febf15b435af6afa7aed5e39cdcc8635c117646e8b9b36c52183e4641fb39954

Analysis

max time kernel
136s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 05:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fcd9cd52e423a7e916e9ed61455139e0_NEIKI.exe
Size

120KB
MD5

fcd9cd52e423a7e916e9ed61455139e0
SHA1

ca5acd6c890ee1f01abf072d5dc26d219b3fc0ed
SHA256

febf15b435af6afa7aed5e39cdcc8635c117646e8b9b36c52183e4641fb39954
SHA512

60419af378b40bd1fc7d7abb9638e6f88d2211bfc03f1e3db427dc64b73c91a88d3f45c2acbae07bef1950eb95a64dcd467a65f237112285e764930f7192e3c7
SSDEEP

1536:6sxj5uml85GEnybksKOeAGjXUo6Fd2ZjaV4HmOjz0cZ44mjD9r823F4:TF5uml84Eyb7KZT6Fd2ZpIi/mjRrz3C

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	fcd9cd52e423a7e916e9ed61455139e0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifjfnb32.exe

Executes dropped EXE 64 IoCs

pid	Process
2392	Hcqjfh32.exe
4636	Hjjbcbqj.exe
740	Himcoo32.exe
1148	Hpgkkioa.exe
5420	Hbeghene.exe
2456	Hjmoibog.exe
4920	Haggelfd.exe
5804	Hcedaheh.exe
5168	Hfcpncdk.exe
448	Hmmhjm32.exe
5580	Ipldfi32.exe
4660	Ibjqcd32.exe
4804	Iidipnal.exe
3656	Iakaql32.exe
432	Icjmmg32.exe
3428	Ifhiib32.exe
1928	Iiffen32.exe
4768	Iannfk32.exe
5648	Icljbg32.exe
5728	Ifjfnb32.exe
5800	Imdnklfp.exe
3660	Idofhfmm.exe
860	Ifmcdblq.exe
5636	Iikopmkd.exe
824	Iabgaklg.exe
948	Idacmfkj.exe
3064	Ifopiajn.exe
1848	Imihfl32.exe
3032	Jbfpobpb.exe
2668	Jfaloa32.exe
3520	Jmkdlkph.exe
6088	Jdemhe32.exe
964	Jfdida32.exe
5052	Jmnaakne.exe
4444	Jplmmfmi.exe
5960	Jbkjjblm.exe
3020	Jjbako32.exe
2800	Jmpngk32.exe
776	Jdjfcecp.exe
4164	Jfhbppbc.exe
4844	Jigollag.exe
4956	Jpaghf32.exe
2396	Jbocea32.exe
2888	Jfkoeppq.exe
5692	Jiikak32.exe
3848	Kaqcbi32.exe
656	Kpccnefa.exe
5076	Kbapjafe.exe
796	Kgmlkp32.exe
1764	Kilhgk32.exe
4316	Kacphh32.exe
4272	Kdaldd32.exe
4424	Kgphpo32.exe
4580	Kkkdan32.exe
2992	Kmjqmi32.exe
2828	Kphmie32.exe
5980	Kdcijcke.exe
5408	Kgbefoji.exe
5272	Kipabjil.exe
2380	Kmlnbi32.exe
2320	Kpjjod32.exe
4532	Kcifkp32.exe
4476	Kgdbkohf.exe
4460	Kibnhjgj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lihoogdd.dll	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1688	3396	WerFault.exe	206

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iakaql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kacphh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2392	2876	fcd9cd52e423a7e916e9ed61455139e0_NEIKI.exe	83
PID 2876 wrote to memory of 2392	2876	fcd9cd52e423a7e916e9ed61455139e0_NEIKI.exe	83
PID 2876 wrote to memory of 2392	2876	fcd9cd52e423a7e916e9ed61455139e0_NEIKI.exe	83
PID 2392 wrote to memory of 4636	2392	Hcqjfh32.exe	84
PID 2392 wrote to memory of 4636	2392	Hcqjfh32.exe	84
PID 2392 wrote to memory of 4636	2392	Hcqjfh32.exe	84
PID 4636 wrote to memory of 740	4636	Hjjbcbqj.exe	85
PID 4636 wrote to memory of 740	4636	Hjjbcbqj.exe	85
PID 4636 wrote to memory of 740	4636	Hjjbcbqj.exe	85
PID 740 wrote to memory of 1148	740	Himcoo32.exe	86
PID 740 wrote to memory of 1148	740	Himcoo32.exe	86
PID 740 wrote to memory of 1148	740	Himcoo32.exe	86
PID 1148 wrote to memory of 5420	1148	Hpgkkioa.exe	87
PID 1148 wrote to memory of 5420	1148	Hpgkkioa.exe	87
PID 1148 wrote to memory of 5420	1148	Hpgkkioa.exe	87
PID 5420 wrote to memory of 2456	5420	Hbeghene.exe	88
PID 5420 wrote to memory of 2456	5420	Hbeghene.exe	88
PID 5420 wrote to memory of 2456	5420	Hbeghene.exe	88
PID 2456 wrote to memory of 4920	2456	Hjmoibog.exe	89
PID 2456 wrote to memory of 4920	2456	Hjmoibog.exe	89
PID 2456 wrote to memory of 4920	2456	Hjmoibog.exe	89
PID 4920 wrote to memory of 5804	4920	Haggelfd.exe	90
PID 4920 wrote to memory of 5804	4920	Haggelfd.exe	90
PID 4920 wrote to memory of 5804	4920	Haggelfd.exe	90
PID 5804 wrote to memory of 5168	5804	Hcedaheh.exe	91
PID 5804 wrote to memory of 5168	5804	Hcedaheh.exe	91
PID 5804 wrote to memory of 5168	5804	Hcedaheh.exe	91
PID 5168 wrote to memory of 448	5168	Hfcpncdk.exe	92
PID 5168 wrote to memory of 448	5168	Hfcpncdk.exe	92
PID 5168 wrote to memory of 448	5168	Hfcpncdk.exe	92
PID 448 wrote to memory of 5580	448	Hmmhjm32.exe	93
PID 448 wrote to memory of 5580	448	Hmmhjm32.exe	93
PID 448 wrote to memory of 5580	448	Hmmhjm32.exe	93
PID 5580 wrote to memory of 4660	5580	Ipldfi32.exe	94
PID 5580 wrote to memory of 4660	5580	Ipldfi32.exe	94
PID 5580 wrote to memory of 4660	5580	Ipldfi32.exe	94
PID 4660 wrote to memory of 4804	4660	Ibjqcd32.exe	95
PID 4660 wrote to memory of 4804	4660	Ibjqcd32.exe	95
PID 4660 wrote to memory of 4804	4660	Ibjqcd32.exe	95
PID 4804 wrote to memory of 3656	4804	Iidipnal.exe	96
PID 4804 wrote to memory of 3656	4804	Iidipnal.exe	96
PID 4804 wrote to memory of 3656	4804	Iidipnal.exe	96
PID 3656 wrote to memory of 432	3656	Iakaql32.exe	97
PID 3656 wrote to memory of 432	3656	Iakaql32.exe	97
PID 3656 wrote to memory of 432	3656	Iakaql32.exe	97
PID 432 wrote to memory of 3428	432	Icjmmg32.exe	98
PID 432 wrote to memory of 3428	432	Icjmmg32.exe	98
PID 432 wrote to memory of 3428	432	Icjmmg32.exe	98
PID 3428 wrote to memory of 1928	3428	Ifhiib32.exe	99
PID 3428 wrote to memory of 1928	3428	Ifhiib32.exe	99
PID 3428 wrote to memory of 1928	3428	Ifhiib32.exe	99
PID 1928 wrote to memory of 4768	1928	Iiffen32.exe	101
PID 1928 wrote to memory of 4768	1928	Iiffen32.exe	101
PID 1928 wrote to memory of 4768	1928	Iiffen32.exe	101
PID 4768 wrote to memory of 5648	4768	Iannfk32.exe	102
PID 4768 wrote to memory of 5648	4768	Iannfk32.exe	102
PID 4768 wrote to memory of 5648	4768	Iannfk32.exe	102
PID 5648 wrote to memory of 5728	5648	Icljbg32.exe	103
PID 5648 wrote to memory of 5728	5648	Icljbg32.exe	103
PID 5648 wrote to memory of 5728	5648	Icljbg32.exe	103
PID 5728 wrote to memory of 5800	5728	Ifjfnb32.exe	104
PID 5728 wrote to memory of 5800	5728	Ifjfnb32.exe	104
PID 5728 wrote to memory of 5800	5728	Ifjfnb32.exe	104
PID 5800 wrote to memory of 3660	5800	Imdnklfp.exe	105

C:\Users\Admin\AppData\Local\Temp\fcd9cd52e423a7e916e9ed61455139e0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\fcd9cd52e423a7e916e9ed61455139e0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\Hcqjfh32.exe
  C:\Windows\system32\Hcqjfh32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\Hjjbcbqj.exe
    C:\Windows\system32\Hjjbcbqj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Windows\SysWOW64\Himcoo32.exe
      C:\Windows\system32\Himcoo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5420
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5804
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5168
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5580
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5648
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5728
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5800
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:824
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:6088
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        36⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        40⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        47⤵
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        49⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        50⤵
        Executes dropped EXE
        
        PID:796
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4272
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        62⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        63⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        66⤵
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        69⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2036
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        71⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        72⤵
        
        PID:876
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        75⤵
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        76⤵
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        77⤵
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4280
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        81⤵
        Drops file in System32 directory
        
        PID:4192
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        83⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        85⤵
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        87⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        89⤵
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        90⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:832
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        93⤵
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        96⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        97⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        99⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2748
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3540
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        104⤵
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        105⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        106⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        111⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        113⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        114⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4720
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        116⤵
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        117⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        118⤵
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        119⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 412
        120⤵
        Program crash
        
        PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3396 -ip 3396
1⤵
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haggelfd.exe

Filesize
120KB

MD5
f3a0e20f1e685c8b122e1d82c455058c

SHA1
4251fa9a0b615963ae06d36a3ffb87d28cb05b65

SHA256
c4032eee9082f10ee634da7b61cd49e2e77ab617c6be24701b6ddc4ad7116210

SHA512
ffd0ce449ad806717708b0e73a09dad45308b1ca745c3ae7d8cb856f8e9526abfea2e1677c9f29e427fbc6a486a9aa2ca6ace5a94c089256a215322a27181758

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
120KB

MD5
a7edcc89c1700cad9d9e579f3e78efe9

SHA1
51838c808b162507ed3f43f82b948c4f1964ea3f

SHA256
5750beb7be4ba30d5dd8656f247708a47b317de42578493575a39d9bca02236b

SHA512
99ebceeba5e5787e71dfa635d5e9f1565152b703d222a902a0ea69e0c6cc2ce1ec60ae3a23a5735805f00b991f1dea0d3b315981be2eb2187c029528d9431712

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
120KB

MD5
6fd3481fbfe585c51ccc8c87d952eedd

SHA1
f44abcc0a79c82a4d07215d94281e1d17fcead5c

SHA256
7a0aa618051a680f1ab2d15c5054aa588be4ef32cd9f380ac30b65b6f39d3a96

SHA512
b7c7526b897cc1bc87081cdf33044017722646cc41cc02e39869a08a10a9cb2ffdcd3f486af43b338b3011b0ab256f92331634f31ee4ddc10e0f05e0d44ad361

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
120KB

MD5
82c381da38b924c7bbaae594dcee9040

SHA1
67895809079c7a00bbfa29a6421c8180b2108423

SHA256
5287a9c6e96e48b7ab7c39735e2d4086030e11e940374c99fd46dd797b3c1b57

SHA512
994215fbeee79291c9f96c91cf9db66e388e135fa1dd933217e96e4967361bdccda0ca78fd92cbe8ff6feb98941256d638effd271cfe11e837f015aae9b79c6d

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
120KB

MD5
b3aca8f3c337b6864ad48bd1be5d5f7b

SHA1
77fc747aa3e7569002efb7035fdaa3781374ae8b

SHA256
8380da3fd0e1380925ecb0231795cc4086af3932fd243f7dd9b5c0a39fb7d8d3

SHA512
aef75107db1cf977d1b618a894851ad71190be892e440b878b330d0583d18bac3883d2e759f5b5ef056f6fb03b5fab25e58444e650c24e5fb72505349d3075f1

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
120KB

MD5
8b3214ba7b1a66c717e919bca4969312

SHA1
22cce7292f69b881b7939f1ba00b3d20a4172539

SHA256
981cfd1ae922f59f9533970f19651f186f17423f0dd09e146cece3d7f82b3176

SHA512
b1d60f431222352cb88e4899da3180c4ef925f501fe1295cc0d9008b851bfcf3c74915d42d982650570414e471eb6bd1c39c0785a121e00727b0b420775acd64

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
120KB

MD5
c07d964810f0231a4ba6f0e7e856bf71

SHA1
33a19691137ab2b259b2be266e596bf273c0c04b

SHA256
06f215649ecf3e334a963c4a8bc84a1de95b1900b1e4a838f2e1f871871aa0b3

SHA512
0a0457dbd88ef38c55877c796ea6c269959c24062e269434a68d85216b5c4de41d8d57c0eebec2c081d148076173bb924eede57ed6ebca25063a8615e356dda1

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
120KB

MD5
c29fe2830df905b48dea15037b0f5d15

SHA1
04c781a0f8cd0c7a320d48f1f9c801bc497ec2ec

SHA256
176f54b5bd5ccfd13c8b8ec9c7851212ea18a23b6fa6a4e1afdc78a176444a40

SHA512
be691f5e58c61127033f88525fe3a836fb7a00a95c801b5f6c71553e05737b6c0b64b0e3203d8698430a6e8cf53e97ac52ea7722f8ae5ba0ba4bb4c929ac0814

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
120KB

MD5
aa7d4e753b226439e55373a73ef577cd

SHA1
b6e9348c4a8ae3006fc37f80af230e517dd17c90

SHA256
5aaedf948ad5b9960262d1959d78713118a2d1681fef9c2912099569aee58d8a

SHA512
a176bf18100444d2451ba2b9f3afaa867ff415cfc2a98194df58bc0ff154f4beb1b68e4c8e16b0d9c9408b3d84ad9e642e82bef1f5c45d1b26a1f80cd788daef

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
120KB

MD5
1de23d5026c76ff3494bf8880323ef58

SHA1
4719af91b4a7df2aa5d116a33fdf44ead75818ba

SHA256
563a77e9fe56f2a7c7a56593095d9971ebad17c8c03f2dd21c7dd7652a38b322

SHA512
4b0f310f88058c4baedbecd992cee4078756b3b5050c3f0a72e7caa7a06893674a63253197e21214b1a1f6b08916c7c04f444ff4e9b90bd1756619a52e8ce13d

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
120KB

MD5
cff5b5aad78213bd302efaef94657ce5

SHA1
c7d54cfee5aba8d97f1e50188860d9a37d1dc0be

SHA256
bbb08a9be33735fc804b787e29b0d236a697db587af572c4b7f1fcfded2f74e6

SHA512
297489d805bae1f3f7b67e8375b85a0bd723060c8118c0e9f47163c03b722b4791e07d80df5ebe4fba5e2c3d10ec86414867664f415325065c4f9995e60dacf0

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
120KB

MD5
91744168b158abb82cfd8c864a650404

SHA1
b56c6aa0a704d0bd6cbcb8246f95f72cd7807c83

SHA256
a227537f7e0d69574687794ebf20fb1aafba85ffbdc2c9ca1d866133555d3db7

SHA512
e5ebbd8b9349f749f16f01dcf41dc90dd9bdf341d119c3ea909bb15c27b2e64d575bc880a16119e5e733001e483a36da7b42bbad8af76d0845abb4e9fcd18264

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
120KB

MD5
c942ab9a77b739ab002f48eecf0fa831

SHA1
58647e9e136b736556e34bfc10f33015f8c9852d

SHA256
1e606097e80a9fa08bfc8b544606332a0601b720f73ef03599c200e71b4db08a

SHA512
17e7dd4afb889aa6f825de0bf9d24a478b95c2d13f8dcacce1f50b879894c441291b9ff5db03b48f63e4201b546a0acfd897977dd26ddd4d35bf98bdf1e8ddd9

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
120KB

MD5
24e3ee5900d9ab2d45329b77b5375fd8

SHA1
c1a5804940d614ea51933f3cee07ce317d7420da

SHA256
82aeabef1f1ea5ad6691bc273e7bc424045094bbd895fc6903049755c8959e28

SHA512
4418de4fa0e62b3b792b43de6aacc1a20017687bfb7905aaec1b57a0e2f4179e87406806e8d7fc4c17d09f8ecbb28aa2083e5ad2152b2a191505db12a1135e38

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
120KB

MD5
3e41a40d3abc889c011e6d05dfae1188

SHA1
74fe39305699c4106efaca41a603fce99aff6c51

SHA256
b7426919b0b092af344320075f3929d953569468fb9824e481b1335ff95c855e

SHA512
0bc68be25d145f850a757a5640ca6ac737e1addfecc63deb23e20cac83505f08d28515ce6b3fa9443a9375551feb312f748bb04a993ccc5c99d91b508852f967

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
120KB

MD5
b3401ea329132ee0020baeb1f08d371f

SHA1
74f0be9fd5fc7d907c28c168fbbb10bb4cd7a0d6

SHA256
ca5189e0ca4dc77496a2e2006c44da7e57af40fa03bb92c0b96523c1dcb4c9b5

SHA512
28309836a1c3ff059d3e222b7eb43a6bc2c2acdbb4e73a771688445c2bcc47d33b173f9deb2066fe4f81d2c12915beeba88dca0f53d52b2f820d408039986f99

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
120KB

MD5
828686479d48b256646c74b22dd52f37

SHA1
91508efd4428ba0eeb329d09c7b13cb544d9fce7

SHA256
daaca9d2e13c2a56a87391d8142cb4c0ff27576a022e3e8a27fb7655f83dca1e

SHA512
426e668e1658f4b012366cb5f0f9517f9465f4a14b98522c3bbabbe7a4278e64fd5dfba8adf77f59aacaaf966160f4e06071d1009d55cae3cfdb434b2bcddf0c

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
120KB

MD5
dbe89f753e5e63f859209ba243cd4c2b

SHA1
006f8580857be6b8e5cb6c1e1e6a715b7a44215c

SHA256
7756f5120ffb5df48560d1d7b34b743baa32ae8e6e7ead4ec99459a1f1310c98

SHA512
ffc3bbb4676a482500b753f7fe0fc219f173c0e3713980539fea82379b7ee2c9e64ff33c562456290dc35a5f46822d48f6d491b679a405824d729d80c9948f02

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
120KB

MD5
dccc39db2ecddccc4fec8cb5458c20ed

SHA1
041206a2e5abea5d1e586cf2ad2fa1a048fb9d09

SHA256
beb3928fa7f42d13632f93cf9d3077600dcd70ccd95beebc97a2589570b2ef73

SHA512
d8c474b02d729bf0211a86e6077416f5155d40739027e7106fc5ddb4dea4cda2816f6ebf8ae1e3c2b6dc9ff8a2ffaf539eb4745f3eff05603ff74988348dc009

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
120KB

MD5
cad5abcd029939ed1cb1b10cab38a781

SHA1
b2573bdab112d1ac8d4d381bb342a4e05588e73b

SHA256
65e66bede2d2297c7887b4716c5c12a591d746263f22e7a9e0f524e7f3da7d0f

SHA512
9bdfc1dbaea2584e5c2ed36379eaa75bd57b4cadfff2af88b1b5df1ccec764c3f3fed664b972c56696ee6e7d9514570cc161e79ebea19253b16a3e6a70a3c4fd

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
120KB

MD5
d8ac7b2b5c9328add394f1dcc624853d

SHA1
624b6a18bb8d3201b4282b4650bf1f7fe34861ca

SHA256
c6991ceddfff67cfa650bbf368a032be5607bdec4fb09cf2c42c34d5f0cf7ae1

SHA512
65b2ab79120dfea98bade3e2cec663121b6f9f28e236defe140ff4333416e6cdce8af69e9938473aab1264cef4824aaabe30b2a0313459e4983853993ee23209

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
120KB

MD5
0cb32d611e896d1b42efcff6a5c2a076

SHA1
f79235a88c31ebf028e81d3007785c8e67924abd

SHA256
d24c2fc0bbf0a58ddbb594ae1d1c94ede4ec4d19a31ee9e2b2d4dd3c659f00b9

SHA512
de08d59640a778cc8eee81971e5e2b14d6dd20d2c7dc65ec5ae03986a990962e09ce5c74ca8ca62ac1507cc962ae99c08e877172f9c7835f46db42f46f2d39f8

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
120KB

MD5
a9c976fc7b5f573e276287d2862d1322

SHA1
6655cb6263766931ed82e8338522ed38e33a428b

SHA256
30794e1a0a572e9c03222b23ed770f8a0abbe4059742ea67c9ddc393af6f93bc

SHA512
066d77267ffbcc8c2a57a191f56916f679f1c0b28e1e887169b3ebd4ffcf1e0deb144611a4c1f3ee86f726935fd5b833d6b57ef342b643122be5d780e3a06c52

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
120KB

MD5
2bda0f37fa4bf6a576c24c19e8cb8950

SHA1
03f2a8d63153806e564b7cfba297e3a6efc9054f

SHA256
6cf06c6359f8bd482efe1bcc88fb5aa5b7e374f1b1fffc2bdf394f42405ab00d

SHA512
a9a790b9146afd8274eaae24f76b64b5df5bbd4d474df787d78441c4aa5968612ad547fa59926defaf8fd95920b4e35bbdca51174c63599d8dbb0d941ec0567a

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
120KB

MD5
739030cd43e9266a56e3d2c704aa3a9f

SHA1
93b5da9cc31f74a38c88f6c4cd4d1f5f41861626

SHA256
516ddbd99bdce3bb16bce827e8e93ecb5e6adbf538cb36c77bf98bb459e3f9be

SHA512
7b478c05a2bddbfe29a96425ce9ea97533bee737488cb9cc7eae0e4dda542619ccafe0d7092a915613d4fb4d6d15333558d8339c8c08c7b691cb501ed82fe5f2

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
120KB

MD5
7c0758f77f02283dc9fca1c27ccf260f

SHA1
48700cd176b696b7ddf329ca51b6ff430178d72f

SHA256
6fd54529bf7d56735ab663e3e13a007cc8890fa52d2f27b26136ba3ae0e3ab15

SHA512
6b4acadae0f84d337c0174b78e8c6c4018b4a89c5f79dfcd71b9c75587dcbcfbb58493bd198f6ec22a30a41615be3f2aca7f0c7ac9b58d7c20d3f143f9730e66

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
120KB

MD5
035ef49e0404c244fe1f838d01496588

SHA1
2234e87335147d1668f9be79cd9fd41dbedea238

SHA256
7c2ad0956695173acc05518fe5280ccaeaf8dc53796c56f251927c89f3d82ee6

SHA512
03131be6662e9e8debab72a91ed6f72b02dceea2a940c31416e2a8a5e6dfb0d0a19109e921ace9652e5123472f603541a71db471d79c2def5b1fe1f48981e4c2

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
120KB

MD5
c5bbe99eae6621fcc0609c627f784845

SHA1
0639e82d86e6aa0e24bc6f18e5713692932bf177

SHA256
1110fc1586c5c4bd77657d4be7d9d0279d58056d605445d449e3e365a776407c

SHA512
a4fb71a67f6c3461a6c7783ca86773976c10b4455baaa71accd5babbc6bd78a5ea64fac0919adb21bb20b7e24accb995b519af99e9dfaa1d419199ddb585981c

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
120KB

MD5
2fc4154af1ec73c749690a9c4d4c4f19

SHA1
851dc23615a9bb1de30da3c48a2dde4497237363

SHA256
fc9fec819b238d7aa68350d09ccc0e67bd258dbaa6192203156c41cbaa5c2733

SHA512
94f95393b677d14c804191a17a443143fc97eea90834f97ebfa444609f4b6a0e139d11392efc4de720a4d851c645da25e0f3235b133b655cca85412835841ab5

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
120KB

MD5
66fc4afb19178a9b4f0440f70d81a717

SHA1
4ad95fdd3c605d01ddd1b6757daec7bff3cb1e69

SHA256
b4c22d6ca24b545cfd92fc36d8d7f308b91a62281a95cde0df591d5abf4d6593

SHA512
119ad003a100e3bb3d9c411bf7b85b60415f526a06b04e59d09cdca46fac6545930621778bdbcb547aec12f86077b058c0f5d55a136abc078741f0e29cb5bb23

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
120KB

MD5
4bfb042f4abf3f1a16d03d3fba51ff79

SHA1
b0049b961f59f18c6174d566dabfb140498fe728

SHA256
bc960fc8e9010d0825f6feb79b2505dafeb0a19872774f2e404ee06d15eb1ff1

SHA512
bb21eb74225b146f5fdeb4f94d18fc1f40afddb938c6ff5abbc1080b305fadf09e893318f25c9a485f4bea456e32fe9cece8601e7356a778ae50c7422696c07d

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
120KB

MD5
53ed12df69edacb9458f4f945f0bf1dc

SHA1
5df9000564c971f4f29b44bee384448776cb4a42

SHA256
cefb99bc5b4443a9c3618ab967892db5a3742b7453a9c04ade0702feaeaac0b9

SHA512
be6d63de17d9708b998539e42969cdb6bf74aeef3998b0e8fc3502941703370c4b16a6c7b4ad47b5f71daef3501b1252cfa320a4f806c37fc7f7889ee9045b18

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
120KB

MD5
99f4e28666bb15120dd461e11bfb1dc5

SHA1
0effcedc556be1e3ffb2e4e644e187ab24e93097

SHA256
ed44d40af1e2cbc7e3d33333a616fea21d8e695dbc93a0d16e2a503c41df4e79

SHA512
1e16f56ddd38d6626b6f18a243b92adba0cfc738b4112e813ca5f1c0b6b82f556db92cb467b227c93eec4e8e163deac02e9724e05c5ed8a585f5e17db571a351

Download Submit
C:\Windows\SysWOW64\Jjcfkp32.dll

Filesize
7KB

MD5
e113d987b6816734e2818c4219955c1a

SHA1
bdebe83f046aae114699bed909d337aab4c55a02

SHA256
d27535eea65d9b256e82abe716652c389874358aef843e1b880218cb2ca0a362

SHA512
8ceb36498c1af079d76e071c82bbffea2639fbfb4bf77836ae41e1a7d840037b4f7e0f24d7bc859679eb480e28ff1da53e01e5115167f9d60126bc8bbef6c69b

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
120KB

MD5
753c80fe408cfbaa89e0b1350dc70f4b

SHA1
e9795b884bbbafcf9b8dfdcab9be9b51f02e21da

SHA256
f45310323e0a6ce1b7371415bad2d2063ba376ffb544a0963d3a6e1d5de289aa

SHA512
4bf6b0bf3d759cba17a743a323d22707bd453d176de52218f624c60e5e92d314854ab09afbe3b9b8e55a7cd41c81e663f3a5b12ee5897fd50f33a7e72bd64d8c

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
120KB

MD5
477f9af91046b6eff3f710608902d939

SHA1
cd5501953d671d04d8d1a5e736233c20028314fa

SHA256
4d473597348d71935910bb78886640cb91146e59719c1aea5695ace82dc5cea5

SHA512
619ae66120786da84b650a6b7ddb7241240aafe86ca42ae9327a3801b480b82ebdb62f6812ab5cf2b16e3e4a3896c5573fd4c96d384ec77d6a053d2d93617858

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
120KB

MD5
db0fb107fbdac8ad3e0867f806ed1e33

SHA1
96343a0acee05f63d883e7a2163788bc4e1184f9

SHA256
aeda278f52dd51e878c0016305b624bda56523133c3e44d6e87cd70305794c51

SHA512
68c9fa151716468ac8001dd59f78515cdaff58a5da72bec53e4034b5f2e705c4fde26f89d3126357dd5729e80f8a39346708cb8fb6288d5484d4d89a143a9e2b

Download Submit
memory/432-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/656-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/776-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/796-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/964-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/968-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4532-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-846-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5128-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5168-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5236-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5272-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5396-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5408-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5420-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5420-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5580-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5620-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5636-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5648-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5684-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5692-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5728-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5800-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5804-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5960-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5980-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6016-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6088-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads