b3156448de0a7c6b6be19750c5259d1cf0557e7e3ff1b7bc60f89333c93f798f

Analysis

max time kernel
137s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00cbc673ba3b5a997b5e6d4558302610_NEIKI.exe
Size

124KB
MD5

00cbc673ba3b5a997b5e6d4558302610
SHA1

7406acd39240f183e84089781346957c76be8a91
SHA256

b3156448de0a7c6b6be19750c5259d1cf0557e7e3ff1b7bc60f89333c93f798f
SHA512

40a7c7180b36f8ab75c88c5ec7dc6f8f0e411a11b40b588cc7d5c54d8dfdb026225761bb699ae81f92acbce3e467280fc9bf0198b63bfca17689a7d7ccd8a5e5
SSDEEP

3072:in7ZquS+vFRRRRRRRCa0j6+JB8M6m9jqLsFmsr:UZqJ+GZj6MB8Mhjwszr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	00cbc673ba3b5a997b5e6d4558302610_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fobiilai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe

Executes dropped EXE 64 IoCs

pid	Process
2812	Fqmlhpla.exe
2844	Ffjdqg32.exe
2080	Fihqmb32.exe
816	Fobiilai.exe
3404	Fbqefhpm.exe
3232	Fqaeco32.exe
2800	Gcpapkgp.exe
2352	Gjjjle32.exe
4232	Gqdbiofi.exe
3932	Gcbnejem.exe
184	Gjlfbd32.exe
2000	Giofnacd.exe
4812	Gbgkfg32.exe
316	Giacca32.exe
3832	Gqikdn32.exe
4696	Gbjhlfhb.exe
2700	Gidphq32.exe
3192	Gqkhjn32.exe
2216	Gfhqbe32.exe
4876	Gifmnpnl.exe
5032	Gppekj32.exe
1956	Hclakimb.exe
4636	Hihicplj.exe
4652	Hapaemll.exe
4272	Hbanme32.exe
3860	Hjmoibog.exe
2632	Hmklen32.exe
1244	Hpihai32.exe
3076	Hfcpncdk.exe
4332	Hmmhjm32.exe
2172	Ipldfi32.exe
4440	Iffmccbi.exe
2056	Iidipnal.exe
5048	Ipnalhii.exe
4552	Ijdeiaio.exe
2196	Imbaemhc.exe
5080	Ipqnahgf.exe
4656	Ibojncfj.exe
4880	Ifjfnb32.exe
3948	Iiibkn32.exe
1252	Ipckgh32.exe
2620	Ibagcc32.exe
1416	Ijhodq32.exe
4428	Iikopmkd.exe
3508	Ipegmg32.exe
4084	Ifopiajn.exe
3568	Ijkljp32.exe
3236	Jaedgjjd.exe
3604	Jbfpobpb.exe
4112	Jjmhppqd.exe
3692	Jiphkm32.exe
552	Jpjqhgol.exe
3412	Jbhmdbnp.exe
628	Jjpeepnb.exe
3968	Jdhine32.exe
2140	Jbkjjblm.exe
3048	Jidbflcj.exe
1000	Jpojcf32.exe
3400	Jfhbppbc.exe
4488	Jigollag.exe
4376	Jangmibi.exe
2676	Jbocea32.exe
2412	Jkfkfohj.exe
4892	Kaqcbi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fqaeco32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Hihicplj.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Fbqefhpm.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Fihqmb32.exe	Ffjdqg32.exe
File created	C:\Windows\SysWOW64\Gqdbiofi.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gbjhlfhb.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Gifmnpnl.exe	Gfhqbe32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6384	6284	WerFault.exe	231

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ipnalhii.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 2812	3420	00cbc673ba3b5a997b5e6d4558302610_NEIKI.exe	83
PID 3420 wrote to memory of 2812	3420	00cbc673ba3b5a997b5e6d4558302610_NEIKI.exe	83
PID 3420 wrote to memory of 2812	3420	00cbc673ba3b5a997b5e6d4558302610_NEIKI.exe	83
PID 2812 wrote to memory of 2844	2812	Fqmlhpla.exe	84
PID 2812 wrote to memory of 2844	2812	Fqmlhpla.exe	84
PID 2812 wrote to memory of 2844	2812	Fqmlhpla.exe	84
PID 2844 wrote to memory of 2080	2844	Ffjdqg32.exe	85
PID 2844 wrote to memory of 2080	2844	Ffjdqg32.exe	85
PID 2844 wrote to memory of 2080	2844	Ffjdqg32.exe	85
PID 2080 wrote to memory of 816	2080	Fihqmb32.exe	86
PID 2080 wrote to memory of 816	2080	Fihqmb32.exe	86
PID 2080 wrote to memory of 816	2080	Fihqmb32.exe	86
PID 816 wrote to memory of 3404	816	Fobiilai.exe	87
PID 816 wrote to memory of 3404	816	Fobiilai.exe	87
PID 816 wrote to memory of 3404	816	Fobiilai.exe	87
PID 3404 wrote to memory of 3232	3404	Fbqefhpm.exe	88
PID 3404 wrote to memory of 3232	3404	Fbqefhpm.exe	88
PID 3404 wrote to memory of 3232	3404	Fbqefhpm.exe	88
PID 3232 wrote to memory of 2800	3232	Fqaeco32.exe	89
PID 3232 wrote to memory of 2800	3232	Fqaeco32.exe	89
PID 3232 wrote to memory of 2800	3232	Fqaeco32.exe	89
PID 2800 wrote to memory of 2352	2800	Gcpapkgp.exe	90
PID 2800 wrote to memory of 2352	2800	Gcpapkgp.exe	90
PID 2800 wrote to memory of 2352	2800	Gcpapkgp.exe	90
PID 2352 wrote to memory of 4232	2352	Gjjjle32.exe	91
PID 2352 wrote to memory of 4232	2352	Gjjjle32.exe	91
PID 2352 wrote to memory of 4232	2352	Gjjjle32.exe	91
PID 4232 wrote to memory of 3932	4232	Gqdbiofi.exe	92
PID 4232 wrote to memory of 3932	4232	Gqdbiofi.exe	92
PID 4232 wrote to memory of 3932	4232	Gqdbiofi.exe	92
PID 3932 wrote to memory of 184	3932	Gcbnejem.exe	93
PID 3932 wrote to memory of 184	3932	Gcbnejem.exe	93
PID 3932 wrote to memory of 184	3932	Gcbnejem.exe	93
PID 184 wrote to memory of 2000	184	Gjlfbd32.exe	94
PID 184 wrote to memory of 2000	184	Gjlfbd32.exe	94
PID 184 wrote to memory of 2000	184	Gjlfbd32.exe	94
PID 2000 wrote to memory of 4812	2000	Giofnacd.exe	96
PID 2000 wrote to memory of 4812	2000	Giofnacd.exe	96
PID 2000 wrote to memory of 4812	2000	Giofnacd.exe	96
PID 4812 wrote to memory of 316	4812	Gbgkfg32.exe	97
PID 4812 wrote to memory of 316	4812	Gbgkfg32.exe	97
PID 4812 wrote to memory of 316	4812	Gbgkfg32.exe	97
PID 316 wrote to memory of 3832	316	Giacca32.exe	98
PID 316 wrote to memory of 3832	316	Giacca32.exe	98
PID 316 wrote to memory of 3832	316	Giacca32.exe	98
PID 3832 wrote to memory of 4696	3832	Gqikdn32.exe	99
PID 3832 wrote to memory of 4696	3832	Gqikdn32.exe	99
PID 3832 wrote to memory of 4696	3832	Gqikdn32.exe	99
PID 4696 wrote to memory of 2700	4696	Gbjhlfhb.exe	100
PID 4696 wrote to memory of 2700	4696	Gbjhlfhb.exe	100
PID 4696 wrote to memory of 2700	4696	Gbjhlfhb.exe	100
PID 2700 wrote to memory of 3192	2700	Gidphq32.exe	101
PID 2700 wrote to memory of 3192	2700	Gidphq32.exe	101
PID 2700 wrote to memory of 3192	2700	Gidphq32.exe	101
PID 3192 wrote to memory of 2216	3192	Gqkhjn32.exe	102
PID 3192 wrote to memory of 2216	3192	Gqkhjn32.exe	102
PID 3192 wrote to memory of 2216	3192	Gqkhjn32.exe	102
PID 2216 wrote to memory of 4876	2216	Gfhqbe32.exe	104
PID 2216 wrote to memory of 4876	2216	Gfhqbe32.exe	104
PID 2216 wrote to memory of 4876	2216	Gfhqbe32.exe	104
PID 4876 wrote to memory of 5032	4876	Gifmnpnl.exe	105
PID 4876 wrote to memory of 5032	4876	Gifmnpnl.exe	105
PID 4876 wrote to memory of 5032	4876	Gifmnpnl.exe	105
PID 5032 wrote to memory of 1956	5032	Gppekj32.exe	106

C:\Users\Admin\AppData\Local\Temp\00cbc673ba3b5a997b5e6d4558302610_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\00cbc673ba3b5a997b5e6d4558302610_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\SysWOW64\Fqmlhpla.exe
  C:\Windows\system32\Fqmlhpla.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\Ffjdqg32.exe
    C:\Windows\system32\Ffjdqg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\Fihqmb32.exe
      C:\Windows\system32\Fihqmb32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
      - C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:184
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3860
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1244
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        33⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        39⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        42⤵
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3568
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3604
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        53⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        56⤵
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        58⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        63⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        64⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1192
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        71⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        72⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        73⤵
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        75⤵
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        76⤵
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        78⤵
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        79⤵
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        80⤵
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        82⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        83⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        84⤵
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        87⤵
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        89⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        91⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        93⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        95⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        99⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        101⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        102⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        103⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        106⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        109⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        114⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        115⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        119⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        120⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        121⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        122⤵
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        125⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        127⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        128⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        129⤵
        Drops file in System32 directory
        
        PID:412
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        131⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        138⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6156
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        143⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6284 -s 400
        144⤵
        Program crash
        
        PID:6384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6284 -ip 6284
1⤵
PID:6352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
124KB

MD5
70c5838a02877431772260453b66a514

SHA1
3d8ec06cdc21bef9cab5aa7182f81f3600876cad

SHA256
7e8fa4ebe656550980c2d8829aebb7d2d8434a49df57123e850e38374dacd3ff

SHA512
a03a699e6e490c080264d4fc173544285a91a8c24d85fe115e50f1aef9fbec3c0c6c1d5d7737510672786e0a874fadcbedbb95d98ae9d7b36fb8c85952fb381b

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
124KB

MD5
9f560d3a5be076ad09fc61f25d005944

SHA1
806298e85471a7612f8d536476dd23be9dd09344

SHA256
7426a382517cafc045778d0f173f65890d690335efa971bb456528c0ef40064d

SHA512
14f5d99edce0a84b466e44a210d1a31b2e92b23ef41ccf7c745f202c1254d16502fa1076d2ae5e289d59dd04bfeaf9388a36e161450a5c199d9d133c503750e5

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
124KB

MD5
5fe6f03758b424c33dc592d27ae07e7b

SHA1
2a0098656e0ae03d589ac9a236d49fbb00dea434

SHA256
20edbf4bf98e175996bed21e43b7cddd0708a7f97e1e467de411a010fc423b6f

SHA512
5e39fe78f4b6c4df974fb10f178368233e899663f168eda9ce8c75996ea5644850ac8d4cddcf227f4c13fc14c41a9e584835402aa4266631038c1851b2d06729

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
124KB

MD5
191b35492e9d53992425a8aceee17c74

SHA1
c8ac24ae17ab51708aa4a175d6711c7df29c8920

SHA256
a9999685ccce17bfd300639e714259a460aee4fd7a496dde2af800d82c1abf22

SHA512
92677dbe174d965785786012246977dd0acb72a0b03f056038f3f41d195db9e97bf0e44c79ff395a7ba19bb54527112d5224f26191a9612f1092f2c0e0662ab9

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
124KB

MD5
80e2475349b1671f265c2457aa68b1cb

SHA1
124393836d228dfca191b9db61b0f646907c77f2

SHA256
ad067c4f044ff9f73b4eb4091ba1042f60760f7faa3960c8b612dd4f0a76ccb1

SHA512
5f8601afd2b53c24490ee94e5f9687c41251e46d82bd6081ffad548f00f79f1db8933afb7efe4309ba0595d978ef4f4957c326196592a7f1b2b33ec2c3c1a4e4

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
124KB

MD5
8804e142fab49171a32f763476305636

SHA1
60c717429b32d7297d3bc3220ed15a24edee9d44

SHA256
b6e8134b00c830bdab70f69ef96c5d2dd945c1ee9a05128692837fdb52f40add

SHA512
4f834611f8baeceabf1ca8f06c26aaf7049adcccda6458902c69ed95f80b7bda0165a20659b722e703615ed8755bb21cb5706dde9d4b6e3371232d2f6e02e342

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
124KB

MD5
dd2d8de5ac9ca00f502a7c4374596a45

SHA1
8d567b67ef97ca0716222965f89fe90ee0612e08

SHA256
b9a6f931ec6145ef0e059a01e80a2b894d504a325c30fe8dc6c8d05455dc43d7

SHA512
b35ab1e843eb8e965e31ff59e55ee5f581e0a1bad96d46dd86d1743645ca9a47283675b5e57007bc4f3d42c4feeafbe5f9f394c3fb2cc3481e98f97ef9e05707

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
124KB

MD5
fb8014063cb227389b87a9a2bfa8b98d

SHA1
dceb710c87d07508fb2c07a31e0581a29f9efdb8

SHA256
833f463287b0bbc3d4ad510ceddfe4243ac57d1de3da5267a58f46634a63fbba

SHA512
6c5399ad0a41fc24e72cf3492a7134999adb610e16032fc1876ba5ccb3b5b57e2321a9c5cd8d6c3926bca0e969b9938827fa53e8ba221baeaf90ed2b5b145567

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
124KB

MD5
9b2ee5e64ae88ede73d97aef37f829e3

SHA1
d17dfe4ba6091bb80f411c2083aa4bd8907f7cc5

SHA256
c24b75de09e22a75e64dd1832052f57b984f20626be419a13ced719e32d88724

SHA512
16e64707111635ade7eff42ce48800e3219853553ae4bc9b005d80db3d3824b93e2e6ee151cd921c6da262f1ed955e6bc81e11735eba6be8ac1fbdba40e2a585

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
124KB

MD5
2991610440b55622b123aefc31c2ff8d

SHA1
eeb7cf7117cdaa9e65126269834df8493f8678f4

SHA256
bf04c583bfef6abb8a91b5885d88be1dd0100ffc3368a11b54cb88d97ed96323

SHA512
d9203f370a674a9b6d0ea1e0fd380a7a53642e6c68aadd34912f2d7e65455343169d93ea9d30b21c5d5ab79f31087236f78c326aa4bde71ad844cee67ad9a8dd

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
124KB

MD5
a99c105e36ce45a21f6e6e156051a8af

SHA1
fec0299a70e484ca1c0b6fa8569c75ebf781ea28

SHA256
ca749f7a21548a7ed1b3faa20a34f1feb1fe62f84e5b7bb4535e9b0cfb44b807

SHA512
7b9f9da06c44e4ecacaf215c2aaf956e0f86bc5348840e453e1bbdbe4aab174ca778ee0ecda449eb022e9bd2a2a93d16e069a11c03143f4dd28d6d4520bd9810

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
124KB

MD5
760008be5ffeec59e5c6b88c0e66d5bb

SHA1
cf8f0c938a88665f425e2b03c959ee1626661e91

SHA256
3e906121ea6578e78d897f3b891ec857eb8b9ca22c1693c7db14bd11a015624c

SHA512
784775d166c69a09a40e3ffb232a537c0828e53d95047d0204cc11d7067fd5e7aea556b4e91189187804389125bc64bf0e0551ea46204d2bd3157905f487c6f7

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
124KB

MD5
d66b41bfae8cba85a3f2e1964c3b4925

SHA1
8b515a826bfe0e9ee0cfb74d31d1e370ccdb79c0

SHA256
20b0ca7ae88ca6e5427d983681476071b9608bc2162d73a861c14655ab97b7e1

SHA512
21b1e53c1a4c0a497d753498bf2bfb24b715794c698436998205377018afa7e2d13d3977fa9f8ab4685cfaf6ae8d8cdcfd2d2afaa2b371c2b07c3e3783bb847b

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
124KB

MD5
9ac008117109c5e06d77df42d4fe2a27

SHA1
b74ed6560626805fecbce06eeaf32c76a9d3373d

SHA256
68848c2501e74c67ce0136c63b46290c1b84fe7fb54eb84e280ff352dcc48583

SHA512
d554290ce966ce8b1e1560fc8eb49bf84def308bb42796824423049b0eb6110ff831a180a0568e43fd8da3cb88529dacffd617e43c93b17a54ab55d7441aa8d2

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
124KB

MD5
4ade3ed848857f48e27c17e94125bd63

SHA1
a9658a59c6946ee0d96c67320b6046325ddec0d8

SHA256
fb7f91ba6d0db43f3559be3daf1015612685dc5850142f06f7bc875d2f5961f7

SHA512
85a3209abb30188e6dfb82330ab5ec2bb4aeae2e59c44b3536718027a470fea41e81b3b0242545914ba976093b4da54806ceca8a8e572654134adf8866dcc1a2

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
124KB

MD5
02a48635fd9b9e13a5adeb6a93896d79

SHA1
42f3201885544d8fa109119e793152619ae90bf4

SHA256
c16ed6e24ac08d1c4f4b01d47bccce91b227251d397b25936f1c34a36f3ea663

SHA512
1a0608cb209ea344303631ee6c44964c640318e410eeccf80b1a8bfbabee5b7a56193398fe5028042c7a202e5ef59d936897d51b6b8d87b9ce38384a72c52641

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
124KB

MD5
5be1490142fa6ac8b52258eff271ec3f

SHA1
22f3dd60c1849c75698d0146c71f1c52f6014f68

SHA256
d965fb08e42c33db31dfeb18f31ee77889dc28f9b12cb7e3ba4a3618de665171

SHA512
ff8f55d38969a9801377b8bf9f72648f5d4537609fbfaca67d18db593cc00b024d68dd820943a5875da115fcec48ad91f70c3bd63bd9c0a0c1f65679bb3db46a

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
124KB

MD5
ae5a1bb5541f61698a818ca5b9324c34

SHA1
701c0ee860647365e4c529c0d2f5abb7416e4e7f

SHA256
f8077c976a0c1b8d3af93d3fa312c2a06bc1e8efb6db79553acad7ef1f226790

SHA512
f83b22c5cc7a001bb948b919cc926e8c44e3639bf40f8572669d170b8e8cc5411617840f6ec00b7ab8d2d6c90890e4fa97105c0cec9f6c079add631873363390

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
124KB

MD5
ccd1ece82e90fe1cbeee7693cc49ddc3

SHA1
596f50edfcf7e0561bd2671f540b9c49c67237b5

SHA256
585886359a96eebd46aa08d00d1d0f6f23b1bd2f6d2482fc5d1f41f324dbbba0

SHA512
563fb8ad49a3aeab86fbef268173cbfd23cdb858a1be52389189cc0da156a89a87d338994a147a3264d101214c2a629e471b9bea95b1c749bc19a54e7b24911f

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
124KB

MD5
e7756340d3ae962220061065ecb23807

SHA1
17875db55c36dd17a1a5a982df827257e7f46e8c

SHA256
897473fda82ee805b75d542d488b2ae350168dca6cafebcf01d376a9e6f73b51

SHA512
c8e9c4bbba7bfbef8043f750a5a36aac66e44865298310f1e089baed91178e10c557b0bf871f113773bb63a96b0b050c57ef58e9fa12bf3dfcbb0356716ab1bb

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
124KB

MD5
74c57fed5979971565f3b178e61aaf0d

SHA1
a160a02962c565c18a8cf2d4d592d1ce8bdbda36

SHA256
109f418d27584a7f283744afd36b60a8993b8ed57c52f1badc4e1b4b0663c7ca

SHA512
c641f8bf0fb86b3d1d2a687f53d8a97bb306565668965130a3f7659691382e4ca73e168a6dc48a60bb31cebc3bd41d6b4129e5a546aabee61adf510869a2e43f

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
124KB

MD5
ae5f6e28661f4bf21f4da52e856c64a0

SHA1
60c8b770068a55f03a34079444a314a6ff935417

SHA256
b5c37e102394173299bca963a9a0e70dd8dbde637e44de2188abbdc28d5611e7

SHA512
3991a7223c6cf01b0d2263fa811fdc2df4440e585a084444a5a9d0f684f1f9c1e3acc46f7a51f12b80df6abfbaee79b75a14b96990e2f3b626bfeccf3f499f76

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
124KB

MD5
1e6252f030b1239f018d3a96af27d29f

SHA1
6146758eebaae27d693e833c538be0ae7e78c0ce

SHA256
dbf47937e649823f3940b35b3bb5407fb9ffce3489f32d31d827ec0e21078751

SHA512
719a9bd3d754f714774485f2a224aa4df64ab50457f229018d22e21acc49cb73afcd3edbd757f3444ed5fbf46c88fcbafbaeb3f79b48530b6aed31222d21cd9d

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
124KB

MD5
9dfd55f80696f4958cb9684da40112ec

SHA1
4c861a2fbc3af0c0816b0ca791b97a6aa89d3e93

SHA256
3066563d7c063b1898f219fe4424c841cce1513337edd551df2a6e4213cf87dc

SHA512
540068c708968d1c754c029d987836577ff0d6b50006c5bed4774205fb44ea0b3460de2ba2f6762db280deb421b58cf94f445c9512434b44ab8d21aaafcbbb44

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
124KB

MD5
2765aa78e9e53d7393b9db9ac31d9b37

SHA1
1106db05e8ca1046b614a02a6d283bdffecc8193

SHA256
db3fa2251b4fe5a79cfab28e2212a98d8aa9e9e5f21886a2ffe69c50f4c29077

SHA512
6e3daf232671eca5d40a99a9ddc2182259cec0d5b078a0be6832afd0ab227c2d7c632fa85373ebb421e5a0f3847233889df17373a7b894cacdb2dd1e909c2c42

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
124KB

MD5
94c0b107f4abfef2a5c8e8f4a60e9c14

SHA1
ae19409d356774be48d7f2de05d7c04118023c26

SHA256
e370500bd262d02bd60c1678d86ac26440b7f0592241cf7efc7953d8037ae815

SHA512
b6c65396fd928707393e387721091e0e2ddd85488f2a6a1027ddedf5725ebe0b401d46260903b734dd3f45d6d44c311ce483049d75724fccb792569afe06d69a

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
124KB

MD5
eb94151cd38e92af1ba4595a25930ce6

SHA1
48b31a6e809c5b3902090509781341e22ad7f754

SHA256
02d7a6cdf93ef31e7fee3b2b51c2eaaada6762cd1adae97ac4c7103348cd87c1

SHA512
20736f06ae684eead6e9ab8530bd1e345b12fbee77bb41ced157e5b26626b90b51ad1ecbe9c4584a1665fd4c1769e47d76dc8dacbdd3f562e0cbbcb9632c5b42

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
124KB

MD5
511f916330472488220e481a51ac7dc6

SHA1
71c93eb833e240b5443f5aabbb4debe0af320553

SHA256
d40be1c81721fd7513e15aa4ec0c2550fd3a0799e92ce420f8aa67aa6372dc06

SHA512
1f6fa30c4c6de10437c40696c000f43cacee16863478809c1735c5b80693a79358615379db60e8ca1f8a2780e222765ef334a3e18dec9ab7ddab6ded1473f25a

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
124KB

MD5
ec81f149da1285c41dd051399e279dc9

SHA1
c7eb88191a429c0bfa7119f5ba87387c150d1ab7

SHA256
5d3701aa462e9e6a9c20bd658cf207b5f82dac36fca3ef1d7d1541069b3285f5

SHA512
d326812c2268ef0b4854d06ed0a6f94b940facac788725e6846cfe81faaf398726c4f4c8372a1c44dd26b0452a3ff02d63390be5e91f597ddc1a0b3b8b1e7870

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
124KB

MD5
6fa2948bc73d2a82d17ede46073eed52

SHA1
4ea67c95d025010329592bf92e3a008e21baa288

SHA256
b0b92c8ff731958d8490d94c8165cc7fe46b7e670474845e9119b2edd72dc528

SHA512
8aec5f4abcb8d3d1f7dd28e7f7a300ceb799a4b69c3c2ea2ade356049d4034f0d1c1b4d3f06d7e5251f157aca60e70d36c3812edb928c2446c923c9528668ea9

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
124KB

MD5
a2d270407b778ebeb84153bd2adf221a

SHA1
fa9b30c66ab58a6e96b740881282c67ed45fa3e9

SHA256
3459cc99f774bc8f74803c2212738318d509a417d77851ed1b5500902b2ba4d0

SHA512
bdf4665bd41f36325c5469e5331a0cbb6128775ab48b6eea7ef91af6c389dabba848b85bd405ac1b3922f17438432c342ca672c13b5e1226c18129cfd104dd2b

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
124KB

MD5
6af8a417f02039cb362a264441a5e946

SHA1
ebe67ed46b384d1ecdb993ff428fefa14be0ebc0

SHA256
6a3b05dc1d98919056fd0043d9ca21342aa673455fbdbdc4c2338f6bd3b3603c

SHA512
fd58d5ba14372e2ad0551d5c13f2f11efddea052b8fa8d6e2ed6153831fecd2959c4948ca178c9c3d87c35fd6f67e3e4e48529fad00f57b5be919f7d7b59b654

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
124KB

MD5
846b7c251d80468518942eeac290e67c

SHA1
49726c95d8e6dceeaa9ecc907754fb7f893eba7d

SHA256
4e78a90a96a6c8662545704a328d9b392ffde2836b035ed447bf6917cfc5c03b

SHA512
ace2da7ea582452b7566063566f6ee79416c051dfc68d3db9b399a4e7a13680b3cbc5dea990f1f86c11fb9d7671ec9e6707c5411d21028f90ffbcbe7a3bde282

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
124KB

MD5
b143c18b6300c771768cbb6540dbd50c

SHA1
cd7c0a2475e51767b6f8ac19fcac0c8a31ee405d

SHA256
ea96357eee626018c0611669500274c70d08b164111c26b8d056b79742a87028

SHA512
b6618ab354e62cb3f47c2bf26b85210be7f23d37fc115f2cff060c67924df503bbb19e0c39263055b3b44bb0d035c3f97de144eef1cd9675527fa3b9bcada5cb

Download Submit
memory/184-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/316-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/452-527-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/552-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/628-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/632-571-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/816-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/816-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/868-474-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1000-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1068-563-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1192-462-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1200-485-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1244-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1252-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1304-584-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1416-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1956-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2000-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2016-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2056-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2080-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2080-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2140-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2172-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2196-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2304-546-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2348-486-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2352-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2412-444-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2620-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2632-222-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2676-438-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2800-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2812-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2812-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-528-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2976-497-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3048-408-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3076-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3192-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3232-49-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3232-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3236-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3400-420-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3404-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3404-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3412-387-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3420-5-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3420-6-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3508-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3568-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3604-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3620-540-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3692-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3704-498-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3748-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3832-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3860-213-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3872-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3932-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3948-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3968-396-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3988-576-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4084-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4112-369-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4152-539-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4232-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4272-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4332-246-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4336-390-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-432-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4428-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4440-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4488-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4528-516-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4552-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4636-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4652-193-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4656-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4696-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4812-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4876-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4880-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4892-450-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4920-504-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4968-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5032-173-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5048-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5124-591-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5168-594-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads