8349a18d4dff25915247b333302d2d852b403f2773bd6506be878800c30e3a0a

Analysis

max time kernel
129s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c774210b23c02573989ebb6789f8e60_NEIKI.exe
Size

320KB
MD5

3c774210b23c02573989ebb6789f8e60
SHA1

7dfe924565c3b009c76a99571ebb113889635682
SHA256

8349a18d4dff25915247b333302d2d852b403f2773bd6506be878800c30e3a0a
SHA512

07a5052b0d3ca0f17fa51a8e6cce200b327c4027b6b667ce4fc1e5c05212cf135565293a03903590670561be77c4d841734f6263952dc796c3430dc018906671
SSDEEP

6144:fdvleY/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:1vjm05XEvG6IveDVqvQ6IvP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3c774210b23c02573989ebb6789f8e60_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe

Executes dropped EXE 64 IoCs

pid	Process
5056	Hibljoco.exe
1648	Ibjqcd32.exe
4828	Impepm32.exe
1064	Ipnalhii.exe
3052	Iiffen32.exe
1416	Ibojncfj.exe
1152	Iapjlk32.exe
1192	Ibagcc32.exe
208	Imgkql32.exe
4032	Ipegmg32.exe
3148	Ijkljp32.exe
4988	Imihfl32.exe
4264	Jaedgjjd.exe
4164	Jpgdbg32.exe
3948	Jdcpcf32.exe
3428	Jfaloa32.exe
4560	Jjmhppqd.exe
2716	Jiphkm32.exe
3080	Jmkdlkph.exe
4760	Jagqlj32.exe
4208	Jdemhe32.exe
3508	Jbhmdbnp.exe
920	Jjpeepnb.exe
400	Jibeql32.exe
1544	Jmnaakne.exe
3088	Jplmmfmi.exe
4056	Jdhine32.exe
4680	Jbkjjblm.exe
3152	Jfffjqdf.exe
3408	Jjbako32.exe
4496	Jidbflcj.exe
228	Jmpngk32.exe
1640	Jpojcf32.exe
4320	Jdjfcecp.exe
740	Jfhbppbc.exe
4532	Jkdnpo32.exe
1960	Jigollag.exe
2880	Jmbklj32.exe
4140	Jangmibi.exe
3768	Jpaghf32.exe
3920	Jbocea32.exe
2656	Jfkoeppq.exe
4544	Jkfkfohj.exe
1324	Jiikak32.exe
2416	Kaqcbi32.exe
1552	Kpccnefa.exe
1592	Kdopod32.exe
3552	Kbapjafe.exe
4592	Kgmlkp32.exe
1836	Kilhgk32.exe
2236	Kmgdgjek.exe
2976	Kpepcedo.exe
4388	Kdaldd32.exe
3720	Kbdmpqcb.exe
2408	Kgphpo32.exe
4804	Kinemkko.exe
2916	Kmjqmi32.exe
2936	Kaemnhla.exe
2868	Kphmie32.exe
968	Kbfiep32.exe
4780	Kgbefoji.exe
4768	Kknafn32.exe
3404	Kmlnbi32.exe
3620	Kagichjo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	3c774210b23c02573989ebb6789f8e60_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	3c774210b23c02573989ebb6789f8e60_NEIKI.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5704	5680	WerFault.exe	201

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3c774210b23c02573989ebb6789f8e60_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 5056	3116	3c774210b23c02573989ebb6789f8e60_NEIKI.exe	85
PID 3116 wrote to memory of 5056	3116	3c774210b23c02573989ebb6789f8e60_NEIKI.exe	85
PID 3116 wrote to memory of 5056	3116	3c774210b23c02573989ebb6789f8e60_NEIKI.exe	85
PID 5056 wrote to memory of 1648	5056	Hibljoco.exe	86
PID 5056 wrote to memory of 1648	5056	Hibljoco.exe	86
PID 5056 wrote to memory of 1648	5056	Hibljoco.exe	86
PID 1648 wrote to memory of 4828	1648	Ibjqcd32.exe	87
PID 1648 wrote to memory of 4828	1648	Ibjqcd32.exe	87
PID 1648 wrote to memory of 4828	1648	Ibjqcd32.exe	87
PID 4828 wrote to memory of 1064	4828	Impepm32.exe	88
PID 4828 wrote to memory of 1064	4828	Impepm32.exe	88
PID 4828 wrote to memory of 1064	4828	Impepm32.exe	88
PID 1064 wrote to memory of 3052	1064	Ipnalhii.exe	89
PID 1064 wrote to memory of 3052	1064	Ipnalhii.exe	89
PID 1064 wrote to memory of 3052	1064	Ipnalhii.exe	89
PID 3052 wrote to memory of 1416	3052	Iiffen32.exe	90
PID 3052 wrote to memory of 1416	3052	Iiffen32.exe	90
PID 3052 wrote to memory of 1416	3052	Iiffen32.exe	90
PID 1416 wrote to memory of 1152	1416	Ibojncfj.exe	91
PID 1416 wrote to memory of 1152	1416	Ibojncfj.exe	91
PID 1416 wrote to memory of 1152	1416	Ibojncfj.exe	91
PID 1152 wrote to memory of 1192	1152	Iapjlk32.exe	92
PID 1152 wrote to memory of 1192	1152	Iapjlk32.exe	92
PID 1152 wrote to memory of 1192	1152	Iapjlk32.exe	92
PID 1192 wrote to memory of 208	1192	Ibagcc32.exe	93
PID 1192 wrote to memory of 208	1192	Ibagcc32.exe	93
PID 1192 wrote to memory of 208	1192	Ibagcc32.exe	93
PID 208 wrote to memory of 4032	208	Imgkql32.exe	94
PID 208 wrote to memory of 4032	208	Imgkql32.exe	94
PID 208 wrote to memory of 4032	208	Imgkql32.exe	94
PID 4032 wrote to memory of 3148	4032	Ipegmg32.exe	95
PID 4032 wrote to memory of 3148	4032	Ipegmg32.exe	95
PID 4032 wrote to memory of 3148	4032	Ipegmg32.exe	95
PID 3148 wrote to memory of 4988	3148	Ijkljp32.exe	96
PID 3148 wrote to memory of 4988	3148	Ijkljp32.exe	96
PID 3148 wrote to memory of 4988	3148	Ijkljp32.exe	96
PID 4988 wrote to memory of 4264	4988	Imihfl32.exe	97
PID 4988 wrote to memory of 4264	4988	Imihfl32.exe	97
PID 4988 wrote to memory of 4264	4988	Imihfl32.exe	97
PID 4264 wrote to memory of 4164	4264	Jaedgjjd.exe	98
PID 4264 wrote to memory of 4164	4264	Jaedgjjd.exe	98
PID 4264 wrote to memory of 4164	4264	Jaedgjjd.exe	98
PID 4164 wrote to memory of 3948	4164	Jpgdbg32.exe	99
PID 4164 wrote to memory of 3948	4164	Jpgdbg32.exe	99
PID 4164 wrote to memory of 3948	4164	Jpgdbg32.exe	99
PID 3948 wrote to memory of 3428	3948	Jdcpcf32.exe	100
PID 3948 wrote to memory of 3428	3948	Jdcpcf32.exe	100
PID 3948 wrote to memory of 3428	3948	Jdcpcf32.exe	100
PID 3428 wrote to memory of 4560	3428	Jfaloa32.exe	101
PID 3428 wrote to memory of 4560	3428	Jfaloa32.exe	101
PID 3428 wrote to memory of 4560	3428	Jfaloa32.exe	101
PID 4560 wrote to memory of 2716	4560	Jjmhppqd.exe	102
PID 4560 wrote to memory of 2716	4560	Jjmhppqd.exe	102
PID 4560 wrote to memory of 2716	4560	Jjmhppqd.exe	102
PID 2716 wrote to memory of 3080	2716	Jiphkm32.exe	103
PID 2716 wrote to memory of 3080	2716	Jiphkm32.exe	103
PID 2716 wrote to memory of 3080	2716	Jiphkm32.exe	103
PID 3080 wrote to memory of 4760	3080	Jmkdlkph.exe	104
PID 3080 wrote to memory of 4760	3080	Jmkdlkph.exe	104
PID 3080 wrote to memory of 4760	3080	Jmkdlkph.exe	104
PID 4760 wrote to memory of 4208	4760	Jagqlj32.exe	105
PID 4760 wrote to memory of 4208	4760	Jagqlj32.exe	105
PID 4760 wrote to memory of 4208	4760	Jagqlj32.exe	105
PID 4208 wrote to memory of 3508	4208	Jdemhe32.exe	106

C:\Users\Admin\AppData\Local\Temp\3c774210b23c02573989ebb6789f8e60_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\3c774210b23c02573989ebb6789f8e60_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\SysWOW64\Hibljoco.exe
  C:\Windows\system32\Hibljoco.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\SysWOW64\Ibjqcd32.exe
    C:\Windows\system32\Ibjqcd32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\SysWOW64\Impepm32.exe
      C:\Windows\system32\Impepm32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        24⤵
        Executes dropped EXE
        
        PID:920
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        28⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3408
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        37⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        39⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        43⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1324
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        55⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        56⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        59⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        62⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3404
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1664
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        71⤵
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        73⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        74⤵
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2920
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        77⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        79⤵
        Drops file in System32 directory
        
        PID:4236
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        91⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        92⤵
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        99⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2356
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4128
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        105⤵
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        106⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        107⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        111⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        112⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        114⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        115⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 400
        116⤵
        Program crash
        
        PID:5704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5680 -ip 5680
1⤵
PID:5536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hibljoco.exe

Filesize
320KB

MD5
b510b5ad7b97d3a6d14b38c9d75645d5

SHA1
60b0bb76aecea3734b097b63488d4d51c8809ab1

SHA256
26081c2acdc38b6803a51992d61e8c6ddbe69e03eb961bd9ab547ee7caf4b345

SHA512
e4767f52d8dafd708d9b655756e9b59bd18713d96926284523f8c55e6946c5761923af4939d8819bf33ee364670de8392e8416c210f13d4d6122e4dd21b8f1e1

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
320KB

MD5
7bc8aa20c776d0b98c1ebac3b638c6be

SHA1
a6c4940ef341977129678e95bfdfd5b4ff912635

SHA256
9e790e7111c54535984b1dae1c2b897ca5fc27b33f79e8d3bd067bcc422d825a

SHA512
7773c25856d04fca6170b718f55bf7220e976ddd6a99985f3180db4063b41cddd5f29557f5a91e1f1329bc0bc3f0c0003fd0896eb7bf69d5363329e8d2638edc

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
320KB

MD5
caabb54ef09f3006eb1c16ce37e5de75

SHA1
1945f820401223f3c7283e14e0b9e83b6088f665

SHA256
5a5eb82db063290020aad70517dff85a1b0cee067c39174aa3888c32efc13ac0

SHA512
b3541a2304de86d7ca58f102814d48b4e141c6742d7ebe2743f4a495ec169125e206168b598d7346606d328b35302e5ade293eeea7178e239e1eec3945818cc2

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
320KB

MD5
3a1c70c484b125f57ee62c5b9a6e9360

SHA1
f2a868f78c186e626647f440742544b1c720c5c6

SHA256
88c5019241fe4add13f23cac97d3101b93bda00e236a2f7402fe8644423a7a7c

SHA512
01fdd78a19176f4e09450ead69e216f9fae4a21b7397c6562ad514c7ed6df85bc80d2af6492b4215fbe98a239fd12c7056318032e4646e5c3427186594988c5c

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
320KB

MD5
8b2b5c5f2f7a8c4cf907af9cbeb0d275

SHA1
044b216148a5a4d5eedc418e7162b308c9868110

SHA256
fffc1cfc84df115e234faae730ece9c9c982827dde82b8337b699f4195303cca

SHA512
78ef250ce15e4e88e3580992dbba634f260b83320644c131be412c51cfe343e6566775def1d8bae97c34fd0358e51cec8ba9e53903355d216d2abf3a1455dbcf

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
320KB

MD5
402c6f0bde0d4dfca1c9f5529c9e1804

SHA1
93f06edeb20ff095cc3f02e455595810253a0500

SHA256
7e8350d3ca37bc03d951ddf59a3b92bc6c31ef2f7a98036f438720d766306c35

SHA512
450657dcd3232500f3ce9b8a8b0e73204a8ae930ad4fb1af787001506af9c1306e3688c3b9edc9fb27879bd5018edf7199d6eff70ab2a3e65031cb6d8e770035

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
320KB

MD5
33208951de907114698c05730c8d1552

SHA1
aa7bcfe550d9eaadcfba7ce0620945d96bdeeddb

SHA256
24506f08bf33f830a5393ba09a1bda63a606ccf612a5f705cba83b61d5e399bb

SHA512
df43cae2a3b8fd91864523c9bed63e62455687a8e8a9c04bd06a39fec11f7108cf3865410ee26431f989f7646c6fdf4bb3f1142041041cddad88809fa550016d

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
320KB

MD5
c3600ba10796cce3bff495641b87a1b3

SHA1
635bcb14a81073c306dbb6d8ca7a69f6a6f3ef68

SHA256
952491e8dcf08914891229e0b6f5fa9b2341071888fffa5ea2ff95b31dec79b9

SHA512
5881533cf14a1605fe27909913721aa709238a45782211f8c771252f757eccf65dec072360398012236e7a6ae683e9e65e204d217ddddd2acba9ec6968136f6a

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
320KB

MD5
d538a7bf8a7184842cb399fb278a9e70

SHA1
063cdb9a8b546be24a548a36ae28bcaa4feca5bb

SHA256
7a8fe9f672d5997740e4e0ad1c7177de92bd1d45068cf99ecab342c8f8c90c9b

SHA512
2a665ef1cf054ccdbe9d3e41532bdb21da28d05d782301041fbb44be42e8d04b7952b31e4d17c377cf3b3c727b4b2dfabd49a21d202c6b9ece3121d66b3effa7

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
320KB

MD5
6c252b911d214d87d6be8325ce6f38f4

SHA1
4f0ab8fb775876251ac59692f17c35e1996b1973

SHA256
7781937fd4b04d9e9c018e2232b9991e1756e40d757aa41d3016b6c5723fbec8

SHA512
d3ecc9586181363c5c24de805522bac45f7dd57a419e89d7058cebe2760c00085b0c9d83e4304529d557ac91a4f52d5a11e51c3b5a67caa52f92a42cbd28862b

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
320KB

MD5
402ea7cdee51d6de1ef028608bf8c8a6

SHA1
8a2566a04273b2fbb73ef8c061e17e82a7263cbf

SHA256
291592d0529b062e03ba950b829ebace652680f881d16910ad51e1b35a4f032d

SHA512
c7d1fed55e3612a3108f9303bba97c9b45c691af85084f382f7b88fb47251ef2155a564f8b4462a8ff55e29cbc9fc17190bf7443682fc632ea1e1b8aa0d36da5

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
320KB

MD5
03fcd3a58e8f3b68e9d5bebc84e2c0e7

SHA1
ed0bd93b4177dd32e74369ed595808fdd5b2faeb

SHA256
e0b0d9eb8129cf62d8cd9d82217a6f258768f411bfe134e0a06426d7e8be9f60

SHA512
e0e2b63ecb47002c37e41da59687b6085bf132c1df86a030090a776d3628594c8a65b8398f51addb34cb2462a58018b8e93a92fc9bf336347c81b1f534ace254

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
320KB

MD5
d7f7ba32a791e86a46ae730d22907a34

SHA1
6eba6608dd17b7e34f15f13fc5c719f0dfca668c

SHA256
784b924b33883f238ccebddc0e0c069e80cfa93fcbfcd45c3939a3f6da6b850a

SHA512
f038fd057abb1dbeebc99b123b07ce2e1448aec92f9c75fda73550b1e77360fb064c6e37596d0900ce550e2e788e02fd831fd137f865ef5905965a5543cc0c96

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
320KB

MD5
e40b969aabaefb50e56a193899771548

SHA1
bfa863f493569c21adaeac44af1c2cfaac6570ea

SHA256
0c95bf9a8432f59dfdd2d332073b632264b9980a5075a4b46b81b12cd6290eba

SHA512
578594aef36e17c921600488064698a9664b7b94ff1e2a49e61492f840f9864dd974ff3eb45b3f7945cd6b645681dba259be1bec2db70c3d6169f7cb140013c1

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
320KB

MD5
54b332ae7843a5848eda7ba07e56a889

SHA1
18f92985525a7f7244c97ab756e4380514bd2741

SHA256
5768bacb6d5388d1f252946e71b365acb6a6bee93c3ee88830b0bc1a7dae7939

SHA512
36f5de22db8c8bf2236d48166d27a18525c01890d4dbf2e5e2c51a4dd0a2521fe1fc9fa9d07594a26c57a83f33bff69e45637d03fdf90f38d6bd0ffb586d3989

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
320KB

MD5
646e2483e3810478b4cd9e4cec954a8e

SHA1
04c242a15567bfeafcc48925823d5de38bfa0257

SHA256
8f321be946038d4e629bdaf96fdbc1b1d187cca6d59e16bc9bb816af9eccd9c8

SHA512
fff00bd55ef182ed3204b925a564691a64fb68d530f2cae2eb43f499effa85f261ebb42b6ec7cae698882bbf09d655763c69e023d35cb556d309db792b95aec5

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
320KB

MD5
e3d0c45b177899e56eaaabe89f914cfa

SHA1
1dae70490adfc10f4bd4cc3ea484e85d088d1ddc

SHA256
7998e740dd380f9a83c3185528ed8237cc88dcdb0e6af83b76fe18ce2294a699

SHA512
4d6d3b68fbf112a63fff8892a52272445d02f4e11365ed1f6bba15f8fe66b663658c2bacac6744326a955abefaaaf37c00e36740b38befad45ed8b8fecd693b5

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
320KB

MD5
997a2fe0e39ebe13b20158c77c264ef0

SHA1
6f58380b48fd38e2900b9500612af8ec0bceefbf

SHA256
68412991247874357ffab1d81d2487b302f00d44754eaebaebcb09ea2407dc8e

SHA512
1445eb46df614f1b6fb96be36b761d79c95287eebf2d3b6b2bec750e547b7da1e48df223352059a5b3b0a718ee1bad84ef77b69cc1a21c22a6954d60eaf66b8c

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
320KB

MD5
82e9f4e260a28288ccbe57fa61929589

SHA1
784c02641dd0991695e936731af81b1c6c88ac36

SHA256
7f2d2d592165109fb84e015e79a69d93f11a022f71150f1ca615b09bda3b62e1

SHA512
e6acde9b4196a4b96b50cec0f20448dd08299f148a2af4d4216cbec6506d6370da546dd1b4ed7005c52c8f5200dd11310e50cc36d3caf1a5cc084fd60464c059

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
320KB

MD5
44c3f15ef59ba227b8319c1e792c2b08

SHA1
d7203ad3b46366306708e3b668f483de4159830b

SHA256
4d4637f87b261af94cebc16f7af3f1cec8efeb7290d56670f4568a6f4c33c68e

SHA512
184a5d4c2b67faf4be1a7a06c2357e264b33ca92519902326bcd493629f9c0d6bfc0d3fd1c0204881384f98178f96d28fe8eea79feebb9116097b8e5762454f6

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
320KB

MD5
df1b2f1d27f7d1112941c6a2a3b06a38

SHA1
7203c84dfba751a9f19b6765fd3e142c92a9f3ba

SHA256
e4ad80e3cf188043e221e2db3af1b013df92b07adc5ec203a4c8de9ca49e90d4

SHA512
38d1581b0722f9e61018dcfc95bbc782f8e4c8dbbf4bff2318fad1997a761e91a55f52cfe8393542644252003a922625fd3bbde93d5e85feb3b68d19ad8da618

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
320KB

MD5
f6c3afd2f2c51f803935983967bd5de6

SHA1
eee4dcad2dc43668f66c75049584cc598b9ac045

SHA256
e3bd2c36b6c6143e6df3cbc354b559f7ecc5947bdefed18d067082d3b40bac71

SHA512
1aaacfb39136bd9c496fab5eed117618498c1b2c11d4b5d775124d85f101e8923aa3f4ce28a93f01821267e932775a6530cb80a6894ea5322a9bfa308eff33df

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
320KB

MD5
03c24f39874d850456f9fc5ac6387566

SHA1
ab936fbd36dd7491d69db9fb24ec8abc1fe50a85

SHA256
36654da6e0e36e2700ff9d9c9edd55a5950061d8eb434aa0c2b566f55cf6d22b

SHA512
4664b582a0a6f7c525780a6dc6e1323c428493f00c441512b01bf54650cbe43c47d32938f332c0a10982e0f2702e7537d8cce8ea94a17db08d1dc9413d0179d2

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
320KB

MD5
adaa65fda1cbef8d7151b7dc378f64a9

SHA1
047a735c626de084bbd42dd63ae9d0cbb05f0be4

SHA256
86a418ec5325173d9af7e0f9213381ac7d3e46d3e81f5376410a886fa2c055f8

SHA512
db071732ea17c949394e65765251ed115d016e2c4be3996d410ab917f7580c8d2178cd345230b6c8ebb6eeefaa7a870b88103c6a2cacca2616d55ba73949da97

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
320KB

MD5
fd3161e32c4a560140e2bddc3e7ceb30

SHA1
abe3696799778d8d98633c43ac53db4c1f2f8b28

SHA256
8df526b6865461937e85de248ac34555759ff86d9f3ad672cb146107d9139655

SHA512
d9c37f5a54e503f5f2b4460e33e058e92c729a06eebe1fd7591a2fd70c0fd92fbc0904150a05551bd3750d6330dd010a62bd03bbf232eed7f4b6e7ac9457a0b9

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
320KB

MD5
58bf82768468b719f8370a9dbb761de1

SHA1
d99088354d445257608b9c00ef64bcad2324fc9d

SHA256
04579fbe2724301fe521eb65c975f53a2a2ba568f2cec46500100280e6a478a6

SHA512
ad9eed142466b7f2538cd5e3c2fd3e31bce53f2058677dd7574c779c1d65872f82e4c3837fbd585de2e8554b374046b3fe68f71a08619031974e7940ba38c9e0

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
320KB

MD5
c7873e446213be6cc89906cc05ea0ddb

SHA1
63eb9779fba24a27bdef46cad9b210d29a4012b5

SHA256
a19dc19f6bab6dce4e42b96b0817121402e537f6ffaa5223e76620c3ab336711

SHA512
73ea9852737121d079cf30cca34d99a9fc5187bd2fb8137f2d6facb88b02ee044ef8d5530ad777fa55ef3e871a5abc9d8a52a0243128a9e297b48641fba18fa5

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
320KB

MD5
03c07b46bb56080a96dc9aaa371eabf1

SHA1
35bb50fb4932b00ef9396c94fded45ace3bcf2b1

SHA256
976132719a6129fb44b364e67cf54442cce4c0ed9380488798ca237c45a0b9da

SHA512
8810e06af9ba7f8be83feeb6a488d033a0508aae77e6ddc6452a57a9deb2ed4044d0a807d59adb91f278025560d6eda5c9fc3da4bd055571d145c0cb94500dad

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
320KB

MD5
ad7f97cacd99729c94e5d29da0b173ab

SHA1
33e028ca1c3c602acd69bf0b619e6f56ea17b85a

SHA256
98ba27ce2524245b2c095a6fb820777248a0803e7f43642633dc5f2137f8b348

SHA512
18843ec6c21fd5310f656ea87908a514ac948f1eb0078926f3eb8b46fd3a05d5d82ce3f4f65c12eb9761199ce39bf5e5e93d345f7df116103049710e9a48f62f

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
320KB

MD5
888d1ff93c8da9b71a87b0331c8bdd60

SHA1
c9e649d9efdff1d74da7fad12b1a2ae5827bc365

SHA256
72591833fecb44b7caa9bbb6beb7d679c80c088f39775a33c19b3764d88b2705

SHA512
6540a2b58b38c0458f0fbc17f0a758cd1b0a74c533e10cad4f0b8c69ad0f0ab28ebf9307bdf2d3fb6ea176e7e4721d3395d5b0d22b1ac1a8f188c173cda0d5b9

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
320KB

MD5
98a369b382b543ab7c45076c16fd3f28

SHA1
2c41f11a1fd5080536cd6804239491b24e161697

SHA256
df8400bd8d9495175bb378d98f3b057dae6979730f1eebe03f72be12acf1ad62

SHA512
a1c87e7dc0bb63a9e0e40daffed5464f18f5e5697cd83e2cff7478b6c738d2dbc186ad4e1e52bcc70cde458dbcd760f2fb480865b078ee0fd160764041d16605

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
320KB

MD5
cac77057f2afd2afea575fda7a4ec56b

SHA1
c3b5f2708c191a0b053081acbb4714325b7f9883

SHA256
06cb5620492b01f464784d5b59840deb22853d85592adff39063baa251903c3a

SHA512
19dac71cfa1f83dab56ea4e455669f403389c7db71c0d72a816fbbe84943ffef047d60b54c2a6706df98a2c77e29cc24f2470021af9a9568e9ff699bcd66c4c7

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
320KB

MD5
b74cc79ff6aec78bb7b2953a2efe13ac

SHA1
668836e031dcb80fbe4c196c0894d734f700e108

SHA256
e2107f8d8a40dd94667c1a3eb3ed12b974367eeaca0393fa589d7ed91dc958e7

SHA512
c248deb8a428f5fbc9e92ba60fb73194cda9c869e447a4150efee1262147343478ce3f863afefb9b20017501b470f18252846506b6d39a4f45ff976dbb7a640b

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
320KB

MD5
a01be58936d9055d02d66c0782ec392b

SHA1
137b4b893831f3b097af664a630506cc5dc85aab

SHA256
3aee490cce85920e3ff11a374a821771a82e2f52d8b37415425a2f4778f10e85

SHA512
64fe183bb0f39d635be1ca963615b99b79ba6a01caec438d1fa651e3217acd2bec010128a605b9119a3c0a9da9fa8086d47043803afebb65c70bf95d96899eb4

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
320KB

MD5
124497b43a618ebf609450d2abd2838b

SHA1
ff333a0cc43484316fed34dfa0a768924c38d6ad

SHA256
010968f3c6d5003a24cd520aee2fc055c0680084cf0d4f9982f657e551b12526

SHA512
d2b003ce170b857e58a880b064a4a568ad7f614237a2493afbf1ec450edbce91cf47fb7105f62d3019d32c340e17dbcf2fb2de2389a2ae1bfed836619ace936b

Download Submit
memory/208-78-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/228-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/400-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/740-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/748-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/920-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/968-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1064-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1152-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1192-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1324-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1392-575-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1416-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1544-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1592-463-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1648-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1664-591-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1960-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2332-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-571-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2408-471-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2416-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-453-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2716-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2868-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2880-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-562-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2920-577-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-564-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2976-468-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3056-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3080-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3088-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3116-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3116-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3148-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3152-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3404-569-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3408-439-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3428-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3508-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-464-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3620-570-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3720-470-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3736-576-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3768-451-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3920-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3948-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4032-86-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4052-578-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4140-450-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4164-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4208-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4236-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4264-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4320-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4340-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-445-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-469-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4460-592-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4496-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4532-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-459-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4560-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4592-465-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4680-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4760-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4768-568-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4780-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4804-561-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4828-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4868-574-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4988-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5056-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-581-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5132-582-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5172-583-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5208-584-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5244-585-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5276-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5316-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5348-588-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5388-589-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5420-590-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5460-599-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5620-609-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5672-610-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5712-612-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5760-618-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5804-624-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads