0f1093f97880e91086014e430586e5e042cc61d3cfdb07cd193cd996cc0e7840

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe
Size

640KB
MD5

0f050a7be38cf33aaaf2ac1283d945c0
SHA1

f2d08da0bdd86d16af07c8535b7d4efebf595f8d
SHA256

0f1093f97880e91086014e430586e5e042cc61d3cfdb07cd193cd996cc0e7840
SHA512

12a6bf47f920780caed91e1cb4a9c6abd8f7d0adc9abb0cb112f0233c822ba7ab7f3d650941b7e51a3733084fa293ff3ce40f59b55b209333891ce2c84610b30
SSDEEP

12288:BdXHaINIVIIVy2oIvPKiK13fS2hEYM9RIPk:BdXHfNIVIIVy2jU13fS2hEYM9RIPk

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe

Malware Dropper & Backdoor - Berbew 38 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000b0000000232f0-7.dat	family_berbew
behavioral2/files/0x0007000000023421-15.dat	family_berbew
behavioral2/files/0x0007000000023423-23.dat	family_berbew
behavioral2/files/0x0007000000023425-32.dat	family_berbew
behavioral2/files/0x0007000000023427-39.dat	family_berbew
behavioral2/files/0x0007000000023429-47.dat	family_berbew
behavioral2/files/0x000700000002342b-55.dat	family_berbew
behavioral2/files/0x000700000002342d-63.dat	family_berbew
behavioral2/files/0x000700000002342f-72.dat	family_berbew
behavioral2/files/0x0007000000023431-79.dat	family_berbew
behavioral2/files/0x0007000000023433-87.dat	family_berbew
behavioral2/files/0x0007000000023435-95.dat	family_berbew
behavioral2/files/0x0007000000023436-103.dat	family_berbew
behavioral2/files/0x0007000000023438-111.dat	family_berbew
behavioral2/files/0x000700000002343a-119.dat	family_berbew
behavioral2/files/0x000700000002343c-127.dat	family_berbew
behavioral2/files/0x000700000002343e-136.dat	family_berbew
behavioral2/files/0x0007000000023440-143.dat	family_berbew
behavioral2/files/0x0007000000023443-146.dat	family_berbew
behavioral2/files/0x0007000000023445-159.dat	family_berbew
behavioral2/files/0x0007000000023447-167.dat	family_berbew
behavioral2/files/0x0007000000023449-176.dat	family_berbew
behavioral2/files/0x000700000002344b-183.dat	family_berbew
behavioral2/files/0x000a000000023385-192.dat	family_berbew
behavioral2/files/0x000700000002344e-199.dat	family_berbew
behavioral2/files/0x00030000000229cb-207.dat	family_berbew
behavioral2/files/0x0007000000023455-231.dat	family_berbew
behavioral2/files/0x000700000002345b-254.dat	family_berbew
behavioral2/files/0x0007000000023459-248.dat	family_berbew
behavioral2/files/0x0007000000023457-239.dat	family_berbew
behavioral2/files/0x0007000000023453-223.dat	family_berbew
behavioral2/files/0x0007000000023451-216.dat	family_berbew
behavioral2/files/0x000700000002348c-402.dat	family_berbew
behavioral2/files/0x00070000000234a3-468.dat	family_berbew
behavioral2/files/0x00070000000234aa-492.dat	family_berbew
behavioral2/files/0x00070000000234b5-528.dat	family_berbew
behavioral2/files/0x00070000000234c3-570.dat	family_berbew
behavioral2/files/0x00070000000234e6-678.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
4832	Fbioei32.exe
1852	Fcikolnh.exe
2996	Fbnhphbp.exe
4844	Fmclmabe.exe
60	Fobiilai.exe
3448	Fflaff32.exe
2536	Gqdbiofi.exe
4820	Giofnacd.exe
3504	Goiojk32.exe
4140	Gqikdn32.exe
4020	Gjapmdid.exe
3772	Gjclbc32.exe
1096	Hclakimb.exe
5060	Hmdedo32.exe
2776	Hjhfnccl.exe
1404	Habnjm32.exe
1000	Hcqjfh32.exe
4216	Hpgkkioa.exe
4864	Hmklen32.exe
4516	Hbhdmd32.exe
920	Ibjqcd32.exe
3008	Ijaida32.exe
4300	Ipnalhii.exe
2724	Ibmmhdhm.exe
5032	Iannfk32.exe
2384	Ijfboafl.exe
1488	Imdnklfp.exe
4288	Idofhfmm.exe
2672	Ibagcc32.exe
1120	Iabgaklg.exe
3460	Ibccic32.exe
2564	Ifopiajn.exe
3596	Iinlemia.exe
4496	Imihfl32.exe
1312	Jpgdbg32.exe
4744	Jfaloa32.exe
4152	Jiphkm32.exe
1548	Jagqlj32.exe
732	Jdemhe32.exe
3260	Jfdida32.exe
2908	Jjpeepnb.exe
2680	Jmnaakne.exe
3200	Jaimbj32.exe
3684	Jdhine32.exe
4944	Jfffjqdf.exe
2472	Jidbflcj.exe
4504	Jpaghf32.exe
2420	Jkfkfohj.exe
3560	Kaqcbi32.exe
4652	Kdopod32.exe
2096	Kgmlkp32.exe
228	Kmgdgjek.exe
3696	Kpepcedo.exe
4352	Kkkdan32.exe
4808	Kmjqmi32.exe
4656	Kdcijcke.exe
4424	Kknafn32.exe
2052	Kmlnbi32.exe
1056	Kdffocib.exe
3028	Kgdbkohf.exe
2488	Kmnjhioc.exe
4088	Kdhbec32.exe
760	Kkbkamnl.exe
3208	Lmqgnhmp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Goiojk32.exe	Giofnacd.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Hifqbnpb.dll	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Goiojk32.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Fbioei32.exe	0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Gqdbiofi.exe	Fflaff32.exe
File created	C:\Windows\SysWOW64\Qbplof32.dll	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Gqdbiofi.exe	Fflaff32.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mciobn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5136	5988	WerFault.exe	190

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hihjpn32.dll"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 4832	644	0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe	83
PID 644 wrote to memory of 4832	644	0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe	83
PID 644 wrote to memory of 4832	644	0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe	83
PID 4832 wrote to memory of 1852	4832	Fbioei32.exe	84
PID 4832 wrote to memory of 1852	4832	Fbioei32.exe	84
PID 4832 wrote to memory of 1852	4832	Fbioei32.exe	84
PID 1852 wrote to memory of 2996	1852	Fcikolnh.exe	85
PID 1852 wrote to memory of 2996	1852	Fcikolnh.exe	85
PID 1852 wrote to memory of 2996	1852	Fcikolnh.exe	85
PID 2996 wrote to memory of 4844	2996	Fbnhphbp.exe	86
PID 2996 wrote to memory of 4844	2996	Fbnhphbp.exe	86
PID 2996 wrote to memory of 4844	2996	Fbnhphbp.exe	86
PID 4844 wrote to memory of 60	4844	Fmclmabe.exe	87
PID 4844 wrote to memory of 60	4844	Fmclmabe.exe	87
PID 4844 wrote to memory of 60	4844	Fmclmabe.exe	87
PID 60 wrote to memory of 3448	60	Fobiilai.exe	88
PID 60 wrote to memory of 3448	60	Fobiilai.exe	88
PID 60 wrote to memory of 3448	60	Fobiilai.exe	88
PID 3448 wrote to memory of 2536	3448	Fflaff32.exe	90
PID 3448 wrote to memory of 2536	3448	Fflaff32.exe	90
PID 3448 wrote to memory of 2536	3448	Fflaff32.exe	90
PID 2536 wrote to memory of 4820	2536	Gqdbiofi.exe	92
PID 2536 wrote to memory of 4820	2536	Gqdbiofi.exe	92
PID 2536 wrote to memory of 4820	2536	Gqdbiofi.exe	92
PID 4820 wrote to memory of 3504	4820	Giofnacd.exe	93
PID 4820 wrote to memory of 3504	4820	Giofnacd.exe	93
PID 4820 wrote to memory of 3504	4820	Giofnacd.exe	93
PID 3504 wrote to memory of 4140	3504	Goiojk32.exe	94
PID 3504 wrote to memory of 4140	3504	Goiojk32.exe	94
PID 3504 wrote to memory of 4140	3504	Goiojk32.exe	94
PID 4140 wrote to memory of 4020	4140	Gqikdn32.exe	96
PID 4140 wrote to memory of 4020	4140	Gqikdn32.exe	96
PID 4140 wrote to memory of 4020	4140	Gqikdn32.exe	96
PID 4020 wrote to memory of 3772	4020	Gjapmdid.exe	97
PID 4020 wrote to memory of 3772	4020	Gjapmdid.exe	97
PID 4020 wrote to memory of 3772	4020	Gjapmdid.exe	97
PID 3772 wrote to memory of 1096	3772	Gjclbc32.exe	98
PID 3772 wrote to memory of 1096	3772	Gjclbc32.exe	98
PID 3772 wrote to memory of 1096	3772	Gjclbc32.exe	98
PID 1096 wrote to memory of 5060	1096	Hclakimb.exe	99
PID 1096 wrote to memory of 5060	1096	Hclakimb.exe	99
PID 1096 wrote to memory of 5060	1096	Hclakimb.exe	99
PID 5060 wrote to memory of 2776	5060	Hmdedo32.exe	100
PID 5060 wrote to memory of 2776	5060	Hmdedo32.exe	100
PID 5060 wrote to memory of 2776	5060	Hmdedo32.exe	100
PID 2776 wrote to memory of 1404	2776	Hjhfnccl.exe	101
PID 2776 wrote to memory of 1404	2776	Hjhfnccl.exe	101
PID 2776 wrote to memory of 1404	2776	Hjhfnccl.exe	101
PID 1404 wrote to memory of 1000	1404	Habnjm32.exe	102
PID 1404 wrote to memory of 1000	1404	Habnjm32.exe	102
PID 1404 wrote to memory of 1000	1404	Habnjm32.exe	102
PID 1000 wrote to memory of 4216	1000	Hcqjfh32.exe	103
PID 1000 wrote to memory of 4216	1000	Hcqjfh32.exe	103
PID 1000 wrote to memory of 4216	1000	Hcqjfh32.exe	103
PID 4216 wrote to memory of 4864	4216	Hpgkkioa.exe	104
PID 4216 wrote to memory of 4864	4216	Hpgkkioa.exe	104
PID 4216 wrote to memory of 4864	4216	Hpgkkioa.exe	104
PID 4864 wrote to memory of 4516	4864	Hmklen32.exe	105
PID 4864 wrote to memory of 4516	4864	Hmklen32.exe	105
PID 4864 wrote to memory of 4516	4864	Hmklen32.exe	105
PID 4516 wrote to memory of 920	4516	Hbhdmd32.exe	106
PID 4516 wrote to memory of 920	4516	Hbhdmd32.exe	106
PID 4516 wrote to memory of 920	4516	Hbhdmd32.exe	106
PID 920 wrote to memory of 3008	920	Ibjqcd32.exe	107

C:\Users\Admin\AppData\Local\Temp\0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0f050a7be38cf33aaaf2ac1283d945c0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\SysWOW64\Fbioei32.exe
  C:\Windows\system32\Fbioei32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\SysWOW64\Fcikolnh.exe
    C:\Windows\system32\Fcikolnh.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\SysWOW64\Fbnhphbp.exe
      C:\Windows\system32\Fbnhphbp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4844
      - C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        26⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        27⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4152
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        41⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3200
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3684
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        70⤵
        
        PID:220
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        73⤵
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2200
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        75⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1048
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        81⤵
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1976
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        83⤵
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        86⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        90⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        92⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        100⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        103⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 408
        104⤵
        Program crash
        
        PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5988 -ip 5988
1⤵
PID:6076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbioei32.exe

Filesize
640KB

MD5
3ebc1c0a58205ce1dee212f4d50f821c

SHA1
f130de742492e0eda43495ed1d05c95bc7bb531c

SHA256
bc7d568e46017cfcfcc65d26f0dfedccfeca956810e5406a94bc5f983da91026

SHA512
cae8dedad73f7e8b6de0e2605a0ab365feb28ae4c352dcf3938453774e09ec80bebad076440a64dd2c135cc44a0be4d641b0931519eb3abe9b7229b2b5f8f433

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
640KB

MD5
5610f6a20cb0118de8165581310843bf

SHA1
f0972b53b1a66eae50579f1d4b6552b294b981d1

SHA256
032e5a2d26873d7c16e7f27898b696505194f1574471c9497c19226cf90833cb

SHA512
31514e0756ac49870defc171c2b023df2cde7065b91147dd8c9c6f96a25fbe65a9f8e0098084118c392194bf35379f1d181fef800c08684f368d1e0876b2ced3

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
640KB

MD5
e140e2288f27e22c2e22087163f9d805

SHA1
80e77a6891a56a8d602c0404ab7bee64c900f80e

SHA256
a1655808f7eb42d8a94f8d0202388fc6d032b46a56b3175f82dd69866ec8aba2

SHA512
e9031bb6844080030b98ef85978bb31694fca2dc5fafffaba0652515a8695baa69e3a4e331dd445e6577dab7f338c71819b3c43e36db835bfb3ef0858b3b0c9f

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
640KB

MD5
fd283fbb9bad50619b78df7659f05199

SHA1
6416f1090bf1f6f37a5cb8a70b64369d39a67623

SHA256
ccbe175507f482cac5a6b5f215813e98addc11377be5e9e8eadbad3affe51485

SHA512
e293c336a06c2b0857598394ba4cf1d8ffb5fc70328b19c89b90973fdeda88487938d0c67fbb0bd98240e33ff8139982f4f141bde1ed2f1d9a315973f0a52b59

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
640KB

MD5
9eb5a9dbd57fe057c9dbf613764d9627

SHA1
e28d2eb81c076555e3a716ab62af801953781055

SHA256
8e6212ae3b43fa126c490900b9f4bb9729a98b4b1045d1ddd2f23832aae86bf0

SHA512
cbbb40969e0777a2e23a0d4a16049cd0fd64b68911adfc579bb8fa94f15ec7cf938f90bc2ac187ea699b2fb8fdb0afae4d27b59141fa513f647cccbf6ba90046

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
640KB

MD5
9b4fd7a4607a73fff06543b334804565

SHA1
ab408f84c09ebca4e1e4b211ab6173d2653990af

SHA256
dd4e4308ddda8e074808b7bd96564f6f39960b48d034b364307b778d8b26b9e8

SHA512
d0abd52095ce0053327ff2e872fff36a2695d4de51acb9b19f4789f3c23811a6dafbf718539446854ce3af11101f1b008f9ecd08fd7a420680723929b31ee85c

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
640KB

MD5
8979d5115e592b283413a15c6260e9f9

SHA1
bef21433496f430d0a418e3abf73c058b4bfc42a

SHA256
99df558b127ad8cd492c65e41b4541dc7979a7ce360df3c1023a7010d0e26499

SHA512
f41ae2cd377d2a577630f950225079991745af37db7948f3f7874bb627111f5365f12a4e8fa91e16e05cff623a095e0ad2bc99aeed84d2781472f55c4e7fd38f

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
640KB

MD5
532acfd5f0b84dbbf3f58b797950d52c

SHA1
77a3d19580d8ff979f732a89656a04b909144b24

SHA256
c6c05d8075e3df4c9978bbeed3b75138efe7fd5785f8daea1b532d37398e2e1d

SHA512
7ca4ed77a6838253dac265b6b500516e298337255d0a3e08c20fb26f2cb045e496e4d13e36f5bf1d36273f584a634bd9f7fbb1640596e4e48ce580e8f5adb91d

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
640KB

MD5
929544f068f6670757c609bea045ac31

SHA1
02f08ea30dee80f2d5844469241bf96c834569df

SHA256
75cbd4037dc149f62d7f67d771530bc2102b7cfef7047466d0b321d8ab9bafb3

SHA512
75dd219c3eef1baaecefb02bffe8a1cb4dcdf08eea531dd27b17d662f6a26d602028d19ebb0c4b9e259b798f052563fbb3adcea6ef034aeb65cfcace15bf3934

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
640KB

MD5
f245407f41db5d396ac7d53cd955a136

SHA1
e4c255ec67bd73884d2ab669d9fa70fdf72c0688

SHA256
fab76231e6c6bb3c842bfe7f7fda86e558124829699966ebda85f3324a26ab11

SHA512
5a73da484f078ba29515bbfc23cdc3025736ceab2e462ca858536deddac51d53784d88fbe7a07caa532dafd1efcdc2c367d363a890d8c6019675f2f7b52c1f59

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
640KB

MD5
dba0537149e2c476352193f6a91e44d6

SHA1
2fc10f0376b35c76d8d4f49f9b83c6f604d652e6

SHA256
905047ccf5c8f3002ee95e122708ff11f71c814128d8c1702be31427a9c7a4e6

SHA512
00699ad737b48e12f5d47041233458e296f146f2995dc4ead212b701dc6b6a667d2d9082c67d1929d8d663d93f140508a75ecd5181aff494c790b98645fe8243

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
640KB

MD5
dc08b845778ee73c78c4d6077400432e

SHA1
7271b818e3acdccd9451001bb13c93fc4173f6dd

SHA256
d2e7c635d1c223d53a53f14badf27d37b521e8784e5946ade9e66fe381a77444

SHA512
657fcc62a72b6530823d3b3caa6697ab08f045f01807843644b17f2c9f9ad8b5bf21a4921b1bac04a92291a1a1839890c3c487090d852df9f68079f53a46ebb8

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
640KB

MD5
f3ccb3f81f00d6c7405184618f73f638

SHA1
f9e5b515d90fad0435bde45ed3c8385cb4a14d38

SHA256
aec6e4a9a70396c2acd7c786d3dc09b0d7606b72f12985f27059e723d6862b1e

SHA512
a321cf56e99a6d5356cd2bf9db0903e1d6be5c3eef6eb8f23df8524d462faf980bf069102babb8867d07f4e401751ad17733e56f255553a521c941b346bc4ce5

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
640KB

MD5
7311c5f74a598d9b481ec34ee6e3f69c

SHA1
2cb18ffec6eadf0c482ebd358265992fd3c3725a

SHA256
82d239433fcede1a8402838f3f01de9805f579d494a6025c3c06d1983f077027

SHA512
40763d70fc4f523306186e78d1c47f0ac32396e6626d68ffe7c31bd4a65ff7dddea7ee8af39ba9e30c27a5eea4440bc37129ebca239fee02ecb354d4fba493dd

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
640KB

MD5
084e3e280d5ad95e3c64ec07ea4088ed

SHA1
15283579afa3f7a9c8585d0e91ce94b25f809e63

SHA256
b155be9ab8ba408e48ed704c900a23ac732004c9044724ab0e4351d5ae97aad2

SHA512
141c3bf5b7f34be717e02d57c8a419d63bf2370e402007f5b93445bdab79b40015fdd9558171c7f0173a78d553d423b7e0e5592c4cc618a6386569d2f590a549

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
640KB

MD5
234227eed4abd24e4bbf6df24a616688

SHA1
39d47aef18e7f95b44c384f2f5c8277f5c526200

SHA256
1b8f2dc16e650d95cb1589f35fffb5a89e92b6adc09347b3fd9c9dd7006a6715

SHA512
e6d9804ef9470d0cfc4509facf57c81bd6c4cfd270526f453fefd7308ccdf892ce6fe79a902e59d4c22bbf0dc0ab9960c7a1e25f9cd9f0853ea33d45f83b3738

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
640KB

MD5
ff06b3f22e482e91380575679d4f0564

SHA1
5ee4087cc6016ac4ac72a09831736a28e5f78cb3

SHA256
92c11979d92fffe6706dce25c3431755651a60ccc991cd2be96cebad7217be6c

SHA512
47c476d6eaa463dbeefb5552158e1a38bddfb70269e8b5dbc89d46ab03b6643abd5597cec5330d112925e448f7792beaabccca8e5115dfa9b8bee55e7d557970

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
640KB

MD5
c12b2dc12c6db44d59c3dfe75f7244f0

SHA1
9009b1f549de15b7d196692644f76f433753f3cd

SHA256
d1c9364ead1540fcb86b54345c52d272badf9a8faf6ea68bc381894520c0a34d

SHA512
06abff55cf97c15e9a81e295041b48160c7f7ee2ec5edd131b6dae102efccb6d55cc11ea218b61bfeeef863df6506f1ad04d3a06725d9f4232987be4d4d87049

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
640KB

MD5
3c30f71254c56e2c2e7e25fab79b2de0

SHA1
fd2679dc054321662e977044f299a6559a668d36

SHA256
ee5c8a50cb1702db9c05aa02c838b19049d086d1ef5b40206f7a6ba71ef53824

SHA512
4483b2edeecc552efb6210567b85725b8414e2ae89d496802169f2f8745046f0a43efd7272b5e6051cc98b51b4d932e2e8d703104db49460216b15bc2329a059

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
640KB

MD5
372c0edf05eb771499183243164111da

SHA1
a283942d78df72523445ee8678fd59e18ecf9675

SHA256
b5686b8eb05d5e34c7e2f20f1cb2f5d7b4a67e0a069cbed8e4c78bb374f39dd8

SHA512
6837d8374883d4ab706eeb9adb3fc7361417d00a99a9f06dac92b965da460cc61d39e9797fd5f32a4c87bbbd1cc3adb7c19175cde3bbaf052394af01a54535b3

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
640KB

MD5
695be60c18700a2d89f448e2f2a96864

SHA1
00162ae74a7ee95f05ddc042421ab9d946c27611

SHA256
29dc3d4aed3f0fafdd69017e968a7da06747f23cde404935112f1b698bc1219b

SHA512
671182cbd2496433e935b52b729bab9c273ea258bb7834404a50a3f427e3808594fb9d9a843e45851eb0f02806406faa6cf72c2dacfdf30df80808ce8b1a33af

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
640KB

MD5
1d7034aae3d4194bbaeb63cb1b5aa05e

SHA1
6d719254b65e47da8ec71b3e83dd3472ef64bb86

SHA256
a436400ad3dd1948fcc8b39a292e2cfa45c856067bf6f5603ef245491968c6b4

SHA512
c5d2b384a5ecd4d2646d16b7416952a48535443008105a63c47ecbeaf764c7dcd86f2d2a03891ced7775c5d0276a951ebdfead45d5677f65a107d11a37f0e39f

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
640KB

MD5
e6639a3d5dddacff6ca6d1a69370624c

SHA1
7f3b91db4e0a22acc35ce7c8546d78d2d57affca

SHA256
90311f040e8441bbb4e88cbdc4837d8620fff745734e335c8e23cc9c2370c7c8

SHA512
5e8636f6974b0187113ea246227fc1fb2bdee2400e54f97f6366d6f37cea05a59696fa6a04fec75a41ecbae439abfcb46103f5c16cbf6fba3c99e08fd338e725

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
640KB

MD5
f338bff961f0e8369c77de356dd01924

SHA1
2cbd35e7d7df4a68b1cca22a01a7656823d4857c

SHA256
dd364613eaad6fed61fc0289033f9aa393fc8fd7d4451264a833f907641b5572

SHA512
03b1ad177b9bd34c101c0aa094cc70487cece6d937c99e4cb2168c54da251c08c4e8c867dec47297f55d904fc653a743950b9eb17696018da9c22a9250ce39e3

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
640KB

MD5
7988e15604e6f46560ce8898f6f432cb

SHA1
7fe265905be3d27a28473fe2436bb8ddaef4feca

SHA256
8adce292cfc667ef64f248e208acf26aef7e79fe868eb4f18871ef95c11bd95f

SHA512
58c3c93ed11c7982d60cd3eabe25c84702ac65759960d75cee18cc4187cf716007badd14a9f3251a3ac952595fbdbcb6abe8a413a80350dd43fd43856c423428

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
640KB

MD5
6e995303009caa35ee0a98103bbb7f3d

SHA1
5fcecf68d6985ffe4e3f1d9de41dc5b92eb2d150

SHA256
1aa7868d4276283d2c45d63bac97800d39a2161246effa19bffb6823c41d657e

SHA512
c22b1d6c7b7c861cc397ef40a73834da024d8dc7d26103817d023a30f2aa00287acfaa8abf60c26083e8a07634aec4cbe8050663eadbbb79ceb245a472c9cbca

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
640KB

MD5
85dbaf5c60e82696baf1d1f6e7d5b9d5

SHA1
28caf88674847541c1877fef8beee780efffcbd9

SHA256
4e00b0f7ecc0fc415a9aae3e59803f4b42d3ec2798b77474289981f602c6bf92

SHA512
818dd58f02596e1c0a808d148427f771f6940941202018d2716f3235341045a4e280653672a411ed04ab8506e75779a28d28a136f050236a33d86dcd857bed24

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
640KB

MD5
8770a558486591225390d8676198a401

SHA1
fe851bb6b55487980de68c95a9f27fa6ecc728d8

SHA256
b035e52e2c9e0cffe1b3c29dd90f2abb7906d76a0364e84fd97159a823e4ddcd

SHA512
0a8ec144cb4c69cdc3ace9246c204e26ae1071a5c5653856dc7f48ce1ca35edcfb873697e3ee34aaf6d9c03fca898c16ead9fa6801bfbfeb61ff5dd33c87e522

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
640KB

MD5
2483de591b67110560d0f0219b6b6d03

SHA1
093d1b55d7cc4b5680aa0d81c4e85d5390b76455

SHA256
ceb18628708a9085b80de54dbfc741b699d76061f710e91862fc8080b1fa1cc7

SHA512
330a49af5c2af3114930a02081f1b6e1e0915ec8ab833e84e67df24161815e0f1c4b4b12cd739b54062dd17a6b73daf45873d3b4631483a58c301bc5a710e92d

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
640KB

MD5
7f827092090f2d10aeaecdb5da7d016e

SHA1
3e8b35449f870172f8734852f4301cbaa4c8e284

SHA256
9b9d8f1e92bd1c4b172ca6705b41e1265a4da3271e52bc32d118c7983019e615

SHA512
6bea661cd0a51626cc23e15800d973ba5fe7e3ccf2f9c140fa62003c48e026dd815d9911c7919c7b5d4be73265d742c938faba0da527fe41286795c65e98083f

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
640KB

MD5
aaef3827c65e0bdabf4219acb4b860cd

SHA1
5feb2959b03ab11aa297dce81ba32aa907e7d3c7

SHA256
c8fccfbb996d8552a9c452883637d80069652f03f47eb3aec7e5c0596b46efdb

SHA512
ad5779f81ff722b0e83ce51c4f2d505582e40e2c31338f855dd3fb82a5662bfe8ab4fc284ccd6ae8b575e91deb233c37c0dad866a3691eef3ffd676987c245cf

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
640KB

MD5
a04fd769de3be18603065420f339d8a4

SHA1
f89adb293ab44b716adba33f9bd5a6cb3f14e313

SHA256
3c455236bb143d5baf9d7709b930bd73660c3420917d5b57f4932f82431147ae

SHA512
cb9ce81e75e194334eef8eae793e8500f201eeca00ad102b2098789ba32c67adf496a143d648914fe934a947012513ba96fadfd4390a7e645aa22856376f049a

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
640KB

MD5
15c053ff7b9a8ad8a261e4c6f261df20

SHA1
4d6cf54d540d909a7dc362e79c8710b92fc0e9f9

SHA256
6c72d14f343fdeca08a13e4c79a3bfcf5b607838fea6679c95a9f861e3eee098

SHA512
8842945cd9ee96ce49e1e1052744971c36fbdc59f40040c4e661cacb663c207a82c9060974845df173bc768ef7b7cb29036b1bf57798cc865b772e7803d0f85c

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
640KB

MD5
c7a4b290f270f050cae2275f94cabcba

SHA1
24a8235e6612fda604e37c191f37c2c9f301f3b9

SHA256
8ccc55c10774beecf80352f98baf1e28077daf25714bac72e098daa1906b7e32

SHA512
9b5547c0412dd23084cadf8595e3670f62d4b928517e802c7133a4834145dcc207de3cd15926faad2408b2790df6fb6bdefc5a96fdd5166b45f28c759634bad7

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
640KB

MD5
56f236557cebcd228ac255d9ab130a21

SHA1
79d27dff2b47296155a92bc05a1992f24cd4fddf

SHA256
e34c318794599fcf7f63303a58a2e80f0f54221cfaa3a73e29d63ecaf01b5932

SHA512
92e7af1ef2c4c71a1c2c2a8b16e626c4fdf3e8801feb05fc09fd9f84c3e5808fa29cc32db83ff68c3c4b151eb4996c86fa4eb20788bef82df04c7d599d47c9dc

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
640KB

MD5
bbe4f56c453ac7929b2a3fa8b678c6a5

SHA1
9f47b636eb5e909623350e9f09d11e584cba576c

SHA256
64255cd0173ab9d54e4f7a178a18006cb8acf6b22d2d35d09f54fdac986e4e69

SHA512
165428d30c9dd7e7f8d6f5a8bac5fe7800fb9d2e2d50fdc298282afd2d40eab38894090e7ea4b3a04b9f98bcba7cb1f68e15c4fd20a6605de60116729d3db573

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
640KB

MD5
72c71f02885299098ee86f525da18ffd

SHA1
bae03142a01fecdd65e309ab1439787cf9e0dabf

SHA256
aa5eadb34d4f37c3a9274d72545064c5e79eae98635e59e0b1470ec210876319

SHA512
b93fc9984b100be448bbddc00a116ff4ef8fa015c23efa409d79bce3c78981ff04a7073b91d5ff0ed78b4c1629012b2b56260e74e084b74bd08042577dd6d765

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
640KB

MD5
efba1e11fd5c0f793b20cd18b4047474

SHA1
d4718cd950c15abd664c25e298444d49d1e87576

SHA256
6bc3489e6206a2c0f6a91234b9d6d5e1ddbe9c29588fed16d1da06efce52c855

SHA512
ddccd2ad47d786accf1ee76d6690d63d9843817aef2ce6a762f0b30402b91adc4a7d019f2e77445c1e77319fafcedf3aa58ded1b521c703082f5339b12edd213

Download Submit
memory/60-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/220-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/228-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/644-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/644-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/732-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/760-448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/920-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1000-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1048-543-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1096-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1104-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1120-246-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-324-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1356-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1404-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-229-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1548-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1796-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-537-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1852-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1976-551-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2052-415-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2096-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2136-549-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2200-507-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2292-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2384-214-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2420-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2472-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2488-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2536-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2564-321-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2672-244-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2680-331-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2708-489-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2724-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2776-125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2996-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3008-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3028-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3092-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3200-332-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3208-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3260-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3448-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3460-320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3504-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3560-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3596-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3640-477-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3684-333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3696-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3728-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3744-525-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3772-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4020-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4040-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4088-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4140-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4152-326-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4216-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4288-230-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4300-190-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4352-393-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4424-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4496-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4504-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4516-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4628-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4652-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4656-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4744-325-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4808-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4820-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4844-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4864-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4872-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4944-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5032-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5060-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5148-569-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5196-579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5240-585-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5284-591-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5328-597-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5376-603-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5416-608-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5456-615-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5496-617-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5536-627-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5572-629-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads