08e44207ef1fe368b5d18b3f89130e1c3544d9385c64be4f4bbb90ac070bc695

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08e44207ef1fe368b5d18b3f89130e1c3544d9385c64be4f4bbb90ac070bc695_NeikiAnalytics.exe
Size

63KB
MD5

25baf0bb88480ea0db35a7799b188a50
SHA1

fb79a5f61f57c0c5c809eb4a2f3f2ab19f2ee88c
SHA256

08e44207ef1fe368b5d18b3f89130e1c3544d9385c64be4f4bbb90ac070bc695
SHA512

62308542293240e5e2fbc2811152f283333fc4efb67f6c44da899933880e0fb828f1d9910e0a93f3d0a38b8f63c1b8944c32acd513c1e2a849e1ab907c8c36d1
SSDEEP

1536:fPpWAGJaO96MjXuDK7ZLUj09iJYNYTbP0i7+7nW4DX6fl:pUJaBQ7ZLUj09iJYNYTbPinWMK9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fobiilai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe

Executes dropped EXE 64 IoCs

pid	Process
2488	Dhcnke32.exe
4892	Domfgpca.exe
5112	Dchbhn32.exe
1228	Efgodj32.exe
2636	Ehekqe32.exe
2992	Eoocmoao.exe
4352	Ebnoikqb.exe
2000	Ejegjh32.exe
5104	Epopgbia.exe
4776	Eoapbo32.exe
2120	Ebploj32.exe
5024	Ehjdldfl.exe
4580	Eleplc32.exe
876	Eodlho32.exe
3684	Ebbidj32.exe
2876	Ejjqeg32.exe
1552	Ehlaaddj.exe
432	Eofinnkf.exe
1956	Ebeejijj.exe
3680	Ejlmkgkl.exe
4836	Emjjgbjp.exe
4392	Eoifcnid.exe
3844	Fbgbpihg.exe
4356	Fjnjqfij.exe
4844	Fmmfmbhn.exe
3688	Fokbim32.exe
220	Fbioei32.exe
3244	Ffekegon.exe
4056	Fmocba32.exe
1032	Fqkocpod.exe
3140	Fcikolnh.exe
5080	Fjcclf32.exe
4320	Fmapha32.exe
964	Fbnhphbp.exe
4260	Ffjdqg32.exe
2848	Fmclmabe.exe
928	Fqohnp32.exe
552	Fobiilai.exe
4900	Fbqefhpm.exe
3700	Fflaff32.exe
1572	Fijmbb32.exe
444	Fqaeco32.exe
5048	Gcpapkgp.exe
2256	Gimjhafg.exe
1180	Gqdbiofi.exe
1320	Gbenqg32.exe
2540	Gfqjafdq.exe
1924	Gmkbnp32.exe
3264	Goiojk32.exe
728	Gbgkfg32.exe
4460	Gfcgge32.exe
4464	Gjocgdkg.exe
3472	Gmmocpjk.exe
760	Gpklpkio.exe
3148	Gcggpj32.exe
3392	Gfedle32.exe
968	Gjapmdid.exe
4116	Gqkhjn32.exe
796	Gpnhekgl.exe
4944	Gbldaffp.exe
3056	Gjclbc32.exe
3768	Gmaioo32.exe
5076	Gameonno.exe
1904	Hclakimb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Eodlho32.exe	Eleplc32.exe
File opened for modification	C:\Windows\SysWOW64\Ehlaaddj.exe	Ejjqeg32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Domfgpca.exe	Dhcnke32.exe
File created	C:\Windows\SysWOW64\Fbioei32.exe	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Fcikolnh.exe	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fbnhphbp.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Ckfliccm.dll	Ffekegon.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fqaeco32.exe
File opened for modification	C:\Windows\SysWOW64\Hpbaqj32.exe	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Eleplc32.exe	Ehjdldfl.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Ebeejijj.exe	Eofinnkf.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Chkede32.dll	Eoocmoao.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ebploj32.exe	Eoapbo32.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Ehekqe32.exe	Efgodj32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Ehekqe32.exe	Efgodj32.exe
File created	C:\Windows\SysWOW64\Gbenqg32.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Jqqjmnii.dll	Ebploj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5608	6944	WerFault.exe	275

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dchbhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chkede32.dll"	Eoocmoao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfedle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfmmb32.dll"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpdme32.dll"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhilofo.dll"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngiehn32.dll"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfppi32.dll"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmihaj32.dll"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 2488	4256	08e44207ef1fe368b5d18b3f89130e1c3544d9385c64be4f4bbb90ac070bc695_NeikiAnalytics.exe	82
PID 4256 wrote to memory of 2488	4256	08e44207ef1fe368b5d18b3f89130e1c3544d9385c64be4f4bbb90ac070bc695_NeikiAnalytics.exe	82
PID 4256 wrote to memory of 2488	4256	08e44207ef1fe368b5d18b3f89130e1c3544d9385c64be4f4bbb90ac070bc695_NeikiAnalytics.exe	82
PID 2488 wrote to memory of 4892	2488	Dhcnke32.exe	83
PID 2488 wrote to memory of 4892	2488	Dhcnke32.exe	83
PID 2488 wrote to memory of 4892	2488	Dhcnke32.exe	83
PID 4892 wrote to memory of 5112	4892	Domfgpca.exe	84
PID 4892 wrote to memory of 5112	4892	Domfgpca.exe	84
PID 4892 wrote to memory of 5112	4892	Domfgpca.exe	84
PID 5112 wrote to memory of 1228	5112	Dchbhn32.exe	85
PID 5112 wrote to memory of 1228	5112	Dchbhn32.exe	85
PID 5112 wrote to memory of 1228	5112	Dchbhn32.exe	85
PID 1228 wrote to memory of 2636	1228	Efgodj32.exe	86
PID 1228 wrote to memory of 2636	1228	Efgodj32.exe	86
PID 1228 wrote to memory of 2636	1228	Efgodj32.exe	86
PID 2636 wrote to memory of 2992	2636	Ehekqe32.exe	87
PID 2636 wrote to memory of 2992	2636	Ehekqe32.exe	87
PID 2636 wrote to memory of 2992	2636	Ehekqe32.exe	87
PID 2992 wrote to memory of 4352	2992	Eoocmoao.exe	88
PID 2992 wrote to memory of 4352	2992	Eoocmoao.exe	88
PID 2992 wrote to memory of 4352	2992	Eoocmoao.exe	88
PID 4352 wrote to memory of 2000	4352	Ebnoikqb.exe	89
PID 4352 wrote to memory of 2000	4352	Ebnoikqb.exe	89
PID 4352 wrote to memory of 2000	4352	Ebnoikqb.exe	89
PID 2000 wrote to memory of 5104	2000	Ejegjh32.exe	90
PID 2000 wrote to memory of 5104	2000	Ejegjh32.exe	90
PID 2000 wrote to memory of 5104	2000	Ejegjh32.exe	90
PID 5104 wrote to memory of 4776	5104	Epopgbia.exe	91
PID 5104 wrote to memory of 4776	5104	Epopgbia.exe	91
PID 5104 wrote to memory of 4776	5104	Epopgbia.exe	91
PID 4776 wrote to memory of 2120	4776	Eoapbo32.exe	92
PID 4776 wrote to memory of 2120	4776	Eoapbo32.exe	92
PID 4776 wrote to memory of 2120	4776	Eoapbo32.exe	92
PID 2120 wrote to memory of 5024	2120	Ebploj32.exe	93
PID 2120 wrote to memory of 5024	2120	Ebploj32.exe	93
PID 2120 wrote to memory of 5024	2120	Ebploj32.exe	93
PID 5024 wrote to memory of 4580	5024	Ehjdldfl.exe	94
PID 5024 wrote to memory of 4580	5024	Ehjdldfl.exe	94
PID 5024 wrote to memory of 4580	5024	Ehjdldfl.exe	94
PID 4580 wrote to memory of 876	4580	Eleplc32.exe	95
PID 4580 wrote to memory of 876	4580	Eleplc32.exe	95
PID 4580 wrote to memory of 876	4580	Eleplc32.exe	95
PID 876 wrote to memory of 3684	876	Eodlho32.exe	96
PID 876 wrote to memory of 3684	876	Eodlho32.exe	96
PID 876 wrote to memory of 3684	876	Eodlho32.exe	96
PID 3684 wrote to memory of 2876	3684	Ebbidj32.exe	97
PID 3684 wrote to memory of 2876	3684	Ebbidj32.exe	97
PID 3684 wrote to memory of 2876	3684	Ebbidj32.exe	97
PID 2876 wrote to memory of 1552	2876	Ejjqeg32.exe	98
PID 2876 wrote to memory of 1552	2876	Ejjqeg32.exe	98
PID 2876 wrote to memory of 1552	2876	Ejjqeg32.exe	98
PID 1552 wrote to memory of 432	1552	Ehlaaddj.exe	99
PID 1552 wrote to memory of 432	1552	Ehlaaddj.exe	99
PID 1552 wrote to memory of 432	1552	Ehlaaddj.exe	99
PID 432 wrote to memory of 1956	432	Eofinnkf.exe	100
PID 432 wrote to memory of 1956	432	Eofinnkf.exe	100
PID 432 wrote to memory of 1956	432	Eofinnkf.exe	100
PID 1956 wrote to memory of 3680	1956	Ebeejijj.exe	102
PID 1956 wrote to memory of 3680	1956	Ebeejijj.exe	102
PID 1956 wrote to memory of 3680	1956	Ebeejijj.exe	102
PID 3680 wrote to memory of 4836	3680	Ejlmkgkl.exe	103
PID 3680 wrote to memory of 4836	3680	Ejlmkgkl.exe	103
PID 3680 wrote to memory of 4836	3680	Ejlmkgkl.exe	103
PID 4836 wrote to memory of 4392	4836	Emjjgbjp.exe	104

C:\Users\Admin\AppData\Local\Temp\08e44207ef1fe368b5d18b3f89130e1c3544d9385c64be4f4bbb90ac070bc695_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\08e44207ef1fe368b5d18b3f89130e1c3544d9385c64be4f4bbb90ac070bc695_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Windows\SysWOW64\Dhcnke32.exe
  C:\Windows\system32\Dhcnke32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\Domfgpca.exe
    C:\Windows\system32\Domfgpca.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\SysWOW64\Dchbhn32.exe
      C:\Windows\system32\Dchbhn32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5112
    - - C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
      - C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        24⤵
        Executes dropped EXE
        
        PID:3844
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        25⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        30⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:964
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        36⤵
        Executes dropped EXE
        
        PID:4260
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        37⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:444
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        47⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        49⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        54⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        55⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        58⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        60⤵
        Executes dropped EXE
        
        PID:796
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3420
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        69⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        70⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        71⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        72⤵
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1908
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        74⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        75⤵
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4604
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        77⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3016
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        79⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        80⤵
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        81⤵
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        82⤵
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        83⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        84⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        85⤵
        
        PID:392
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        86⤵
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        87⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        88⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5196
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        91⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5344
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        93⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        94⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        95⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        97⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        100⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        101⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        103⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        106⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        108⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        111⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        112⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        116⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        117⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5756
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        120⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        127⤵
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        130⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        131⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        134⤵
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        136⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        137⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        139⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        143⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        146⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        147⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        148⤵
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        149⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        150⤵
        Drops file in System32 directory
        
        PID:6432
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        151⤵
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        152⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        153⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        154⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6656
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        156⤵
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        157⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        158⤵
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        161⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        162⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        163⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        164⤵
        Drops file in System32 directory
        
        PID:7060
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7108
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        166⤵
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        168⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        169⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6448
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6648
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        174⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        177⤵
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6996
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        180⤵
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        181⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6484
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        184⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6700
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        186⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        187⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6944 -s 212
        188⤵
        Program crash
        
        PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6944 -ip 6944
1⤵
PID:7116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
63KB

MD5
224bd84dba9e66f0cb0f21549f033e08

SHA1
bc636c574c166ff5f2596bf6a0ea7ce62a89b705

SHA256
a2dcad88977b3bc8744a98d9605a2a9635ae2252aa62222213018a5555319b01

SHA512
b000083349d443f308a26dd335bffbf5009ff21fab71a570b4e590f6a8a1dea3146bdbd08fee58d095640b1b281cedfc95aa66905f8dca5b292e7a80c93064bf

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
63KB

MD5
265c7212fb53316dbf19796a944eedc7

SHA1
edae706b22856b6c00fdcd3553829ac76c33e8ed

SHA256
3346bbef3a20de4e7c0eda2dc070b4f255ea5059ecf6ddd2071b0183c3a6fe49

SHA512
62c2b53f78b3b7e9b26808f40522dbedc21e511caf223b5c695a8506159d031a2499e54665b3e5b8e4391674716f3b83f1921d06fbdbf3853f1765f447385034

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
63KB

MD5
251c2bd3bec842330e8971eefda696e1

SHA1
70154f8a997510b9dff6fe1eb578d85a1741a48c

SHA256
b591c3312c7888203a0e69a030c1007429cd276f10d0c8e9f10d47f273078c5b

SHA512
111286ff037b1c7d6862a9d63ebdee6be011c591352406a7a232f2dedbd1c9951ad9e4d18cc3f2cc4d6d07fa50e8c25f99cd0c8124b1f06a2810de0273a2f4d2

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
63KB

MD5
392e33b74a8c8ede8d8de88e6466e751

SHA1
9da3362eebc2f959ab28a068ca99c950c9e93c85

SHA256
374260a1d5415b9c371517aa4dcf376603e888c856997a07cdeede379728c6d4

SHA512
d35237124f3c199e3e379e24fe9dda8c894a9c3f11f12e0a694e879c0d58bfa181b6a37cd07ebd572a901405724e6d932fe5fd26db63df13b9a655d9c45fd1d0

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
63KB

MD5
cb443d40556fa8d3f7da266783851cf1

SHA1
89e62688886a43982631ca652d64ebe1632d971f

SHA256
468ce4494996838cd51f24c409a57268e9db1066e7a15102d4332a25612bc31a

SHA512
539bdf4cea6dd7c21516a6acdb2897f70434275d1813d14c15b399f7db94c25a3370ba0d250c65ac71cd85bcfb9e08a437fb42716ca115a2bfdd35eac5d2d045

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
63KB

MD5
a32c5f589d0335fe44273a41ed335fed

SHA1
9299f73c45c5983b231783b2ea25d81638e274b6

SHA256
d655408c9b7873d81e9b37c43d9381bf86fedb01a3cbdca69e08d22d573e2b9d

SHA512
23e5043203f8a469db00b94f8077408cd59c0d0aa9c3f93b4a85e1e856f5b77b3e2c51f02b2efd2a4452daf6cf2e7336a3c5cd7ca2d7c17707fdf78b5b316f22

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
63KB

MD5
92d27b745a15244403b80882225d84c3

SHA1
f47d163e8081a1d91b0ee3050b578eba835ae712

SHA256
b7845a983fd4a78efce81ddca1cadf2f8a2b058d0c3efa2dcaa302ed99bfa81f

SHA512
3035a9a165cede79451c552bdfc2447273b34aaecf8c27a8d36225eb9ee796cf9466b4327e7e43501da9d2efa9f9849119657c5b34ae7536f80982caacde5e28

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
63KB

MD5
d6bdbc8e144a94b498ac180094dee1db

SHA1
28d39207d9aa42f7d276608b7576f87e78149a79

SHA256
0391661686d880999ff5f9e609e8e4f750cf8d547478622d0f2439c96fe4b0cb

SHA512
ee31bb1edbdf9ce41307d4a8266e0662ca8e347bee6621e7221ec8c304ceefe33aba3d7c53d756b7c01c04f659eec93c5b2593c634d802d351a3df0469f42b73

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
63KB

MD5
c8e9e84e81e6adad7a6386933c4fab48

SHA1
c9d47fd1d525e3281b2b4fc32e7bce7f03b28a1e

SHA256
7bdc4cf3b8cd0956c42c0a61d30b4a999a7af5447e76c81b089657702c789e1e

SHA512
98256833df145049ec1a5d67c5945ed18edb1a3575e1996a564da27052fa9f2cd91243accd36754e137ede1c072cce1a3c021ddabec89762ffd5729e6d5ecbba

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
63KB

MD5
52d74b7ae3c9077cce36f6f5faa678cf

SHA1
704aa16cd22043a95fd082cc0df3ecbef23ac39d

SHA256
218d27ead45b57efa949f6ba46ae3333ad20c86f5fcefa39316ee5fb7a4b9fcc

SHA512
6e275ce2d6521b0cf16c06770c7e5584d744532d23a28930fead486eba2f90c511e3bf122d4797ef92b50c22f15f70a217e40c922010538d4e9d5f8b0d303e3a

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
63KB

MD5
409fb18f12f55e71ceb73ab5c6bb64aa

SHA1
11b133f069aa2ab3354955256e9c9a44b0c4a378

SHA256
0b00b06edbf57273d510da03afda9397a435a5a7015aa76dc4b4fcfe8ffb1634

SHA512
2ac6714814f56cf626243c83fbf841ff857c979b0193855e73265d232c07c1c39be4c5c2dbdfac0ef0d52aae3a2aa917a62a36c2dec2df015e79ba2fadf10a0b

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
63KB

MD5
9c576ac7d807f769d35b7960937ab0ef

SHA1
83d5e260a673622c5e2f37cae302f307682ca52f

SHA256
25a4d4730a768b9637bafd46e2b7c1ade0920b2fd9a2016f66510098d3c3b834

SHA512
6d665ed15932faadea19c457d411f00fcbf4d1a2ae63cd022c8acf06eb73b63d0e7d5278766147c777806c7fcfd50fedf1eb015e1893e4c62b093d6dc91154e9

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
63KB

MD5
581c4268770f5ba2b285db212ed18f1e

SHA1
a993de69b08c12b4cccf45cf2eb76fbf925e202c

SHA256
cbb68714662b0100ca1804f56e0eb74a8bed933aad956e42abca0cffa15353b2

SHA512
58c38d16508b268b1655a5c2fc144d8a3b2fb4ef9e46b9438afc40868bd597d8a64dfe725ce6f3b89d1eac9bf175182c4e826d1c385ec416622bc906d8099fe6

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
63KB

MD5
36fb35b275d4900b75939b6b04f791ec

SHA1
efd15b6e15397520f1a2a3764fe04d6909452beb

SHA256
81335e9d32ec22c5346e2d488439e060337910ef25f0293e17a55e614e37da6c

SHA512
3eb2e734ec893c65666268d6b5a4188ff76ba51048a9a804e8642e73d9fdd7c5512277a5e6df1af23283efdef582c1dacfcb94ea37cc3bfe01b61ca5dcb1aed1

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
63KB

MD5
9c0f85701e0b13f0703bec0378875dde

SHA1
7aed5f4f3c65095b78d64ed1bd7455bb009304ba

SHA256
3a53ac9eacdb4d53a8647fba3ae13704357d18b32eadbbe1692b5ac989af47c9

SHA512
59da59a76b28c13ca6dcd09a14a8a2af826f3d800b968965ad6ff6bf14eaa182f40fa0bd27e685120c565d64c7aa964611ab5f1b1157adbeec1f9e8153c13737

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
63KB

MD5
4ba2f1fc7b1089ab7f0d80efcc2d4f67

SHA1
ee8983b4003bb54904abeb3725c10207972becf5

SHA256
9c3fc71570dec494810f25de0ebf774a665a8d9b8136c0aded414210893849da

SHA512
1d892aaa2aabe76e71b6c8486ce62971c67b0c0db96b15d61abd176d23f8de3f4e691c426968ea916527483fb2ba84df703b49306111032e370e5c77da43f390

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
63KB

MD5
56fb6ae656f0000bdcac455d23a9d7f2

SHA1
22983d60605a0f0977f93563401e6f838ed27026

SHA256
986e7b2184d9fedabca09a7075ca769722ada10507f775f7ee56d492d0c38dcf

SHA512
7e67885ed1af9fcbb680ae564430c73f56946fcd31891e1c23048b1b3320029129f4ca84dd730308e21d595b97fc08adce45ed083ab807195b41ac375fa59930

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
63KB

MD5
ea1e66b8463f2ca20dab8688669146d7

SHA1
ce00963901d1a76d06941161da2e27c77c51f761

SHA256
6390a79835cebeff0f8c45e7689c6d24e6c9608e670350918a85769ae6d62d17

SHA512
bef5a0005424707c3422c8b76bcfb43543371b4feaf8d6b20591b046511ac6e33a64a08dcd01093bdcc87d589992e50fa6c8ee9f4d33324b3be999065e2784a7

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
63KB

MD5
ccf1f22b5c2c9d4a24fc67ec10d18e4d

SHA1
d41ee723557cd5e6cf85e77a411dfa882f099e08

SHA256
3b30b6fa474b5d9c7dcb41492721f0bad963f1cfbbe31f92bbe5c2c22650c90b

SHA512
5455deea52d0acfce9ea5f6dcbb909a8a7606445a8c3dcaad0daa73b725191201dffa97022ca0c39c8e14d422ddc139f8af095775d0990c4989cd81291142d53

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
63KB

MD5
6e98b089e1f5104268763e0ee4786e8a

SHA1
95545533193ab4a63e6b475ac6e1c9a6aed5b8b4

SHA256
fe46148cea861b749f97aa240ef6344b7b736528f8abeeb6cb9eacf511faa52b

SHA512
ea55348698bb54170bcc3c0af25c10f27a6f1efb6b096c8863115ddf2c12415fed29fcb6d20f17363f057529542c99805fff5fb9d4f1430907bbf0af61bddbed

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
63KB

MD5
1fb8811323ebe59f36751a7dbf13888e

SHA1
7d63f6b7936c662921320f27f0481204ef4c954d

SHA256
abf38517d58447447753641aa5ab8bae49214750b254ede143548a65d158f4c0

SHA512
9c89789480a97c914017f30ae8e6265915ad5a9ed518f0b1f10c6cdcae8b8c8cae478e4631673bf6f65b78ddcf3d54ea9c2d83dff4d7051e10150e4d2e0cbc41

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
63KB

MD5
a071f64451ba170e2c552605280472bc

SHA1
6929bcadb523e3eb69ac99d611362655258da9a0

SHA256
d7839bf9fddbeb39c7681c583f56d6117c6cb220e15ec5b45b0d7235ce9f2aa4

SHA512
3adfa36531375825e3b69b1453dfbb043ad99f0bddf21e9deca8eba54d33923c4572ff9aff018c05a77bad7aff9d3f9b7bff6b11d84407b3c0c7823c466351e5

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
63KB

MD5
d0de8d61ee460faf3ae3d61a26858a9e

SHA1
88d0c74100fd91b43411d38e9763a56457c962e9

SHA256
049e35828bbcbf83cb600bf3026443084f2a5e1da6d799b13f3feecaac6deb47

SHA512
5fb6b0106f3a3e6006f2f96bc0402bdbca19d9f3d1165e2324e57ed9ad535799075b405f53efeb0634260d2349e194459a70bd60686833f111008b0b8af72789

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
63KB

MD5
74bfb56ce1c4927405c393ea1984bdcb

SHA1
6af726be3328a0a56b2aabf7ba850ca87abae44e

SHA256
d8895d3a584f8209144b06cb68a97b44a5f7b379f4c15d62fd5e7a27a9c97cca

SHA512
514cf34c274f98f46762fa2d27595e6b8f1493d5119fc32a7d8a5ceaf2b3aac65b287ea9be26853a4a699d96747dab63d1d6461abd38a2eea2df999d93b9f74e

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
63KB

MD5
b47469088fd3aa8e59c6d33f69d17882

SHA1
c62d10d341ffae9e8808299ea8349a7d4da7d7f5

SHA256
cf3ce07c62bef0593975f4b4b64d1046c60034babe84fbf6f4098d4622a689ca

SHA512
8b111f53da5073b176188220fb175f3d7da9d93bec2d5527175e10222e66f1d3b65586eab93f215f2b34f50d60078dce5e267d6850199d01dc2815756063ec11

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
63KB

MD5
8ebd85a9764452f1997b9112f3316a04

SHA1
e0869b26553dad14ab9cba5e22500ecfd542a42e

SHA256
d2adb52c847b06eb60222aeab9592c996430a246040a6c21ea16aaf57f8ab530

SHA512
1f1cf14a2896ddfdc80de24df614f436235e04230d14ce7c7aedd89da4c25b9f1cd563af7405359970a849034877ad3db4e67e743d3d5a2715dc61736ddb3067

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
63KB

MD5
13d53a115ce8c866ce4578330f1e14ec

SHA1
130d6584e1219ecf2b25a1079d0c8ba28115ddca

SHA256
e5d7c7079fa24b6c18b6dde06593907103452b130dd5eb0f22b4ee5598e7ef10

SHA512
642b2c02f28fe092fc523e0d3421643998c77e1bf4f76db0923b32506dd8bb92145f8991aa5aab5c9b1af9f20d82b7a240ad2ef1f4702f884de3b820af9b70b2

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
63KB

MD5
92b8720ce74277a1ec7383ecf0d39479

SHA1
fcb989d4655a3e0d981bf3302454e88d5f3d4a2b

SHA256
e2eb9383dbf01e2d2589b607aa570efcefaa2e9a1506f80fc5d66ce3b26d8e2d

SHA512
879d97f27365ca89b0b61bcb1a3dd0005fb1035662f38989e67cc916f53b4afb84971ace2d84b8d82d350a14e50290e2e64575e4f42ba25edc8cc5caa1468d9f

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
63KB

MD5
d884f63a0c671c27195f38d655a1f11b

SHA1
d557a0f215e10dfa8767de45305331748411e622

SHA256
bc82f33d726a97a55aaf78c04a73531066f6a60078498d65a73407c1da8d7c03

SHA512
90ab90a39928cdfb8a866e1a71b6bc3ca562c81e9c4df031a60cb43360316e3708755cfec90a6db130e4a898c982b96da3451a5b10691b177a65b754d6cc7960

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
63KB

MD5
306d355fe7cae95075d4ef9ae5f38582

SHA1
d20b318cf512cf85273f6fb170a4f8f4dbcfd43d

SHA256
dc697f9b2ca39d22e9253dbc78f586757da618d2c18b052f78660586bc9b1cc9

SHA512
0c0435db176eb179aafecc49ff330b8cc3475d5d663b45934843c5509e483c976325806c1917b5dd57a412483011ddb93429b02aaa26b12b442f0f852d601aa8

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
63KB

MD5
f9cecf83ea980b19e3cfcb00a7d54228

SHA1
4a225a7e13e5283b07029bf52e8f0e80a2b2f0e3

SHA256
f767bb9b1c185357634791bb6ab712c6bf71ade31d96281a253a495a7b40cb21

SHA512
bcfb68716c76888ab9d42a1d267f1055337b59d378d26d21971d66b350bc8c63d4b1d1cbe60e4f740183af465d733e45bdcd2f5c4481b8d7cbc5a177abb4df8c

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
63KB

MD5
2cd1372208abee141f3487ed5f91435e

SHA1
e03bd1dd2656536866bcac71f72978d3579e334e

SHA256
0add301fd0724c12270ac5df3071dec76f23d9bc67bc8c36446309d8eeec6789

SHA512
a5bdcd20e613a4624d8e9c9ae222ce5a1ef129dde458ad378dd48709fe5cdf52a590775d46f4e34aadf49e927fd75fef805eebadef572e8badd3055575cfcd9b

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
63KB

MD5
84a6ae3642524561ab24f1761aca620b

SHA1
002d42df20c5e8a683dd2815f645b79fe7f9707e

SHA256
bad97dc60e4e2c786ad9512a16cacbfb77b56e279047be6b1f29a39c054d2c03

SHA512
4ab40dc6ec52f66ce5b06b53ca4c84855e11fb00c55b894f687bcb86ead21ff731e45e44fc68638a9bd0d791acc63c97add153097b95d491462d341ebf4c1925

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
63KB

MD5
13cd4d4099fe614abd0232a1f237575b

SHA1
71fbcf66b43d91b6c0043db473cf27a8850ad5c7

SHA256
d8563ec1376c4e002853a9981e4fe4a6371dea96836f339437eb074b53d78520

SHA512
a46896f2626036c5c17e953fd33e1138584c6ef7ec8cd187dc8c67e0bab7ab558b72920554e6d1aab76b2e150be002fa723458af9e38d5993ea8ad0d6615b898

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
63KB

MD5
ba23e29dca2fb74720d196851db5e072

SHA1
dcaea070666363f9054481d4c047496ab954510c

SHA256
f32f62636a97acbba5b68d42491330f45172d9ba3d3bd9645cc2ee1bf7b0230d

SHA512
9983ad5b0395895c381e87f7790534dd721d6abd0fe32c739a0016c0bc41a1f4ac42d639373213e2688c43f7d252e6245eafc1d07aef35d3a2a6c8813214ac16

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
63KB

MD5
93f9a94036888c7862a707fd5263faeb

SHA1
e17534624d4a9ab689b0263d881f36e1ae14817f

SHA256
efd19ade91f85334e5e9b661ea1133e0b1f4f456e00fb6f96b9960ed2ddb15a1

SHA512
d985214c646ca1fa75ff9e679318093e878478802164fa1058c2910e95b8a4474400071ea96870ff9cfcae7b039e16fd07c0497207d79ae2db40ad1b8f59348b

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
63KB

MD5
aca1e771290c4688f6aee3dc12ca9c74

SHA1
2f8335d79b2daeb73e98c113e2199cfb2ee80150

SHA256
d6e400bac55aae519c0d6046dd0e7bf72f80b7cace1b78e1312ef2fbf6a77838

SHA512
59a0ab3a7698e420d305aaa8f3b8aff5c9847e36cf37f54a427f9e4cb198d4719f565ed1a50f193a28841612e318459802789e10f8e50d13c3387714ebe10c47

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
63KB

MD5
55dcedc235c50914794360e69584f3ca

SHA1
caa65d6887540f5c7e3a2a0246eea2cc9bbf6f38

SHA256
955374d8d71856715c69b8150fd5aae9b913c5e03b79c988b184ebbabdda6a3f

SHA512
5f85b8e9821ea479a60db6ca3a97ed9b0033f45ce365cc3c3579a13df534640ac8e8f1cf9eb9e0a81775d8c8647e738c7b690af72ab340c29368726466110bec

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
63KB

MD5
24466a4b7263e19aad254bdd330c3556

SHA1
7587b203cc4816785d5616bbdb9df65fe2d9a651

SHA256
9aa18a4693c8cff6e841498f0a8bed0d646e1aee452578c331928894081a2b0b

SHA512
44f76fd4075b2c61dae59190bd3017b3394af4a0280d0de63769b6a21b833e43fa851ec1cb4009dabaa18d7fd04ec43237c1fbcc845663de8d3f3ea31af541dc

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
63KB

MD5
ab0503a819792ab307334b5f889b62ce

SHA1
77ec7fed606e2f038309b35c0d2e25ed0d0853ed

SHA256
75e1653559914352b1b66d5d5309afd0dae1a216012f3261548ae4efa6c47bec

SHA512
c2200453f64c038f97b4e57cce60c3f3b74d501650acfbc4d07bd64c0ff5aa3a62ed4f20fe4804970e7343007a68728be0f8d4d2cbed4bdc3ca2c04ed83c136e

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
63KB

MD5
84f639eb5c06c3a83a795c699cdab503

SHA1
4248190ece2c0a4c7e198a6af680e5c2e42abdab

SHA256
9327c28fcf814723ef1651ab1dcf64f15d9a6ccd5d13d9ab8e9fa912b43843ed

SHA512
b779c9e5d8408b05f61ff58c498e3c7eb56e3879d124d36c2fa3cd9c51def2f629171883b2bde66423fe1fc74b7e37ed63a3432c82a4e1ba5d1baf810eba603e

Download Submit
memory/220-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/444-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/728-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/760-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/796-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/928-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/964-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/968-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-498-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3284-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3392-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3420-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3612-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3844-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-4-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4260-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5140-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6836-1253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads