0cfd3d0afa5d99f5e7c8840bd1eb71ce29d84b919025a6b3687efb4f31a95845

Analysis

max time kernel
145s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ba4c3409bfcc4cba0d6c7263869dde0_NEIKI.exe
Size

145KB
MD5

5ba4c3409bfcc4cba0d6c7263869dde0
SHA1

68cbcdf32baf81d5b018a7f728645ead277747d2
SHA256

0cfd3d0afa5d99f5e7c8840bd1eb71ce29d84b919025a6b3687efb4f31a95845
SHA512

41af701cffb4f39ab1abe3193757bcfc86d5b435dc36049f552ef242a277a9594761e318b74b2a9ab54c0f6273dfa4b653055d2c877c8cbd6cacfcbd437a0d07
SSDEEP

1536:Q+Hz1IXuqqYgVQwR2tb7KQoHWRqEy3J30WPrIPrWFFZy6BEVsNo2Ae5JYFnVEyQu:azqYgGqTWRqD3pFBEV52Ae5aFnVB

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe

Executes dropped EXE 64 IoCs

pid	Process
436	Fihqmb32.exe
2812	Fqohnp32.exe
2456	Fflaff32.exe
3276	Fqaeco32.exe
4052	Gcpapkgp.exe
4888	Gfnnlffc.exe
4152	Gogbdl32.exe
3492	Gfqjafdq.exe
4944	Giofnacd.exe
5080	Gfcgge32.exe
4080	Gqikdn32.exe
2980	Gcggpj32.exe
4868	Gidphq32.exe
4840	Gcidfi32.exe
2112	Gjclbc32.exe
864	Hclakimb.exe
2888	Hjfihc32.exe
4352	Hmdedo32.exe
1672	Hpbaqj32.exe
1628	Hjmoibog.exe
3220	Haggelfd.exe
4400	Hcedaheh.exe
3140	Hjolnb32.exe
3336	Hmmhjm32.exe
3860	Iffmccbi.exe
2632	Iidipnal.exe
1412	Ipnalhii.exe
2660	Ijdeiaio.exe
4492	Iiffen32.exe
4332	Ibojncfj.exe
4724	Iiibkn32.exe
2844	Iapjlk32.exe
3688	Ifmcdblq.exe
3836	Imgkql32.exe
4580	Idacmfkj.exe
4992	Ifopiajn.exe
4468	Ijkljp32.exe
3932	Jaedgjjd.exe
456	Jdcpcf32.exe
4584	Jbfpobpb.exe
4676	Jiphkm32.exe
5012	Jagqlj32.exe
3080	Jdemhe32.exe
4632	Jjpeepnb.exe
2680	Jmnaakne.exe
1716	Jplmmfmi.exe
3824	Jbkjjblm.exe
3368	Jjbako32.exe
2236	Jidbflcj.exe
4636	Jaljgidl.exe
4112	Jbmfoa32.exe
4416	Jfhbppbc.exe
4808	Jigollag.exe
5076	Jpaghf32.exe
208	Jfkoeppq.exe
4484	Jiikak32.exe
2140	Kaqcbi32.exe
1036	Kdopod32.exe
1464	Kgmlkp32.exe
4232	Kilhgk32.exe
4540	Kpepcedo.exe
1272	Kdaldd32.exe
2676	Kmjqmi32.exe
5008	Kaemnhla.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Lmbocjjm.dll	Gfcgge32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Giofnacd.exe	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kjeebd32.dll	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Hakfehok.dll	Fflaff32.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Hpbjkl32.dll	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kbfiep32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6068	5932	WerFault.exe	210

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fflaff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpdme32.dll"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjbmnlq.dll"	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 436	2644	5ba4c3409bfcc4cba0d6c7263869dde0_NEIKI.exe	83
PID 2644 wrote to memory of 436	2644	5ba4c3409bfcc4cba0d6c7263869dde0_NEIKI.exe	83
PID 2644 wrote to memory of 436	2644	5ba4c3409bfcc4cba0d6c7263869dde0_NEIKI.exe	83
PID 436 wrote to memory of 2812	436	Fihqmb32.exe	84
PID 436 wrote to memory of 2812	436	Fihqmb32.exe	84
PID 436 wrote to memory of 2812	436	Fihqmb32.exe	84
PID 2812 wrote to memory of 2456	2812	Fqohnp32.exe	85
PID 2812 wrote to memory of 2456	2812	Fqohnp32.exe	85
PID 2812 wrote to memory of 2456	2812	Fqohnp32.exe	85
PID 2456 wrote to memory of 3276	2456	Fflaff32.exe	86
PID 2456 wrote to memory of 3276	2456	Fflaff32.exe	86
PID 2456 wrote to memory of 3276	2456	Fflaff32.exe	86
PID 3276 wrote to memory of 4052	3276	Fqaeco32.exe	87
PID 3276 wrote to memory of 4052	3276	Fqaeco32.exe	87
PID 3276 wrote to memory of 4052	3276	Fqaeco32.exe	87
PID 4052 wrote to memory of 4888	4052	Gcpapkgp.exe	88
PID 4052 wrote to memory of 4888	4052	Gcpapkgp.exe	88
PID 4052 wrote to memory of 4888	4052	Gcpapkgp.exe	88
PID 4888 wrote to memory of 4152	4888	Gfnnlffc.exe	89
PID 4888 wrote to memory of 4152	4888	Gfnnlffc.exe	89
PID 4888 wrote to memory of 4152	4888	Gfnnlffc.exe	89
PID 4152 wrote to memory of 3492	4152	Gogbdl32.exe	90
PID 4152 wrote to memory of 3492	4152	Gogbdl32.exe	90
PID 4152 wrote to memory of 3492	4152	Gogbdl32.exe	90
PID 3492 wrote to memory of 4944	3492	Gfqjafdq.exe	91
PID 3492 wrote to memory of 4944	3492	Gfqjafdq.exe	91
PID 3492 wrote to memory of 4944	3492	Gfqjafdq.exe	91
PID 4944 wrote to memory of 5080	4944	Giofnacd.exe	92
PID 4944 wrote to memory of 5080	4944	Giofnacd.exe	92
PID 4944 wrote to memory of 5080	4944	Giofnacd.exe	92
PID 5080 wrote to memory of 4080	5080	Gfcgge32.exe	93
PID 5080 wrote to memory of 4080	5080	Gfcgge32.exe	93
PID 5080 wrote to memory of 4080	5080	Gfcgge32.exe	93
PID 4080 wrote to memory of 2980	4080	Gqikdn32.exe	95
PID 4080 wrote to memory of 2980	4080	Gqikdn32.exe	95
PID 4080 wrote to memory of 2980	4080	Gqikdn32.exe	95
PID 2980 wrote to memory of 4868	2980	Gcggpj32.exe	96
PID 2980 wrote to memory of 4868	2980	Gcggpj32.exe	96
PID 2980 wrote to memory of 4868	2980	Gcggpj32.exe	96
PID 4868 wrote to memory of 4840	4868	Gidphq32.exe	97
PID 4868 wrote to memory of 4840	4868	Gidphq32.exe	97
PID 4868 wrote to memory of 4840	4868	Gidphq32.exe	97
PID 4840 wrote to memory of 2112	4840	Gcidfi32.exe	99
PID 4840 wrote to memory of 2112	4840	Gcidfi32.exe	99
PID 4840 wrote to memory of 2112	4840	Gcidfi32.exe	99
PID 2112 wrote to memory of 864	2112	Gjclbc32.exe	100
PID 2112 wrote to memory of 864	2112	Gjclbc32.exe	100
PID 2112 wrote to memory of 864	2112	Gjclbc32.exe	100
PID 864 wrote to memory of 2888	864	Hclakimb.exe	101
PID 864 wrote to memory of 2888	864	Hclakimb.exe	101
PID 864 wrote to memory of 2888	864	Hclakimb.exe	101
PID 2888 wrote to memory of 4352	2888	Hjfihc32.exe	102
PID 2888 wrote to memory of 4352	2888	Hjfihc32.exe	102
PID 2888 wrote to memory of 4352	2888	Hjfihc32.exe	102
PID 4352 wrote to memory of 1672	4352	Hmdedo32.exe	103
PID 4352 wrote to memory of 1672	4352	Hmdedo32.exe	103
PID 4352 wrote to memory of 1672	4352	Hmdedo32.exe	103
PID 1672 wrote to memory of 1628	1672	Hpbaqj32.exe	104
PID 1672 wrote to memory of 1628	1672	Hpbaqj32.exe	104
PID 1672 wrote to memory of 1628	1672	Hpbaqj32.exe	104
PID 1628 wrote to memory of 3220	1628	Hjmoibog.exe	105
PID 1628 wrote to memory of 3220	1628	Hjmoibog.exe	105
PID 1628 wrote to memory of 3220	1628	Hjmoibog.exe	105
PID 3220 wrote to memory of 4400	3220	Haggelfd.exe	107

C:\Users\Admin\AppData\Local\Temp\5ba4c3409bfcc4cba0d6c7263869dde0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\5ba4c3409bfcc4cba0d6c7263869dde0_NEIKI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\Fihqmb32.exe
  C:\Windows\system32\Fihqmb32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\Fqohnp32.exe
    C:\Windows\system32\Fqohnp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\Fflaff32.exe
      C:\Windows\system32\Fflaff32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3276
      - C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        24⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2660
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3688
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        45⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        46⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        47⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3368
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        52⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        55⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        60⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1272
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3452
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        69⤵
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        70⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        71⤵
        Drops file in System32 directory
        
        PID:3736
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        72⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2768
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1516
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2620
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        78⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        81⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        85⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        86⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        88⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        89⤵
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        92⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        96⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        98⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        100⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        101⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        104⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        106⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        114⤵
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        115⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        116⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        119⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        126⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 400
        127⤵
        Program crash
        
        PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 5932 -ip 5932
1⤵
PID:6040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fflaff32.exe

Filesize
145KB

MD5
7e8504290cd0aece65f64c2ebc632e4a

SHA1
05ebff7b2739bfe941273b7e321c68dd0605c2aa

SHA256
f696556bbb474f4bb8f971c5b7b026f4ba4a8d32534a8666c83825bacb7929b3

SHA512
0ea0ab56b62441d6cb722bf90e563aecd7160723b3e2e1b686dbe635246c2d927e2d23eeb724e60ae4d7c1bdf5b0a3c88af6a24e3a3d1c88c47c4e1e68121d4d

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
145KB

MD5
fd6aea3146a147fbf71266092680e478

SHA1
ebc1316c2c4d33bb42fba2e729c45d38431e7356

SHA256
c75f09db1d252dd9ec542000fe4de53b62f45d18762f93df341ae01f71aa5804

SHA512
086ed81cb6b893232c877c03e1be56f1f6440abc29a2132692ba7d3e494f336ffe69a658d5d3c7c2cbb4f978411fb847350c02af0801e8b92f8f2972f43602d6

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
145KB

MD5
c11c895f633408884097a699591d582e

SHA1
90058d802ee6e2ca0c20354235b4e5913bed22a4

SHA256
d6f982f376926ea48119ffcc3ae5f676845c2f946e0657ddd90ef08c0a306145

SHA512
cbf7728e8e414f9f0691a1fa75382306c536c76d7ed38972739535a0465c918b0635813d0cc08783eddecad4e71ec2eb172b10a65e9b8ba6006231fe56f6bea0

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
145KB

MD5
da4f44d8ad49be9f164689ece2740da0

SHA1
3e4ff736d77d2061076c4a18ef5794e9ff9e8c02

SHA256
c791a46159d2dbf87e16faeffe3e9dbcb6e2599572c157edc60bacc4c623604d

SHA512
93b4a8017b61ae8f5841f542f79b5f7a733ac08518067254ee867765e40bd9015590debb6824978d181875aa6edae59661232dc406861960ffafe180203de7e1

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
145KB

MD5
2ad026f4fd692b2f9141d0ca4c4ac70b

SHA1
77edb819a169aad504420e1a5ee3e47faf64ee1c

SHA256
74e08397ceb43258535a852dc7083e6daaf607b41377d6c8827f4a5ac8eb0ad7

SHA512
c3f2b3a6b4c711f84dada26d19bdd6ae4b5f7dfb087a90de6546873833986ebbe720849195885fb5b899cc1833f47c2c4551a42898da6c2a4573afd46bc91024

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
145KB

MD5
1b4089b7bd7f1cf849d52df490222db7

SHA1
bae7a2f33d33c38b93106978bb2dccd6727645d4

SHA256
d26f26218bba445b9da46f0c34f55936acf90f25302980ecbcb71db5399dae49

SHA512
5f1a7b2a9e188c9cdb00eb161dbb044dbcc1afc1c000b2071eb0f55cf07e35fb1f8fb4d2d4045fad9ce167dfe30e5f52ec5c43ab5005dd860055c4ea23f6e058

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
145KB

MD5
ced8f4c68d1d3188067f57cf90445896

SHA1
a24db3a56c238a57e163005755b294a2423b65e0

SHA256
1195cd510a5c70fa7833f61b3970e6546a29fe3aaea3f456b8566d439fbfa2da

SHA512
936fa0172df26080a13eb8dcf80aba40dbe28cd04a606049a81649c6ded8f3f08e3fe8e5e4bdcf7b6eb2458d7bcf81af126c75aa79015f975b88fba8115497e6

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
145KB

MD5
3a8ffcd1f99ebda18c502b9e0c991351

SHA1
c4475906a8559a137ad8a186dc4224bf28f6837e

SHA256
b775659eca00c1b039deb6aee2a988e68fe1c611f032d96b1fce87321557b353

SHA512
743112fd463d737fe5ee2af955b1f6382aec17d6e1588173312241b862d64bd65628b9fd721e3dee452aee2ca2b9553d9ccbfb4522e68a2b0c4213c9b23bbf55

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
145KB

MD5
3068901879af0d23d7e2d50c94ee62ba

SHA1
3fdc2249963fb73f23cf53f5e18a5b850f7cd389

SHA256
e71f739ae771380a2746e7b0d82d5646e4144b2818a13a3c45c90509a4988fa9

SHA512
7d92ceac316675a4b0dffb409457c5760e98858948caa5df1a2fbce67ab075c3b493b7fdf761f083e46f5ff1a8d461e318c35109febe0dee103a329e2dfed1fa

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
145KB

MD5
592ba5d0fecc92168f159cd100234af4

SHA1
46b499006b77aa786db7187cd441fe743cedf86e

SHA256
c83cc9ef69554c77f60b9dc4845cb2810ed4aa3af818f7fc2e6abd8e758b6a18

SHA512
4b0cbcca392a9b423e7b19ed1cbc816823b7dc67e4c99b9857bdec58a315bfa7104fd53b537fb1c71bf303ecad23ea99e8a371e735da10e96fa3c382664d13d4

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
145KB

MD5
927e8dd1ef9babeba3250ee7129eff84

SHA1
5fa0f9b0ac07a7c852c924e039e50f21a6ea5d40

SHA256
c2c589c5758fb4d7568af2a8a9cf400a54d40713c8eab8dcf8edd70b0fe322af

SHA512
4fb141d1e1d6c441a9897f8d89b020ce6e99f8746d7f95c9a1ba28e397326cc3b48e67c6a079cee1a429ff5723e8460a0822f4bc407a217b1e170faa4b2f11e1

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
145KB

MD5
b8ca96283881c2a8b2531886db9f20a6

SHA1
83f26a6c5afc3f0d8b9b4f210e17d691d3b4c94b

SHA256
2b701a125328150fbf6837f11768b2e17015591023fd7a8bb83544019b690ddd

SHA512
7420ecac83db7e8eedb1e124b61d4fc7236395ed9e6fa90dbae5a72076d59c010ff9546140b4e80715205d4b64b49b5e553fd1d9c117f96dc8c405913788f31c

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
145KB

MD5
cd4fce2d707d6e203ffe4b6034752b9d

SHA1
c4cf33870af3c291a03c5f32a6c8a5011ba9da5e

SHA256
4cfd66da06de17436967720431df80b8f12a4fc61547a62ed34a1b1d4813397c

SHA512
53c018bf7cbfff972114c96d40db8706804603312037dc916b3b180716cad95c3e7d256d7e3e90c48bdaa017b54515e5bb2d5cc0b80323c2399752d8304e936c

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
145KB

MD5
4b27de899e76183dd3b2b7d976c29364

SHA1
e6c8c970174bae04f0649d789cb21a43cb00fa57

SHA256
458351255faef5c451c733691c947d752f65a3a19aaca19165d752be1ab33aeb

SHA512
3093b8aa5f3dc09002b2ba4e9c1770f727f00bba0847068140618f7143674b8892a2d4b0cecb8a5166f1b091568e67bc2dfc9c854363ee7989edbd9280a25138

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
145KB

MD5
88dce8559a94bff312a37717675957ec

SHA1
89d701c3fe451672307336341b72bd0d5dfec462

SHA256
43d82c964c3d610c42a360134dbb6592cee9b5c8ba129416b234d0ec5e0153cd

SHA512
64aca355a753139c40a46aa1438a4515273ccb7a119227ccfb814d158f8a7f43b6523b30208dedbe6fdf8b1213aff67199099f818fc13a2b4276ff1dcd5d4687

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
145KB

MD5
80e0ba823b4ddff82fa6bd85f02d6138

SHA1
4c6fc325f275b5f8d1dbaee95283905677181171

SHA256
33590bec0c5fd30b4891d66e9230de70e96fddf9a960c81f15fbb8845c6e9494

SHA512
a50a2b064faa1276e7f15e53c3e1681ab05607428d1c3788d88197e5a5ee5d3e414553db61030b19655086dc41400af2c30d154121faffe9c756a981be5b3c95

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
145KB

MD5
4f94ce62afc4ca6025a06a8d40f500a4

SHA1
c7f6f8e609c8af7677c57508ce3828f646feae92

SHA256
fb21dac9a4d431846c1a235e181fcbd0c06771ba0d175c4c10bfe0276237fc2e

SHA512
063d33d4673cbc316bd79eb98c478b9a7862ae12b8d1f2da2ae48706af3947a3cfd740320e21a78ab328f22196ddea49d7a5f83e86641ffdf1951764f4a9558f

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
145KB

MD5
96ec9c849dc4ab9ba187b9a0c284b010

SHA1
01c90c00113f42174ffe7e5e393120efa4224423

SHA256
2c62746aa3a61f3800ae0fff9718b482db17dafafc1c7fcae236037c2dd3003b

SHA512
622a488d70956c1e7fe481ae9d21cab3d59f1c1b70c3a081936b601cdc9bd8133fc0d0fb63210a0281617359bed8c17e00acd155899edebc1a3274f61a117be9

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
145KB

MD5
4b0f73b3efe300d86b95bbdd7cec66e2

SHA1
fd833bbacc9f22084fb3a44959f583c2fd9da271

SHA256
331e8ded738863cfbd80e569f29ff64d2644f8b1742a7666862de8188bbf2819

SHA512
24de343eb0ec73e4d7a7fa0b6b7344727320e47915660a982d5fcac23dbc3f47738054ffff522587a64112c8a9dbcaf3aa2079dcce399641c459dd8dc1a1700e

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
145KB

MD5
1fbd05f3dc78c636cab621e04a6fb17a

SHA1
5b269332fb3701799afacae8fb1342bb16db53b1

SHA256
2e5ed8bbba954befeab3628bae4a0ede6f16a6c7f4396e95b3283ff73f3a9588

SHA512
c5d6fe7b588c4bec776a057bbc4328231e728de32df61db923c158754cd33e18afa10311b7e7e03fb96c089c74843862ce0386ec00c9e006780c546d3278256e

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
145KB

MD5
f901666b0cf97351550f2d47e6adb592

SHA1
49fcc0f8d243d8359766d45c2b5acdf2508be1ee

SHA256
9ecf1c67b9cf35462cde9cf8fd0c51362eafcb40f8757542771a2f9d1ab73a8f

SHA512
d1fa077c94935549c523934bc36b9f95d7cd4c524ffdc47ba885d7716c5d1b58b79266cda576b120fefd00598634bd795a9e5438dcbeb213fb79cf573c775cb7

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
145KB

MD5
c18309889fa8b00839650614a7a7e257

SHA1
aeb32cc5d743c7c92e2e154017caaa1348c57643

SHA256
d460a861467b634e054d0f937b36db21eb5e1fe95d4f245075cc915e62db18dd

SHA512
ac7e571aa15f83a230b0ed19f0b81b9b0d4d2c0c472e3314c0f160709d6d3c59473b96e3a0622bdc357616a1e17dd5423887c8a09a9e646854363c4e894d09f1

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
145KB

MD5
f4a483f048dda0597a8d916a240f9216

SHA1
6ca8fd65bde56313d0810ae017ef12a236c27f7d

SHA256
081c5f38acbf6fe69ddc4b80cf237b77a1ce6dd633bf1fe5347bb86132692ab2

SHA512
bcac322852c6fdacd4e090ee60d2d0f0a1889151bbec7ae03e9b779041b011410a6db56978cba35faede7f563c580ccfcc418426204bbf58656bda2672fe7e0f

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
145KB

MD5
7ba507f86edbe2f97cef3ba656d33a49

SHA1
f7548ba1b99b469d1412c5112bd07910cd849c71

SHA256
8306d87ef4d94fdc66c1010c3caac780acc4c9cae36354d4ae5039e7407daa48

SHA512
1b0041235a70ce9999164f137c880df37d4ef7ba9aaf2a0992a6ca590ecefbc65a4468737b1457d161977a51f6918f41105ab47a2559ebea52d71f326a1138ca

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
145KB

MD5
d432b0dd0350fe30179648a3abeafe43

SHA1
d22e0b0f37c7dd3607c312d13b721cd731e3b491

SHA256
543b2b1265809e77d1dcc424377e8941fc9c63d709e0634b8818057f78c1e710

SHA512
1fef0ed2fb101012e5b176376e5ccbef3a46ee2b8c0fa768d0baa39458586756d4ce1f263257053875d272f5b1c3ea174c04a652a7bd39e8a4336f540d4822bb

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
145KB

MD5
ab2a567db589c5f5d86b4ed8beb2f7a3

SHA1
2f9c135710134db2acd373d3c84a20d54100c0ce

SHA256
7b0fd8b68b3c3515a348963cf6375e53dc1845ff3ebc0778853b20fb8e80803c

SHA512
4908308886dc5cd46dd681822b6a5796afc15c71babeb34db029d8d535c36cd73439f1ede42d301a53af52737877c624d1a21eaa7c65c8f3d1ab4acefbe444d8

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
145KB

MD5
545ba6defeb40878de6f677f8eb7e3d5

SHA1
2cad555ae34e6edbeb8d3e13cbb9264508ed9fea

SHA256
96891cd10b04fa21851f00e0e86d257c7003b5664548c1a4f7ba5ef571fa894d

SHA512
a2cccdac9d60daea994a9f89a76744a7223f57a4bdd74b83a002c8c7a03eb54a68d1ee67e4c12b73c2b50d7ca3c744419ead77e161a55bd0e873db5833a83bf1

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
145KB

MD5
987f21bba2bfe0f085bca28daf4effc2

SHA1
de2241037e3bd10317c0f042fdb432a7557cddbb

SHA256
5300512413ba04d9d5d65919d21a7abc4a967b38f8f84b2ccc028201e4b0e1c7

SHA512
26c28f3a92326fd9cb75dfecc3155bb79983f5fa2b76db60702b3cd21ae191c4eef568c3df914d2d297b8c695f84e66ad96eeec0c43cf48481a955ac699da0a4

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
145KB

MD5
4c665d46d1ea122529efa27fb19dbc1f

SHA1
6400f0fe7dd5f0f43f10a38ed6fbce4cedf8478a

SHA256
d1f1212d0ffde9ec2960d1db7eb776139f7c2c895579b8b426fcc5b7847a9e91

SHA512
2ff294195a08065649aaf7e00157c8d0fee4dd6720345021144bcb42731550c8f63db51ac19cc81afd4761639d6c5377207026bed72167b6e16a4dcc008d6ea6

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
145KB

MD5
ae9c03ab1768d5744b259909294f3c8f

SHA1
91f3f21e691924ce4363b47e51bac9abf5ac5eef

SHA256
e8f64cbdfb42f53e08df92df07b5134d8552ec05dbc2975629ade15c19bbcdb1

SHA512
0c7ad90f2b49ea981908d4ebe83a046b537385ad42f9802007a96c72e9d3348f5f51d5b915b123c10cb13cbfc342df4a4d2d523854de013ebe6de7581dd6e307

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
145KB

MD5
72dc1cb463ed4ca553fd319134861a7c

SHA1
1bf620719f3e7cd9b30294baaba9404d166b3f82

SHA256
957c65144a57cf90d7200d3341735bb77c531e575c42c6e5b059536558173820

SHA512
20efb82d44440f0ea8ca907644591953051ecccb1221037817dd0c53d7d7844e0d201c059dd2c775f0f8ada77b408cbc60a4aaf6f20aa7205b59959256b995fc

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
145KB

MD5
134a7ed36869ec5b095c541b2f2308b0

SHA1
068b1e7511cda668b170e0b29a3b3ba1fc60c250

SHA256
5096e41803ca277e96a1172ae87b14e9a0a4db919ef01799f43faf5f1a6d9cc5

SHA512
337deac39829c31acdd5ff541f68363cf6897f377c888682a9196a19e5ba0388539bd70abaed0bb26fce28474b53a71721864ea8eff539dd12df240d10f28d35

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
145KB

MD5
d598d9e031483df3be3a681109af1ad0

SHA1
0d586fbd4c5049f217fff6376a5ea40129a72fd7

SHA256
44c0aaa772ee668474b3ab454d8f6a292d77d8e62890a1a21469348504c33471

SHA512
54cefbbbc39ac06e594333a80799f2826d79c1194631a5d1b24353d14a8b8ab340c93912f544d623d6eb626a85d53de6d854cb64743194b1ac3248927ca4ed80

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
145KB

MD5
255952c34f23d1a29280e9cd9088ee0b

SHA1
dcb74638c60c97fbc857ce9ffa1d9ef63bde2335

SHA256
faa242041d72d39ad4f602ad9873baf28149ee656434db7ab565fac3d9b6bd4a

SHA512
f77ed59783c2bf9ea6a2d9702012b7af981bd2ab684dbf3d0b18f32f205959ad6b534a3298998158208b90a6aaebdd94e85635dd7621e266de606307465ce2df

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
145KB

MD5
5c6f0374fd56dfefdcd68fbe59a71c43

SHA1
5f0fb72dd60cf7872e01d3820276100017fa655d

SHA256
7d1bfc1da80be6aac07f1f9cde2ecb8e7dc6de928c2c5decaa95b672f27da71e

SHA512
9d1a0f4abc0b51eb1a5cef7f28d853a7020b76a62aa2bed30ed8b24d38751e8e3d0e9f4bb36e3fafa263d49a2bb76fd93e43b33e3f747318399a406debeee5f9

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
145KB

MD5
ddaf00e1421b0c290d7c645a516909d0

SHA1
f08d93f72b1a61024b67c908eb583aba64ced1f9

SHA256
753b1d756d5b32e5c05d4d8f6f9c1dd4d2f50a4fdc4bdf7dc2955586cb42842d

SHA512
f5e83fe4815fa9f001a3d6a77e0028666e666754af49cd9425577ae949603de79422c34d2bec0fa1618c7ed54bbb6b61f47c66b193585bccd3894ee94c64b5f3

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
145KB

MD5
9a4cc9f36addbec0183f866e165f817b

SHA1
5838c5c7e3c776ede423853c72dd42dfdc5013b1

SHA256
f4af539003499a244fa0873f5c0bba546d11b92057ba4e8814db9fe6e0426b84

SHA512
bfaec0411464927b73747fb90063895ff47e0eb1834934d317219af8c9004c491c3d3aad847e8a984733b31b9ada4ba199e48924dd8f1ec33f3088e4d8d0eb85

Download Submit
memory/208-392-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/436-544-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/436-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/456-296-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/864-128-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/864-635-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1036-405-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1244-469-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1260-526-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1272-429-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1464-411-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1516-503-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1628-160-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1672-151-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1716-337-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2112-120-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2112-633-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2236-359-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2380-509-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2456-551-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2456-25-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2620-927-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2632-208-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2644-527-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2644-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2644-6-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2660-223-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2676-435-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2680-335-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2768-491-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2812-17-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2812-549-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2844-254-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2888-1042-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2888-636-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2928-533-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2968-583-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2980-609-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2980-101-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3080-320-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3108-909-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3140-184-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3220-168-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3276-562-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3276-37-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3336-192-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3436-576-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3452-453-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3492-65-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3492-582-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3688-261-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3692-463-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3736-475-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3824-347-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3836-267-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3848-481-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3860-200-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3932-290-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3972-525-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4052-45-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4052-563-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4080-89-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4080-602-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4112-369-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4152-60-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4152-575-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4232-417-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4332-239-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4352-654-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4352-144-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4400-180-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4468-284-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4484-394-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4492-231-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4540-428-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4584-302-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4676-308-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4688-450-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4724-251-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4808-376-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4840-112-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4840-622-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4868-615-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4868-105-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4888-49-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4888-569-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4944-589-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4944-73-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4992-282-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5012-314-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5076-382-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5080-595-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5080-81-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5164-596-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5212-603-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5300-616-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5344-623-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5424-637-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5472-643-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads