4f22dc0998ac93169f4f85c823bcc0968e7d60390c52cc1b095bb7b16e087080

Analysis

max time kernel
139s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 23:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6a1784cfc9db77dd829ed3f169901980_NEIKI.exe
Size

163KB
MD5

6a1784cfc9db77dd829ed3f169901980
SHA1

1a2aa30af7e83fb769d8a203bc44dc2320e9c6a2
SHA256

4f22dc0998ac93169f4f85c823bcc0968e7d60390c52cc1b095bb7b16e087080
SHA512

387ac7ce77e0fdc0d8c290fcc74c0902add6be8aa8713623af6d4cc65a4d9078a9aed54fb528c044a0368bb22496e2ebeb4ab7c2320b70ab71eae3abcae01078
SSDEEP

1536:PrKYWUx3XBp1T5MeaZT7r2d3APV8lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:vlx3XL1tuHrq3yKltOrWKDBr+yJb

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6a1784cfc9db77dd829ed3f169901980_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe

Executes dropped EXE 64 IoCs

pid	Process
2664	Efneehef.exe
4440	Elhmablc.exe
3108	Eofinnkf.exe
4272	Ecbenm32.exe
4948	Ecdbdl32.exe
4220	Ffbnph32.exe
4008	Fokbim32.exe
2044	Fjqgff32.exe
3808	Fmocba32.exe
3160	Fcikolnh.exe
3256	Fmapha32.exe
4752	Fopldmcl.exe
2084	Fqohnp32.exe
4568	Fflaff32.exe
4576	Fqaeco32.exe
4584	Gfnnlffc.exe
4928	Gqdbiofi.exe
880	Gbenqg32.exe
5044	Gjlfbd32.exe
4636	Gbgkfg32.exe
1200	Giacca32.exe
3564	Gcggpj32.exe
4500	Gmoliohh.exe
60	Gpnhekgl.exe
4640	Gifmnpnl.exe
2744	Hboagf32.exe
220	Hmdedo32.exe
4872	Hpbaqj32.exe
4408	Hikfip32.exe
3444	Hpenfjad.exe
3260	Hbckbepg.exe
4424	Hjjbcbqj.exe
3052	Hbeghene.exe
412	Hjmoibog.exe
1132	Hippdo32.exe
1152	Haggelfd.exe
2996	Hfcpncdk.exe
1976	Hibljoco.exe
3644	Haidklda.exe
1980	Ipldfi32.exe
1184	Ijaida32.exe
3164	Impepm32.exe
3152	Ipnalhii.exe
3448	Icjmmg32.exe
4836	Iiffen32.exe
1352	Ipqnahgf.exe
3556	Ibojncfj.exe
2160	Ijfboafl.exe
3496	Iapjlk32.exe
1780	Ibagcc32.exe
2244	Ijhodq32.exe
4920	Imgkql32.exe
4116	Ipegmg32.exe
212	Ijkljp32.exe
4400	Imihfl32.exe
2428	Jbfpobpb.exe
3264	Jjmhppqd.exe
2796	Jagqlj32.exe
4368	Jdemhe32.exe
4388	Jfdida32.exe
4708	Jibeql32.exe
2292	Jaimbj32.exe
4756	Jdhine32.exe
1828	Jidbflcj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Fmapha32.exe	Fcikolnh.exe
File opened for modification	C:\Windows\SysWOW64\Fqohnp32.exe	Fopldmcl.exe
File opened for modification	C:\Windows\SysWOW64\Fflaff32.exe	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Impepm32.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Mlmpolji.dll	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Efneehef.exe	6a1784cfc9db77dd829ed3f169901980_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Jdmaid32.dll	Efneehef.exe
File opened for modification	C:\Windows\SysWOW64\Fjqgff32.exe	Fokbim32.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Hlcqelac.dll	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Fjqgff32.exe	Fokbim32.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Fmocba32.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Fflaff32.exe	Fqohnp32.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ecbenm32.exe	Eofinnkf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6048	5692	WerFault.exe	217

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogedoeae.dll"	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inccjgbc.dll"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efneehef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcfcpdf.dll"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbpag32.dll"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giacca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2664	3016	6a1784cfc9db77dd829ed3f169901980_NEIKI.exe	83
PID 3016 wrote to memory of 2664	3016	6a1784cfc9db77dd829ed3f169901980_NEIKI.exe	83
PID 3016 wrote to memory of 2664	3016	6a1784cfc9db77dd829ed3f169901980_NEIKI.exe	83
PID 2664 wrote to memory of 4440	2664	Efneehef.exe	84
PID 2664 wrote to memory of 4440	2664	Efneehef.exe	84
PID 2664 wrote to memory of 4440	2664	Efneehef.exe	84
PID 4440 wrote to memory of 3108	4440	Elhmablc.exe	85
PID 4440 wrote to memory of 3108	4440	Elhmablc.exe	85
PID 4440 wrote to memory of 3108	4440	Elhmablc.exe	85
PID 3108 wrote to memory of 4272	3108	Eofinnkf.exe	86
PID 3108 wrote to memory of 4272	3108	Eofinnkf.exe	86
PID 3108 wrote to memory of 4272	3108	Eofinnkf.exe	86
PID 4272 wrote to memory of 4948	4272	Ecbenm32.exe	87
PID 4272 wrote to memory of 4948	4272	Ecbenm32.exe	87
PID 4272 wrote to memory of 4948	4272	Ecbenm32.exe	87
PID 4948 wrote to memory of 4220	4948	Ecdbdl32.exe	88
PID 4948 wrote to memory of 4220	4948	Ecdbdl32.exe	88
PID 4948 wrote to memory of 4220	4948	Ecdbdl32.exe	88
PID 4220 wrote to memory of 4008	4220	Ffbnph32.exe	89
PID 4220 wrote to memory of 4008	4220	Ffbnph32.exe	89
PID 4220 wrote to memory of 4008	4220	Ffbnph32.exe	89
PID 4008 wrote to memory of 2044	4008	Fokbim32.exe	90
PID 4008 wrote to memory of 2044	4008	Fokbim32.exe	90
PID 4008 wrote to memory of 2044	4008	Fokbim32.exe	90
PID 2044 wrote to memory of 3808	2044	Fjqgff32.exe	91
PID 2044 wrote to memory of 3808	2044	Fjqgff32.exe	91
PID 2044 wrote to memory of 3808	2044	Fjqgff32.exe	91
PID 3808 wrote to memory of 3160	3808	Fmocba32.exe	92
PID 3808 wrote to memory of 3160	3808	Fmocba32.exe	92
PID 3808 wrote to memory of 3160	3808	Fmocba32.exe	92
PID 3160 wrote to memory of 3256	3160	Fcikolnh.exe	93
PID 3160 wrote to memory of 3256	3160	Fcikolnh.exe	93
PID 3160 wrote to memory of 3256	3160	Fcikolnh.exe	93
PID 3256 wrote to memory of 4752	3256	Fmapha32.exe	95
PID 3256 wrote to memory of 4752	3256	Fmapha32.exe	95
PID 3256 wrote to memory of 4752	3256	Fmapha32.exe	95
PID 4752 wrote to memory of 2084	4752	Fopldmcl.exe	96
PID 4752 wrote to memory of 2084	4752	Fopldmcl.exe	96
PID 4752 wrote to memory of 2084	4752	Fopldmcl.exe	96
PID 2084 wrote to memory of 4568	2084	Fqohnp32.exe	97
PID 2084 wrote to memory of 4568	2084	Fqohnp32.exe	97
PID 2084 wrote to memory of 4568	2084	Fqohnp32.exe	97
PID 4568 wrote to memory of 4576	4568	Fflaff32.exe	98
PID 4568 wrote to memory of 4576	4568	Fflaff32.exe	98
PID 4568 wrote to memory of 4576	4568	Fflaff32.exe	98
PID 4576 wrote to memory of 4584	4576	Fqaeco32.exe	100
PID 4576 wrote to memory of 4584	4576	Fqaeco32.exe	100
PID 4576 wrote to memory of 4584	4576	Fqaeco32.exe	100
PID 4584 wrote to memory of 4928	4584	Gfnnlffc.exe	101
PID 4584 wrote to memory of 4928	4584	Gfnnlffc.exe	101
PID 4584 wrote to memory of 4928	4584	Gfnnlffc.exe	101
PID 4928 wrote to memory of 880	4928	Gqdbiofi.exe	102
PID 4928 wrote to memory of 880	4928	Gqdbiofi.exe	102
PID 4928 wrote to memory of 880	4928	Gqdbiofi.exe	102
PID 880 wrote to memory of 5044	880	Gbenqg32.exe	103
PID 880 wrote to memory of 5044	880	Gbenqg32.exe	103
PID 880 wrote to memory of 5044	880	Gbenqg32.exe	103
PID 5044 wrote to memory of 4636	5044	Gjlfbd32.exe	104
PID 5044 wrote to memory of 4636	5044	Gjlfbd32.exe	104
PID 5044 wrote to memory of 4636	5044	Gjlfbd32.exe	104
PID 4636 wrote to memory of 1200	4636	Gbgkfg32.exe	105
PID 4636 wrote to memory of 1200	4636	Gbgkfg32.exe	105
PID 4636 wrote to memory of 1200	4636	Gbgkfg32.exe	105
PID 1200 wrote to memory of 3564	1200	Giacca32.exe	107

C:\Users\Admin\AppData\Local\Temp\6a1784cfc9db77dd829ed3f169901980_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\6a1784cfc9db77dd829ed3f169901980_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\Efneehef.exe
  C:\Windows\system32\Efneehef.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\Elhmablc.exe
    C:\Windows\system32\Elhmablc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\SysWOW64\Eofinnkf.exe
      C:\Windows\system32\Eofinnkf.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3108
    - - C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
      - C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        24⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        25⤵
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        27⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        30⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        36⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1352
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        53⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        55⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        61⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1828
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        66⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        69⤵
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        71⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        73⤵
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        75⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        76⤵
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        77⤵
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1652
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        80⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        81⤵
        
        PID:388
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        82⤵
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        83⤵
        Drops file in System32 directory
        
        PID:4720
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        84⤵
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4128
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        88⤵
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        89⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        90⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        94⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        95⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        100⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        101⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        102⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        104⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        112⤵
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        114⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        115⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        117⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        120⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        123⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        126⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5168
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        129⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 404
        130⤵
        Program crash
        
        PID:6048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5692 -ip 5692
1⤵
PID:5924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
163KB

MD5
8cfe4e54f5c2523b09d216bc14d9997f

SHA1
3b672f6190c359ea54a8b0d4dcf9be6f4d0934fd

SHA256
1f92a97ae6314e21fe6b6f18cba62a602f4c921cdb2ad7a4d76db5fa3d28e970

SHA512
41c2b8c4ea87707ea3aad13085e952bea8e2f9f6d232e3240bf83f0e34a9708d2e1186e6d8393d73742cb7afb7a93e6cc44e6b079c6f3ba79ff8d056c791b1ca

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
163KB

MD5
335f53bd0677b7a674bdfb0904cd6f54

SHA1
e271cdf2ef8d9a9955c08456356768581cb5b5fc

SHA256
d2fd7d9ae39503e7fe263cb269057f77e8c5b0ea78a42a95c06dff201aeeff2d

SHA512
62c6157ff4e1df93d02ece2f4428123cf005b5dc3a5a1e4e9e1095810516cb54c0069672cde8069551f9df310dff2f0d1582f835605c3061789322372a9a43fa

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
163KB

MD5
ae05d32f9a0663334ab815ff2f065f17

SHA1
e73f45aac435b5a5ece2b45ce06425f4bd990656

SHA256
532b1f4a7e0137dea54c25fc32ac9d98efb05cfe284aedf20e4194877a5e0537

SHA512
13e369ca7b11c2d0e71e042bff96259c55df0d05215f23bfa3c555083943b09cf446a9b10bee4d55d70c3b53b9cc2386e3983225af9ab526682cf17ce8608702

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
163KB

MD5
1b41614224345ebc6d21008b006b04a3

SHA1
1f1e11181b2c02d705f88be7d3f47b0a43d0c5f1

SHA256
bd65fb0f096e183b5a8fd7d07c1ff1042355cc04c5936126e288017027fb7b56

SHA512
0f977623a876aa491a8cd403207093062c185c0bf2aa088c35fdecfe4b5e8567dd6f5399eea3fda0c4a1abd0b43f176866ea47bdd91cb6531a7f218294bca42d

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
163KB

MD5
a612af9a20f5b0e7d0331d539fcdc74d

SHA1
c2959484bd2ba8951bf9dabff0a09b97f54af5d9

SHA256
29a2728c9602079beca9882fcec0416b945d0bc9f411f7f1138beea3011d978f

SHA512
613fc02ef412eb504e7c7015baaaa25275e76b5eb80bfad6d54a49a8e9e0abff8efe39fe548aff2627c856f64ad9719cb14a92433833ef37290cbf190f5411b1

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
163KB

MD5
67eede09d285704df043a7c64ca0f755

SHA1
3d686f5d800b122a0116e4e17999b5b92123085b

SHA256
6fb46be9aef33bb526869e1e40d0bee37a007447f27d35ed2b37e7b3ae08ee43

SHA512
7a53aad715184c53439c9ebdd2581a5a438b04fc8616744346fd20204ee05f060bd563ffd6406f9029225b9876011bc81b68b9c77a8c30d0db41fafcfe0eabfd

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
163KB

MD5
cf3a94e696767deba894565a5449d89b

SHA1
f81be50415b24b86766d73733225c9e281f1a488

SHA256
e2a30dab9859cbc34ff1e1861140bad00b59234ea7f0eab6bb080603ccdf8217

SHA512
d3c68ec14666af6baf947f2e8d5875ae29e538398c953d1928f1773cebc0de744f86e0642c84a3c6ffb9642352bda5c86a31c72a97ccf2a0a69482c83d2a5fcb

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
163KB

MD5
d4c40dfac668729335f11bfc79002a2a

SHA1
999d1e674d4414a3c192699b8faf93272c2bf29b

SHA256
5e9e570d9306feaefa5762fec11ab1e112d8dc6969fd7a74b92670fe80801e7d

SHA512
2b80c00cba845861043bb706113c94cb1e2ae7e1149f6de79e649807289c6cb1754b01ca5f5136a58529fe2df3e5b1012cec48b537fef792fe1a23878e06610a

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
163KB

MD5
c017d2ee50376d0c48d4caddf18db033

SHA1
d613412c3e388b2a21c3072e78e2b1c9832f574b

SHA256
054d6fa3dc8ac4a9e62cc6e5e2b5bac269008cc41a0ea936183690ff04df7243

SHA512
86073c21b56c156731d19ed590020165d74f541f74db2d8938b834650a0f18aa36869d3cb6619dda8935917a97a7d821dd96591aafc5b7234e81fd6b99aa81a3

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
163KB

MD5
ce2811a81bcea4d35f7b941f5b4c936b

SHA1
0ae201f39561e7cfcaa2541fc805fd45bdc4b62b

SHA256
52a5d9a03b9e800790245bc22bba518274a93ae86bd7ad21d7d925af23070c34

SHA512
c4e8d160f75f36290e9bc7f3ac0af450e86e0671b07fc517904d4cfa07585c181b779ce1aca1a0b1e8e236ba353f29f3de88424b594ae316f1b1c533cc9f705e

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
163KB

MD5
4cb92ba7f84fa54ab972ad6faffa2224

SHA1
efa9bc7773ce5afcb996e0f706c62e831214b00a

SHA256
bcdf721aa42bcfa1758b0ba7658e93b14f63732cd5cf7aa1f3894ef26a2cf5b3

SHA512
88b5ab553539d91bc0644d89a578da8c024de08cb4fa1032234d322809957a5bc324fe7b1bf07aee1a3ef35e82bd4c2ab1cd5569626f977fb3e87b8a9779494d

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
163KB

MD5
54a72893f0d8ac7330f6d5f784047070

SHA1
95279f969d4d3d2e9ce2435d3f2f9f6f36c35eb8

SHA256
b0daa54c0d123709d7f964a3c05868bfc65f3a7bb2ffd5a3333ab6366df3aae9

SHA512
a500afab97d743cc68ec79b2353fd322f89153e383dc9917b71f3e380569c7cdf4c6a147600b7e998c1a6b63aab411adcd55ecb7ca4e9cafddda4bd4ac62c887

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
163KB

MD5
4bbda47e6931622ad08cc884273a8090

SHA1
55f9ae173a0b25a71d6d6bab4d47aac516b3945c

SHA256
3238f548ad4506ff5baa226313556c7dc237618848ae3a1da5ea5479adf16d28

SHA512
9f7cf16b4d29c1fefdfae84a92e228be763f70267ad4b3f50c3cf97bf7b4ff4765246f1217b98ad964660a4c9fa8cacc517fb3b9873625f25a1d31c6a1e57a49

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
163KB

MD5
7e1a425cf0cb0c4c80daef626cf42ea7

SHA1
308cbf05e0185d6255c173cd14408445be92d8e8

SHA256
0f6110d8438039a4ae5b97cd5564457516f12d6531df1b6a36684f1fcfcbdb3e

SHA512
4e7ef2ee9fe66f883eb0f42aec86af8906d5bb7a75169ad702f2d1ecf97649c056cd51652e2730ee54147110f8c80c3817305f3cc7f39ab6aea93f625c9b8b24

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
163KB

MD5
b9bd0719659b3cb676d50dc7d8adb332

SHA1
cd373fe20c9a44d6bf9d15e15130060a02099285

SHA256
b5ffd1c256a72a767809dbd6823871ba362e2ab5a9a89d06846a867db497a1d0

SHA512
1ea26c4b9e8d5b7b7316a24d5606452da5f303b665de83b7319bb2f7ea33a52bc898138fd4b12f2c7f3cd82bdd9c03f4a06aff658d56ac9f9392720b7d2912f5

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
163KB

MD5
05791debab0233aff39551a48bb40d71

SHA1
bcfbe8fd4bd15caa35fd786fff0d85c85cf7576b

SHA256
1c04e6e0a2ab65b41bd2638ae3eb82e654110f3472645ea423e1d68cb4cea927

SHA512
da2baa1da5aafb9308e6bbf83f3968bb0cb2ae330c7c2041d2c167800e64b194a76d10e6f4b219aaa524dc688d07af0f496d4d058f2e1a7487e27d1b09c400ff

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
163KB

MD5
6f48589942a7f1b5867c9c54061cf80f

SHA1
a250ff7630964c70d07b8c493cd32dd9a60a0a1d

SHA256
04a41ca1bd63ad1d7e64b7d0ffe55cb40b2f77a50611abdc21c05546f5b51d45

SHA512
ec2028a382c54155dc1265adb5b773bf6a783561d4f490f8462cab5e1024009f02e9e2ea48c52e721baa8906195a3f300190294480ba43efa67f515604b1839a

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
163KB

MD5
2f79a3c366975c883828c9f051f493ec

SHA1
9fa6573f8a92952929f07c08ab058f3be04154c2

SHA256
57a8ec503ea71b1069b52614f1d4b984bd2b8ef3407ac0b6847bdd4fdbaa74b2

SHA512
856d0830a419516d0e52f72b783e06c24b8c320c5b06f9a0405cb066bde85341339070294edeebc0e1337b21f1671fefd133cc2730ca6535c222ff231a84aad9

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
163KB

MD5
4525eeefcb8d7418afc7363c6eea4407

SHA1
4b25096628cfba8781a8df88113a229c579ce2a0

SHA256
364b8610ad7214a0fb3882c072713293f00e6fae575c4f4ca191d62d72e67451

SHA512
40db7f867c668f6e85b5798016587ff3591d799e3893e72387f4ffa20097864d01fb6bea7773dd05df48f3cce7bbcb1f9cfc92ecbc60bc7ea69e959fb36c6426

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
163KB

MD5
6361725e7cc922ed2108835190635519

SHA1
98e27f28b1e1ea57a4e19f8bc607b49a257582a0

SHA256
884f4ed13bbc70383aedde962d43b5f8d76ce757fab04362cbcad41b58a166f6

SHA512
a5978d2631649fd242e749cf8aabfb11757a8e920d9e18e9d541229e0cf67caccdafe286dbec116df64147bff15c1c222fcdfce74a28d2eed7bcef9919b38965

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
163KB

MD5
ef82a19c5e42216e60ef1d8dc1f22ab9

SHA1
6a19230c1fea6ab7e086b28d0c8564b52a21aca5

SHA256
f6d8e7048c441e017bca532fd24993736ed77657ba7339209bbdd06cb8eb6a63

SHA512
9440400d09db1b57b610414b553db83b59d92de300cfe2bdeffe9425ad889f07a170a4294f6166b5dc467815d479be60093893c0d076756c14f6705e39e495f5

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
163KB

MD5
7f43f9cb95dc06ffaa2d48de378d6cae

SHA1
b13578f0d9275762f1beb7044a75f1cdf4b04415

SHA256
4907e600b0e3e287c55ffc383726d73e460707036e382970f36fca82fa0f0f13

SHA512
080e00f51725bd73b6564d3fa1f7ab9f5da475bdb9b81fffd779935b8fe4d45ac17288b89ce633f39fb075d57d17d5837047f947cdf4153ef93a499944380b42

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
163KB

MD5
3833e494d9a2b8e8379d82c4688daace

SHA1
102b4c7216f7c12bbda80241bbbbe535aa8208b4

SHA256
f847220f8879e994901dd055c69ef1298f256332dd8ed5042dfdbe13ff07b568

SHA512
3d5b864eb59ddf45dad1598e069e2efa364b4738e26ecf676ccbf44372f5be893e685debf93f7663feb9575906b3dd8e393716e1745323370625ce84f7da0921

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
163KB

MD5
7c02e68bf1918f5b93cbdb5fe899038e

SHA1
9014fb5125a628e7d824419c13d210d89bc0ce7b

SHA256
9b5938af42e342544e984998861f01d8d5c154a04d69276d2940964a2ef8bd93

SHA512
486a9d7ba470d947aa919eef0f5cd188402e95bee54ff3575b7d1552cf6108a26ffd4fedfd3d4b1e5a740edbacb378cca7561d4e5c2353c7a43d1f2a9be8e70e

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
163KB

MD5
1cfe96dc07d271d7dd5edb2ebc95b4f2

SHA1
5cc44e1e8a3ef14e499db2d981ea632effa46c0a

SHA256
d4e3e34869e6fb2a4b4cb2c9ad4ce08240739d32fd2fc9aa1ce8b92736f59c68

SHA512
abe26da148cee8f93391a898191f2c3dbf03377ee778d9b969b830fb17139c3ee4f1dac1b7c80a4e4d4b4a4567dcc2dac13763d7455a2574c7fc0fbaeafecac7

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
163KB

MD5
d5ea050888e04476217e8b24b21716b8

SHA1
ee1431df322e19c9de57b9496c26776aa789ef4b

SHA256
b28bf71fd5dd62f8558cdaed5343e882d56397b0170ce2d40f15d5222402a9c9

SHA512
8379b24c168713f2902f8e0f2dc67f5ae376c6347826e3eb446220ee0d8ca774f812da949663b54ac77b29b9a429dcee03418a91e0171529f2c8f8e414566158

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
163KB

MD5
50634eb033975c67d0d4140ffd2696e7

SHA1
3956159cd9a49a150f410f2b756d6dc27e86a14f

SHA256
5f25f65b7e5fc1da50cccca036993047ec60ace32d753028e66048f3a0a12111

SHA512
97b113ded62e81232f037447c1db315d56d0e591438148e084be00e746e863f2b70ffa225b17b527cdb312f125824ac863955515ef922036f4fd7f140db3e56a

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
163KB

MD5
847be748ee0cd72c9158ec83d1995459

SHA1
6914485427001d2cec693db626f374aea8a6e926

SHA256
3263a23c858ff44b21de774137525737482b8034dd0cc4fff6224bcf70417ac9

SHA512
35c5fcbfbf23b5910446a78b4ef6735f48c28789cda755177ce0bb1b7d7bb31958675f5f6b956dc7087cdcfc05cde89d7e59419afff31bc87325d5696ff93500

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
163KB

MD5
32ac4b88167beb8f797993a9ae649dc2

SHA1
a6ddbb6da0e1cb6f95eedce74085ed5ff1be7f82

SHA256
3d0eff8ab764b8aaad8d0e6274366cf38da6d383d44de570e62a9fdf4152aacf

SHA512
493a25e51845206defc75c4c9d4ffe8f5eb11a3895410cb9095e50763654eac4aacbd954ac6286bfc06c58cd48922e9a79f480652e4eb0084f65c63e3624e7ba

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
163KB

MD5
7e662ab1a303f880e01d1c4ced78fd4b

SHA1
f2bc2b9f2251c6efe99b3e932e781b75e5a1a038

SHA256
4d203669abe33aa883ee6abb8d8514971ab42abaaa979556e40eeff0ed3014ef

SHA512
5356074d8942929d022dcb3188c2943302dd45a4d2952921bd462878014ca0c544bb9e29d07076409659fcb0cdfe041bbb443dbe7857a5c0ec56cdb27cf7da3f

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
163KB

MD5
e8ca4ef8db1db2739ebb0cb476a9bde5

SHA1
a705534d1fcc159c838a053759b36b860efd8121

SHA256
d4239510129744fddab7026393b84dbba40ae28d789b184efa1307856f0e690d

SHA512
9c732174e61deebd6686775b23a08c5662fc44c2f53108d7521928c74aa49e61098d137cfdc04f9741bda0d5f5583bf3e72fab0ed6f7dc820fa1eeee4ceb4c9f

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
163KB

MD5
211c27f8ae6f892f78ea116939ad17f6

SHA1
49ed2141c7a7aaef7e14790dcd0e99b5c1c42fed

SHA256
29d28916fc07983e2085ccae96f468be07419d178d63069af38ed1fe243d4a68

SHA512
8f5edf09424956bbe88c2107e1e0d0da38f74d4819d87940baeed57288a034144d265e90041418c5d624768ca2a1fa1838419507191d26a26581bbf40cca1a58

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
64KB

MD5
33a452e75ef21e69b40bac3c05c9d8da

SHA1
3ca10c6dbf85edd7f9ae2cb9ec5b9dcc7d751246

SHA256
d31b8f59b0f48f57efa701c327a2d2ec064a3de556c480b12e414581993eeb00

SHA512
35b5863af25832d660c06f91104ebb096942c3dfd2c16819469600a7368cf1a54d9f4e8c0e5d31fe44621f9471eac55155d8d44108548034c67e794332cff707

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
163KB

MD5
72341c49223ab899ede559c83f0646d1

SHA1
1d8a19e7bda4356dc481c82c18c504492fbc06d2

SHA256
fa0ca64dcb337797897d29816cd3ef52b5018100c08c27370be4dac1d324466f

SHA512
339f7ce95f47dd480a240aa66f792e2088cde9f3952e125ad708e2c04bdd4aac6fbd7c53a5b40a627357d2b090bfa1bdb04cb629476838c066f44e86b89d5ac9

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
163KB

MD5
759f568c0cb635ab40bd6825a070659b

SHA1
902d276358a89376338c287b5834a4058de46e01

SHA256
198375e4dfc15655d4ab2c900ff3043084b6a24cc765dfb0efc2a4007f544285

SHA512
7c55e21cbc9389731dcecf1c147c40b7faae2015646ec699b06030cd8fb1b20e8fd3b00de5fd5dc56382d6cadc991bdeb8e68f5981826dfd97a9dcb43df170a4

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
163KB

MD5
408547c224c719945604316ae5a0dc3c

SHA1
72a36dac48dc8fe7c0a8f99d1870611f6d6e91eb

SHA256
4ddb6efbf8b0e22d3d0ab28861b600f3de53604107f771c0c6f157c40ea17559

SHA512
f36ba6ff0526783ca47d0532658077ee95ef9a3c7c49816cb4fc346a04c4d190fcfda40cb4a02dd53f7fe0e29d9bef50185ff19fc2ae771faf27513a967ed345

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
163KB

MD5
ba9b9289fd72d16e4e261f01fb5fda1d

SHA1
2d81141f802435886038ab7b42615aad5bce216e

SHA256
ba9a57b63f2e86a40239d799f0b9dde37b51e3a9a40238b5d49056e63a8077c4

SHA512
4ca87032038cffecd4150a5c3b3ce807752b35c21f7926ea050a072c88a48879d690d05a35a6413e62a893618d2d6e6b6f4d10eac071965ee54eef0c2ad7b3a5

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
163KB

MD5
5e87dbda48ba4fefa4690e1572e5aac8

SHA1
b9f5245907a4cd73caa60ab8ea3758121286f88e

SHA256
8b64974b3b39bcd5b7083aae380806b6aacea3b971fe9983d1dc10658b51f02f

SHA512
d344dd586757bdcc9ccfa0237a5c3d106c4b72766721674af3071023709bf46b684cae76a58879adfbc119cc541595bdfc0fdd3cdf5c1621e023775768ed9980

Download Submit
memory/60-196-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/212-385-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/220-216-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/388-533-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/412-270-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/812-467-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/880-149-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1152-277-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1200-1059-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1352-339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1652-514-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1864-946-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1980-300-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2044-584-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2044-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-1075-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-616-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2132-472-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2160-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2220-964-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2244-368-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2252-485-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2252-960-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2292-428-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2360-478-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2428-393-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2432-501-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2440-455-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2512-527-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2664-539-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2664-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2744-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2796-404-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2996-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3008-948-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3008-508-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3016-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3016-526-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3016-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3108-552-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3108-29-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3152-321-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3156-445-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3160-598-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3160-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3164-315-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3208-947-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3208-520-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3256-93-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3260-247-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3444-243-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3448-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3496-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3556-345-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3564-175-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3644-298-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3808-591-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3808-77-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4008-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4008-578-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4220-571-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4220-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4272-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4272-563-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4368-410-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4388-421-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4400-387-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4424-254-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4440-545-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4440-21-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4440-1097-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4500-189-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4568-623-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4568-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4576-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4576-629-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4584-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4584-636-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4636-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4640-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4708-426-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4720-937-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4720-546-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4724-495-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4752-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4752-613-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4756-434-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4836-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4872-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4920-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4928-643-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4928-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4948-564-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4948-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5044-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5128-565-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5128-943-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5176-576-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5276-585-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5276-926-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5332-592-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5488-615-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5564-617-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5652-912-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5696-630-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5740-637-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5804-644-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5892-904-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads