b21a4f2c9e92b2c42c3efa99340d2316e2402ea6716ab277dd965c0e8e87a53e

Analysis

max time kernel
96s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 17:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b4d6c9fe53e4734e555bfafb8e716930_NeikiAnalytics.exe
Size

448KB
MD5

b4d6c9fe53e4734e555bfafb8e716930
SHA1

af37459c38b208d85cbcb325a360b969d21f2157
SHA256

b21a4f2c9e92b2c42c3efa99340d2316e2402ea6716ab277dd965c0e8e87a53e
SHA512

97158aea26fdacbeb145e86861666d051c328760f114bef463e8397d6608066d12916b19b84bc83a8444eef087994779786c928ada0313e6b175ae066c1720ac
SSDEEP

12288:lEC63aofaH5W3ybwwUb6ls2oWdeVoo8ukpeeVl:lUEH5W3Tnbc53cp6p5b

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe

Executes dropped EXE 64 IoCs

pid	Process
3432	Gfqjafdq.exe
1088	Gqfooodg.exe
3972	Gcekkjcj.exe
1448	Gfedle32.exe
1012	Gmoliohh.exe
2476	Gfhqbe32.exe
4044	Hihicplj.exe
3932	Hbanme32.exe
2348	Hjhfnccl.exe
4416	Habnjm32.exe
804	Hcqjfh32.exe
2344	Hfofbd32.exe
4456	Himcoo32.exe
4564	Hmioonpn.exe
4968	Hpgkkioa.exe
620	Hccglh32.exe
540	Hbeghene.exe
3604	Hjmoibog.exe
624	Hippdo32.exe
2464	Hmklen32.exe
4336	Hpihai32.exe
1756	Hcedaheh.exe
60	Hbhdmd32.exe
1772	Hjolnb32.exe
1856	Hibljoco.exe
1160	Haidklda.exe
5104	Ipldfi32.exe
1720	Icgqggce.exe
4420	Ibjqcd32.exe
3300	Iffmccbi.exe
1920	Iidipnal.exe
4628	Impepm32.exe
4832	Iakaql32.exe
1636	Icjmmg32.exe
4796	Ibmmhdhm.exe
4324	Ifhiib32.exe
2072	Ijdeiaio.exe
2540	Imbaemhc.exe
4012	Iannfk32.exe
4992	Ipqnahgf.exe
668	Ibojncfj.exe
4332	Ifjfnb32.exe
664	Ijfboafl.exe
2468	Imdnklfp.exe
2420	Iapjlk32.exe
1472	Ipckgh32.exe
1292	Ibagcc32.exe
1896	Iikopmkd.exe
2484	Iabgaklg.exe
2292	Idacmfkj.exe
1304	Ijkljp32.exe
1520	Imihfl32.exe
4784	Jpgdbg32.exe
1396	Jbfpobpb.exe
4476	Jfaloa32.exe
4196	Jiphkm32.exe
5096	Jmkdlkph.exe
2304	Jpjqhgol.exe
4864	Jdemhe32.exe
2924	Jfdida32.exe
3296	Jjpeepnb.exe
4292	Jibeql32.exe
752	Jaimbj32.exe
2496	Jplmmfmi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Icgqggce.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Gmoliohh.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hihicplj.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	b4d6c9fe53e4734e555bfafb8e716930_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jfffjqdf.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jbkjjblm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6068	5888	WerFault.exe	208

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b4d6c9fe53e4734e555bfafb8e716930_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpihai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iabgaklg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 3432	1224	b4d6c9fe53e4734e555bfafb8e716930_NeikiAnalytics.exe	82
PID 1224 wrote to memory of 3432	1224	b4d6c9fe53e4734e555bfafb8e716930_NeikiAnalytics.exe	82
PID 1224 wrote to memory of 3432	1224	b4d6c9fe53e4734e555bfafb8e716930_NeikiAnalytics.exe	82
PID 3432 wrote to memory of 1088	3432	Gfqjafdq.exe	84
PID 3432 wrote to memory of 1088	3432	Gfqjafdq.exe	84
PID 3432 wrote to memory of 1088	3432	Gfqjafdq.exe	84
PID 1088 wrote to memory of 3972	1088	Gqfooodg.exe	85
PID 1088 wrote to memory of 3972	1088	Gqfooodg.exe	85
PID 1088 wrote to memory of 3972	1088	Gqfooodg.exe	85
PID 3972 wrote to memory of 1448	3972	Gcekkjcj.exe	87
PID 3972 wrote to memory of 1448	3972	Gcekkjcj.exe	87
PID 3972 wrote to memory of 1448	3972	Gcekkjcj.exe	87
PID 1448 wrote to memory of 1012	1448	Gfedle32.exe	88
PID 1448 wrote to memory of 1012	1448	Gfedle32.exe	88
PID 1448 wrote to memory of 1012	1448	Gfedle32.exe	88
PID 1012 wrote to memory of 2476	1012	Gmoliohh.exe	89
PID 1012 wrote to memory of 2476	1012	Gmoliohh.exe	89
PID 1012 wrote to memory of 2476	1012	Gmoliohh.exe	89
PID 2476 wrote to memory of 4044	2476	Gfhqbe32.exe	90
PID 2476 wrote to memory of 4044	2476	Gfhqbe32.exe	90
PID 2476 wrote to memory of 4044	2476	Gfhqbe32.exe	90
PID 4044 wrote to memory of 3932	4044	Hihicplj.exe	91
PID 4044 wrote to memory of 3932	4044	Hihicplj.exe	91
PID 4044 wrote to memory of 3932	4044	Hihicplj.exe	91
PID 3932 wrote to memory of 2348	3932	Hbanme32.exe	92
PID 3932 wrote to memory of 2348	3932	Hbanme32.exe	92
PID 3932 wrote to memory of 2348	3932	Hbanme32.exe	92
PID 2348 wrote to memory of 4416	2348	Hjhfnccl.exe	93
PID 2348 wrote to memory of 4416	2348	Hjhfnccl.exe	93
PID 2348 wrote to memory of 4416	2348	Hjhfnccl.exe	93
PID 4416 wrote to memory of 804	4416	Habnjm32.exe	94
PID 4416 wrote to memory of 804	4416	Habnjm32.exe	94
PID 4416 wrote to memory of 804	4416	Habnjm32.exe	94
PID 804 wrote to memory of 2344	804	Hcqjfh32.exe	95
PID 804 wrote to memory of 2344	804	Hcqjfh32.exe	95
PID 804 wrote to memory of 2344	804	Hcqjfh32.exe	95
PID 2344 wrote to memory of 4456	2344	Hfofbd32.exe	96
PID 2344 wrote to memory of 4456	2344	Hfofbd32.exe	96
PID 2344 wrote to memory of 4456	2344	Hfofbd32.exe	96
PID 4456 wrote to memory of 4564	4456	Himcoo32.exe	97
PID 4456 wrote to memory of 4564	4456	Himcoo32.exe	97
PID 4456 wrote to memory of 4564	4456	Himcoo32.exe	97
PID 4564 wrote to memory of 4968	4564	Hmioonpn.exe	98
PID 4564 wrote to memory of 4968	4564	Hmioonpn.exe	98
PID 4564 wrote to memory of 4968	4564	Hmioonpn.exe	98
PID 4968 wrote to memory of 620	4968	Hpgkkioa.exe	99
PID 4968 wrote to memory of 620	4968	Hpgkkioa.exe	99
PID 4968 wrote to memory of 620	4968	Hpgkkioa.exe	99
PID 620 wrote to memory of 540	620	Hccglh32.exe	100
PID 620 wrote to memory of 540	620	Hccglh32.exe	100
PID 620 wrote to memory of 540	620	Hccglh32.exe	100
PID 540 wrote to memory of 3604	540	Hbeghene.exe	101
PID 540 wrote to memory of 3604	540	Hbeghene.exe	101
PID 540 wrote to memory of 3604	540	Hbeghene.exe	101
PID 3604 wrote to memory of 624	3604	Hjmoibog.exe	102
PID 3604 wrote to memory of 624	3604	Hjmoibog.exe	102
PID 3604 wrote to memory of 624	3604	Hjmoibog.exe	102
PID 624 wrote to memory of 2464	624	Hippdo32.exe	103
PID 624 wrote to memory of 2464	624	Hippdo32.exe	103
PID 624 wrote to memory of 2464	624	Hippdo32.exe	103
PID 2464 wrote to memory of 4336	2464	Hmklen32.exe	104
PID 2464 wrote to memory of 4336	2464	Hmklen32.exe	104
PID 2464 wrote to memory of 4336	2464	Hmklen32.exe	104
PID 4336 wrote to memory of 1756	4336	Hpihai32.exe	105

C:\Users\Admin\AppData\Local\Temp\b4d6c9fe53e4734e555bfafb8e716930_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b4d6c9fe53e4734e555bfafb8e716930_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\Gfqjafdq.exe
  C:\Windows\system32\Gfqjafdq.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\SysWOW64\Gqfooodg.exe
    C:\Windows\system32\Gqfooodg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\SysWOW64\Gcekkjcj.exe
      C:\Windows\system32\Gcekkjcj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3972
    - - C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1448
      - C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        25⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        27⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:668
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        43⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        47⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1292
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        49⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        53⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        58⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        59⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3340
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        68⤵
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        70⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        71⤵
        Drops file in System32 directory
        
        PID:3480
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4064
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        73⤵
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        74⤵
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4508
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        76⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        79⤵
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:116
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        83⤵
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        84⤵
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        85⤵
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        88⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        92⤵
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        93⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        99⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5808
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        104⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        108⤵
        Drops file in System32 directory
        
        PID:1272
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        109⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        110⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1524
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        119⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        122⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        123⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        124⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        125⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 412
        126⤵
        Program crash
        
        PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5888 -ip 5888
1⤵
PID:6012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
448KB

MD5
c5e3bc8f3ce351ff298ee9b7c67cb66d

SHA1
899bda53702b71a06117afc0591509d6bb0d7874

SHA256
d0b80fddb9ea3db227b067a2905108343ec8fcd51775827f4ab3374a02b114c0

SHA512
21dbff4e1005b3c9d073b4f17c55a94164ab393269272d8c3b85410f7ff34246d6d142b00e2791472c24475d871b428f001ef5b3cb0fc4b799a078c4de3eba37

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
448KB

MD5
04cc56492e5d2995633924be09940915

SHA1
0da8c3772a11cab33f8d9b800c3ad54a09cd84e0

SHA256
88ea3c13ccd097e58b58127ab40955580dc7d81e3d26d2f1d0574f8fcaf38e8d

SHA512
c8285c078c9ddefa346779c76359d559f7970e349d933b0ebad97d7e50216d05f28a385ecbc7652f14a9d6e04b04d9854a49902e93c1f0cc2476573d443a4637

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
448KB

MD5
7f7fac91eb00d7774524b571368f5cc5

SHA1
ffc4b6ec77ce69feea4c521cd88f3684cdf00820

SHA256
e397a14486475d5979c4a4cbd43a7857bc5c51110d6a6c7f3bd5e3708373119e

SHA512
c705fa3b9c55c07f6c848c686d92701d8c78873bd0f0170aafa9ae3daeca2858d72a48e03a02352a661aff647377ea1e870b17a5667e937065a9834b4dcf2c2c

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
448KB

MD5
fcce82dc0428d283be381c4f11432609

SHA1
8aa6397c2f2ca31a9cfe1a37854062f5ae9719e6

SHA256
9cda1f1029b5d480903f046d6196a459519f5484a28fdb715a5d21c6fba44192

SHA512
3303f435b3487d0b91ba7a74c09b54003062b88217f701fb4de64384613bb5b4d2a542f4894062b19d0273e8e58635220be1fd9ceffc6eb0858728cec32619e4

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
448KB

MD5
baeb5aace5f939fc3823c67cb9b48ec3

SHA1
8563c5e60d7563c3ccd77611873849306ccae8f4

SHA256
7336ae72578225e1520bde66ad6aaccee7c08a23a08e5b3d04482ca62eb56a5e

SHA512
7f71ee728fa19138c248dbb9b5e9abfda3c950b0d19d2479a934fc299ed2fba9fa62b7ca4e48a70ac152b560904700dfbded2ad268398684974a0f1e7c9debf7

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
448KB

MD5
01dc73d226ff1a11f7e67c03871d3ba9

SHA1
8151d76e0845e8037ba0a0ddb4580d9ed6b08a47

SHA256
c19cb6aa5e3ed0171303a5bcfff0473eeefc35b15df7696a922d8c2ffb85fab7

SHA512
bc77300149a3cc9e4a1de311bbd0dd677592923541d02feac8f6aa357254251e275ad5ae195ee9e7766561ac6e1d4fe2a1cd275e0b952b1482b5be6b7279711b

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
448KB

MD5
2cbce5c91ef442d2805f716750619d6c

SHA1
fb071edb9382fb5bc388c00c7f358b433c70bd2e

SHA256
c9cecd2e656f8f65d15acd0a22f560bb2099cfff8f3e050b92d5202c5fa5710d

SHA512
a9943885123aa16876a9a4c2e99238b0c42e1a3be887ba7c527e4ca4c6f0b4f3af11c88c599483dcf12c082d5f07e6447207b0deb52083b541e913fd23d08b3c

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
448KB

MD5
f31b2fa8e4c6812c4efca3648e8107f1

SHA1
36939b297fcad041b28bb8c9ef157e97f40af58c

SHA256
a50eef798e49ab8e36ef416055447bd1d97641f65ac95c268cb2e180c286b734

SHA512
487132912d04bd9a609f79dfd1b3feb352b4ae2e9168ccb2709afd8e7fe83957c976847a06be0aac9bb7f16e55c80d7b8046cf6f7cbed5d5064f681c0ac73686

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
448KB

MD5
ac5a00796b0a9d6e1e13aae91cdf120b

SHA1
c35f8a290a91c69f22b72d8692aa45f0ca681493

SHA256
bf00af2cac75ac212e86cea8dab96fd784f494499ea29c648431d36e58932128

SHA512
54457f93bc51b75867244caffbb8f58b902ab3b3781b6a6e2d0ff1697868be4692ea3b87d8a424a17ac2c9fa72a053702fef5913ca3365541850e12492e9b12a

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
448KB

MD5
45c287d5c28f312db1f52c5151a625a2

SHA1
bd23e7b0a117f617126c1c7cfd603fe4f7766925

SHA256
23eeb7092345264a47f895fce6a398b60949be63fc8a09cce24e296cada801c7

SHA512
87ff14515b1208b6698074ba99931ad916b4d87927a27d28847030ae6f930f2f9c7e3bfa54085b9bd05fc61c812f14395aab595284ca421cb2230034df13af87

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
448KB

MD5
26a3d79c59ef96f40da6cce12d86fb7c

SHA1
45ebd9a723f9a106a3a0307f6a1994967e3f0740

SHA256
2f2e5ee3e32b61e6fb0261b37b1347234201fa7890660f71bf8fa6b41bc34535

SHA512
b4577a105fd257e73371c8c53b48816fc199fefed7aa7a1d005cb10aa2301963fa9051046f2433f7979c6ea71094a72bd07d14833860f407f95d7f4829190188

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
448KB

MD5
3de9feb12992a3385c1fb39abad1638d

SHA1
48deaab21359e434536fda8919547101466df790

SHA256
4aa7c120146fb428658a5c5ae43d1570464ca225752a28f6cdc70fdb67698c7d

SHA512
af6caf9844daff24002023a2adf9b9a7aeb1b636887521f734180807f00a9a90c7643f36c9a1e16eb5fa55a77ad063d59c79dace516d73d4bac71219e27c86d2

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
448KB

MD5
b967e124178790e0bac4b9de01da59ba

SHA1
eba3ed2fd0b4853835b3334a07247616353804ea

SHA256
f2b978b4a1bef40f93737d3f9335d79d6159d7587b4340a32ee330b3206f5a18

SHA512
2c6e7fcefada31bab891ab61937d5fd047f251f360b043eccfbe6adba075f18e5b0e8ac407faea479b5240534f04e68b36243738c11ac3331dc4c7ad016db3e9

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
448KB

MD5
5b224b25175f04cea62b85d6ce6d6c6c

SHA1
73362d32d25a36bcd9987f222c39a32d03768348

SHA256
86b0cd5c9f11326bb01b1263f52232f518e2a54bc0803b9dc0eee880b17ed5f3

SHA512
e74fe3f4ba4e2531104fbeef7ff7268c331b20b03bec1b0780ca18c8e64b008eb753d4c3125f41131b21cb29a26142c621a5a716e3ca2ffbbcb3737d92810c7a

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
448KB

MD5
69c2452ab6c5555818428ad6a6acab42

SHA1
87d26a09c7ec1972dabf6316a0f85c853b56b8c4

SHA256
6b1595e53169589e4e35aa170ac3e2976c844645911ff61d9ccb428479fb0820

SHA512
82f23991fa0c02356916ceae21e038855f03362e1036ff30e86120c314ccabbaf69f0fd78747ca8dd38a89079f2303317499e4b4009be19983a5885c80be3a6b

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
448KB

MD5
adadd385e7c2cb0d0ac43883acb78d35

SHA1
b73dc7d4fcef93427d901d619d3185c6065e18e1

SHA256
e6f5c520f9eacf0dafc3bbd72db088a4cb2f1cbd416e2da4338a54f0297f12ab

SHA512
619ff24187af35706db191ef95fbd867a9e4c20b961719c4297a0824ffce96379c4440f736fe1d244deaabcabbeda6a9c8d53089daca823d469e38532240245f

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
448KB

MD5
2646510669a41499fe8b65e7e2a6d648

SHA1
6823ccb022adb9b46c3580179241730281d37878

SHA256
42973a019ac25e19ef6f0357c7e569c1ca1449bd5269550a08cdc689ec782caf

SHA512
9731c7f78217970de51a59fe8b956aba34b4f32c09c30e83605ef4fe4b88db2614d7eb60a26ae2360baabf0f433f0ee108913bf06bc76a8819d58dcaebe18c3c

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
448KB

MD5
5b9a139976689cc857cf7fa62ea4c7c6

SHA1
98bac269eb8171ce2d89f35c9f51266383f6c1d4

SHA256
400a29d18702a5899fbb6b3721501e3a4887d276cc1fe5409450e1f01c73f716

SHA512
5d790f87ed26ce10e0815ab15291c8fd9ab62822fd59f106fa4d4ad43eb57f82b537de05c20595df38fbc1a90614112fc89e5fdd047d451cd2f97fc2d05a85e4

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
448KB

MD5
7036de8d8488351df906d998b14b3a44

SHA1
a66dca34b469d2abf7c1a4288601aa66bb360499

SHA256
242f5c44adcc91c06efe97fdf7a97a2236090ceaecd5159d778d049671382851

SHA512
9a8ba2743dec16a8b1e628ab60ea8d80559106e9f659e2851d916db54a025d0d7df3c191b5b83e86ef5295c636447cc8b4c7d46990d1a1f861f968aff0a60919

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
448KB

MD5
fd32c29df0aad656f79fbba230fe38f6

SHA1
e3682d1bbaffa6bc724f13d3bea27750faaab319

SHA256
e66683b217c123e0bf33afde18d980fa3613a6024b1f10ef525ab0ce61cf8dfb

SHA512
0b9e02f80412fd82d4d348acf506e147dcfe2ac8d721da63ab6f02a1ee8135f40702db5edb4f8a6198ae4a5c7fedf8a15d3d686b5f5ceedebba38636d2b646f1

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
448KB

MD5
fd355563b888f5ef8f0caa3a9c37f7e0

SHA1
30a76ca5adfb0105e36e760ba1344ad7d4506eba

SHA256
0ebec6312bd3cedb602ec695536ed67d2cd4e1a605d7306bf961446bbb2ff7b4

SHA512
e7ddb98302f335a17c8ac12493fde0d64ae4aed3d47fe2f4683fd49473367339cd4f2c736534b22e994ab675f2c6760e729915b46b4354411bc89a9d6ec15edf

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
448KB

MD5
68d7c5b64841f3535de204d07ae94234

SHA1
1517364c6860f3aeb11e0178e587da5bac8c005d

SHA256
80be5afaea4a1a0438a152311d2afc4ea1657d772ffdb431db0ced57511fe903

SHA512
ae5085f6e7285fc3409862eada8c639ea7da81b765bfa72445af488e5e675e6983d2e2b90deab771bf43efaf7e55efa938aa4b6528a02b19f19f3dda508adfa5

Download Submit
C:\Windows\SysWOW64\Hlcqelac.dll

Filesize
7KB

MD5
e04c9267fbdc09b7a1db570407eac878

SHA1
3dc9b7de44ec4ad1beb77a4f16f885604e90a0dc

SHA256
e49438b14cfd305adfa8a0f46ca806b2257e8c3fb48b88d96a629d0f6bcca96a

SHA512
16916cd4f1e90d50adda7a27a22c630d31b3b7d632e009d411d783e6c62eac3275e3bffd5ad68a91c905d69f8ce7d888d954779bd3fb233ed68ec2d3c5b824d3

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
448KB

MD5
7cbae6cf7e6b7ad11cc84bdfb78bf213

SHA1
d5a6a63ac29d41e3a4a5bec616c0f99598ce9b9a

SHA256
4078eebf817f0e8ee7e016fb13976a5110c72809743320eaba599ff5450d43e1

SHA512
d989437fcbf01d2edefdb7f5fbcdeab58e9e846e8bb647846e6c0c3c71d60f84c708dfdd858280de20c5257b57d574887ecec989e7e75cb095e320d869dc1242

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
448KB

MD5
f7b3d64f269244b47e9ec45da3781c62

SHA1
e5b53c222d573a6f4e029541419216e8e18d2df5

SHA256
0d55f1f99f9d785c2db24bd80da6cabb063d4226f9f1ef53d86bc005ca7303c6

SHA512
c7b100b650c31d19e705173c6e528c8254c95e2e4a69238aafd3b4dd8d78a14179ccca9cdea9052f2276fc8ed0b985761388aff251bcf02e1b335e4f28ceb4d4

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
448KB

MD5
b0383f195ba69fceb8b855aad118e235

SHA1
44847549233a954d0014b5659281b6d7dac5c54c

SHA256
d4f12a28f01abc1cc5130b315cde7372569e77aab88c0e57e19bcb4b53c3753e

SHA512
5d030209ee6b468f4d3b2c2face5a62a605524a87df64df35b1f8c4e3057c41a7f09493705c5b8177003a186ad69a5015db83a64cc60a88ba70434591df0b9fc

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
448KB

MD5
731b1ba32450153d0022e3ef8ba96210

SHA1
2343619ce54fcd2d9ada273f3c4ad359a1058e5e

SHA256
9f38dcbe03b1f9441ace02d3f709b70b0dde7f4095fc7e2faf86e4d8688c5dc5

SHA512
82a90bf3b24b865d97ceecd9148143100fca965778b20f07a5f15b9dcf69603b7740d5c37143eded713ed03c123349a173f13aa0890a6163d7f89fb2f61b6e24

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
448KB

MD5
ba49d92cebaa1f9dd208f3d705cb40f9

SHA1
e628fe50c33efb0bfe950ddb5ef4c17c936b0228

SHA256
87566adeafc07947454f05505b4eae8cc1e18fe15499f8629d7c0a2415176c20

SHA512
dc4ce840f025726adbcf87da7e70415e1a6e4dbef3341fc93e6c2f79a4dc7f60b328e2b54d1254d03227d4aa62a21e862ac91783a734c3bfc25d2cc3f82c73bc

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
448KB

MD5
367847207e65b67ea53c96c8bca95a9e

SHA1
98b75ce0200cdf7ba6988f19e438c8c6d4cc9b6c

SHA256
4f6ce83dc420102538ea446b69c0d14938f1b615a5cb72fb49e65699c4810ed0

SHA512
1881e5f2addef7b1479eca283f25b66e6487116b05db251b684cd47c7ff2118aadacfa0419258ea849a14c817ba500ecbceb0993ff90bda31a15379f8089e81e

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
448KB

MD5
81aa97711f60981fe05824ec3fefd793

SHA1
47824001d6f3d8d307ccfe797222d26a478c9693

SHA256
73f8c39a52943632aeb8af7a42edb06dc94c6bd6bfb37e1b3d7d236d3ffe1cd8

SHA512
fa18d7f41ef76c242f323afec6a13c938130224c49b2154e183849a9d0f8ce8dc233f19d81f6955123f963f7fa3ad7e7f8beafd386d8d1d7086d05492c34b815

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
448KB

MD5
483f006b442e899a2164a84fb9a6ff70

SHA1
f7436ea33defb65f369d017a9ccd6d64f626cdbb

SHA256
432749198411bd7a25736fb2e211ef998425e2028003eeaacae0d65e208211ad

SHA512
104d9b984cf26d65f76e0cbaa52ef43ede6ad9543ef546fff9127b37c5c0730ef97138b74314137b8fcdd4a1fcca51d9b547c7a92dc74679ebdd50828ccc2ac8

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
448KB

MD5
63c5e4aa7fd14f049f2b81c1c23b6204

SHA1
5acc0443b870a33c2e5871156a2be288ce4c7e6e

SHA256
ffa5e6b1b645394f6e3effcc0b5b23979b7c8fe66581aa0627478fa232ee35ef

SHA512
b5ef10787423b9cc94096f3afc3fb587cd4f9fa07d17c173135001cd8398556c05bc3d63d52b1ab4a5dabc6f7531b3c07e272ed5820ca6730c1229e95fa74f11

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
448KB

MD5
b6b10cc63c3ba51646cf180889b5e90f

SHA1
1effe1bfa660f766ad6194e7ee1f13825361697d

SHA256
f6533a2bf47de7d25df89842dc9c81f1a5de6167285b9b2e57c2e56d53b0eefa

SHA512
0c02dfb5d439b0fc8d036f257b804cf755be7e28f38be7b06afbf142e85d84140f9089d38926a21576ddd685f8f0ba369dd5a5996a9d281053df45548277964d

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
448KB

MD5
e8befb31552fcd9252a7c79c76a8a1e2

SHA1
b2b31a5f6fe8bf24f779450cc8d814608a005886

SHA256
7139b552fbf53c21843d8a3172b1dfa6542e779aeb43ed0eadaf908a1d3869da

SHA512
c31ba1b4dc1b420e54d92fb5287b2cd23607338128068a5e20144e323fa54a5b0f7f08f7079a74062eb3b7b765bb926db5f9faae824206a5352ec8a49947768f

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
448KB

MD5
8f6b044fb9f5339531b81c15173bcfa0

SHA1
9933c2b442b5797f5ac3073196f6a69863608aa1

SHA256
c2a2d89c4648ca5b9d9cbe91206a3d16cec1d222a9a6eb0cd7fd97c4ea7dd81e

SHA512
104f70c5f5891483bd03c7385d7156d7fb176ee2b2cbddc069ac89f640a1ed2a25420c2e71de989fea17e069e09b2a382235d979f851b5b06f9b242721f07df8

Download Submit
memory/60-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/116-578-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/540-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/620-465-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/624-468-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/664-492-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/668-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/752-512-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/804-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1012-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1088-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1160-475-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1224-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1292-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1304-500-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1392-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1396-503-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1432-516-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1448-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1472-495-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1520-501-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1632-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1636-483-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1704-517-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1720-477-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1756-471-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1772-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1856-474-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1896-497-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1908-582-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1920-480-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2072-486-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2220-521-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2292-499-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2304-507-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2336-574-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2344-461-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2348-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2420-494-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2464-469-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-493-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2476-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2484-498-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2496-513-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2540-487-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2792-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2924-509-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3212-576-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3296-510-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3300-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3340-515-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3432-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3480-519-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3516-590-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3604-467-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3652-518-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3932-68-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3972-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4012-488-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4044-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4196-505-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4292-511-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4324-485-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4332-491-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4336-470-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4416-84-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4420-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4456-462-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4476-504-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4508-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4564-463-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4628-481-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4680-581-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4684-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4776-577-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4784-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4796-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4832-482-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4864-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4904-570-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4968-464-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4992-489-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5096-506-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5104-476-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5136-583-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5176-588-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5224-591-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5292-592-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5356-598-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5396-604-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5436-614-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5476-620-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5524-622-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5568-633-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5608-634-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads