1c956286a450d4c3c557c0018be509cf63190816f68ed6755e47d98d8b05aa34

Analysis

max time kernel
139s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32ec212e3b36b30a2ac14d2bcfdf3230_NEIKI.exe
Size

406KB
MD5

32ec212e3b36b30a2ac14d2bcfdf3230
SHA1

961873a37569588880e38a058f34799c9de1f7b4
SHA256

1c956286a450d4c3c557c0018be509cf63190816f68ed6755e47d98d8b05aa34
SHA512

57e5208e1564a8e85760a92893c26712917971bdb12aa793cace5c6036786a20885d0178004e8665d72991f0832c065a01f82ec628639f7600ce04335e583670
SSDEEP

12288:Gez+4Mw8YsQtAU4MwEo8g0YsQkIcAU4MwEo8g0YsQkIcAU4MwEo8g0YkIlxdpVhS:Gu+4Mw8YsQtAU4MwEo8g0YsQkIcAU4MN

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe

Executes dropped EXE 64 IoCs

pid	Process
2068	Fmapha32.exe
4868	Fckhdk32.exe
2828	Ffjdqg32.exe
3764	Fjepaecb.exe
1124	Fmclmabe.exe
3252	Fmficqpc.exe
1604	Gbcakg32.exe
1740	Gjjjle32.exe
4528	Gfqjafdq.exe
4372	Giofnacd.exe
3532	Gbgkfg32.exe
2748	Gjocgdkg.exe
3292	Gmmocpjk.exe
4252	Gjapmdid.exe
3004	Gmoliohh.exe
1104	Gfhqbe32.exe
3760	Gppekj32.exe
2356	Hfjmgdlf.exe
4412	Hpbaqj32.exe
3356	Hcnnaikp.exe
4008	Hcqjfh32.exe
4080	Hjjbcbqj.exe
1196	Hccglh32.exe
2244	Hfachc32.exe
4980	Hippdo32.exe
4520	Hbhdmd32.exe
4568	Hibljoco.exe
4708	Icgqggce.exe
4440	Ijaida32.exe
4588	Icjmmg32.exe
3120	Ijdeiaio.exe
1012	Icljbg32.exe
1332	Iiibkn32.exe
1544	Ipckgh32.exe
2420	Ijhodq32.exe
3544	Iabgaklg.exe
2472	Ipegmg32.exe
4996	Ibccic32.exe
3276	Iinlemia.exe
4932	Jaedgjjd.exe
3976	Jpgdbg32.exe
4596	Jfaloa32.exe
2764	Jiphkm32.exe
4452	Jpjqhgol.exe
1560	Jdemhe32.exe
1268	Jibeql32.exe
764	Jmnaakne.exe
2480	Jplmmfmi.exe
4272	Jdhine32.exe
4052	Jjbako32.exe
1736	Jmpngk32.exe
4380	Jpojcf32.exe
2476	Jbmfoa32.exe
3828	Jigollag.exe
4592	Jangmibi.exe
5108	Jdmcidam.exe
516	Jfkoeppq.exe
2412	Jkfkfohj.exe
3632	Kaqcbi32.exe
1088	Kgmlkp32.exe
4268	Kilhgk32.exe
1640	Kacphh32.exe
3596	Kdaldd32.exe
3736	Kinemkko.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hccglh32.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Fmclmabe.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Giofnacd.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Odhibo32.dll	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ahgndd32.dll	Fmclmabe.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Fmapha32.exe	32ec212e3b36b30a2ac14d2bcfdf3230_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Hofddb32.dll	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jjbako32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6012	5832	WerFault.exe	199

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmapha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmddeh32.dll"	32ec212e3b36b30a2ac14d2bcfdf3230_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kdaldd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 2068	4872	32ec212e3b36b30a2ac14d2bcfdf3230_NEIKI.exe	83
PID 4872 wrote to memory of 2068	4872	32ec212e3b36b30a2ac14d2bcfdf3230_NEIKI.exe	83
PID 4872 wrote to memory of 2068	4872	32ec212e3b36b30a2ac14d2bcfdf3230_NEIKI.exe	83
PID 2068 wrote to memory of 4868	2068	Fmapha32.exe	84
PID 2068 wrote to memory of 4868	2068	Fmapha32.exe	84
PID 2068 wrote to memory of 4868	2068	Fmapha32.exe	84
PID 4868 wrote to memory of 2828	4868	Fckhdk32.exe	85
PID 4868 wrote to memory of 2828	4868	Fckhdk32.exe	85
PID 4868 wrote to memory of 2828	4868	Fckhdk32.exe	85
PID 2828 wrote to memory of 3764	2828	Ffjdqg32.exe	86
PID 2828 wrote to memory of 3764	2828	Ffjdqg32.exe	86
PID 2828 wrote to memory of 3764	2828	Ffjdqg32.exe	86
PID 3764 wrote to memory of 1124	3764	Fjepaecb.exe	87
PID 3764 wrote to memory of 1124	3764	Fjepaecb.exe	87
PID 3764 wrote to memory of 1124	3764	Fjepaecb.exe	87
PID 1124 wrote to memory of 3252	1124	Fmclmabe.exe	88
PID 1124 wrote to memory of 3252	1124	Fmclmabe.exe	88
PID 1124 wrote to memory of 3252	1124	Fmclmabe.exe	88
PID 3252 wrote to memory of 1604	3252	Fmficqpc.exe	89
PID 3252 wrote to memory of 1604	3252	Fmficqpc.exe	89
PID 3252 wrote to memory of 1604	3252	Fmficqpc.exe	89
PID 1604 wrote to memory of 1740	1604	Gbcakg32.exe	90
PID 1604 wrote to memory of 1740	1604	Gbcakg32.exe	90
PID 1604 wrote to memory of 1740	1604	Gbcakg32.exe	90
PID 1740 wrote to memory of 4528	1740	Gjjjle32.exe	92
PID 1740 wrote to memory of 4528	1740	Gjjjle32.exe	92
PID 1740 wrote to memory of 4528	1740	Gjjjle32.exe	92
PID 4528 wrote to memory of 4372	4528	Gfqjafdq.exe	93
PID 4528 wrote to memory of 4372	4528	Gfqjafdq.exe	93
PID 4528 wrote to memory of 4372	4528	Gfqjafdq.exe	93
PID 4372 wrote to memory of 3532	4372	Giofnacd.exe	94
PID 4372 wrote to memory of 3532	4372	Giofnacd.exe	94
PID 4372 wrote to memory of 3532	4372	Giofnacd.exe	94
PID 3532 wrote to memory of 2748	3532	Gbgkfg32.exe	95
PID 3532 wrote to memory of 2748	3532	Gbgkfg32.exe	95
PID 3532 wrote to memory of 2748	3532	Gbgkfg32.exe	95
PID 2748 wrote to memory of 3292	2748	Gjocgdkg.exe	96
PID 2748 wrote to memory of 3292	2748	Gjocgdkg.exe	96
PID 2748 wrote to memory of 3292	2748	Gjocgdkg.exe	96
PID 3292 wrote to memory of 4252	3292	Gmmocpjk.exe	98
PID 3292 wrote to memory of 4252	3292	Gmmocpjk.exe	98
PID 3292 wrote to memory of 4252	3292	Gmmocpjk.exe	98
PID 4252 wrote to memory of 3004	4252	Gjapmdid.exe	99
PID 4252 wrote to memory of 3004	4252	Gjapmdid.exe	99
PID 4252 wrote to memory of 3004	4252	Gjapmdid.exe	99
PID 3004 wrote to memory of 1104	3004	Gmoliohh.exe	100
PID 3004 wrote to memory of 1104	3004	Gmoliohh.exe	100
PID 3004 wrote to memory of 1104	3004	Gmoliohh.exe	100
PID 1104 wrote to memory of 3760	1104	Gfhqbe32.exe	101
PID 1104 wrote to memory of 3760	1104	Gfhqbe32.exe	101
PID 1104 wrote to memory of 3760	1104	Gfhqbe32.exe	101
PID 3760 wrote to memory of 2356	3760	Gppekj32.exe	102
PID 3760 wrote to memory of 2356	3760	Gppekj32.exe	102
PID 3760 wrote to memory of 2356	3760	Gppekj32.exe	102
PID 2356 wrote to memory of 4412	2356	Hfjmgdlf.exe	103
PID 2356 wrote to memory of 4412	2356	Hfjmgdlf.exe	103
PID 2356 wrote to memory of 4412	2356	Hfjmgdlf.exe	103
PID 4412 wrote to memory of 3356	4412	Hpbaqj32.exe	104
PID 4412 wrote to memory of 3356	4412	Hpbaqj32.exe	104
PID 4412 wrote to memory of 3356	4412	Hpbaqj32.exe	104
PID 3356 wrote to memory of 4008	3356	Hcnnaikp.exe	105
PID 3356 wrote to memory of 4008	3356	Hcnnaikp.exe	105
PID 3356 wrote to memory of 4008	3356	Hcnnaikp.exe	105
PID 4008 wrote to memory of 4080	4008	Hcqjfh32.exe	106

C:\Users\Admin\AppData\Local\Temp\32ec212e3b36b30a2ac14d2bcfdf3230_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\32ec212e3b36b30a2ac14d2bcfdf3230_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\SysWOW64\Fmapha32.exe
  C:\Windows\system32\Fmapha32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\Fckhdk32.exe
    C:\Windows\system32\Fckhdk32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\SysWOW64\Ffjdqg32.exe
      C:\Windows\system32\Ffjdqg32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3764
      - C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1196
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        26⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        31⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        36⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3276
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        46⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1268
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4272
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        67⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2920
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        72⤵
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        73⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        75⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        76⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        77⤵
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        78⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        83⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        90⤵
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        93⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        94⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        96⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        97⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        99⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        100⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        101⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        112⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 404
        113⤵
        Program crash
        
        PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 5832 -ip 5832
1⤵
PID:5968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
406KB

MD5
43521838ca93b437380e8dba14748d68

SHA1
c13e09fc70f12462252ead1bf3ce9f53fffff2aa

SHA256
34607821613c932cebaddcdb6784b31308b7da76fb2dbae7aab23954efed306d

SHA512
9968c390aedbed364b52173e4f83add2b2f3ce1c8dd8b51fd353c93c789508b03f0fc3dee9edfe7270293a910c45977d9fe01142c546e4c5d1069041e14b480c

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
406KB

MD5
ac6a7400c9bda7ea479bef757e919b60

SHA1
9fb98ca8efdfec801169906ae76fb960622baf37

SHA256
19103e0b7478c116bb39652f6e5ae514da37a6d9cf495b7b9776b4b333e5e086

SHA512
39f72a072f936c8deb3f0ae463ab82cd87116c4b86322272cff9517f24858abf0213bf050ce9d6953f1909bc69ac41eed9d4f63b3acba230a9816599f6d2d80d

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
406KB

MD5
72b79e2f0ef2e64f206386693678256e

SHA1
dec5552de788c7700d8a4e09b984cbac1f184d47

SHA256
a383e5cdafea0ca1b39e0943e4cb944cac3cb84053927187cf4f0e660848d826

SHA512
2e96aecc68119b7e5a613b228f06e6d299c4a3a4fb789b6a7cdd4d5d6c7f9e08b5cbb386b1a022e9173fd5368149dfc36d09cfe3ea11f0f47ae41998e9ab73f4

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
406KB

MD5
e3a645b655d327502916a34b0c8686d5

SHA1
82cf6125440564a3408431c3409814533a674612

SHA256
e9477035fa31cfd8f335833c4048b6a3dd5f4d9ff339b51617d7e66e3168b4fc

SHA512
931df8ba9df11ff4dbc2a752c86b814cf91d4975fa926aa659f0fad46b5188022fc6fb667780b3d9a9dbb83c3602af6155bc2501980925a1db1fe504011b7bf0

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
406KB

MD5
01b17821326e7a3215c294a717523b0c

SHA1
3e1921207a23212afc12d126e1021d9bba38db2d

SHA256
0e2729d1b22f24fa9a42206f8036c448049ea101d90ed28400210cf085ccd203

SHA512
c602051fc94af57e6b936652afe2b90c12d19bfb85b7be18cb858153cc300e6a65bfe61d98aee6e18bc7931f9c86f9e11fa03905581065d0f6d2d1919c4d33d2

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
406KB

MD5
b437fc4b058e776c62ca304de8e18719

SHA1
39cd04a4ca4a53996fe4513edc5b5ce23f46683c

SHA256
a3bb8d379e14b86ada08d7799c49a58012aac37f7fe10273d9bfae47e750f70c

SHA512
c68377fb4942864b25176531dce7c3e704e79c2b80308b9edad5fa5716f6454a6547ff1396183c43d4e9336484cf127e0e5767dbd0dbbc3009fa8b9cac2de01a

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
406KB

MD5
2b1a2a36a961b5fe1ef23cacd93c061c

SHA1
9029dbcf58877046b06811ef0667f3b31b70b9c8

SHA256
fc63d9e524910b106944d9cbc22e835b6b51cfca3999f6a6d8ff1a6a0ec7961f

SHA512
164c4c073f73a30380e25360a5bb0ab9d043b6ae9d739f41998ba41e7da586dbbf8b86cd1a705979080f188b9fe821ed5cd3282a03be02cc49c372e3185561e7

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
406KB

MD5
056fe616a60d3c4d14b3e6e13ccb476f

SHA1
2d3c7253190fc3b7659220ef50ea8423b61e7707

SHA256
23922b9184d6717e1fdf163043c2bdfbf107659b15a8250537f774470395fa55

SHA512
786988ced1b899d2c4864de2766b08a8faea13bb879a1913e342ef5a0f320213f9bbb1be812ab19a43441509ca08694ce420cf946c6498acbec6517d5338d51d

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
406KB

MD5
1503a3a9ab7426182df5754582151dbc

SHA1
16c4f03096005126a99e06a7e107cb72c5a1aed2

SHA256
5f485de351d2a1b393b2ab99ac0103c3ab65d9c80af9627d00765b472b43b8c3

SHA512
465681e02011c943fccd30e830324ef43a37da31d0a582daa52c6b644e4bacfbff1f4f94d60fe394e6e4fea2121d1c6520c39309d6a854ceeb9038c7f89145f0

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
406KB

MD5
763fe0e353c7c25c4d54df37c4afeb70

SHA1
1582d4b300fdc0112a1c9d4b3397a1901e1afe32

SHA256
4f41e02a0d51662064b22c23b9e29c73476b59f583de7b2fa1bcc761572e569f

SHA512
985b2225c119bac58369c90ad3833148b31d11970182999a14befc85fcecac3b415c0aad58044dcd1a678485e4c761b7306a0073b61bc4debff1e53b907e3285

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
406KB

MD5
8f30694826382c65189f7781ec7899d1

SHA1
acf1490736e3b4c318fbf3c356c4d461fb3c27b3

SHA256
aa17af882827dace5288230fca75614814f20858d6cef7b4f811acc38d8ec94a

SHA512
3285d942c4675569902d446cc38bc3959bae670bb4bcef880cfd1a8798eb0c7b361cc2d607f966d8bef1f8ca7e984cc1a8f64f6744e582a30f935842d29b0dc9

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
406KB

MD5
bfd2139a318d427cf2b59f67951da482

SHA1
23cab73077b93ecdd384661388f5f5674ab3e243

SHA256
ec675351c86464b7ff8ac055744dc9fcfb797f2da47f93872a52960c92290dcc

SHA512
e9e9f4d1622da3eda9a5995693e71bd837ec13497ae4db2b71caa7fc5ff6c73f30074a2d14f18a8cae8e8d2d53e782154280e68ddba54c6fab1ec8feed84cda2

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
406KB

MD5
ace3c785746dfefadc02e21a6b25c12a

SHA1
5ce9a0a02bef4f2839d5c720360cf497b40f8a79

SHA256
438b189e26bd2445e2456cc39a68ae4476343a1bcfc8eaaf1a04469f78fd2583

SHA512
9a4ea938105ad51970247697238280163fe4e4d79d75ad5a15408c6dd0da0ebf9dd0f89d7eab0898ed97c3878bad6776e23c1755cb34aa5e270c58baf5dbf83d

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
406KB

MD5
57d25e552675eee229b4c2954764e45c

SHA1
cf35cc844e75db28c9123656057d3646e91203f9

SHA256
e92a2aec8a4c623e8493287a496e3a304fcad803ab85a8f5a05c9236ca8e6b81

SHA512
414385fd77dfa220983e0756b6c686685c5819ca76ce97961de5d57d4af7a9436b85336b61474efd1687f7c84fd6b14d5420669a20426a9b237dcf7dab8f8b99

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
406KB

MD5
b62561976e6f2c1dcdd20ee8cbc8ca34

SHA1
cfe40ef9d21f588e22b39331627a82fbba3ee3ad

SHA256
4295ec12902571b856ee6f87c2356383bcd5d3ddb53f07b890c7bf2057b88033

SHA512
90d18779afe0502acb92f8507acd65415dc52ec294596632d880693d3fe0da6cb9c91c04ffb10f9da7bedfde88f15184ca928cc49cf756ce344e3a33514ce265

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
406KB

MD5
feae35a29c934741aedb319e020d3d8f

SHA1
8cda96504a06e4fcbbb2cc38a149f6b47a8d2b47

SHA256
1f7eeb163edd9af8fc267e5c9d1549027b6a7e9888be6ec57c3175fd4d6d7292

SHA512
567fbfbb8b7f75d4b072bc200b0e4fc011c91e1e86bce4cab53d3a5e3f98a2020f200cccc2729b2b456e8178b6b5df685ec7f5a6769ff63d2ef3a263b6bc65b2

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
406KB

MD5
d301c4e2ee73cb514d64577b6cad6d44

SHA1
262f4833cef2c1033037249862f3bae1c75bf96f

SHA256
29c220921f26f0299b28f61a84f885dd375fd46467d0636e0a7b88c73420cde7

SHA512
e690b84522ca414afb9304e9848d248c63e12bc1901c967d4af47586375f0fa2536c7a014fdcb92b8b41f26cc6f731bb582cc3022e7cff078345abcb13919d6b

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
406KB

MD5
e2f8b84283990fbb346f31af84ec7b30

SHA1
b1714c0685452d4c4774f9193dbe2d815f325560

SHA256
9951ff9be5ea96dff76698837f2890cf2256265da306004f62bcd51732353470

SHA512
d13ce7d624f6f7373ceb173bff7db0bee921d64dcd158ab51ab5cfec604a39b0efb396c6dab4c880f866df4bed70793d86c7ba3af8454d6277708bb22860fbee

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
406KB

MD5
8a210b41ddbbc918c7e77f8913950938

SHA1
84166b50e0dcf3356cb3c42b0bbb83204589c2ad

SHA256
571ead7cefb9b9e28d8964ba4c4e17adf515fe6f22c21edf8073e18b203a428f

SHA512
db265a1140ac69702a4584af8d927241671505326090a938486f4300cb15df7e5cca0f56ea56c63da53d7d050a5fe0cd8afecda231e3d4a3d0563b1a00d4fca9

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
406KB

MD5
342c2bb7b8120545e3f134f9b6ff5f0b

SHA1
4ddf14023dff45d6dd044410bdd0f8d2a4eaa271

SHA256
aed51bee191394cab5d7d38a5c8c6071123635630233e2819b7718cb877f5961

SHA512
eeae6117b9ff6a2e93f89e827100b4a69c16d3d33dd4b1e0b3d7fc707b3ff0ec394607b859f33bfcfdecc7e479c82c55a7ee136e66d4b4357163908835a62bde

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
406KB

MD5
1d482695728de0e03bcdf8693a55fffc

SHA1
dca79d95ecf4b9c4973d5e6b2807d360958158ab

SHA256
4af0c8e8fb2772fca4245f885a353ccba3a014515cd576997fbd805d3156e5a7

SHA512
39d7cc603c8741c296ce55bc3268495b69f92508e7592913fa68e077a882952db7e43cd08e8a9395041c0b59bdd551a1a948333ba6c678b6ec401cbe30e311f5

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
406KB

MD5
826648f36224a76e8a654d241ea48b23

SHA1
8e0f57f45477c8cbb4f606e14df247665a4ca688

SHA256
f750864ddf17ba32c82844c72b2ecce379d5dd803638502229c2747e53d7ef0a

SHA512
cdacd972156d5707a8d86fffd9837a70660c0dedb1204fc275cf0123c0d5f4666e8b152c1415368ef1de5ca58418c8bdd9bae071ec5636313310a0cfc717a8b1

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
406KB

MD5
8eb1cce8d4661e18fd499ea112060379

SHA1
51c69a6c9b2ea6da8e1d891b3a49c79ef680b8b1

SHA256
51fa341f62a7a9ceaca5ea446ddf0e8141230c1feae6c4c10d783efa00f31ca9

SHA512
709fe4aa4a3c56575d5003d4a12639f002e465cc2d22e91510f5fdf6b00015cb42b705a32bf9d23664a7de74ed57ccdb6a32e46973a54705ea10269e057dc7a7

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
406KB

MD5
7387c85758256df6f53376648dca1e66

SHA1
78a38913117bf36e766c97586422300cb03ba66d

SHA256
a84a115c1f85c9325085d4ceff43a2373682d842706c2bad338d5e594a544dac

SHA512
b371c8baaa6ef72a0a09260e8a9c560b8357a0db09e996d4657c854dc62c90beba44524d29048cf8a9164bd396f34fb78a2f5b980980c526b3862dd75dfe63e1

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
406KB

MD5
d3f9d2ceb923d2b9f2ea07cdf3457f93

SHA1
a8b7f5f7776f177910a2492199a65abf7e1727cf

SHA256
44f897f5644f24ecc0eb2fd3b1e6fc75743aba577a13880414a01ae04ba64ab1

SHA512
b155d6e9f879bfe529a69219985e4d21f489c5a0b00b725a0cca4ef19d49ac69ebb5318f8a546195087b406ac93eb72c27fab38d624e561c8231a46bce0e8770

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
406KB

MD5
517b8a9e4e8f83d6e09e6522269853b5

SHA1
0988f2bc9b9d2e31886dc41cbab93b2531cb1fdf

SHA256
99a5344ad732b81ff3a130a9eece11982e107ffbaaa4bd3a8b8f59dd19456e4b

SHA512
373d0de7a7d9f72720723a39b1cbfcc5b3a6882e30a3906bbe34bead29e39fdd970527b8bc8283a85b7afcf973d51188a5bf426a2847892e3b17de6c0bf36f19

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
406KB

MD5
3778af9cbc241be4a3a1688a57d54d9f

SHA1
ae55176757ad6cf7999cec424a54193d4470098b

SHA256
9c60df8f64f5b86dee03679b70ad893f01a9b2331287b2c2aaff1540eb727dc5

SHA512
72d7cb226e074402db8f8d1ad02c449f785493f2942ce8fdd0b455efb364b0f70d68e7b2ac93fd0581e0f49170892a77587a50661948198a9c2124664327818c

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
406KB

MD5
f918f2a996c8b7a7dc0a766cd518d82f

SHA1
f8bed5e466bcc90af40cdea4c9078a563f67cbfd

SHA256
23d9a58d4957be6c7e503ada04855454835c202b6b055f1d0246c47a311a1696

SHA512
430d324147b4e697d66956ebd0063c6293cd45ec5545a94f8940840cb88bafc321a3ae83457036fcc67d6eb318fa05d30c485ca71ba115a63db57c70abcb8ef4

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
406KB

MD5
54496fe0ab53b953dacaa19d8af27ba9

SHA1
024d44c4772baa7a9a8e98f654f8b5a85d3e84d7

SHA256
077b9567d8370c21d29dfa3f8379e5db58b3cb67107e7a925fa9993888ad047c

SHA512
de04b9eecc1cbac2c65f2f595832095ae06f98b749492a5b6029934d9b127f2fb7af48ec2634062ec388f3ffcca486730746cad12eec8cdc9ad416ab5d1f922f

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
406KB

MD5
55c65e489d0ea162ece68c73252f1b89

SHA1
7f0c5d886d2d695a82928cfaa88721c938e4bb6e

SHA256
b1273ca238a5c242fd12219e969c9affa744e1674a8e79de5cc45f59fc922ca1

SHA512
06d9b717dc82bfae95c6e73a32ac4389f568618aa9f3d605d21b7bba53f9b745c96ecb406feb0590e7b4f9ebec146a4923d7441030ac74823874b5fa353d256c

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
406KB

MD5
0307d451049e92540ed409566f9ebe79

SHA1
3861e77d175d286f48154c25e359114d5a703c66

SHA256
1eac012e2f96efc9b402a3b2f17b9f40aa30890fff70275b20b584c78cf4d302

SHA512
549933b947015d640268325f96392e90c104c548a1071d5d99c8c9206a85ec3ab889d9c252ddfd9973de86a02ef8dc7295a332e53cb5d61f01ea1dd018bdef55

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
406KB

MD5
0db7c3aa45999f9490cae02baf2cc2fd

SHA1
7f8bfe79f46ee1ab18c7c06a8043b16754d3a61a

SHA256
222836b2250cb213681c20d68ca037cc04ce1f5cdb2cbc12960197ca49eab1c1

SHA512
bdabd80ee71678ffd016464877e2128b68f6fe0d83d8c8a5b0adb9fcba6f6680288df643b8630cfff6db526bcc2bd723e91ac66b0566881002dddb07654d236d

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
406KB

MD5
4e49e989e5a896daf039d9233f06e400

SHA1
7ffe2128ebe85045c5741692724d869d3e5c0ed8

SHA256
89115147d211ccc37a55fc99c1e3d19078a2ec6d3d62f53a4d9f2ff8fab5faaf

SHA512
8ca194217637e880a211d93ba72aeb0f3c6f38322223b2e1fd27952ca8138ab6b7a614d46f580e01c0a9e76c99776a60f16da9374e0ecd906e882545b09f60e5

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
406KB

MD5
01b46c6c1f077cdb870e2230f4d97ede

SHA1
6f2b20d42dd045fdec3b46efb1e31c2d4103a83c

SHA256
9238bf550b5011c4d8b3ef1784622cdb3f6aabc8c94fe233fb9f3702141424be

SHA512
5f09d13797d303acde1579db0a94c5b0f947456c893beba309a18d372635078a27957178e35fcf70a4ca0e9eff97dbee28fdc84f3b6b3988ddf14b6572e65560

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
406KB

MD5
2e70207f92b36806545106a2bbe1a213

SHA1
198f358ce3c9f374da4fec1beacfe6be0343730f

SHA256
c332df288e51443c052a4e75286a4f68247c8b7dd54d000a828985a435a85473

SHA512
4efb3d304c13cd146e564a1256e5558247f4559dc80dd9bc42d7c98ce6b9b6996c47b2452e67b6ff8f71633f2ac9a264181144935cdca07672cc5d7434fa837a

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
406KB

MD5
9a007ff9b0fdc0cbed5c9a4bb3770447

SHA1
c668db3c97793dc797458ad8c7caacaa6de79df4

SHA256
66326356971c0672d3464a4f787605b3bffc538598fc8e70a2418d767f90b66f

SHA512
40b2512af6ce8a0568ff85867ded7b28b7a0bdb047b667ee4fcb6f42baaf0bc5fe844ef9936e9a1b49105baa2dd5b09cedfb315be8ffca4b846f81d1fb80b73b

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
406KB

MD5
77569f78ec0984fe2c6e875a37714513

SHA1
4de9b6b723b219831398bb2aa86bae7fe2cb1e2d

SHA256
7e675eebea56a63be91509a76f937305366ab2da6e6719d82983e8b2c70b0b8e

SHA512
a617f79d400c59bea289b6d5796d937894e0fc88613adbcab3e61a2dd35569b91fe4611a09278ed1e7486c2997410f3294f5a143e2fe73db7e9e6287df7933ca

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
406KB

MD5
efe74489d79c669ecc721d23367b5fbd

SHA1
19dbeead51754cdd4eaeae145a5b9598f003be58

SHA256
d7896a89f02ccc33cebbc782a2e9a5b2b47cd4b980872745742ef663be6eaf31

SHA512
0b0e73cef0b7020359b30eb8c944d4c15afc6b0c7863da6aaa49303dd97f388b54d128488529d6160cbd975cd9574243845f4b251fbc11820f360e360f390ccc

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
406KB

MD5
2afeac184bbaebbb3ed617e933b1e84d

SHA1
6abc12c1a553e0e40b844ce9b09c8643579bdb60

SHA256
af2e837d97c0b6b0e2e48ae20b9df3415f33bedf16ff887895758326015d9a82

SHA512
24855330ac39c2f8f3e3c2ef8246884161d8b2327d129e166da451560ef268ec88f9e87bbbb171f5357a31445df3d39fa92e12c57c390eb643147d6b0b700496

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
406KB

MD5
1724399419afc2801ae7139f9d106dfe

SHA1
4be5ca66d367884e9f05dc1e6592416d6418e158

SHA256
ff34a429bc44c78d66642f0235270c47260d2569345973a697489b06bb10e1f3

SHA512
a93432e4410504fb5d3809304f1240c6bc546eaefbb492f6ebec2aa9390313cb409806e7ef02e1975f633be557924da4a46daa632eae3d52068f85e4f47ae75e

Download Submit
memory/516-399-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/628-485-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/764-344-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/888-463-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1012-260-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1088-420-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1104-633-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1124-562-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1124-41-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1196-188-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1332-261-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1544-267-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1560-330-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1604-61-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1604-575-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1640-428-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1736-850-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1736-364-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1740-582-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1740-65-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2068-9-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2068-538-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2244-191-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2356-143-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2356-646-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2412-405-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2472-284-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2476-376-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2748-609-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2748-100-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2764-866-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2828-550-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2828-30-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2876-518-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2920-461-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3004-627-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3004-124-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3120-247-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3132-486-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3164-507-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3252-569-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3252-49-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3268-804-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3268-497-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3292-105-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3292-615-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3356-158-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3356-658-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3532-602-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3532-89-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3544-278-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3596-434-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3736-440-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3760-135-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3760-639-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3764-556-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3764-37-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3828-382-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3960-664-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3976-307-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4008-167-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4052-358-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4080-175-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4080-908-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4180-450-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4252-621-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4268-422-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4272-352-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4372-596-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4372-81-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4380-374-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4412-156-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4412-652-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4440-235-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4452-329-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4520-207-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4528-589-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4528-934-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4528-73-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4568-214-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4588-239-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4592-392-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4596-313-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4708-895-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4708-223-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4868-544-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4868-17-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4872-4-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4872-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4872-520-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4932-305-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4980-199-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4992-474-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4996-293-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5184-531-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5236-536-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5468-563-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5552-579-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5596-583-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5644-590-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5724-603-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5980-640-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads