97e8585b23e0f5d37982c0c15d72ef8c379d5a39bfae0b1a4887a61e1255b8f6

Analysis

max time kernel
138s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf4af0caebeec9dc25f9e5014b06d9f0_NEIKI.exe
Size

96KB
MD5

cf4af0caebeec9dc25f9e5014b06d9f0
SHA1

6e5a42a6c2f7f15a7b8aa67442626917950d5950
SHA256

97e8585b23e0f5d37982c0c15d72ef8c379d5a39bfae0b1a4887a61e1255b8f6
SHA512

db456315b85205edd5e5a003b419eeb040246ba67fa1f97bd7bae1b3795fd91667c683deb34acc26bfc9c4c598d18e851d4b8ae39748195bd1963ba22d572b54
SSDEEP

1536:WvOtmk+LUFY6OhIRGYIyKDn5b2y4okGuhDsAZI0Wyt1/BOmq7CMy0QiLiizHNQNM:ikmkEuBR/9KDhqmA6c5Om4CMyELiAHOi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	cf4af0caebeec9dc25f9e5014b06d9f0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cf4af0caebeec9dc25f9e5014b06d9f0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe

Executes dropped EXE 64 IoCs

pid	Process
2928	Goiojk32.exe
220	Gbgkfg32.exe
4084	Gjocgdkg.exe
4512	Gmmocpjk.exe
3252	Gpklpkio.exe
64	Gcggpj32.exe
1584	Gidphq32.exe
2080	Gqkhjn32.exe
4656	Gcidfi32.exe
4116	Gjclbc32.exe
516	Gameonno.exe
3584	Hfjmgdlf.exe
4772	Hbanme32.exe
2812	Hikfip32.exe
1356	Habnjm32.exe
3436	Hcqjfh32.exe
4432	Hfofbd32.exe
1300	Hpgkkioa.exe
3156	Hccglh32.exe
2604	Hfachc32.exe
2780	Hmklen32.exe
1452	Hpihai32.exe
412	Hibljoco.exe
4236	Ipldfi32.exe
3756	Impepm32.exe
888	Ibmmhdhm.exe
1172	Ijdeiaio.exe
4332	Icljbg32.exe
2500	Ifmcdblq.exe
1364	Iikopmkd.exe
712	Ipegmg32.exe
3592	Iinlemia.exe
1952	Jpgdbg32.exe
1220	Jbfpobpb.exe
5008	Jjmhppqd.exe
1368	Jdemhe32.exe
3380	Jfdida32.exe
2632	Jmnaakne.exe
4692	Jdhine32.exe
2448	Jfffjqdf.exe
1580	Jidbflcj.exe
1944	Jaljgidl.exe
3172	Jfhbppbc.exe
3504	Jigollag.exe
836	Jangmibi.exe
5000	Jfkoeppq.exe
808	Jiikak32.exe
4596	Kdopod32.exe
4592	Kgmlkp32.exe
4520	Kmgdgjek.exe
4868	Kdaldd32.exe
2060	Kbdmpqcb.exe
1700	Kinemkko.exe
452	Kphmie32.exe
2668	Kbfiep32.exe
2088	Kipabjil.exe
1204	Kagichjo.exe
1232	Kdffocib.exe
60	Kgdbkohf.exe
4052	Kibnhjgj.exe
4308	Kajfig32.exe
4400	Kckbqpnj.exe
4480	Lmqgnhmp.exe
4336	Lpocjdld.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Qbplof32.dll	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	cf4af0caebeec9dc25f9e5014b06d9f0_NEIKI.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Dnplgc32.dll	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Gbgkfg32.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Gameonno.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Gbajhpfb.dll	Gidphq32.exe
File created	C:\Windows\SysWOW64\Klebid32.dll	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kgmlkp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5864	5944	WerFault.exe	220

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cf4af0caebeec9dc25f9e5014b06d9f0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odhibo32.dll"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2928	1352	cf4af0caebeec9dc25f9e5014b06d9f0_NEIKI.exe	85
PID 1352 wrote to memory of 2928	1352	cf4af0caebeec9dc25f9e5014b06d9f0_NEIKI.exe	85
PID 1352 wrote to memory of 2928	1352	cf4af0caebeec9dc25f9e5014b06d9f0_NEIKI.exe	85
PID 2928 wrote to memory of 220	2928	Goiojk32.exe	86
PID 2928 wrote to memory of 220	2928	Goiojk32.exe	86
PID 2928 wrote to memory of 220	2928	Goiojk32.exe	86
PID 220 wrote to memory of 4084	220	Gbgkfg32.exe	87
PID 220 wrote to memory of 4084	220	Gbgkfg32.exe	87
PID 220 wrote to memory of 4084	220	Gbgkfg32.exe	87
PID 4084 wrote to memory of 4512	4084	Gjocgdkg.exe	88
PID 4084 wrote to memory of 4512	4084	Gjocgdkg.exe	88
PID 4084 wrote to memory of 4512	4084	Gjocgdkg.exe	88
PID 4512 wrote to memory of 3252	4512	Gmmocpjk.exe	89
PID 4512 wrote to memory of 3252	4512	Gmmocpjk.exe	89
PID 4512 wrote to memory of 3252	4512	Gmmocpjk.exe	89
PID 3252 wrote to memory of 64	3252	Gpklpkio.exe	90
PID 3252 wrote to memory of 64	3252	Gpklpkio.exe	90
PID 3252 wrote to memory of 64	3252	Gpklpkio.exe	90
PID 64 wrote to memory of 1584	64	Gcggpj32.exe	91
PID 64 wrote to memory of 1584	64	Gcggpj32.exe	91
PID 64 wrote to memory of 1584	64	Gcggpj32.exe	91
PID 1584 wrote to memory of 2080	1584	Gidphq32.exe	92
PID 1584 wrote to memory of 2080	1584	Gidphq32.exe	92
PID 1584 wrote to memory of 2080	1584	Gidphq32.exe	92
PID 2080 wrote to memory of 4656	2080	Gqkhjn32.exe	93
PID 2080 wrote to memory of 4656	2080	Gqkhjn32.exe	93
PID 2080 wrote to memory of 4656	2080	Gqkhjn32.exe	93
PID 4656 wrote to memory of 4116	4656	Gcidfi32.exe	94
PID 4656 wrote to memory of 4116	4656	Gcidfi32.exe	94
PID 4656 wrote to memory of 4116	4656	Gcidfi32.exe	94
PID 4116 wrote to memory of 516	4116	Gjclbc32.exe	95
PID 4116 wrote to memory of 516	4116	Gjclbc32.exe	95
PID 4116 wrote to memory of 516	4116	Gjclbc32.exe	95
PID 516 wrote to memory of 3584	516	Gameonno.exe	96
PID 516 wrote to memory of 3584	516	Gameonno.exe	96
PID 516 wrote to memory of 3584	516	Gameonno.exe	96
PID 3584 wrote to memory of 4772	3584	Hfjmgdlf.exe	98
PID 3584 wrote to memory of 4772	3584	Hfjmgdlf.exe	98
PID 3584 wrote to memory of 4772	3584	Hfjmgdlf.exe	98
PID 4772 wrote to memory of 2812	4772	Hbanme32.exe	99
PID 4772 wrote to memory of 2812	4772	Hbanme32.exe	99
PID 4772 wrote to memory of 2812	4772	Hbanme32.exe	99
PID 2812 wrote to memory of 1356	2812	Hikfip32.exe	100
PID 2812 wrote to memory of 1356	2812	Hikfip32.exe	100
PID 2812 wrote to memory of 1356	2812	Hikfip32.exe	100
PID 1356 wrote to memory of 3436	1356	Habnjm32.exe	101
PID 1356 wrote to memory of 3436	1356	Habnjm32.exe	101
PID 1356 wrote to memory of 3436	1356	Habnjm32.exe	101
PID 3436 wrote to memory of 4432	3436	Hcqjfh32.exe	102
PID 3436 wrote to memory of 4432	3436	Hcqjfh32.exe	102
PID 3436 wrote to memory of 4432	3436	Hcqjfh32.exe	102
PID 4432 wrote to memory of 1300	4432	Hfofbd32.exe	104
PID 4432 wrote to memory of 1300	4432	Hfofbd32.exe	104
PID 4432 wrote to memory of 1300	4432	Hfofbd32.exe	104
PID 1300 wrote to memory of 3156	1300	Hpgkkioa.exe	105
PID 1300 wrote to memory of 3156	1300	Hpgkkioa.exe	105
PID 1300 wrote to memory of 3156	1300	Hpgkkioa.exe	105
PID 3156 wrote to memory of 2604	3156	Hccglh32.exe	106
PID 3156 wrote to memory of 2604	3156	Hccglh32.exe	106
PID 3156 wrote to memory of 2604	3156	Hccglh32.exe	106
PID 2604 wrote to memory of 2780	2604	Hfachc32.exe	107
PID 2604 wrote to memory of 2780	2604	Hfachc32.exe	107
PID 2604 wrote to memory of 2780	2604	Hfachc32.exe	107
PID 2780 wrote to memory of 1452	2780	Hmklen32.exe	108

C:\Users\Admin\AppData\Local\Temp\cf4af0caebeec9dc25f9e5014b06d9f0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\cf4af0caebeec9dc25f9e5014b06d9f0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\Goiojk32.exe
  C:\Windows\system32\Goiojk32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\Gbgkfg32.exe
    C:\Windows\system32\Gbgkfg32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\SysWOW64\Gjocgdkg.exe
      C:\Windows\system32\Gjocgdkg.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
      - C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        25⤵
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:888
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:712
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        34⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1220
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        38⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        39⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        45⤵
        Executes dropped EXE
        
        PID:3504
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        46⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        53⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        56⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        65⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        66⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1440
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        68⤵
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2876
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        70⤵
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        71⤵
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        72⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        75⤵
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        76⤵
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        77⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        78⤵
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        80⤵
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        81⤵
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        82⤵
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        86⤵
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        92⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        93⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        94⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        95⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        96⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        97⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        100⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        101⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        102⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        103⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        104⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        106⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        107⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        109⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        114⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        119⤵
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        120⤵
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        122⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        127⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        130⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 412
        131⤵
        Program crash
        
        PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5944 -ip 5944
1⤵
PID:5404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
96KB

MD5
87fe6e51d2744c6a72b9e17ceb269c55

SHA1
ca16acc4438f87a7f9acc3cb2fc18a0679508e13

SHA256
fd5d54f037bd6f5d42b78ffc6485fecd511205186f35186055344bb69f373066

SHA512
7a6ae533f1102015558f4c97dff5d042712d15951c31b6fb7aeced4f5a4b4887e6cb0622889c02ceb2b702d085d8cb64275dac7f43bc19a0ccb80dfbbe4957a4

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
96KB

MD5
7099a294d970433527f8c685b3387f21

SHA1
0f0b6cb199ce194421dac3a2dadc5d79f684c3c7

SHA256
ac2355a9358f294ee2ccf97099d65feb963f8bf2109fc5c513e4298dc038f06b

SHA512
8e401ff6da7b4073da012c15e96f9e875b76159f5fde42e0ec53293027ab94fa4f335f8db87ea190293df86e461713f0fe14b13d71c5f4f85c2b965bf83e0bce

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
96KB

MD5
c228d6f22487eeef2e7009f1dff484c7

SHA1
ea3f4746a7ee8aa7972b0e7bbb18dc227441e204

SHA256
a25e1dc1ffdced1ceed99c91afae74fa8d3d0f5124310d9c869e90d39099fdf1

SHA512
c0679447f254b1561d611b9d326a0de20e6f85ad7a4918381ec14e5d03e5363d3e6df8c55e8d01430bdcdaae3a96a2eac71e00340bc9654f4b4ab61ddd252d86

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
96KB

MD5
f6ba92cf1a8eb58d3d4aac937293695d

SHA1
c1021d172efd5d7065de561da0857fb1be829787

SHA256
d9e1910c2af6b3069126a38faf7f7a2cb6b5917507aaa8f0eda8578584b929bf

SHA512
fe8a21c846def22b144e279bde4d324624b9565eaf192e33b3913494e9b1adbbf8a47c2f09102bf4f1c8601ab6603a39320189ceb9b891ce574399fcd7bf906d

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
96KB

MD5
6f60234507c8ee75dd020ea4399eb34c

SHA1
8573400b0f2da95ea862c7ea921844e3a0518fcc

SHA256
5317ea0fe41393a00db340fd0bd7e93a0d7c695119b47077d6db0044a6f64b7a

SHA512
2a4eb246ca6882f9b6d8f71c9af88407723642933345ed19b4c13090ea7047c8627ac7b6685fa840243d3a6eafb478093920670099ce17dbb2794e601f8cbd92

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
96KB

MD5
04c12793307b21003a2ec1b328b4af48

SHA1
327752e99f52c19d81147380277f62ea79cedbdc

SHA256
ccafa28f42240f4c675291f40cd5a69fadcb79c53006b8398dd771160e6e441f

SHA512
492349fea3080b78c03491e71e372e00e88e4593359f89b125781bc632a7fe1e67f59299c5b2f2270848f6e5d914389ad6cdb7082464db28ab6e769c597a03e2

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
96KB

MD5
d3b213b138b46f2aa975eb47d9ee2aea

SHA1
b45e894b19569a785027fc94e019d1553a2be5a3

SHA256
b4dcb6052c73bc15eec252300ac07285d9cca145424646e8110f4d29c1425612

SHA512
748aff4cb93149a758cc622bd83a41d7d12850ddfeac837278a609b3d16802b10d41c8f5e813dfee2569c9898685d6130881e268a06a9f2709d2f33df7c8995e

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
96KB

MD5
a436bacfeb4274712a0706c8ffd8599e

SHA1
1d89d2eca848aad9605f684c3e085b3b96c20d1e

SHA256
da962463e87275194986cdad3d56785152646d76e2387de537646d238ad503cf

SHA512
1904745168b182895f8a5628c14de314367427df89763298ed5b9757632ed8c79e21197aa26fcc765e7bfa103706fd9d1c269d5232624c2fd72b16ed77455ece

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
96KB

MD5
1782d57493e89809909a035558fe6d68

SHA1
420beaeaf3deee4da0636c760fe066354f759de8

SHA256
0cac2ad7250b6d7c0272a5c853c75351e66f8443e6f079a64f02d91728915dc6

SHA512
5a96aa7264ba4fbfc2ddc729e1199a015aa60db61ef24cd051429df772214d427856d78b552ec1fc90d79327a5284f2615346d10a97dfc268acea3acb3f9653a

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
96KB

MD5
dd16ea32ec237771f6a3b18ef29e0e7f

SHA1
d82938585c368bd701f33c8fd542551139f04f0b

SHA256
5f65146b3bd2a7f982fc3c2d2df46892db417b2f5df8d638583d1e9cb084ce74

SHA512
ec73e5ebd76b2c12df01fd2590faf50c3e65314422c8aced115cff3ad64886c74015562a251986064254c51c40e5862760d61fe52388ac7d291c81f76ad38faa

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
96KB

MD5
15514aed35ecf3f68454350de1f5be97

SHA1
8487c60a309c26d9c71f945032de1dcedd68a3c4

SHA256
2f24741ab728e329a3f0d0cd8e621f016f89893e5a2d58b87b7e9ca3fe114493

SHA512
73753c7da07906504e03fb19ca46bc2f0217e097b66820ff72dc0b0c58a161aad336e96726847da144181534677a0e5907e58e1f6b506c3f44cc6fb89908f42e

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
96KB

MD5
d0b866332c3404d4f6c45e5ed4eb1f3b

SHA1
63efd5b2d39f934fd658d49f34f9618d422a9357

SHA256
e09d18fac166124d0d20344c4f2166bde3806a8a10d51de819a32700c96ce27c

SHA512
c7cf4cb4d34fa8cfafc89b26a4699f5035141cb03044f30a3723450f7a6baca9022a169fa44aed0f4f98bf674888f843e7ac651c36a19cbc050c3fd063f08309

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
96KB

MD5
f36475087750b64c370783ba89d62f49

SHA1
aa79fe0f23443d8c7917a064e45b208856f6bfaa

SHA256
2ee2f2655a21e1d6deb36c440b24e60c1b2d310c94517a2a7462d6ec8ea6ca09

SHA512
a1ee8706c0d69b3ea73547086d07a80495750b0bd878a539a77b665a6e9f8faf736217d4564aaa7a99c0b248719870d5b071773401c402772766d220005f0ddf

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
96KB

MD5
1595c4b456cf72319b42670a0e1ef50e

SHA1
9eccd6cae79403b319553d8f3fc67b727c8d67f1

SHA256
bc8ec5e23b20a1aef936ba4301cb140ed6e2569dd48535743371f7e15a4df42f

SHA512
29b30480c2fb37b4f04bf8ae63f6171e8b861d6c47e906a1fc3cda4cb3d4b8315a54274477af0c3ea8d67ed94023c378201992abb5eade9c9f92a2cf21cf8ddd

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
96KB

MD5
8ff54cd51e7b3c30ee66c25085768ee6

SHA1
89ccc71967e7ba11efc03fa92e1aa7e95717a4d9

SHA256
4349d8e88cafa7cd71983d7f9b628e5165dc6f3e7befa613ad7339f0ac275555

SHA512
8156c3709441d0f752c7ebafabac00c0f70d1b313966382f03bf4f28800d5b48b2e4c7d6b97de221974fff19e2f00ced664463acb8e5b391af7b0a904620cc73

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
96KB

MD5
2eed754afab9335173df5417beb42269

SHA1
b3f18b7b8748663ebaafabc7aef5e288960c6c2c

SHA256
9ae788ea88da074047cce93664114cd399b769c957e491640a39d1d3cd86577f

SHA512
88f13dc5dd60856313640edcc0952b2db05eed7d8fe5de5aa6a888e997aac59efc9a4dd503c8d5bc91841128c661455ef3273d5b2aae17bae6a8171973d8439d

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
96KB

MD5
2d525d16b169380680d2a4d76ba4763b

SHA1
72c71b66c8df5cf445acde0e7fc69fdf1f836a5f

SHA256
84072ef551e818fb8e024990895f219a3c95755d236278d4f740c83a67173903

SHA512
3b57d91004050aa22b5d8f79b12cacf09f08b795665a4725b15dfd91f16c6a95471bb6afdb451ca6cc030737ff5bc0fe547732980d99558c3bf6574d3f7fffc6

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
96KB

MD5
5717c62618ecac15d60bf59bc9cef1c3

SHA1
b8db1cc3ef421f72c535873791427d00c75fe9cc

SHA256
953ff54b57c96c4b9260a39d9debcb20a3518011e17e69d980c7a5231aaf7cb0

SHA512
b0449941a946f5e4ba6e641809b305bc856b45467c3615a3c8f0b54166c6a328b880414e2c71b2aa957bceaed45d97437580bc11300a90e46c8e9ceee73b84db

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
96KB

MD5
d9e20fc4e9a96f698983124a6e213729

SHA1
2e216cc95df8581575cb912595b27236bb80be86

SHA256
8b70a5d53f518c83667dc629d2df981bc1be47fa409a2ababf874728efd2232e

SHA512
466c6808f1c11d326f2d12a2d923488229b0ac5ecff31cdd35d1c7140bc1635b48646eff3541b88cb782dfc821232deb9a076cc3d4ffafe704695c67098a5570

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
96KB

MD5
58d20e42b047d058e9b06629f74927b6

SHA1
8c87e000e9d2b7674182471d90a5cc35cc312ba2

SHA256
549d24bacf5dc4ed4ecbe2d67730101e9a7306aa808ceb92f991a667213bc53d

SHA512
f3072883c38a3f29fb6b1d51e8c4ffd50d5c1b2dfd54b179d8fbdf091d9a2afda3a4628bfed58098d659e4fbbf9defd26401cc8ede6d9774d221867c905989db

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
96KB

MD5
23d7cfdaaf2d09aa503ae856903fca98

SHA1
2889ca44c23107a1022d67ae0c001453a15ceefd

SHA256
feb24320d6e4686b278bb1aa2880cf7fc62679e366d187d987a32c0292ed89fe

SHA512
2a9129b9044229eb27205b3e6a76f42f891195594a4f9f0ba8cdb5f9946c5c0d469e149696cb489140079316eb23200bdbb8371d71f86bbd0094842b22520337

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
96KB

MD5
f2738d8f3bfde9b118d0f2efacb24191

SHA1
a227b601f40e2648f376ac0ed654ae26bece6954

SHA256
d87ba080c5f1bb47c3ec91883db1e36726baec9d5cf3e766005d3d8d4a98fc04

SHA512
ce1fdebc546f5f3f0b45de800074a3f63ae04250f099ef23164b7d2ddb64ed101554fff9bfc3ddd7daf17f308b378b34f43fdafde067e03e34d65c011276740b

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
96KB

MD5
d9787de74b34b534c5c724330fcf3f76

SHA1
559cc5d4ff659d9ca174a9b3a13cfa2ad939c4e9

SHA256
5ac6840fda5a3b6e796e5981be0fb564aae9d82c4ff16a7bd8aeacc88a96148d

SHA512
bb7616ba391108aaa2f91ba38241b68df20cb275ac040b0ab484e76717adc12c5d36d15bbc0857953fdb8bfbc6b8041bae9b96e8d84840f54fd4e4bf8afdf7ee

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
96KB

MD5
a4c53ef566f24ad9e9b4d4510c4ca641

SHA1
514d067ec15642ace5c6fe128592dfb43ecb6c89

SHA256
ad8ff43bca0712f1a9c62f4ad832674398345cf440da7f0fdd73f6e14d47b0ba

SHA512
690c1d0f9f2c51cad0949634d52709b6276c1d4847e7623fece0a8403cc4096e9e6d386925c03b166cf1a6bb6173fdddb521c0f594dcd14b4eb560c4571a6c96

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
96KB

MD5
abcbd97dd0325d1b68c9f926ebd0f11d

SHA1
ebea2487ca9643f38679cdd0e2a98a45b2c677e3

SHA256
765c638cad865b21f6e6201533f324cc9e344030cc2ca44a5cfe1217cc1ea2a3

SHA512
1e2fb603a2c8df0461455b46f875d75225906d0c3d4b3b1b5aa88e6ed8b3c9ec7c21d138e51992685cbaa8af6e944509d1fc660223d71ab2110eccb7d47b86d0

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
96KB

MD5
3a6060fef161669d00ec96cb9e20545b

SHA1
f45ecaa4f8f7019c93943b2f9a8a22c12a1dd62a

SHA256
c92dc0ea49e0b98831c0f821da90a849e50790becdb26596a9e2da86aa049006

SHA512
056e85821b6161cc6b1475ad62baf1c6bd7dc40e431d3d9cc528c9e53c1baa89526f8efc5f9e803c38fc161148706890ecbe963099545cd7a7ec40626445da5b

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
96KB

MD5
d44d594be2c4e2be0e0055383b655a0c

SHA1
97b062baab2df79024f091ac87da595c9d5e65ac

SHA256
cd3939f50052406bb2b320cf6b081eee1983ae25ae6f8d387e4ee91610917e50

SHA512
b9de2a4e6c712e95eca94248587aaccfec88da07f77e6c5d64c6b37e032bd45d76e1a6287e70e33487849c8f9799cbe0a0d560ce3e095b891b009b8b95d4b12b

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
96KB

MD5
a0b86f91a3d4cac5231cab875e2579cb

SHA1
6b1749fc9d01ff7090672d45aeda060390ce9e87

SHA256
bf9a369b618f5a233c008a61c87ccce6e46c0260dd0d1b25086745a4fc2457a7

SHA512
f809e49efa0d9ac581ee38e58ceb02c010e5ae05d98617ac4bae65fc74ff630b1fefc99d27e48aec719b20ff4bcb865cd4d73d4eb845abeec5291bffc8b58db5

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
96KB

MD5
29a226fb76acdefe2a693aa09a85eeee

SHA1
d8b677eca1b3e3efac3ae6ee8fedd7061d072646

SHA256
1758da5807dc10edd7a872997164db48f1feda103d4c1e380a3356f8c68497c3

SHA512
297078cbe9b47141abe12f8e7d9b72b94ee771d8ddf16c993d95bac5117be14095b5720cc19afe33d15c9521adfc079fbf26f0ca35f5339c3c861dd76395fde7

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
96KB

MD5
30521dfad0867f5ef236ba23d2097b7b

SHA1
e6f99c447bc299b511dd6f57203697fedc18e8a9

SHA256
1167d930de1dcde3c87db24b8fe706f28cb82641d9461657bc51a49640728879

SHA512
6068c4d039a6c13fc3aacbcad67ad235a8eef57527867c39b7cc436191194864448cb4878bbf313db9ca390170d4d4e01fbabd915e59126d8597cf6b1f2f522d

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
96KB

MD5
c2290ae9d1bfdf6bd06ce8bd530a04e5

SHA1
14b00399f07a5f5f37b1986b2990b7718ab43391

SHA256
824b6bdcedf5cea75fc6c78f43ce89773c5e0824cabd952f54adf89fe8dba037

SHA512
dc9d5fe23a3fd617de77d32f612b4fbfd1d50288675599292973f1600019243772c03c335feebb481c1ccc928ef22d99c3c2e3da2f8d4a43f4d3d63db84b3471

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
96KB

MD5
37abdd2846639e32df074c5eb4aee3e3

SHA1
3b4bd4d16cdae066cb04f6a0ea9b218ad665cc35

SHA256
0456f97e0816040aec1c76fb4cbe882900b5a6f6b27b71b858cdc880da9993ea

SHA512
f2a7b13d65ef437266390f126d6e9abdffeaeabb37ab9365b553e4bdf0c5dcfc8f542e7f20bd41387861453bbe83f2f137a474ed0937c16fb52b75279bca8904

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
96KB

MD5
55683bdee4eba613c6bd07bd59b108ef

SHA1
eb7b510082a45afd094ff2f5d28c176ddd9e21ae

SHA256
2ed9ab57b827d80eab9d9267c696bdec766e86b17077696bdf3eb39da0c00268

SHA512
8a4a94fc86a30b66ff487677a15b7e71a8cb5e522589825d5ee677c51ea98db0a6d06f787dac98f88c542126ac80ccef04faea0fc5b609b849458f1fb0dd726b

Download Submit
C:\Windows\SysWOW64\Ocdehlgh.dll

Filesize
7KB

MD5
d113526e36ce797fa2a16cd867f4272c

SHA1
4165d0212168ea16ac457a393be717f7774ef4bc

SHA256
04402268a1717885999a4b15d35a7a8dc6b3f35d9cd5304ff58532516e6596dd

SHA512
41187c72c0b9d98320577ac77389104e8d0e7bb7be944fa02bbbb5c447fc2a9049405b5af49e070f1fefa0443d307f2a3718b0e2933705fc328d0640fa0c075b

Download Submit
memory/64-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/64-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/220-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/220-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/412-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/412-281-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/452-428-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/516-177-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/516-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/712-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/712-266-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/808-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/808-444-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/836-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/836-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/888-227-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1172-308-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1172-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1220-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1300-155-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1300-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1352-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1352-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1356-213-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1356-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1364-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1364-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1368-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1368-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1452-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1452-273-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1580-408-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1580-336-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1584-141-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1584-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1944-343-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1944-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1952-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1952-282-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2060-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2080-150-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2080-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2088-438-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2448-329-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2448-397-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2500-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2632-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2632-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2668-431-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2780-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2780-265-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2812-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2812-203-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2928-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2928-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3156-164-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3172-354-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3252-44-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3380-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3380-309-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3436-138-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3504-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3584-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3584-186-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3592-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3592-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3756-295-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3756-218-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4084-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4084-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4116-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4116-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4236-204-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4236-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4332-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4332-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4432-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4432-230-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4512-36-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4520-398-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4592-391-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4596-384-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4656-163-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4656-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4692-390-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4692-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4772-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4772-195-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4868-409-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-437-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5008-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5008-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads