80b9c2341b81665091bd022e7dff825ff283ce29dd4822f9bea7b2b9d0d396ce

Analysis

max time kernel
145s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9ba68d9a74033a86de75bbd39a63940_NeikiAnalytics.exe
Size

299KB
MD5

e9ba68d9a74033a86de75bbd39a63940
SHA1

21de351952d292ea20c7abd1af82b9fbb580db81
SHA256

80b9c2341b81665091bd022e7dff825ff283ce29dd4822f9bea7b2b9d0d396ce
SHA512

29bf3d6ea3264cea5c8e0c0a36cb4ed3f1cbfd2b40f2c0fbd4c6459a3dee1dcb4010fb7b3c99aa8a4b34aa53f8d084d7375bba78d96554ae0f7a01dab576f31c
SSDEEP

6144:MdyetoEmilz6JrwEdGTBki5CYtI8TAokZ2EA:MdhLEdW3ztI8TpEA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe

Executes dropped EXE 64 IoCs

pid	Process
1996	Giofnacd.exe
1948	Goiojk32.exe
3820	Giacca32.exe
3484	Gqikdn32.exe
1012	Gcggpj32.exe
3964	Gfedle32.exe
2848	Gidphq32.exe
4084	Gmoliohh.exe
2272	Gpnhekgl.exe
916	Gcidfi32.exe
3520	Gfhqbe32.exe
4644	Gjclbc32.exe
2856	Gmaioo32.exe
4704	Gppekj32.exe
4724	Hclakimb.exe
1392	Hjfihc32.exe
3584	Hapaemll.exe
3824	Hcnnaikp.exe
4788	Hfljmdjc.exe
4536	Hikfip32.exe
4064	Habnjm32.exe
1556	Hcqjfh32.exe
4784	Hfofbd32.exe
4048	Hjjbcbqj.exe
4680	Himcoo32.exe
3656	Hadkpm32.exe
3716	Hccglh32.exe
2444	Hbeghene.exe
1272	Hjmoibog.exe
1524	Hmklen32.exe
3644	Haggelfd.exe
3712	Hcedaheh.exe
3348	Hbhdmd32.exe
4220	Hjolnb32.exe
4468	Hibljoco.exe
3272	Haidklda.exe
2796	Ipldfi32.exe
4500	Ibjqcd32.exe
928	Impepm32.exe
4660	Iakaql32.exe
2496	Ibmmhdhm.exe
3372	Ifhiib32.exe
1900	Iiffen32.exe
3776	Imbaemhc.exe
4340	Ipqnahgf.exe
4416	Icljbg32.exe
5092	Ifjfnb32.exe
4244	Iiibkn32.exe
5060	Imdnklfp.exe
2800	Ipckgh32.exe
2260	Ibagcc32.exe
1944	Ijhodq32.exe
912	Iikopmkd.exe
1200	Iabgaklg.exe
1728	Ipegmg32.exe
3300	Ijkljp32.exe
1888	Imihfl32.exe
4956	Jmkdlkph.exe
3984	Jpjqhgol.exe
1924	Jbhmdbnp.exe
664	Jjpeepnb.exe
2348	Jibeql32.exe
1396	Jaimbj32.exe
760	Jdhine32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dadofijl.dll	Giofnacd.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Habnjm32.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Qbplof32.dll	Gfhqbe32.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Giacca32.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Klebid32.dll	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Gcggpj32.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Giofnacd.exe	e9ba68d9a74033a86de75bbd39a63940_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Gppekj32.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Hjfihc32.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Gfedle32.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Himcoo32.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Ipqnahgf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5328	5160	WerFault.exe	207

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Giacca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphlemjl.dll"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbocjjm.dll"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	e9ba68d9a74033a86de75bbd39a63940_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifqbnpb.dll"	e9ba68d9a74033a86de75bbd39a63940_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 1996	4992	e9ba68d9a74033a86de75bbd39a63940_NeikiAnalytics.exe	83
PID 4992 wrote to memory of 1996	4992	e9ba68d9a74033a86de75bbd39a63940_NeikiAnalytics.exe	83
PID 4992 wrote to memory of 1996	4992	e9ba68d9a74033a86de75bbd39a63940_NeikiAnalytics.exe	83
PID 1996 wrote to memory of 1948	1996	Giofnacd.exe	84
PID 1996 wrote to memory of 1948	1996	Giofnacd.exe	84
PID 1996 wrote to memory of 1948	1996	Giofnacd.exe	84
PID 1948 wrote to memory of 3820	1948	Goiojk32.exe	85
PID 1948 wrote to memory of 3820	1948	Goiojk32.exe	85
PID 1948 wrote to memory of 3820	1948	Goiojk32.exe	85
PID 3820 wrote to memory of 3484	3820	Giacca32.exe	86
PID 3820 wrote to memory of 3484	3820	Giacca32.exe	86
PID 3820 wrote to memory of 3484	3820	Giacca32.exe	86
PID 3484 wrote to memory of 1012	3484	Gqikdn32.exe	87
PID 3484 wrote to memory of 1012	3484	Gqikdn32.exe	87
PID 3484 wrote to memory of 1012	3484	Gqikdn32.exe	87
PID 1012 wrote to memory of 3964	1012	Gcggpj32.exe	88
PID 1012 wrote to memory of 3964	1012	Gcggpj32.exe	88
PID 1012 wrote to memory of 3964	1012	Gcggpj32.exe	88
PID 3964 wrote to memory of 2848	3964	Gfedle32.exe	89
PID 3964 wrote to memory of 2848	3964	Gfedle32.exe	89
PID 3964 wrote to memory of 2848	3964	Gfedle32.exe	89
PID 2848 wrote to memory of 4084	2848	Gidphq32.exe	90
PID 2848 wrote to memory of 4084	2848	Gidphq32.exe	90
PID 2848 wrote to memory of 4084	2848	Gidphq32.exe	90
PID 4084 wrote to memory of 2272	4084	Gmoliohh.exe	91
PID 4084 wrote to memory of 2272	4084	Gmoliohh.exe	91
PID 4084 wrote to memory of 2272	4084	Gmoliohh.exe	91
PID 2272 wrote to memory of 916	2272	Gpnhekgl.exe	92
PID 2272 wrote to memory of 916	2272	Gpnhekgl.exe	92
PID 2272 wrote to memory of 916	2272	Gpnhekgl.exe	92
PID 916 wrote to memory of 3520	916	Gcidfi32.exe	93
PID 916 wrote to memory of 3520	916	Gcidfi32.exe	93
PID 916 wrote to memory of 3520	916	Gcidfi32.exe	93
PID 3520 wrote to memory of 4644	3520	Gfhqbe32.exe	94
PID 3520 wrote to memory of 4644	3520	Gfhqbe32.exe	94
PID 3520 wrote to memory of 4644	3520	Gfhqbe32.exe	94
PID 4644 wrote to memory of 2856	4644	Gjclbc32.exe	95
PID 4644 wrote to memory of 2856	4644	Gjclbc32.exe	95
PID 4644 wrote to memory of 2856	4644	Gjclbc32.exe	95
PID 2856 wrote to memory of 4704	2856	Gmaioo32.exe	96
PID 2856 wrote to memory of 4704	2856	Gmaioo32.exe	96
PID 2856 wrote to memory of 4704	2856	Gmaioo32.exe	96
PID 4704 wrote to memory of 4724	4704	Gppekj32.exe	97
PID 4704 wrote to memory of 4724	4704	Gppekj32.exe	97
PID 4704 wrote to memory of 4724	4704	Gppekj32.exe	97
PID 4724 wrote to memory of 1392	4724	Hclakimb.exe	98
PID 4724 wrote to memory of 1392	4724	Hclakimb.exe	98
PID 4724 wrote to memory of 1392	4724	Hclakimb.exe	98
PID 1392 wrote to memory of 3584	1392	Hjfihc32.exe	99
PID 1392 wrote to memory of 3584	1392	Hjfihc32.exe	99
PID 1392 wrote to memory of 3584	1392	Hjfihc32.exe	99
PID 3584 wrote to memory of 3824	3584	Hapaemll.exe	100
PID 3584 wrote to memory of 3824	3584	Hapaemll.exe	100
PID 3584 wrote to memory of 3824	3584	Hapaemll.exe	100
PID 3824 wrote to memory of 4788	3824	Hcnnaikp.exe	101
PID 3824 wrote to memory of 4788	3824	Hcnnaikp.exe	101
PID 3824 wrote to memory of 4788	3824	Hcnnaikp.exe	101
PID 4788 wrote to memory of 4536	4788	Hfljmdjc.exe	102
PID 4788 wrote to memory of 4536	4788	Hfljmdjc.exe	102
PID 4788 wrote to memory of 4536	4788	Hfljmdjc.exe	102
PID 4536 wrote to memory of 4064	4536	Hikfip32.exe	103
PID 4536 wrote to memory of 4064	4536	Hikfip32.exe	103
PID 4536 wrote to memory of 4064	4536	Hikfip32.exe	103
PID 4064 wrote to memory of 1556	4064	Habnjm32.exe	104

C:\Users\Admin\AppData\Local\Temp\e9ba68d9a74033a86de75bbd39a63940_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e9ba68d9a74033a86de75bbd39a63940_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\SysWOW64\Giofnacd.exe
  C:\Windows\system32\Giofnacd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\Goiojk32.exe
    C:\Windows\system32\Goiojk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\SysWOW64\Giacca32.exe
      C:\Windows\system32\Giacca32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3820
    - - C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
      - C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        23⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        28⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1272
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        31⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3712
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        34⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        35⤵
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3272
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        42⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        45⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        59⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:664
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        66⤵
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        67⤵
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        69⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        71⤵
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        74⤵
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4332
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1644
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        78⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        79⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        80⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        82⤵
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4556
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        84⤵
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        85⤵
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        86⤵
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        87⤵
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        89⤵
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        90⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        92⤵
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        94⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        95⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        97⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        99⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        103⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        104⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        105⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        106⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        110⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        111⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        112⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        115⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        118⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        119⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        120⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:452
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        123⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 420
        124⤵
        Program crash
        
        PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5160 -ip 5160
1⤵
PID:5288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Emhmioko.dll

Filesize
7KB

MD5
06a1810a57bcb484e9a55e9c166fa8c0

SHA1
7e12a1adac1b3e9b1c1f32aa073d355ef58f46cb

SHA256
b6f2476369fbda49ea3ece2c4d50b0ecc0422ff32a3393100b47524275b75100

SHA512
424d1fe2406209925cee98f07c764c3d03fbdd7c79baa26680dd2dcaea6134295879ba0f34c3b3e79aa0a0f89d218aa34c45ead8c8fddfb79d81f9737150f677

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
299KB

MD5
28c99e2e3fd1c490e630986a0d20c2be

SHA1
7f634c792001f1b9325aa13ecb1b0c416b6a4e0d

SHA256
748ab0c5d3e1155d4fe55d16d3c7d2d5cf6049b99d229f27985fac8247e9d5a5

SHA512
855559892280009251cc45d3fbaae277c79f07d92135c819a89aa81477f61b8040f4168ddc633d4cee77835d337ea1961b34f611a15fa49a071351be432afc83

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
299KB

MD5
db85e579952118e24c9071807fac94ca

SHA1
778219d5f7f2cfd28132db27308b915557490b11

SHA256
b04ed7b9c12d7dbbbd199300ef6cce0fd28decc04fb72f02526c7bcb5ab14889

SHA512
068ec7830eb2caff11efd8ecf49487973425cbbe29c9a77bd66077caafd8144d02c4f5ab2ff6057859fceaadd13f7c15e4682a0e91bf5e507a3ed73315c82899

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
299KB

MD5
ad78c8fc0024731bc0cb1e4d3efab5d7

SHA1
1015ceb32f1be685ea601d089dac79fe65502456

SHA256
157d18bc241031c2c1c275d5224c6eedc34d4fbc25a647b88f9b78572a3010e8

SHA512
3e82e7e932da7d76f0b4368fadfb874d95f1434a306d81488ee4d0043a6aeb71ed5cb257ae75058888e372c406cf659d4b42f85c7c4933fa5581681835b52ede

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
299KB

MD5
d7d96cb352301219c1d370d4e01f1557

SHA1
18751e0ee5df22090f6be5957bd1189b6662362c

SHA256
a7a2294e06a643ce2bbcd44886ad14c884a095d343a3f82d29f1414d156416a4

SHA512
95cd673c7e3211a94462b1a454297859f2472408bff774a7f2cc00c74cd81e2a997103b5a3c57b95abeb4c7897d9e2784c016f48825ba656e1d60dfec3157e04

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
299KB

MD5
390d97623c582e3d94e373b1deaf5e46

SHA1
809156394fa2a59a4f867dab57093a107ed1e11f

SHA256
75c58f36ec879049aae8eea12d5c61a125ef6dcf27685cc074a0a4c43472a512

SHA512
309441f8dee6af02ed4804d08caed513850225aedcaa2ea1396c99885fda3fdceaa86ac537c5f7698b57f48e9714b767f58da5912192414c976ce58045746d4c

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
299KB

MD5
8a52d0f0a7bbb5e8a474df7e7a6e7b09

SHA1
aa9e6107d86e28ef61e1d02651ed026cd793f0e8

SHA256
2b41b8152119ce3492278968df9c1ed16d29935cb1d718f20abd0501b8068316

SHA512
ad3359b400b26de5ea62ab34d02efc4830830013af7df6fcce9b2f56f4e6b28fee54551f1ed34ea8e9647ec715fec28289906e5cb76735ac0a2f1dd36c61339b

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
299KB

MD5
c416e320254b916f5f74abe3e5d7b43e

SHA1
3c58176847130343d809e329c25167f2b25e22c9

SHA256
72871f30f6a83eb75c3d3f6dec7afdb94ebbb18af7c1a5856d45310e18a73919

SHA512
dfbe6972678192c57eb623a311fe9d6335a1f296c3639918bc05628b90508935c952b5049f5b3c207c8b78097d96e9ba34e4168341c9d7912c4311f212dd1075

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
299KB

MD5
63249631ed2c13511d354988e5380919

SHA1
179fc13f98ea5513020161bf50eed751336dce04

SHA256
e621e37d1d319357f4e8a4a888cf3693a39a3dc763ae549aad37e4247657a048

SHA512
41ef2b6a54e66ce2d69a5caa1804721daa25d54cb2fbec39456ead0669df2cd51b9200b3e1b21536aa09a163d89591d759069b6d612696ccfe2ad435c99eec7f

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
299KB

MD5
0cf0094a884c7f5b096cb990dd814b2c

SHA1
5ed6150ace90e5fe6cf94f598a18e5310ef70727

SHA256
4c77447906c65b541f66ba9aa80f7cbf83b1dd27ec07e1111be0aa3e5b893631

SHA512
8e7573fbd049122b062953e32fa47c14bed5e31ed566db8fa5c2fed08bafd26b38a32675413f59c6ab10898663009ea6610f5d55d7b046b510a2d090a0b876a8

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
299KB

MD5
b31b11a14a47cde391d113d935a225b4

SHA1
4ce50563bc8b13f6b893380f7669d755dcebe6b6

SHA256
ae66b45dfb546e5ae11074da4aee2de35539598902b7d85874b5922f826e5c06

SHA512
c89a51ecc21da8c0e9e72dee88103e7b75b5087f1bf67126e1c63a7beafe2bf9b91f45b0657a725041e73e7d3633a37686aa3882e56da286efa59d8c0f368d6a

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
299KB

MD5
f1776f09866d49aa9ba399c5636d4b41

SHA1
2ed85a500912fd2712b7cc5ead9a237267d1fe60

SHA256
70a4811a6b6836bc3d19d25b1412bb7bd360ee0e88be47b8bad818af3158db16

SHA512
b0393843087747c67cfdf967a4d5abac2fcd21e5bc7948c30831c49fc8d4f433d6a661e11b8129264158aa45965c8a01cf2abe2e0951c38fbe475131a952f7c3

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
299KB

MD5
6f90e1362c5fe89b52dccc0b3e91fed5

SHA1
2995fdca791c6fe4539889820760e58807347a71

SHA256
5f5ebcda94a97bdffc2d9a8a7f8fe7c1ee00c85267291fe17d44de6799a1791c

SHA512
5617bc17a9ef330aa10860f04bd3a9cc5a2d41c4d0afc9387b41c4cee5ed5cedbce52a0d3a7cc94edbddc44f15ef98945ba58178ad2e003a33494de4cc81dfdb

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
299KB

MD5
7e2508810ddc1985fdaed5bb119c93d8

SHA1
7ce475f99e83462ec7a4041e72f5f97488c77e71

SHA256
fcca1e42122d90a72f9b6ceb60e38c824fa31dd3efd954a349d4f655e7f1b246

SHA512
68ec5438e9972358ecfb545f9b99cc471ac7b6a3c8f07a6ae22a9bbf4d4a45023c894303b46dbd99eb9997df1adadadc7a59caba06d55c5a3bd30921c391bc99

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
299KB

MD5
e79eccd3a5a868d2e28ca7e2f243d4d0

SHA1
4064d7b51571b036a389df21b81a0997e7cc8f4c

SHA256
6f5aac95ba46e016d040d9e3a09bb9a5980b32e89c41c40103500d03963ca17c

SHA512
9c729886b9901522689b232bb77da2bbb1115b41539a215959a186b78b78753c8b29a36dfd48b453cd70e8cbfb97c8d5c5504086571cae7c8b3858038168f415

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
299KB

MD5
17184ed6bae5dbf16467a4bad20b80fb

SHA1
4ddd6d2c6e5f957774dad63d9cc5e95071c83e92

SHA256
ba24b11881af57e1dd7a4055632c175cfff147fffa0175157704098c4c1f6386

SHA512
55bbed16b47bdf029be7ba5f29988c9298c9101ff661ec6057ee5f65e7808ef7774fef79db4448890f5afa67cab479aea76a6db54406b1cf3186912f0b20c5bf

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
299KB

MD5
430df041613f8c77aaa25671d5507717

SHA1
a5cdf3449de4ba4494e319449bf9487ce01a5bc9

SHA256
2da922527868fdbf93da97856ba503336d6e629cb7a9bfd0923474929c1f7374

SHA512
ae66e9b97def499f30d7319846b13f5601d85fd75de2c7428d337256fa91f31d86fac43c7fc27d3ab46999357235eaa98e1ba1dcf6bb48d47a01fea1896c2a68

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
299KB

MD5
a3768b7dc5e1fca0af4139ce5e838051

SHA1
88291d43a0e20952e2594460dc60e03459da41f5

SHA256
9c0523d200314a60b99cc35a30893c8edf605edb0eb5dad59e95cd6257c63175

SHA512
a541b1b74acac459f2b2f9940c27dd18f1a1323fe95237d9885fdae760ed3fdf07153d32b9c5fff305dc23ec56e7bf4fea5e68982b97900a2314a85f44f2d99b

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
299KB

MD5
c9a7e3c92c7ad66af35960cd44ed7e60

SHA1
7866245a9085b1cd01461383085064f6ac411b2f

SHA256
f1405fb200111f089351daf17c3503c9fb3824a83c72dd3213808cbd67f224f4

SHA512
78d5cbc6fd237166e1920d842535389f851b24b40b4832562364031a9823f4317411f8832e5ff6e0ce04f5fd2d90038f409db0087630e58df1b7239a9fd5f424

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
299KB

MD5
f677141538845e46083a8f04a9af720e

SHA1
0cf8113f6e25cb474d03841954f2683a44f62115

SHA256
5a11919a171fda24cef6e66220336c165520662d8f356844749f585850c78b4f

SHA512
9b398fce436fa2fb800660760278f3053e9194fd0ee1e076713958e7a6294c7944922bebd7868d4a987229f4cb177f253a738dddadede377c4d493d677c60ad3

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
299KB

MD5
6f970357bc22ca136f949ddea8642740

SHA1
7785f7b57365f184ee9407a1d3c72a8c3fe5dd16

SHA256
3f517dd43860b1af8fdbef884210da758397f523c464fd41dfb35a5b182f5551

SHA512
c70adefc02216a139c3c1f6a4067632c044919c61742b7f0ac62a94b9da70663026db67669d414b24c0977cb0f4a6e8f250171d9ffff343bb99b9adfb85ee4c4

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
299KB

MD5
6d1c17a68dc68938c87b8f64e524714c

SHA1
bcdde4018bf741e3d35bb02444775a4c60439548

SHA256
75d74220ee818abd1934fdd45f3006bb2d578d2c2274a236817830719ffe32d9

SHA512
cbf514f212dc6c77b39cdd86599b0e7383059026759b69d551d734fb4f9a49ac592c34feef4613073d332495e25afe62b24d2b0ee21392a8cc0d6e770c56ebf0

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
299KB

MD5
48aac8159c9d60699b7e2096142d3b1d

SHA1
988f6b06018b2664c5ac4aa5e227ddfa8b98cc9c

SHA256
98d4f05e0938338835303e94fa1c09a17df58f9beb359b57c0c6f30562976c0f

SHA512
8020c27246de47f4ca75f0f1d1cfb3dc85574c918d311fd08fac69120d88b8825928ef7257534d620277d9008d0abc4927834b92d32cdc4b5c66f4e4b9b6f432

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
299KB

MD5
16dc6a5134c395b909a55e463fbd5e3e

SHA1
f312f37e29801b61c9be972de587f8f78b26643e

SHA256
fe01e16e66e18c6f9a22db3dd76429c56ef6b29cc9f264290e3e24729258d472

SHA512
b6e53c98a48adeb38fd8da5b26d2210bf81bd6fcaf6cf68b68b85c2f3847131e76ed655010aea91a79d3ee929053b327bff69c0572bf28bb8056c511d8c62751

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
299KB

MD5
d212f7907911013a824564ef0ec2772f

SHA1
bc36575f0908791fde61ac7d36939e609467c918

SHA256
28300efd9370df55b81a434ee629683d1e70b18bcc416cbedaaf21d420f9b05c

SHA512
d518d0df2965680537b15ac51903150589a614798ffa5b60bc2930a518cdd9561e684dfa5334b95e1f3c0dc8f234b9c74ce587a4cd22b4fb5771b83a7cc3f659

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
299KB

MD5
e40e208e08370acdb694e37e6ade0aeb

SHA1
78bf2e8b82ae3a15ede8403bfa2b49dec8b321fb

SHA256
4818da440f5c5b0616f92d217d48df5a274ea9b8606fb1af25acbe2e64b27e0f

SHA512
32c25bed6ed57b0e9d1af9c3cd6556ab5ed975fab2df33bc902bf144cf874577d016aeace8e776178761d9be5d2c6abfb87e2ae7f5b636fb15d2ec019185154b

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
299KB

MD5
a534e31a6618cbcaccf4963aabd52fd7

SHA1
1cda0f39897259284245ec894f8eeb9815c42b71

SHA256
cd18fbf4e60d017ca6d37b46cd6cd94c72e2ebdba4f5a8ea7db743ac8d40e6c7

SHA512
65e3ea8988d4b7a322ba35847df39529c1af15d415781d9d329130fa0306ba1fc1c9071f227553cd5559fb5fe7009af6d5be65dc30dae450cca5945517a14f2f

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
299KB

MD5
959c5fe695520a911103312a96d4342c

SHA1
db641560726f47aee35706afc4b75d3cf1ea82ee

SHA256
e7afb688b1f8f7cbe46a7297abe4532c31c2c539faff1fc7b2a6a42460ac0841

SHA512
c8f05e908cc421caef084ccc13063708ec583a4b58c9448554b4f4a62864152ecdb044bb25b0e84ad210770418e0402aef7d51ae2e298654ad1a6e5c792b6e4c

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
299KB

MD5
a61b745ecfde62d0b53295a5dad18a51

SHA1
36e0c28d1cf3806bc6d431248de2e50fe1d4ca4b

SHA256
c6e2a75258b968944b853b4bc9b96ba0021a091c4acba3bcb731a286a611be09

SHA512
70da3a879c36918d79784d6736f5567be9ac11642dffa4a464889b5432388497a305ba0aef1dc86c85cb3acf0500de30852c2ef2997385319cc4c0ac2f68b617

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
299KB

MD5
be2289d1d8d3edc27bfe6c68bd2427ad

SHA1
5ba6cc4a269715af6623ec8c83d9828fe5923d13

SHA256
1810cde30cae84eccf1035e87fa9f8ff718102bfab6ea1c911408b57c14e53c6

SHA512
458b112dae2216a5d51898eefd9862566c562970c59867e098892f97db7ccc8fca453ec2f92aebd1e3a406153421b9b178cd40bc2c026afe2539a7ddb1252df4

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
299KB

MD5
f6463cdd5df8818210b777a1b1725d5e

SHA1
93531441d47f9cdb5ec8ab6e4d464f7091cdec8d

SHA256
0653fac87226a5f760493d7b768af7ebef09f8ac763f6726327485b556ffc0c6

SHA512
6f6b1ea1457f11ee8d925f357ba276ed088f18b44d87e28011a7b3464781c1cbfe1f991aac81f74743e534b75220c43d5a0b8e76cbc7c784d6f2372a149ec2dd

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
299KB

MD5
aa97b7bda6ded4918a3a0915f5ecdaae

SHA1
e0d50a8bdd10d36afa840af98baeaeb543b2ec1e

SHA256
9e59e458638bca27e50734995d2ec69448d522ff0a20e23ad54c8010b1a525fe

SHA512
3d5c11c1c130c944c205f45a88a741f93705859702ef181565a5256e9c87cd84750531a76135b64155e65eedfce7deb23c74f1b5a837219e15df6963cbe5f004

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
299KB

MD5
fac7e0f0df98edacc8886265271cacfd

SHA1
3be3a23531504b2de077a6d2f1ed77d2031facae

SHA256
f726ef4f27251c9378466a3878b3e67ea5f19bd25f922c3215342776bade8766

SHA512
f600819a8d89e7b086566bae94a846e51b99be130aaf55407febbbc6841b3cb685db322277b78519a6009668cd1a3c98be7e15f329a5403366025ec293af8db0

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
299KB

MD5
b3bcca23027a2ae7256eeb92ca5fabb4

SHA1
7e9423e7ba25552485a15a2e865414dcd5d59f82

SHA256
c71b487dccb4d36f3e496267cfdf62024e4aa4d3b6c059a0c59887e85abbaceb

SHA512
db9203168e05914f0ea1001e11d41517dd79617ba264315610f416d60870f4ae75a1727452ad96d32497bd0b3ce1932a28cbbbcb1b357b6a91982403aa471351

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
299KB

MD5
5ff0f1a4b9b678e4e0338433df1b9505

SHA1
ad89fca0fe77f77143ee20c148def1da5de9c4ac

SHA256
766c83c60e167128ef326c6ba8df270a607ba1459d33aa2fdd7b28a4e31ce86a

SHA512
b48f7a6aee4d9b87ec4b1076c3cd908889ab6b62e429f5cc1b9cea16b8ec2afbe41fbe440ce5fc5c0fce2e5efca27f13621157e40b86e7660252ec718c7b6d40

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
299KB

MD5
8482df3e473fe21bcaee2c70d3fcdd00

SHA1
8a50d56dbe275b8956d47d240195e5dbe202ecdf

SHA256
d78dada840f89a6a35636c5fca159fcee3c8d155ae47f7aa5984926c8d1b3bad

SHA512
c847eec353a7a9c36dd48eeb1f83843ee1f676059239261a0d207a7a1f877c5432c6161094bcbc553f872367c683a62ef90e6747db62b0e0619db6872a5bbd0e

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
299KB

MD5
2563710d58137462e49c44cd146e4b3a

SHA1
123f99a4d57fa495ddfab2bf14984a1124080599

SHA256
471d34ad76b9f946c2db8830b6c0ca2ddab25672f92a9a93c66acf1182f3bcad

SHA512
cc423ab907349c3946c968094943267931dfa0ffe688760005b499e7c01f59ee2f164c3fffc96ed1d20bfda3b041f90fdd531e24a655dc2ea88102fdb1244e91

Download Submit
memory/548-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-602-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-638-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-610-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-609-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-621-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-627-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-843-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-628-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5392-826-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5444-825-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5776-813-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5908-808-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5992-805-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads