21bdbffcfb8ad193df67c1cbb5b734cc08b451bac781a53981034fb3c2df8ce7

Analysis

max time kernel
137s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e3180be4224727d812f2e4c3fdd7310_NEIKI.exe
Size

78KB
MD5

9e3180be4224727d812f2e4c3fdd7310
SHA1

fc99e0926aea4a22dd2d57a0bc6c6e2ea3f50965
SHA256

21bdbffcfb8ad193df67c1cbb5b734cc08b451bac781a53981034fb3c2df8ce7
SHA512

1d0429d99c25a0476c5d627f6403a97c3772614230882ea17ee5e1aadf321266d37f2d32440243b40bd4918e9084b81037a944b0f114a4a92f86835885b6f43b
SSDEEP

1536:9vI8YlZWqv9oDx16X6dyk/S4iVRyN+zL20gJi1ie:9tYP48Kdyq9iVRygzL20WKt

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9e3180be4224727d812f2e4c3fdd7310_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe

Executes dropped EXE 64 IoCs

pid	Process
4216	Gidphq32.exe
3512	Gpnhekgl.exe
4856	Gbldaffp.exe
2768	Gifmnpnl.exe
4344	Gameonno.exe
2608	Hclakimb.exe
5088	Hjfihc32.exe
4972	Hmdedo32.exe
1380	Hcnnaikp.exe
2696	Hikfip32.exe
3944	Hpenfjad.exe
2004	Hbckbepg.exe
620	Himcoo32.exe
4864	Hpgkkioa.exe
2516	Hippdo32.exe
1660	Haggelfd.exe
976	Hcedaheh.exe
3232	Ipldfi32.exe
3648	Iffmccbi.exe
4912	Impepm32.exe
2368	Iakaql32.exe
2840	Ijdeiaio.exe
3892	Ipqnahgf.exe
3132	Ifjfnb32.exe
2804	Imdnklfp.exe
2752	Ipckgh32.exe
3408	Ijhodq32.exe
4324	Iikopmkd.exe
4572	Iinlemia.exe
4532	Jaedgjjd.exe
4424	Jbfpobpb.exe
1992	Jiphkm32.exe
3668	Jagqlj32.exe
800	Jdemhe32.exe
4488	Jibeql32.exe
2728	Jdhine32.exe
928	Jbkjjblm.exe
4352	Jidbflcj.exe
1148	Jaljgidl.exe
4476	Jkdnpo32.exe
1720	Jigollag.exe
5056	Jangmibi.exe
3100	Jbocea32.exe
2208	Kmegbjgn.exe
3344	Kpccnefa.exe
3016	Kgmlkp32.exe
3924	Kmgdgjek.exe
2880	Kdaldd32.exe
4516	Kgphpo32.exe
4332	Kmjqmi32.exe
4944	Kphmie32.exe
3520	Kbfiep32.exe
4136	Kknafn32.exe
5096	Kpjjod32.exe
1972	Kcifkp32.exe
3952	Kkpnlm32.exe
2496	Kmnjhioc.exe
4228	Kckbqpnj.exe
2652	Kgfoan32.exe
540	Lmqgnhmp.exe
432	Lpocjdld.exe
388	Ldkojb32.exe
3772	Lgikfn32.exe
4976	Lkdggmlj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Qngfmkdl.dll	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Hikfip32.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Hjfihc32.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gbldaffp.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5160	5832	WerFault.exe	215

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 4216	4940	9e3180be4224727d812f2e4c3fdd7310_NEIKI.exe	84
PID 4940 wrote to memory of 4216	4940	9e3180be4224727d812f2e4c3fdd7310_NEIKI.exe	84
PID 4940 wrote to memory of 4216	4940	9e3180be4224727d812f2e4c3fdd7310_NEIKI.exe	84
PID 4216 wrote to memory of 3512	4216	Gidphq32.exe	85
PID 4216 wrote to memory of 3512	4216	Gidphq32.exe	85
PID 4216 wrote to memory of 3512	4216	Gidphq32.exe	85
PID 3512 wrote to memory of 4856	3512	Gpnhekgl.exe	86
PID 3512 wrote to memory of 4856	3512	Gpnhekgl.exe	86
PID 3512 wrote to memory of 4856	3512	Gpnhekgl.exe	86
PID 4856 wrote to memory of 2768	4856	Gbldaffp.exe	87
PID 4856 wrote to memory of 2768	4856	Gbldaffp.exe	87
PID 4856 wrote to memory of 2768	4856	Gbldaffp.exe	87
PID 2768 wrote to memory of 4344	2768	Gifmnpnl.exe	88
PID 2768 wrote to memory of 4344	2768	Gifmnpnl.exe	88
PID 2768 wrote to memory of 4344	2768	Gifmnpnl.exe	88
PID 4344 wrote to memory of 2608	4344	Gameonno.exe	89
PID 4344 wrote to memory of 2608	4344	Gameonno.exe	89
PID 4344 wrote to memory of 2608	4344	Gameonno.exe	89
PID 2608 wrote to memory of 5088	2608	Hclakimb.exe	90
PID 2608 wrote to memory of 5088	2608	Hclakimb.exe	90
PID 2608 wrote to memory of 5088	2608	Hclakimb.exe	90
PID 5088 wrote to memory of 4972	5088	Hjfihc32.exe	91
PID 5088 wrote to memory of 4972	5088	Hjfihc32.exe	91
PID 5088 wrote to memory of 4972	5088	Hjfihc32.exe	91
PID 4972 wrote to memory of 1380	4972	Hmdedo32.exe	92
PID 4972 wrote to memory of 1380	4972	Hmdedo32.exe	92
PID 4972 wrote to memory of 1380	4972	Hmdedo32.exe	92
PID 1380 wrote to memory of 2696	1380	Hcnnaikp.exe	93
PID 1380 wrote to memory of 2696	1380	Hcnnaikp.exe	93
PID 1380 wrote to memory of 2696	1380	Hcnnaikp.exe	93
PID 2696 wrote to memory of 3944	2696	Hikfip32.exe	94
PID 2696 wrote to memory of 3944	2696	Hikfip32.exe	94
PID 2696 wrote to memory of 3944	2696	Hikfip32.exe	94
PID 3944 wrote to memory of 2004	3944	Hpenfjad.exe	95
PID 3944 wrote to memory of 2004	3944	Hpenfjad.exe	95
PID 3944 wrote to memory of 2004	3944	Hpenfjad.exe	95
PID 2004 wrote to memory of 620	2004	Hbckbepg.exe	96
PID 2004 wrote to memory of 620	2004	Hbckbepg.exe	96
PID 2004 wrote to memory of 620	2004	Hbckbepg.exe	96
PID 620 wrote to memory of 4864	620	Himcoo32.exe	98
PID 620 wrote to memory of 4864	620	Himcoo32.exe	98
PID 620 wrote to memory of 4864	620	Himcoo32.exe	98
PID 4864 wrote to memory of 2516	4864	Hpgkkioa.exe	99
PID 4864 wrote to memory of 2516	4864	Hpgkkioa.exe	99
PID 4864 wrote to memory of 2516	4864	Hpgkkioa.exe	99
PID 2516 wrote to memory of 1660	2516	Hippdo32.exe	100
PID 2516 wrote to memory of 1660	2516	Hippdo32.exe	100
PID 2516 wrote to memory of 1660	2516	Hippdo32.exe	100
PID 1660 wrote to memory of 976	1660	Haggelfd.exe	101
PID 1660 wrote to memory of 976	1660	Haggelfd.exe	101
PID 1660 wrote to memory of 976	1660	Haggelfd.exe	101
PID 976 wrote to memory of 3232	976	Hcedaheh.exe	103
PID 976 wrote to memory of 3232	976	Hcedaheh.exe	103
PID 976 wrote to memory of 3232	976	Hcedaheh.exe	103
PID 3232 wrote to memory of 3648	3232	Ipldfi32.exe	104
PID 3232 wrote to memory of 3648	3232	Ipldfi32.exe	104
PID 3232 wrote to memory of 3648	3232	Ipldfi32.exe	104
PID 3648 wrote to memory of 4912	3648	Iffmccbi.exe	105
PID 3648 wrote to memory of 4912	3648	Iffmccbi.exe	105
PID 3648 wrote to memory of 4912	3648	Iffmccbi.exe	105
PID 4912 wrote to memory of 2368	4912	Impepm32.exe	106
PID 4912 wrote to memory of 2368	4912	Impepm32.exe	106
PID 4912 wrote to memory of 2368	4912	Impepm32.exe	106
PID 2368 wrote to memory of 2840	2368	Iakaql32.exe	107

C:\Users\Admin\AppData\Local\Temp\9e3180be4224727d812f2e4c3fdd7310_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\9e3180be4224727d812f2e4c3fdd7310_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\SysWOW64\Gidphq32.exe
  C:\Windows\system32\Gidphq32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\SysWOW64\Gpnhekgl.exe
    C:\Windows\system32\Gpnhekgl.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\SysWOW64\Gbldaffp.exe
      C:\Windows\system32\Gbldaffp.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3408
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        29⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        30⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        43⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3344
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        47⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        48⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        53⤵
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4136
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        57⤵
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        59⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        62⤵
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        67⤵
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4492
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        73⤵
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        74⤵
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        76⤵
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        77⤵
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        78⤵
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        80⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        82⤵
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4924
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        86⤵
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        87⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        88⤵
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        93⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        97⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        98⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        99⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        101⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        102⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        103⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        105⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        106⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        109⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        110⤵
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        111⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        115⤵
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        116⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        117⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        118⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        119⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        126⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 400
        127⤵
        Program crash
        
        PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5832 -ip 5832
1⤵
PID:6068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
78KB

MD5
40e950c152141b5f584763be8438b3a4

SHA1
c26c678233f605fc365a4bae3d207cba2e661bbf

SHA256
887b421cc9c95a0700724180496c73756dfc3ae4aba28b264abdba5dbd214a4c

SHA512
a85d5c06078e5889c8eb51a4abad25e48b9cf45b90ccbcb32ec86b95de389d301dd34d64a212882d52ed62ac7ec955877e4c82ed10f67bb15d6c33a8009dedc4

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
78KB

MD5
25bf38121241a371b6b057e1b3db24f7

SHA1
82ccdb2f7b45d9893fed7c041467dda1c80a6705

SHA256
6d027de6f3bce2b9cc728b84b058cfadc96cb484bb410680783646b83ba9b92c

SHA512
fb66b5ab423894b9760e0fa79f455adf335305016ecdd703071ecc6413fb18fdedb2a69150503ce686d141747b178cc8c1d4652ece7bb459e559cdb8160c9a17

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
78KB

MD5
704d22791c23e3835748cf8744198fe3

SHA1
0e58d8550e3441fa30cf37b9387bb148d6f53a02

SHA256
f96edcbe0f7dc8f63f5bb08ab427daeaf3dc44327c14cbe7183406db9e710f74

SHA512
3b2da54dbf74065371c86e6e4280b616981d5425066d4cb92b18a04a3c0009619b843219520551bcbbd459982bbd43d8359669bf6ea3bdba1e496344bbf0540d

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
78KB

MD5
cbcc4f13671ecd5dc3550c165cce1624

SHA1
dad44af5f8b198a74a1cbeeefb665cfd9dcb3489

SHA256
42afe3274a9237d1ed961cae40e43b0735e71ef6672b56024a3b334d6281988f

SHA512
303f677b3866062fc4caa4000ccb09432d466d1099260da28832f19dfdd014510a236bd70990beda00da7ec909b3d5ca5c583b2630247556f9645fbe7a68b067

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
78KB

MD5
66122e7a002f2df252c5010bdab663d9

SHA1
defeb6c7be17c6c721dfa7ef25d220eefc57baa9

SHA256
562f963feb194617ccb3dfb42cd0f57e3765256a0422fbad9d19ddacf35d653f

SHA512
a67ad4fd5b11d00585ab79a2b457a5e4aade374377f6971da6156101ee98518ccccd38a199e9778527b8d44f9e5aa9f0f0d3c2f0f67d10a5525ce2c1ff5e55d9

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
78KB

MD5
63ae994536b198a796d1166f3d93604d

SHA1
5e4b4efe9d4f0a52267a2784ec062adbe64c49ab

SHA256
07a2fcf7fb84869e796d019ee5658225a415c3c2bec9cbfdbc03f42c6ef7ea31

SHA512
624447f4f7ef748b6822dc6b16e07df2ea40047ef461d78f970c8e298f91944805b6fd3cc97b708a92ec238af4c517dfcc118d55e05d0de9d97b4f026f97afac

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
78KB

MD5
fe3862f1c74489092653ef9139f03513

SHA1
970f138035a1a01c18ed34a0bcb4d2199ed99e5a

SHA256
db24f702934f226a4f747fcbb98ac4db006813a6a5bb516a4952064c42b0dcd5

SHA512
914f927511bc1de42fd7ae9e1ba679e2f167a9b6aebfcad235885417a0152fdfb6e65aac64c84ae4ffc2aac7a2414e354ff4f6c84367c483be6a0a43e7bad820

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
78KB

MD5
944225f4a85582256a5cefb297c4fd8c

SHA1
13f69b13ed55f1fd61aa0798616a66fc0c7d5418

SHA256
5f9a27226def90b8a2e1ea35dd8e1faa1ef86e2d6ffcef8948a85e46a6d7c237

SHA512
29b3ca4e6bf260adc5ff9e9534baec034cfa41858fb5f4046b8cdb3792657c0092ccb1f19e69953d30d3fc9234c87656e737fb3ec66f0ff1b296c280b90022d4

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
78KB

MD5
d7cf0e95c945adb4cf126b9e956a26cf

SHA1
d7ff7ff3485b76be62687f30d8b709b60062ef02

SHA256
672e97b1956c3612632f31bf5301618739905d714e4b0760acbb437bf8124892

SHA512
6289644ec430d32dd2632a1a20647914b9e34d6385c3e6cf59ab55a8ff774c7d8b8072c72ef7cd647b6d26e39998d692186e8b7284df07f7856a62ca1ffa3079

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
78KB

MD5
406c8a5d5d7adf1353a7adac87107b51

SHA1
30a53df6799f3db1576dd0712056a688e0cf894d

SHA256
0b516f78f1d3016ea8050db9685d03616869aa8fb49d70aca50126e1020e2010

SHA512
c47179602339b6f4cd1c37418839e1c378124bd6722b4fad668b8e9265bc22768c7a1547ff94aa9119daee300adc1db34f1a8e211563e294822afa5287828317

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
78KB

MD5
34b79fcf5a0175e4a1c202f344793f3e

SHA1
9adebd3c659f30cf7e172efdebe2c7038453d937

SHA256
1a066619f35306d8c3b70c68aba64e4406d49c3e3e1fcadb9f571d3808a14280

SHA512
25e866672c61c17a0fd48f8bbf89db3ad698f0b5ba646b4a4d1c28d417f17fb242a12bb63b0c59069d219137cb5271de2db2c4ba3ff1dbc05f28f7566fa44a94

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
78KB

MD5
0eeb5280f766169311a23af436dccc3b

SHA1
1910375033a2e330fe8580d25971dfb93c937e8d

SHA256
5bbd44b1ce126c664fa7c7842611feea950d90b9aa47e759800ccbb9cfe033b1

SHA512
bf87bf1eb485e1d4d53f9f6236ec9050aa1e9aee0ee635dd3130fd63933e93ee87ae2fab519f4d5e93d513d0c18ec76a21466c2778c8455c0392ff0ea6c14bd7

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
78KB

MD5
916c085f2f15c2708a16a0da57c88b6e

SHA1
c1aefefba5ec11f3952a18cb85cd68616fc83882

SHA256
f6fd5ec416b80e317c739bec9e5c217faa082218e62fcb77d8dba9b11fd3266a

SHA512
50f41dafca2e6cd79097e4ba6693ccf2a9ee47f97de19c7a61a52479296126de93d56cb9b21b2bf8ab4d23a05ff376762995b651cfb52985b5d4bf2186daa2e1

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
78KB

MD5
09492766606a742831ef567d1d80f138

SHA1
66145807f51b6b1082c96c3a4ba8338bb82c035d

SHA256
285583421ccad854780fdaf3d8787b1007aad008da1eb6b95ad579267d417079

SHA512
a274b7acacc087c11f2e6e473b6ece067c9d9708c9b8df2c35299673ecdf61b862f18e03e0654b9d72f484abe613f383271ca67ea69d08f1653229643335a26d

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
78KB

MD5
31ee04be5e0f07274ae3f387b371d5bd

SHA1
033ccbe92fc430357a5c0e88022133c3bb637b6d

SHA256
0c4cf9347133ba64fb434edda26922a586fe2de61f71a152797a002f815f43df

SHA512
c9c32151136599f0789ac4d29d5db16f5370ab8efb2939de74a943396b9db91fe07b2287d424642928b6fc2b566fed0b57d8e8275e36584615a599b9fb40efd8

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
78KB

MD5
2fcc6502bb61553b1d22d1d58450208f

SHA1
714172d0bad230319bbd7bd014cbe6676c82c0cd

SHA256
51293cb88b57da93c42e16db25c66f2de84f232684814d6ed1b576201371e498

SHA512
52710520baff681244e74fd201c4ccd32fc4a0a888c28d08d768836538497b729d5c462bae9fd2fd646aa1364c4e85a9382113a157603297e3bd4e105e0fc514

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
78KB

MD5
28a11115e1fec207370e9f9ac06e06ad

SHA1
2e6e1a36ceb7d0a432aedde42ee2ca405570b8a2

SHA256
dd8433a818b52380fa42a6639f1c2b498ee3353fa83ac8f01c25e73f4e1e8efe

SHA512
0eddfc78ee726539eab150de9191113c3fb817a0c74efb13f88989c75e9d19b6519554a4499527c0b6d6d920b7d52921be7581e394cc8bb70c240ae94d495a07

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
78KB

MD5
1514cf50b8e681e541f59d17304ce128

SHA1
cfc7bf3b7977e767e891c3abe693298b67d510f5

SHA256
e5187d31c89d701276e7b95acc581cbfa3fecc5e5e2ab5f4cd174e37be0d9dfc

SHA512
5e935c37ce93700e2e782e893053de5c877ce255ec5ae81e3b9c0bb16d656606ca4aec898e0da9465cd26616d0386cf09f3d8b056d5b87b70e4722c09ff3c709

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
78KB

MD5
ed454972cc936641940302de623640e4

SHA1
9b93088928170d5b8520ea82213675f9e68110b0

SHA256
8687df5a2c684db2eda7ac895c634828674df83b344c8d73cb3a430d21440cce

SHA512
2b9c06dd8a92e5fd5d10604d1d2e7e1eb5641dea19bd9175de0131cb7a169bc490e0cb3dc7bf9788c8eaf85c6b6a5299e2d3e486663e0cbec64c3beb52f55a40

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
78KB

MD5
8be7c2969c1c5d27c1b19704b10bdb34

SHA1
693d6cd66b064e65347649d053b258ab7749df5a

SHA256
724c00d077125ad9cfdef97210be1f95215d44abd595cf6332c106c69a3c44ce

SHA512
6fe917cc9a895c461b10835464930c0215e3849e4955b66940fcf542b32af1ce62c1e9c823244149b52c1f024857d2e00909206d832eb54a664e6ccdb3e8886a

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
78KB

MD5
85b0ecab2ef747db32438ae629cca2db

SHA1
dd377e0c3eccab9549d6dc70ab36bc53ef501d02

SHA256
0fe625ab01a16a2696546beb0a22bdb502511a154e184e823831b32cfaf3048b

SHA512
228a3c61e34adc174977076a57022ad86718a6ac074efbdaea789edd0540c284726cc2f35badd4b6fe8c01368c8448a5be6e84cc15034160b24708b201aca8d4

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
78KB

MD5
f6f45a5dbbf2e03e7291751cb4f24bbd

SHA1
55b3e2833db5e355309bd2867f31d3b36bea2ae1

SHA256
1e4d7329a37521840b4a7089ff05bb2fa05b156ca2309a9d0c84a5dbdd61d39c

SHA512
4eeb5c8e8cf954f533854859096816a54fb1739d1285cd43e35fd2256d1512c61aca1b901b7d78e3e84649a431b387e961ad399feb7beb2c448b10f076d87c53

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
78KB

MD5
659dbca9d412a78c816695cba9f90912

SHA1
83dd552aac129f4927803bb4f1dffc9f196c424b

SHA256
77d6fe7ab1cb92d50ce6618e3da8267ed82ea446c3ff67466d608168f41e7a71

SHA512
6b7e682e680ff5db774b5d3a35cb5e5869f7ec2412d7c2fc950198cb15492c5d9a8471ec2745d89db91c296cbc884335df20a4a234c3cf05aa7489c59a8b878f

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
78KB

MD5
fb5b33af7ef4e1572f8c37e5ea71e327

SHA1
7d16a4e233131541bcb96957b06f923da86a72b7

SHA256
609bf0df0174d7ec304921655a9317ba72b4a43df6dd80b74a97adc0603b90d9

SHA512
9f2ff2341203b1583e0e6e71db1d911ba2ade5e5140cea4ded430573ba1763768fc1fea6e3a5a6c59892a78dc3bdb8ff1fc0fd53406dc2941c9619e10b15848d

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
78KB

MD5
57060cfcd65a7e0f45a22ec478f7e142

SHA1
a42c29978da51f73e6f05e9287009b8414d344a1

SHA256
b587943b2e9d4bc981647ef12c7c09182686140e9da938660fd4e80832f4dd57

SHA512
307e29c5fc88e82b1273d92a5f05457bcf673123d7a911f5cd186f70aec7dd72ee09e4e433e6599b623c5dc22b051ac5b1bbde8ade6f6ba4ebda043d9bbf1817

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
78KB

MD5
e8c16f832144c1eef26df280dd26ab65

SHA1
6bfc069ced3ad8be6e1ac8e7c0d45de2437c7ffc

SHA256
ced08fbf8797442466cd2e5880c6b00e2a083470cc181f174f79e337f93d6a31

SHA512
1bbc61573de0672b66ab29662b1b2aab3ae97d00f291502546980e16551f1227e65d307f9877a70a59c95b067012d806da3a257924408200f79bd02b5cd38704

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
78KB

MD5
a64150845359475a911f569b135e45cc

SHA1
cea57132d6f29154e1c699d8e7b6016b141bc5f4

SHA256
4a458e313a07ff29f0f224cd4989ac19710be10fcd2891b533b5930b0f1ffe56

SHA512
1ce0b04e715e053d2712c771e6f4aa1101febec34e9ebb3590e52df818382321b6741999172f704895a3d410e311d57269731128239d91559cbc64bb723299b7

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
78KB

MD5
0d4836237bbf4dd0382409e85bfb55e8

SHA1
a0d7b9c2734e2946b6473045c1e5a0032eee2a73

SHA256
bd806650900ab6976f6c0e8a9a778bae8c84cf52ad133b14dabd832bbda4c8f7

SHA512
f563259389ba35589870ae588c188aec6e855d57fefd71ea26dd8d5be091cc820416858f05e8091a1f9176054dd08625c1bf7e37d54eab40277b776582c5ef4b

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
78KB

MD5
e402cc434a348f713f5e93f3803100a8

SHA1
e38bdeacccd5848f08c2e31968d563afce275d74

SHA256
a4acd3be7818fab649f62080948eca39a800f378edd78a00296658e41aca7d88

SHA512
547720a9b189fb8edaece029aae963a7332e48f84374a350dc9d5eec65f9f27ca275d89f6ca813e3174c2dadc57c53aae89196a2dceb6f48e2d0ed6d80cf82ee

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
78KB

MD5
b8c75159f9cb20648c2cbbd45de2eb33

SHA1
ddfc3384ef168b9958666995aeec4fca01446885

SHA256
9703c9ff8e4d34bf32441c382946acafd4133d03230e0037165808e177060ede

SHA512
940eeeff05100487f82b0baf620ac8db91f2cd78be1506dccab268b4784e95b0b94cff6a106e4c17c70ce14fbb0fda610e7d57779640f6668f85104c63d89f80

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
78KB

MD5
441cea9793bc6b6c7cf0bfb8b79ff41c

SHA1
5a30585e4cce05f6fa2441d1a7867dfeb475924f

SHA256
55c397c3da1a9137edbdc5da1f48be2c688f9f7fb6b6ce27099f7d50ef1259a9

SHA512
fe6790998fa33ada868b8c32de276ea5a4182377bf11eb3bcc654a5a8ba8f3906212806a8975fb10c7020bb59aaaed54cf40e049cea46cf4162b0423accde126

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
78KB

MD5
cfa2e6d67f1598a598084edf9912078c

SHA1
b5daa84c311e5c076cdd049982118cde56c83ed3

SHA256
52e2448e3d8c51b09534e2d16e6c990ce009be67bf7fd3de1435620828bf276d

SHA512
e241ad8f5155e8a9913c848a0033c1d1b0f8946e8675e3b78ba7c3538ec2e3bfb922b0d6fa7d08d3ca838a2cc327f3ec02183ad78b599728bcc9e7dd20a485d2

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
78KB

MD5
1b44c130e323cdb1d8f32170d8057b5a

SHA1
58c661edb692cc9088d31e60fd5d1b867d4f158e

SHA256
3a229bcb36defb7c9c20a6ea588b5225e32d5251a0be0a75dca9b96f8b270e78

SHA512
f3547d6561f55970b086c285169a812629c761e22803614eaa8e8a2be63ec0f1ca81b51d84c2a07e1641ee8f166d508c1f534ccb8844d73619af4baa22b24f83

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
78KB

MD5
9405c2af60345ac5dd742aa41f76b8b6

SHA1
ae56fee647618c93b2ac8809d0376ede1e32d7ce

SHA256
58b56437e3034909b3e81f2d169675c4bcb09d912bfc45c5bd6e1dea40afd7d9

SHA512
650473579b3903250a2ab9810d5a60f0b295364599d5fe70778bf2fc48643a21bcff8cf8c54ffa311799fad3e8515e60399ae377c5566b97b18ac2a0273c4b49

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
78KB

MD5
8dd83b7a5c64bfd70105c0dbdd3a182a

SHA1
74053f078944a85a4d119269a01bd8f6b6397c67

SHA256
7dad881d98231370ea9bc4dfd81d13080a74d8109983d38296cef6e19cc7a0fd

SHA512
cc0a2b0b670321d2d3ad4dc8fd5f71cb404574b40d0a80f9d8b71d5e0d6f88f8c7e76c59a2eb0d1627eafcd24ad5193701e77b4ab3e2d5938203c620cf9899ad

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
78KB

MD5
31c308386189e71771c7aaec99f97238

SHA1
9899944a3d5fad86c210a5e588f8cd5b8ebf58ce

SHA256
3b45f41b3d2f4d116cf06353dd42c69bfc3d8cc731f7ecb7e9cecb0ee3001b1d

SHA512
2a0cfa3106ee18acec0b8d538729398f6ce1fe1a7132417e0a41726ccaff8b9853fbacbc48155a4a63c9a64431b766c41c8fb647f6980ae8f1c81d8f26bf6f32

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
78KB

MD5
e9117b6aff04367708e0487953a9249c

SHA1
3ba8c3da40cafe263b9d77783a8fc54ec5d6fcfd

SHA256
fea27e1e4dac0ca2a31619b358a533e55ec44dd7085206de79e24e6db836ef5d

SHA512
d794455552598d7f76b0f33fdd8662f02654b34b0acd798f56fb7b6472b80c845c0a8734d434f90192771c2fc7eccbd55ebe2ee98b393ca9c702874b26cfd9c5

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
78KB

MD5
2ccd21ec52a6b052b4dd168e02289f28

SHA1
0de482e428a8b9d9ec831bf15ae614bd5071a544

SHA256
9c175155b2673f2641036f3966599a1d2ff29376b12082215b3d92ab4fbc1a47

SHA512
111af3d4f1d820eb610479b9169da266d0ad2e5796af8ffb80aff104aa6eb56282aa18af6330cbf799171c61ad095e699088bc287a0762d1fbbad8dfc2a3d188

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
78KB

MD5
5206689bab02f69ba634926879de8f2d

SHA1
f7a3b1cb7a091b7c99c4d9fc8c15689102099a56

SHA256
06c866ad028f8ff22aeff61cc98c494197326ca69a59c48cc533c02a10373519

SHA512
7cfc494298ebb083fdd9b4903e3d25ae05cdb159e8c9fb9156edfaa78b16acd9b87d72ac0bf2446eb76285fb1fe218496dcd578c4c00f718feb53aa7799cac93

Download Submit
memory/620-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/620-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/800-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/800-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/928-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/928-379-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/976-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/976-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1148-392-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1148-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1380-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1380-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1660-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1660-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1720-343-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1972-432-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2516-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2516-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2608-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2608-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-372-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2752-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2752-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2768-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2804-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-386-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3100-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3100-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3132-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3132-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3232-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3232-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3344-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3344-366-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3408-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3512-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3512-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3520-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3648-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3648-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3668-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3892-198-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3892-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3924-380-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3944-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3944-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3952-444-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4136-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4216-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4216-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4324-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4324-243-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4332-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4344-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4344-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4352-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4424-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4424-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4476-399-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4476-332-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4488-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4488-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-393-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4532-265-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4572-325-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4572-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4856-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4856-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4864-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4864-205-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4912-264-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4912-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4940-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4940-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4940-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4944-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4972-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4972-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-350-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5088-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5088-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5096-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads