db3352

SHA512
50d6ee43f00508b2d932503cf4948f3bf1e4f7eacb7483c4fa508633c8f46ecca5673870c7a2784acb4bd855573ef777a04b11dfe469472f570f00b2bec36e5f

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
487KB

MD5
dc9da6e473151293ff167f6117c6a4b5

SHA1
ea03b3a2a10cb58a06861c1cc7d9c5be018c0268

SHA256
26735068b2c53c6ad5588eea42847a7ebce6efd0ff2e06a76ea1be3ff4f2120d

SHA512
1fc0f7e19246dcdb95453c7da973385813f066f573cb96905b7b857ad79be5229e41bd40da979cd2d43fc664395c810807aa87bb449ddfeec1d50c21332f45c8

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
487KB

MD5
3709364feb0657fc2bbc5638cd2eaa88

SHA1
da732c2856597b5e1675f647d57a220c97b3fd05

SHA256
646657304167b7db7dbd149af955014d12cef7c597a31aee8d7daf114390cf32

SHA512
f7e8cd228c4010d16710b63f91c7b59be630a593ff7ba43d528f3442dff941b79624f4ebc5cb5842f0ab4dd057fc5e7c4092fd099f241f2da5599861c030eee7

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
487KB

MD5
b29918fcc5e10a571203bd12728fee95

SHA1
0085bcec9d802ce8da49471e809a98dd616da580

SHA256
b3c1fcb01f7d6ee353f05a51165886c126edf66b52df3b9ee4a7053db21f3319

SHA512
108b04bc88508fe7655a2b88cd0c379dda0e59ed2276b5245f875a8de76ca5ad6e8148146c6e2125642d7f6500c17793af74f58adc54706122f64a33fc5ddaba

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
487KB

MD5
958691b7b83310317cd3d88ed2f0482f

SHA1
d36d4361e591c601a6c1c39a4a7c81c77e1a404f

SHA256
a53f5c6b9059ecdf78d19b2625f5df307f820a0534168007b34313418d908674

SHA512
0fa8eaad3515db3e12c5583194bd7388905e083df6448ca6dd1de4b9f63b0b41664dd4a8786a94aac6a9d894e21ab1d5b1e0eaee06ca50aa65cf42df9b9f1cef

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
487KB

MD5
b57a09d10881adedf67a3267ae0b0589

SHA1
ea69cd5425d0bf160099564d08950cfff3c705a7

SHA256
b33728de626cb3707c8fc3dbfeef2dd21b55a9e8fa7b28458aff36ce4a3ca845

SHA512
3d0d6f0459735578163515abb529b7a646cff91711020d97af1463c50cfd067bad8f742997c018102db3ca67f8f036ebe7e8716418f4aa242e2e6fccf8cea2e5

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
487KB

MD5
1036f98681567b77b0dce4ae70e46ca5

SHA1
ccf11d60816f1edd8a097754ff192e8ff98924cb

SHA256
6d2d8693462c2dfa69038c3ea59208d7ad36f403517105557327d8a9881b92fb

SHA512
212d2f9fe959d7b3587de4f9a3522c80dc140f3fc2a6bb9bf13174ef807230d1030a4a433794326be4b77e86ca1c035bf55a620e446ce7f464a6f39659a2d60e

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
487KB

MD5
4dbdf607d1366ac8cc7d50673bf9bc5b

SHA1
379485f9e44cfc491465d3a4e4ccc2737ed922cb

SHA256
cb31f6fdd0074d9c0250a4380422c9e2406020e33a70fba94d92bf2df25eab49

SHA512
2d44ed475eda7fd8c4704386617919c207bebe8c28dbf9eb75ebfaa4a080846d284caa85ada41c21eb70df0a266a8fc915e6eba24472241b7311fc4f0db541d7

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
487KB

MD5
954a27bd41b46af0ce513127d11f4af9

SHA1
c6a980070d1108ddbcb6433d1d49f935092ced71

SHA256
b16786cccebdfaf9ca9f22587097478368b536800b1ed1097effade455287259

SHA512
692a668652425276548737720c36e0bfa0aca8ee73694d689b0000325021dac1b0ed374a0d87c533ae1aab5a7348bd3732c3b6cd57b3ea138029b9cc21c9dfd1

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
487KB

MD5
3524f17744d37de3669fd51be9eaed77

SHA1
15aad6fcb536819a3f73313dcec91614624cb0ca

SHA256
2f610b2aa9cfa8f2e443b81770bf925fc95b9247df00c330d96ad28ed61db647

SHA512
bbfd58c7b553f3e01ed8707d66de2069fc9dc81584edd898579f3f96fd2c5dabb1d7a282c6d5c24d97c4250e1a02f989e1a7eed3265c23d5c529f72cdfe93617

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
487KB

MD5
e4202c1b48413e0c696cef182aee36a4

SHA1
2e8b71cffa3b9a040acaf4028ff8d0e31aebc11f

SHA256
2e78b4ee466c21032d9cf18849058e5d9a7f7c087bf8922477a2c45fc9736be4

SHA512
3051aa196df47865f9a631319d16c268a881e9a382036268e794245effa011a275f2c1b7cda36f681875bc3c15ea310730c462898ba0350e9609785a41563f9f

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
487KB

MD5
30af2610ac102903b2dc91d654988952

SHA1
8f42de4df74193abfbc4dd6e959bf404c150abbe

SHA256
256483e5092071d55e0ee44ec52c285c5c042f42efd83db6bd4ffea85f5be2a3

SHA512
80e1c33d80849885477313d96d285f374c757f72160b728ef9383319dee72f10145b48e5aa5aea11279e3aa2d076a327929bd687f95d62e78c1a82a3b51143aa

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
487KB

MD5
21a2e67e7264ad44cffe2b2374b941b1

SHA1
e7044cd6277f4a9b9ac670b680fe9720778e028b

SHA256
7229084a8ba2b20e5dc80ad170f4d3b9c470ce8efd4f03803ef56ed6a6833b16

SHA512
0403e65f383d2b396275fa6daa1a9b75f713a4b0eeaa400a9c23572e375aea0555b97a0a5b74ef551f58f72d7922051c16680923be461591d143b19ae8205293

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
487KB

MD5
202f07f6eb6c6453cae814ef8564f762

SHA1
f0f26f633936f18465879fa1baa38af23f999d0a

SHA256
3c947531f53705b2424c71712d673f5a83878f8853af08d335a8e4531c428d62

SHA512
2e3250d62fe0fa0e7a676ed6b9a237bd9cf83e6d8beca0f8149f3e20f835d293dcac8cd7e8eeccf3cbc8c2307750fe875497754a2b0d903090cc688df8d721f8

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
487KB

MD5
b116b0ced38bddf7b699a8f131a79300

SHA1
6205310624dc16bc6ea81d8d00345bb22ddf2e9f

SHA256
ecb58719c4c0c4051edc11cb95c7dd9c94c44fb884b7cc3790020de3f7e583ca

SHA512
8e3eab1fd0a1e3bb3ebaea0f1cd227fa2bb5a7d1d1942e66152f76973c5efcde4e7d36e7f6dcaf0008b24f26d2d35c0e2527fe00abd7d2e5305fc70c15d26e0e

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
487KB

MD5
7e9a09122ec0fb62302137e29f8ee743

SHA1
5eefecdc4e130035886fd78c070a80aeafac397f

SHA256
35648234a7d88528a8526af1e4f7a05a37c3f65b48bf2fe92f38ef44afb86ff7

SHA512
fc0dbca433c24e8cad5566fe5910a10740cf00b97f304209ec237a4269180ee594c1312b3405709fb7d8b24e281ba8f32a7a7c50d9ceaa3c7766c536dc6308b2

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
487KB

MD5
2f6e541b4bee2786b53c020be002ae1f

SHA1
4631d694cc102e6bef6ab24500104e43c74e2cb6

SHA256
321396d60c07b6da8cc23aa19a975f85f2f536b4ff332b77b5a16073fccd6d15

SHA512
2c79b95d4a01b017d82a98a59cb88a3fcf62d2f73af8095f9918778d89814be01fd2858531ea3621ebd9973e99c03d566b05c0bca42c0fc14579285f65c06f69

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
487KB

MD5
1586a98f15041abbe0eead708df3a5ae

SHA1
790632da6a9b6713001a6c47d53c73593abdd653

SHA256
47dc75cd1bb20a68d00a30255b7672368604d1cf2f3e8ec7e630ee0cbea3921e

SHA512
9ae322ab68484bc7f4bb9a01127e383f3c4cb65f686eda20b1d25171689c85c7fade24856cccc362ce7a0ec4a6222c828bfc2dead98b5ecae4813a83b2cb0537

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
487KB

MD5
ae6cab78fd40df831cc74630ac896ae2

SHA1
b0aef2e75b03864eca2524f16bf6d8f47b92019a

SHA256
2827940deb443056367dca7b9181d28f9cf13a2e91c01f2be2985c82c4517da3

SHA512
810c418a603d49ebc350f8d02810ad534e5279ef6d5fa786cb948b21c484361658b620426c1f8424eec55906e9a8e2da83b2cab3878ac7d9c4de616525cc7141

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
487KB

MD5
91fc8fe1b81416ce7de3ec4e68c3abdb

SHA1
bf67fd30e948e8ebd1b27197f8d4d93901e794ea

SHA256
0afb169037045a29fc6c60917308372fb81c42b4f8f2f57fe9cb13213369d5bf

SHA512
a5fef6cf71bab4f32e3e12969c7585cf826d01fe71fe405586c574c1498132500145f72210b984344a942dba8a14e9fd9e25eb8df8f47da0e766f8568e038039

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
487KB

MD5
97f7f7ebeb974122978569f7359adf7b

SHA1
3b4cb9620b06f8db8d643fde2fc8abe48ec401bf

SHA256
87a28e57c8607c86ecc4344e76da761f065cb3b0a54fa8d1b88007c3031e8dc0

SHA512
86244fbfeec617b9cc9ed6c9da3cd96f28abe3d2ecdf9c4b903b6391d876eeb666092ddc4324478ab56f27f59ae14c42da82315d3e5f06672ee5145290d3092b

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
487KB

MD5
fc69f0c92aab2ff807463bbeb1eaf030

SHA1
856a2a3b0ebc21b279183dab3559bab1c2fbd1e4

SHA256
d015bfde0f331890d65f86b80ee295371e89e1ee233f3c137715a8104e0131cf

SHA512
9bae94111f28a693f0eb51fd746307ea3bbc15c518dc8a22241725fc4b4e7045cc3e2154864e6befeaeaf6aa19be95e8ff9fa952b62cce8fd9e993fb5019c606

Download Submit
memory/116-615-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/664-17-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/856-704-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/956-534-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/996-818-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1012-652-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1028-648-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1060-618-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1244-660-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1400-635-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1492-613-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1636-1281-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1688-637-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1688-1174-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1704-517-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1724-526-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1824-24-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1924-617-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1996-536-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2016-37-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2032-620-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2116-626-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2200-633-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2368-520-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2372-13-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2500-521-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2932-49-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3168-612-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3188-628-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3204-623-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3508-796-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3736-650-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3816-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3816-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3892-523-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3920-675-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3928-528-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3936-525-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4068-527-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4068-1299-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4072-659-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4108-619-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4112-857-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4144-513-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4160-533-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4292-1147-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4432-643-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4524-512-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4536-721-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4596-644-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4700-524-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4864-48-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4872-636-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5004-514-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5044-657-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5072-616-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5088-614-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5124-661-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5144-716-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5156-671-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5216-806-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5376-673-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5404-728-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5412-674-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5492-739-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5524-847-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5528-676-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5540-869-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5556-750-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5576-890-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5588-741-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5612-829-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5660-1117-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5704-830-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5728-767-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5784-772-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5932-677-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5956-901-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6016-683-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6040-783-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6048-841-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6092-785-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6096-694-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6116-880-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6184-913-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6264-923-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6300-925-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6384-940-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6416-942-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6464-953-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6496-954-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6552-960-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6592-971-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6628-1004-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6672-982-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6672-1001-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6708-1003-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6708-983-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6748-998-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6788-996-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/6788-994-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads