2f004cd947096da746b58bd4520c58b7d7b22b5fbe120ff15655686604518a28

Analysis

max time kernel
140s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 09:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4af516af758bc7c077751b953d143260_NEIKI.exe
Size

512KB
MD5

4af516af758bc7c077751b953d143260
SHA1

ddf029d5023d732ab98712dc659bc64e7af80bc7
SHA256

2f004cd947096da746b58bd4520c58b7d7b22b5fbe120ff15655686604518a28
SHA512

a895b24d1fcc0619dd1cbb7e6e07c69b2aa053ad9f60ec79acff9d7bdb2ab74160d115c56309903058357c0d8133e6648bd6ed0a752c3b6c1bcd254a50b902d5
SSDEEP

6144:ew/qrdQt383PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5fjlt01PB93GxK:dvr/Ng1/Nblt01PBExK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djnaji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4af516af758bc7c077751b953d143260_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ficgacna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daifnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdbojmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe

Executes dropped EXE 64 IoCs

pid	Process
2160	Djnaji32.exe
2360	Dokjbp32.exe
1520	Daifnk32.exe
4264	Dfdbojmq.exe
2716	Ebnoikqb.exe
4888	Epopgbia.exe
2812	Eqalmafo.exe
2032	Ebbidj32.exe
4112	Ejjqeg32.exe
3348	Eoifcnid.exe
2932	Ffbnph32.exe
4868	Fcgoilpj.exe
448	Ficgacna.exe
3728	Fjcclf32.exe
1728	Fqmlhpla.exe
636	Fbqefhpm.exe
1212	Fijmbb32.exe
884	Gbcakg32.exe
1584	Gjlfbd32.exe
3376	Gqfooodg.exe
2268	Gmmocpjk.exe
2628	Gcggpj32.exe
2080	Gcidfi32.exe
1968	Gameonno.exe
4956	Hihicplj.exe
3240	Hfljmdjc.exe
2560	Hcqjfh32.exe
1780	Hadkpm32.exe
4496	Hbeghene.exe
2412	Hpihai32.exe
3560	Haidklda.exe
444	Ibjqcd32.exe
3508	Ijaida32.exe
1196	Ifhiib32.exe
4636	Imbaemhc.exe
4004	Ibojncfj.exe
1404	Ifjfnb32.exe
548	Iiibkn32.exe
1200	Iapjlk32.exe
3936	Ibagcc32.exe
3012	Iikopmkd.exe
2692	Imgkql32.exe
4232	Idacmfkj.exe
2416	Ijkljp32.exe
1524	Imihfl32.exe
5092	Jpgdbg32.exe
2220	Jbfpobpb.exe
3596	Jiphkm32.exe
3788	Jdemhe32.exe
4940	Jfdida32.exe
4100	Jmnaakne.exe
3116	Jfffjqdf.exe
4448	Jidbflcj.exe
1092	Jdjfcecp.exe
4104	Jfhbppbc.exe
2240	Jigollag.exe
2468	Jdmcidam.exe
4748	Jbocea32.exe
4148	Jiikak32.exe
3356	Kaqcbi32.exe
4612	Kbapjafe.exe
388	Kilhgk32.exe
1464	Kpepcedo.exe
936	Kbdmpqcb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Fijmbb32.exe	Fbqefhpm.exe
File opened for modification	C:\Windows\SysWOW64\Hihicplj.exe	Gameonno.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Chkede32.dll	Dfdbojmq.exe
File opened for modification	C:\Windows\SysWOW64\Ficgacna.exe	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Lihoogdd.dll	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Eqalmafo.exe	Epopgbia.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mhollf32.dll	Djnaji32.exe
File created	C:\Windows\SysWOW64\Epopgbia.exe	Ebnoikqb.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Djnaji32.exe	4af516af758bc7c077751b953d143260_NEIKI.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Ppgjkamf.dll	Ejjqeg32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Fcgoilpj.exe	Ffbnph32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Odhibo32.dll	Gqfooodg.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Haidklda.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Eoifcnid.exe	Ejjqeg32.exe
File opened for modification	C:\Windows\SysWOW64\Fqmlhpla.exe	Fjcclf32.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jbocea32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5284	6004	WerFault.exe	205

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4af516af758bc7c077751b953d143260_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmkpqcp.dll"	Daifnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhollf32.dll"	Djnaji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmige32.dll"	4af516af758bc7c077751b953d143260_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djnaji32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 2160	3400	4af516af758bc7c077751b953d143260_NEIKI.exe	83
PID 3400 wrote to memory of 2160	3400	4af516af758bc7c077751b953d143260_NEIKI.exe	83
PID 3400 wrote to memory of 2160	3400	4af516af758bc7c077751b953d143260_NEIKI.exe	83
PID 2160 wrote to memory of 2360	2160	Djnaji32.exe	84
PID 2160 wrote to memory of 2360	2160	Djnaji32.exe	84
PID 2160 wrote to memory of 2360	2160	Djnaji32.exe	84
PID 2360 wrote to memory of 1520	2360	Dokjbp32.exe	85
PID 2360 wrote to memory of 1520	2360	Dokjbp32.exe	85
PID 2360 wrote to memory of 1520	2360	Dokjbp32.exe	85
PID 1520 wrote to memory of 4264	1520	Daifnk32.exe	86
PID 1520 wrote to memory of 4264	1520	Daifnk32.exe	86
PID 1520 wrote to memory of 4264	1520	Daifnk32.exe	86
PID 4264 wrote to memory of 2716	4264	Dfdbojmq.exe	87
PID 4264 wrote to memory of 2716	4264	Dfdbojmq.exe	87
PID 4264 wrote to memory of 2716	4264	Dfdbojmq.exe	87
PID 2716 wrote to memory of 4888	2716	Ebnoikqb.exe	88
PID 2716 wrote to memory of 4888	2716	Ebnoikqb.exe	88
PID 2716 wrote to memory of 4888	2716	Ebnoikqb.exe	88
PID 4888 wrote to memory of 2812	4888	Epopgbia.exe	89
PID 4888 wrote to memory of 2812	4888	Epopgbia.exe	89
PID 4888 wrote to memory of 2812	4888	Epopgbia.exe	89
PID 2812 wrote to memory of 2032	2812	Eqalmafo.exe	91
PID 2812 wrote to memory of 2032	2812	Eqalmafo.exe	91
PID 2812 wrote to memory of 2032	2812	Eqalmafo.exe	91
PID 2032 wrote to memory of 4112	2032	Ebbidj32.exe	92
PID 2032 wrote to memory of 4112	2032	Ebbidj32.exe	92
PID 2032 wrote to memory of 4112	2032	Ebbidj32.exe	92
PID 4112 wrote to memory of 3348	4112	Ejjqeg32.exe	93
PID 4112 wrote to memory of 3348	4112	Ejjqeg32.exe	93
PID 4112 wrote to memory of 3348	4112	Ejjqeg32.exe	93
PID 3348 wrote to memory of 2932	3348	Eoifcnid.exe	94
PID 3348 wrote to memory of 2932	3348	Eoifcnid.exe	94
PID 3348 wrote to memory of 2932	3348	Eoifcnid.exe	94
PID 2932 wrote to memory of 4868	2932	Ffbnph32.exe	95
PID 2932 wrote to memory of 4868	2932	Ffbnph32.exe	95
PID 2932 wrote to memory of 4868	2932	Ffbnph32.exe	95
PID 4868 wrote to memory of 448	4868	Fcgoilpj.exe	96
PID 4868 wrote to memory of 448	4868	Fcgoilpj.exe	96
PID 4868 wrote to memory of 448	4868	Fcgoilpj.exe	96
PID 448 wrote to memory of 3728	448	Ficgacna.exe	98
PID 448 wrote to memory of 3728	448	Ficgacna.exe	98
PID 448 wrote to memory of 3728	448	Ficgacna.exe	98
PID 3728 wrote to memory of 1728	3728	Fjcclf32.exe	99
PID 3728 wrote to memory of 1728	3728	Fjcclf32.exe	99
PID 3728 wrote to memory of 1728	3728	Fjcclf32.exe	99
PID 1728 wrote to memory of 636	1728	Fqmlhpla.exe	101
PID 1728 wrote to memory of 636	1728	Fqmlhpla.exe	101
PID 1728 wrote to memory of 636	1728	Fqmlhpla.exe	101
PID 636 wrote to memory of 1212	636	Fbqefhpm.exe	102
PID 636 wrote to memory of 1212	636	Fbqefhpm.exe	102
PID 636 wrote to memory of 1212	636	Fbqefhpm.exe	102
PID 1212 wrote to memory of 884	1212	Fijmbb32.exe	103
PID 1212 wrote to memory of 884	1212	Fijmbb32.exe	103
PID 1212 wrote to memory of 884	1212	Fijmbb32.exe	103
PID 884 wrote to memory of 1584	884	Gbcakg32.exe	104
PID 884 wrote to memory of 1584	884	Gbcakg32.exe	104
PID 884 wrote to memory of 1584	884	Gbcakg32.exe	104
PID 1584 wrote to memory of 3376	1584	Gjlfbd32.exe	105
PID 1584 wrote to memory of 3376	1584	Gjlfbd32.exe	105
PID 1584 wrote to memory of 3376	1584	Gjlfbd32.exe	105
PID 3376 wrote to memory of 2268	3376	Gqfooodg.exe	106
PID 3376 wrote to memory of 2268	3376	Gqfooodg.exe	106
PID 3376 wrote to memory of 2268	3376	Gqfooodg.exe	106
PID 2268 wrote to memory of 2628	2268	Gmmocpjk.exe	107

C:\Users\Admin\AppData\Local\Temp\4af516af758bc7c077751b953d143260_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\4af516af758bc7c077751b953d143260_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Windows\SysWOW64\Djnaji32.exe
  C:\Windows\system32\Djnaji32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\Dokjbp32.exe
    C:\Windows\system32\Dokjbp32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\SysWOW64\Daifnk32.exe
      C:\Windows\system32\Daifnk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4264
      - C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        24⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3560
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        35⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        37⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        47⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        50⤵
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        55⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        61⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2500
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:116
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        68⤵
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        71⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        72⤵
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        74⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        75⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        80⤵
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3068
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        84⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        86⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        87⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        92⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        100⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        101⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        104⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        111⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        112⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        116⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 408
        117⤵
        Program crash
        
        PID:5284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6004 -ip 6004
1⤵
PID:6140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daifnk32.exe

Filesize
512KB

MD5
dd35cca96f4350d28f44d556a5826d8c

SHA1
a0143cdba7df357521237a43a4dac7e5a2ac04a9

SHA256
291cdbae3846e5258111cfa6f51748affb123a6a8789ebb661b39981eb9a70f5

SHA512
6b69ef6e156e76dcb29c0e5745a6f8d07b4874eb8ac7f2947f6308c9691f2795a3a9bf651b596dc7d4a454f6395310610c1ebd2ab2e5a255ffaef5c795c63c4a

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
512KB

MD5
4fa7af4971e4fcba785cda4fe4f0bdd7

SHA1
6190a34c3170d05e977a81cf036f60ba0b34821d

SHA256
1ae2f659b910260925a058e6f3f01c86eedf8eabcc80399d1e5d63c8d229b59b

SHA512
cf4aa8adf96a6ad7f824f4e2fe841b6f47563ec8591047ce79ef70043913e2903793e8a5ccd2e8c16350862f391fc8eb334067834ca98ab90a63cd9a8030459b

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
512KB

MD5
1e0aa68ab0d01fa659a9b9ab3b9ba196

SHA1
fe743d90b232af0f79cfaa4cff2a44e0b516b6b5

SHA256
58bb2d3bee33f15ee40316da6887283419152dadb1897615ba883f31c954c630

SHA512
42b93442fa2a8fafbdd9b6c05275bb2a9728fa4997c066cef37a0b9314e7b1cc3b05eabb8d536fe30243a35328ec47fd423eaf30515e55a111ce31d4834bc772

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
512KB

MD5
020111c28ec3e9af530a124140583421

SHA1
9cc181a5458ad142274dcaa3c7615df5e3ba193a

SHA256
53f958a7329aee3f57daa5c8697230118a8449e2bdff2bb98fa6843afe057b54

SHA512
4fff7716bdfd8b40ebe346055a0cae3f871f8debbc06d3aefbd9c9cf06ffa999ef640593615ee2f78b618566d727b57f3f77758e923563cd51cc7c229abcfc66

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
512KB

MD5
254ccf3ca763427aa91b1d5a892d63d4

SHA1
659554bfe045b539986fbea07e8a7451a472d8eb

SHA256
ece507c7b2a847c53f07e89618bc8bed33757c6a270302e5cfc4800656971b78

SHA512
a5453da58299a06bc69040ddcaf7fae5dabd88c369db1753318f9169efcb814acc35a17d6bae575f21407937aa760baf01264eee0891e20675a9d5223f684ebd

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
512KB

MD5
4d08694444f616d53bbcb11022663f4f

SHA1
3e365f12fdb6854f944f49d7c0a50ebdacf90e7b

SHA256
63cdb93cde5c70ab816049b07f5b7ed585878e0a41c74c1174ed6d9ff59402ec

SHA512
be4ef813062c30af9c1790ae0df4060a58275f8a16f39ab064ded3d6f7fa10bc54bec87329dbdbf9fbc06bc98c9b9bf265e9ea3909ede1b0cbccd0c310e4d3e7

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
512KB

MD5
94b9464576a1439cc4b1a601ef549c8d

SHA1
891bba465f3e41b284d1e4d81408f0fa7e8bf4ec

SHA256
dd3064c5536ab93270caf9ef7ef6d95d32baf8570a5f067f4b977cef671b3c93

SHA512
85a1f6ae491170ffc17a4f784741cfed18662e986f0f27debcd82376c79bdd488eae7fde11a51d57e101e8ff1a3bd523a1c7354043bb48ec6242498589a2b94d

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
512KB

MD5
3cab72a49cab8da7dee339da58728b16

SHA1
8847e0181f5d825d48b0b6577f0e4456b971ec61

SHA256
9f0e9b19852aee4932a7e53bc0fa4f91c504f8cce8287f4a3a45ed9b339a8699

SHA512
4cc624c6b492f67eb0b8736b96f51936a8f4153dd51f4aba68ff3107e9252e3af5673e942a30a57c5fc9e93120300a05548370bbcf51c202e6db4c880f11e961

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
512KB

MD5
fe15b2c1f217e8ebc258ef4fb05f262c

SHA1
517ca95c27aa78263bd774914a864167ff23a31d

SHA256
3e48f0ee14ec9d670f51f91d8025be52cebaf901f00afe339946342106b596df

SHA512
fb0fc28d73d73dc966c3b3dac14f439f66b5542fc6ce95d87d1acb3b410401a45e4483fa2d4d10b2e54c16bac5fb10db68061c41b3968e0b8298d2fc4499eb6a

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
512KB

MD5
30118bc9cdd9ae713c8be3090aa26b6d

SHA1
605fd3a9e2f4aa15a17fa829107a4648338c97d9

SHA256
b75a3de710ba7645a85a57fb2c15a1e0b519aa66253a3f312c07848690611a80

SHA512
94c27c7e86d1953e13f8bb343b16db27bdcc2289612b4de5de0a8c2b273a5e9139c1cff3283179edea758a2e4019abe3d35dd8f0cf06da135e93030468694668

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
512KB

MD5
45899f3c43bfb0f3a1dc59fcf0cf3a1a

SHA1
b4096e5f3426342c02c1b4c193cf34130fac01c6

SHA256
2dc36b8aef7c821f4304da5fdd2976e521a0e6b2b3d9483221305bf985ace80d

SHA512
0ed5821fc472768395cda83b3a868ed6e194007a113cdea6c36a61018646617016f44e11705533282ddafc155e7923dbf7a4c40daa074cf5b33b528ec198632e

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
512KB

MD5
442d5b72517503645429c32ce2a54067

SHA1
bb304f8f5f7e796979cd71036d448a62f79af69c

SHA256
7b1bb2b93d956a9fb18b9c1aca978b7f12b262ba1d2bf7771769560115f351bc

SHA512
65a88fd68a35070bbd27acfe2fa2f04d730aae8a621d4ece6f74dd281a7043af3c678dc946ff92d12b5e0d3d3d2725cfb4115c4914e216f7cfe2710c9219c943

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
512KB

MD5
b993d9e17b0cee3ed165b81953aa3ed5

SHA1
485c336315bb4110e41db589866b037c4b10f0a7

SHA256
275e5d3b924e7d89fcba423b24ec37abc03dce004a02b66980e84b4481513e4e

SHA512
de61ceb908ebe3e495ccbf663b05b372968d92d7c8713dfcd5710e0dfb65f5dde8a898b96e3587e1d594c2f7af5032767f29e76e2269a66c88adc0986b72d464

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
512KB

MD5
de685d48113dcdbea4b83b9c7ed2be10

SHA1
e27ad8eaa2b1a2f201f88d23e2cecdf59f1f58a7

SHA256
fcd41d1861d3b38a81b70e19eae1a82edac936bfe0035885b6a9c626830a1bc4

SHA512
e30bbe02c5dfdc80d45ee057908d0054503aec7bfbabab00d8da7f1aad3aacd6c818a6ef58ed52efc99eda988e192676ecdfeca4cf12f91992194ef806bee9a8

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
512KB

MD5
932e5fee424515f437d8015173816997

SHA1
79795bbddfef6454826add6aaf40a3dbbe3ea9a9

SHA256
8a3f5d92fe9bd97d8dec9b50b291e59c24e2552dab5af7c30b12a855859db3ef

SHA512
837d78d831a0a9ce67a580f0f8631809676945f290bacb58aa0457348035b39c1c83dcf46df5940b08cbdb4d695e9f58d0f2eafba069c2b699382e08e51e4791

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
512KB

MD5
afb06bc04bd5a780e0c420f9ae24e03c

SHA1
a7196d9583304bf831f87e6d2ae6b0377531d419

SHA256
13a89b61b86838d0ba82127f54ec174eddc98629652283b1772fdaec5ea6ccd3

SHA512
385f23ca605d0ab9362ffc2bedf6256f1c34ba5d1a5b310b9e1e93dc324d8e450d4f33e2dbdcc3d2460de8047e555c4def8f3550b02bc731870fa5f1a59e58c9

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
512KB

MD5
e1c6c5f498068a25147242374811fd9a

SHA1
3f07b990b175dfe4e19ff00e40ae12a48b7336b1

SHA256
7dc8e05b9ed002975d592b863aa0635290ab94de985030c342eb54da865a2899

SHA512
ba341b4c0efacfec5dbd1308f5b02cfc523e0c150192d8cdf0166e4fb43b974b17b069ab706722761749ffe9d2d52448b8131dc72379f2f1ecc05de583c3af70

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
512KB

MD5
3e071bbbb300598b812974b519c505a0

SHA1
4ea97386d19bb3fb8549f7d8a9cc4b1d9b1f67e9

SHA256
04d066f4bdd13f0d8d410dd3316302888b8b2889fb17f1a3ace814cc5d56e7c9

SHA512
e7d5db9cf973c35f28bab871a215a8a1911dad73a682d8cf069f89ca36a44e1e2f3540a78d820462cdff2b5e8ae0a5061905e0b4d1d1049bacc1e29e83b7adfc

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
512KB

MD5
2dd76b052ae6bda98e97a9c90e725cb8

SHA1
7ad1c015c0e2e097790a75e40fb6dce850008896

SHA256
7caf21b3851d82ea0b32cdc3d863970f58c0679464010deb820ac0918f773ef5

SHA512
c15aa94943acb5ae9d72c6f8fe2206aafb96ebdeb7a336a206e4d98e5b04ef83dc8709789380d185c46d2167ed586dbca38a87ec3a5934c2953f0a8389c08caf

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
512KB

MD5
2978cf7d7c0e9fd1037327f91b1a432c

SHA1
639ec77d98466c367b11328d6460697f70d154ff

SHA256
18c38d42d123abebe1775f4ca977f6587da590f36993b72ef8b67768bbbf8cc3

SHA512
467e675f0844b29758afc89faebbdd60deaac0e21897117674cc0540f7b7bcee2601b847633075ddcfc960155cdf5b4f2516ca8dabb59b1adf4425b725b9b95d

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
512KB

MD5
f46d94fc663560573f1e3954b05fa89c

SHA1
8a3a0f6d6325e6aae61f1c7ffd0006dddd5018ef

SHA256
3d924468b43d01ef2f7f454d668b934eeda7507f000cdc7ed4cc4809e0aa2d85

SHA512
bfb1d2d2bc38a85af2421066320939188658d128b30c228d4784cf784faba4cdf506dcd98871c8518f468ebb4b75e08a53bc182a028dc4b552da8ea643e25f02

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
512KB

MD5
9f24ea7bd29aef9317dd58c9a67c1d82

SHA1
0a7ecb698bf29b80bdb0bb3b14f389f182219b98

SHA256
12b3a3a5558bacfbe49bd565260c9a91ddf470d45fd25544411928e8a65610d2

SHA512
90831e3db7f0bf83c45658c992361fa6d2aa04be53dc9b263e7577a8ea484a6f1b3aaf1b3ed92eee155d4430b242be6031ca39528bc32f8bd8d33689b0282b10

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
512KB

MD5
ea1bb5af2085c7ea82e8e0200c877509

SHA1
8e7e3ebf58d09e1a9ac4875864838293f1e49a64

SHA256
f06247cc2da3d8e76074b1e088b149efb268e824e82521df6f22fb4813f18c40

SHA512
56b1e6db0fdf7b7fb07983d21f194a1bdbd4a81f1f17edc14826c8cf14fd3f2e4485d3b43b041a75f39dbb4bd559ee49c5299f10a8803587590619c93f8620ef

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
512KB

MD5
76c33fb84fca10de2645d89b5a608e00

SHA1
2ce6b05cfc3b4cf697082dcc5f56b8eba588f457

SHA256
de9602e3eb17a27f266e522455f9ebc914f17e5d3e1f22551562d97013d29e54

SHA512
617a35ccd494900ace2add68fd653d11e1edfba87850cb52968a625c1ca844353eb7ca49ef66755bd31bed40e793e6d38765aff9506455afe7acfa6e02411960

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
512KB

MD5
3b484846240faa0ae0dc95451ad95245

SHA1
e77eb3b735317386669c426c93e65928d960d59e

SHA256
e2f2ba69f661494ce586361f12896dfd644d701e103fa7b75688973055968f88

SHA512
85ad01a3d98167faceed39e5cbee4009756b2761809e9296a2f898d0872393b2660a33b2de57c435a5c7ca5daf7764eeb9f1205611a1394c968ec6cae95468c5

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
512KB

MD5
ea306aa59a7ba8426ed98f84ef375c2a

SHA1
b81ba9d3b1ce8867bcebab986fc4c742e3f7f7fa

SHA256
ebb56a6effd8f7cb5699c0abdd8f9c5fd84e7e7c751f9098091da84758db4c14

SHA512
c691a191aa7c1bc047f745121a06cc046f1758de1b97303361780ede404682fca329d7cf730b300dbe2b02ffe4eb3b996b5cdc32c067efa68dc741fe234e2f83

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
512KB

MD5
9b2ded948933b62debacf63c27653669

SHA1
69aa64ee64f2bfcb5abdf33b60c3e97e2a02bc15

SHA256
c1b87b9f9072c9c2e532730df59e828a05185ee5958b4a7b50ffad734b534921

SHA512
8a3c9fa1ee0fbc145e64e9ee63e55c42bdd31a9f62067e6e1267ee80a7f9d68d23a2b97d9edc29689e35f58c0b466e48aacab50306a1237317d32e097d0c1b03

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
512KB

MD5
e1b5bd2c53cd459ea4b3f2e7ee18695d

SHA1
4675cedbfcce37aaaf31282f275f33f876403093

SHA256
5b639bc6831ad45ad7084f02fb4b6fd2fee60e8619e540178d07e4cce0ee1ea2

SHA512
a0eb186c0a4a4e66c9dcb662c63abc6c93fe970fcc30fdc12c638b8240442404d693f11d123761feeb45e02db30c6d19434391341ab5d9ae053ec3e4bbdc061e

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
512KB

MD5
78aa0a2ec78de9a515df4aa9b2198f04

SHA1
03586e80c0906b682225b7bd6669afc66af4e360

SHA256
58e58b0d0810cea83f8d57a7803de896be911812d4bdb56f1b324d1b4b7fbc71

SHA512
4b43e49ee010faef2744c75e25e166471e56ff1ae790e5eb6b35d787321f76b6c2809bd54f0d22d0ae66be81e989fe585ca25ea50f99f56828a841be9cf9ec57

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
512KB

MD5
666f9159cc9a41fc1de88bd48b993fd7

SHA1
65381bf116d5c2f9ceb398f5a51adb80e208f79f

SHA256
67a7f9e3e32175fe0de0a3e72894f2d46dec715f54c8b8187e543830726c5e2a

SHA512
fa974ece373959f98885bdb1212af616035093556048f0c66e23c6b8d325fbbb6124aa10fbd382691dfc09aa9329967976fba164cf9c1ba5602e090dbbaf3f59

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
512KB

MD5
366e1b1fd78e064e22dc1b0b68beac8c

SHA1
816a30c7b06aa919db4bbd8a6ee779be0e2cd1ac

SHA256
4d99fece1d29dd2bdd9821a28773b5b516a80dd3a0a4ab829249eea3740a24a8

SHA512
8329944251d148784c0fd47755cf425e13eb127a69648b6832556ae95cb1c63c627c046c28c5c6ef15b4020e1898f1664115fd4bffa171e929524db89ae33279

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
512KB

MD5
cc6a201d9fc9bab8261b6cd7c769c07e

SHA1
6e9cf5142a921449c02559c1a84e2b5c915619f3

SHA256
f6aab096a992fad6e9e174d1074b2c159cabf4078830a21b5fc2fefc8175d899

SHA512
bc1d0acf25769e2afac0620cc542de4145b672c995916e6d5e41462aade5250507cb474fbcdafe047d26093bea6fe183d6e4c26f57beaa3ae391644c26d5d8c7

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
512KB

MD5
5f047dfd1f5103ee2af2b83ffb558501

SHA1
1cc43e3209e0310ab6b5aa4a175cdfce464e70fc

SHA256
9f7343e14237ddf79a5ff72a05dea1a38d1604c01b5b5a1a31b3e4b40d8b8ea2

SHA512
bae07525713ca568e18813f8bed92c9a5aabe6c18449ba81febd518313b27496f69d749613e935e2cee15358f99b41b08f60dac0dd011457003cf94164e47117

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
512KB

MD5
c331c58d4f19df89743dfdb30a8a1625

SHA1
f16769992c3b7b1958ca29d575038f77deadf6cc

SHA256
c2eabefc0caced7d9e53c7b2fdf87ed226c84c0ea7cb37abc7d16fbb0ac9f305

SHA512
4205d353ba111cfc2b0d3cfed1133a89fd5cd12412cf91c7648a3fe73222e396c7790521f20f9c9ad22c93025e67cd875578f9f5a95f4ee18b8340e536b8d534

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
512KB

MD5
a8c6dfaaff188628a4141cf298503e45

SHA1
a55443bd0d8a943e987c57db381b282d39505a89

SHA256
7adf97c4f800235afc5b9d52a5be4aa64c6dc7f152337b7eb3e505d8955e7b60

SHA512
e0d46e97d7b8309491f1e62a461d0bbf77d8a1231d55e8cbeaf894f6a1da581cf141062e3734427feeca7045b7089aca77f75630d16240d09270925956b24e99

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
512KB

MD5
5eb0833e8873e1b8c2cbf5fc8c562a0e

SHA1
a837fd78848306fea89f9a6d69a52623c2e8c0dc

SHA256
f1a40cedabb5f3d1d1b7ea7969a9663169e3b96e15e9c94ce13b026f5c716723

SHA512
338854a51b8e4730bcc275ee98941b7c01f5854bd3e6c992a46e56f31e593bdaa1532270ce00c48fef46069b4739d8a3648f27650e43f5ecefd3170edbace961

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
512KB

MD5
de82a97835e398f88f69807daadd321e

SHA1
168d15c6f7e6546638f63f627b75ee6797e9c5dc

SHA256
6a6af945b6d9ab9f756c441529633be58ac7763b3743fe9003138dbb4a7414e4

SHA512
51b2b5160e87cd9688c8d945259fdc9366bca4f6537833db81a272af3eed3553ba009ab2a3adf8dcbd1a60f65b541ad7116641a7a9b32e16cfa5c9ede2066c73

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
512KB

MD5
6fc5e86bda942969ff69279071253fd6

SHA1
cbf1b85151dc456563e720071693df34cf1447c7

SHA256
81015e038411d3ab4fad415d69490a675687b2899bc3f85f3d11323bdfc5199d

SHA512
0cd32e4563c01a34c814fc13dba8754495f472cc1ab5ed77e6bd593f23f87114d5c60f98e986c26b8f9c19d4467a053aaf9dee9f380f7895ca21ef6146b01311

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
512KB

MD5
ae6a262da82122798f45b956d04b6da8

SHA1
5fc1e58c86c84e1dfebfba51a3dc3fe22a958bce

SHA256
8cb1814228bbce7676b9b6ccff1037f1c51549b7860dc5a2d4bf4492c86cb14b

SHA512
fba0941f73d6e5e2f7a9918659cacd0d5ec78f73bb5ddf2023fe0172773e8ad5b695a32994353c743f429037952ea790db120bca1c219d756fb7b532881da26b

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
512KB

MD5
3061763162c8e53586f726eb0905bbf9

SHA1
5818728f571ec8a1ab3be431b3649c30d3d10065

SHA256
8762b5661bef868e2f1566fc07eacdb30e06310dc8980595d512de515066dd77

SHA512
0d3d0a7f6237b9f6f7a697feecad9b50a7c7d70cf9deaad2723e9fa6a975dbaf5593105c5e157518bf7961ab4fe1a80747351d79c4ff3f41822e50d661ecbe8d

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
512KB

MD5
f516ff314779dbd6dbaade91103984a4

SHA1
f2106130f153900a7b9166cdca6fea8d897fc80d

SHA256
538d85dd89ee28035d8e19a1e0aa4df9e380b9a8e1274f09eadc3e5289592d6e

SHA512
79d0c86f39e808c44f31832da4d1481b9eec68f3c3afb34589f4f5410a2243e357ffa3e57b798464d18ac4123ddfb01a5172ec6bf728368735d39580478308a5

Download Submit
memory/116-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/444-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1196-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1200-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1212-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3400-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3400-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3400-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3504-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4100-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4148-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-847-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-881-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5152-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5180-803-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5200-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5252-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5296-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5356-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5404-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5448-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5536-829-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5728-793-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads