c240e0b622f4c480e25de823468bf284cfed023ebc8c44fe3098d9f90606c9a7

Analysis

max time kernel
142s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe
Size

72KB
MD5

edf90482265a073908e15bf35ef85ea0
SHA1

cde39390e04ec72d3670d7a74e50144521a13e4d
SHA256

c240e0b622f4c480e25de823468bf284cfed023ebc8c44fe3098d9f90606c9a7
SHA512

56a958b09897e0a826742a82a315b83a2e36012598cc6b1ffbbcada7d7bceb5299fd50a929572656a2243c6d52fc2740e7a4c8e0926071f485a82b25b249a81a
SSDEEP

768:re45uH9xNA480QgYjyYgiiG/QW7DtG2JaKRGpIxHCaF/1H58NU9UiEb/KEiEixVD:9uH9qhy/VGoIDtGpEGfGbPgUN3QivEtA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe

Executes dropped EXE 64 IoCs

pid	Process
1616	Gfqjafdq.exe
2808	Gmkbnp32.exe
4012	Goiojk32.exe
2496	Gbgkfg32.exe
932	Gfcgge32.exe
1788	Giacca32.exe
1900	Gqikdn32.exe
2076	Gbjhlfhb.exe
2260	Gjapmdid.exe
4208	Gqkhjn32.exe
3328	Gcidfi32.exe
1704	Gfhqbe32.exe
4456	Gmaioo32.exe
400	Gppekj32.exe
4504	Hboagf32.exe
3616	Hmdedo32.exe
4788	Hpbaqj32.exe
4956	Hbanme32.exe
5116	Hjhfnccl.exe
2140	Hpenfjad.exe
3628	Hbckbepg.exe
1908	Hmioonpn.exe
2556	Hbeghene.exe
5096	Hjmoibog.exe
4032	Haggelfd.exe
2176	Hibljoco.exe
2684	Haidklda.exe
2320	Ipldfi32.exe
2288	Iidipnal.exe
1948	Ibmmhdhm.exe
5080	Imbaemhc.exe
3372	Ipqnahgf.exe
2476	Ijfboafl.exe
3932	Imdnklfp.exe
2184	Idofhfmm.exe
4580	Ifmcdblq.exe
8	Iabgaklg.exe
2548	Idacmfkj.exe
3824	Ibccic32.exe
3788	Ijkljp32.exe
4512	Jdcpcf32.exe
4784	Jfaloa32.exe
5056	Jmkdlkph.exe
3292	Jdemhe32.exe
964	Jfdida32.exe
3828	Kaqcbi32.exe
1652	Kdopod32.exe
2940	Kgmlkp32.exe
2428	Kilhgk32.exe
2012	Kacphh32.exe
4344	Kdaldd32.exe
4400	Kgphpo32.exe
1632	Kinemkko.exe
1384	Kphmie32.exe
2348	Kbfiep32.exe
3248	Kknafn32.exe
4604	Kpjjod32.exe
2804	Kibnhjgj.exe
2964	Kpmfddnf.exe
4048	Kgfoan32.exe
848	Liekmj32.exe
3724	Lpocjdld.exe
3644	Lcmofolg.exe
3620	Lgikfn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Jjcfkp32.dll	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Gjapmdid.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Giacca32.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lmbocjjm.dll	Giacca32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Gmkbnp32.exe	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5556	5196	WerFault.exe	212

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfmmb32.dll"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Gppekj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 1616	1824	edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe	83
PID 1824 wrote to memory of 1616	1824	edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe	83
PID 1824 wrote to memory of 1616	1824	edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe	83
PID 1616 wrote to memory of 2808	1616	Gfqjafdq.exe	84
PID 1616 wrote to memory of 2808	1616	Gfqjafdq.exe	84
PID 1616 wrote to memory of 2808	1616	Gfqjafdq.exe	84
PID 2808 wrote to memory of 4012	2808	Gmkbnp32.exe	85
PID 2808 wrote to memory of 4012	2808	Gmkbnp32.exe	85
PID 2808 wrote to memory of 4012	2808	Gmkbnp32.exe	85
PID 4012 wrote to memory of 2496	4012	Goiojk32.exe	86
PID 4012 wrote to memory of 2496	4012	Goiojk32.exe	86
PID 4012 wrote to memory of 2496	4012	Goiojk32.exe	86
PID 2496 wrote to memory of 932	2496	Gbgkfg32.exe	87
PID 2496 wrote to memory of 932	2496	Gbgkfg32.exe	87
PID 2496 wrote to memory of 932	2496	Gbgkfg32.exe	87
PID 932 wrote to memory of 1788	932	Gfcgge32.exe	88
PID 932 wrote to memory of 1788	932	Gfcgge32.exe	88
PID 932 wrote to memory of 1788	932	Gfcgge32.exe	88
PID 1788 wrote to memory of 1900	1788	Giacca32.exe	89
PID 1788 wrote to memory of 1900	1788	Giacca32.exe	89
PID 1788 wrote to memory of 1900	1788	Giacca32.exe	89
PID 1900 wrote to memory of 2076	1900	Gqikdn32.exe	90
PID 1900 wrote to memory of 2076	1900	Gqikdn32.exe	90
PID 1900 wrote to memory of 2076	1900	Gqikdn32.exe	90
PID 2076 wrote to memory of 2260	2076	Gbjhlfhb.exe	91
PID 2076 wrote to memory of 2260	2076	Gbjhlfhb.exe	91
PID 2076 wrote to memory of 2260	2076	Gbjhlfhb.exe	91
PID 2260 wrote to memory of 4208	2260	Gjapmdid.exe	92
PID 2260 wrote to memory of 4208	2260	Gjapmdid.exe	92
PID 2260 wrote to memory of 4208	2260	Gjapmdid.exe	92
PID 4208 wrote to memory of 3328	4208	Gqkhjn32.exe	93
PID 4208 wrote to memory of 3328	4208	Gqkhjn32.exe	93
PID 4208 wrote to memory of 3328	4208	Gqkhjn32.exe	93
PID 3328 wrote to memory of 1704	3328	Gcidfi32.exe	94
PID 3328 wrote to memory of 1704	3328	Gcidfi32.exe	94
PID 3328 wrote to memory of 1704	3328	Gcidfi32.exe	94
PID 1704 wrote to memory of 4456	1704	Gfhqbe32.exe	95
PID 1704 wrote to memory of 4456	1704	Gfhqbe32.exe	95
PID 1704 wrote to memory of 4456	1704	Gfhqbe32.exe	95
PID 4456 wrote to memory of 400	4456	Gmaioo32.exe	96
PID 4456 wrote to memory of 400	4456	Gmaioo32.exe	96
PID 4456 wrote to memory of 400	4456	Gmaioo32.exe	96
PID 400 wrote to memory of 4504	400	Gppekj32.exe	97
PID 400 wrote to memory of 4504	400	Gppekj32.exe	97
PID 400 wrote to memory of 4504	400	Gppekj32.exe	97
PID 4504 wrote to memory of 3616	4504	Hboagf32.exe	98
PID 4504 wrote to memory of 3616	4504	Hboagf32.exe	98
PID 4504 wrote to memory of 3616	4504	Hboagf32.exe	98
PID 3616 wrote to memory of 4788	3616	Hmdedo32.exe	99
PID 3616 wrote to memory of 4788	3616	Hmdedo32.exe	99
PID 3616 wrote to memory of 4788	3616	Hmdedo32.exe	99
PID 4788 wrote to memory of 4956	4788	Hpbaqj32.exe	101
PID 4788 wrote to memory of 4956	4788	Hpbaqj32.exe	101
PID 4788 wrote to memory of 4956	4788	Hpbaqj32.exe	101
PID 4956 wrote to memory of 5116	4956	Hbanme32.exe	102
PID 4956 wrote to memory of 5116	4956	Hbanme32.exe	102
PID 4956 wrote to memory of 5116	4956	Hbanme32.exe	102
PID 5116 wrote to memory of 2140	5116	Hjhfnccl.exe	103
PID 5116 wrote to memory of 2140	5116	Hjhfnccl.exe	103
PID 5116 wrote to memory of 2140	5116	Hjhfnccl.exe	103
PID 2140 wrote to memory of 3628	2140	Hpenfjad.exe	104
PID 2140 wrote to memory of 3628	2140	Hpenfjad.exe	104
PID 2140 wrote to memory of 3628	2140	Hpenfjad.exe	104
PID 3628 wrote to memory of 1908	3628	Hbckbepg.exe	106

C:\Users\Admin\AppData\Local\Temp\edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\edf90482265a073908e15bf35ef85ea0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\Gfqjafdq.exe
  C:\Windows\system32\Gfqjafdq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\Gmkbnp32.exe
    C:\Windows\system32\Gmkbnp32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\Goiojk32.exe
      C:\Windows\system32\Goiojk32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        26⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        27⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4556
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        33⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        41⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        43⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:964
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        51⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        52⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        54⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4796
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        69⤵
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        70⤵
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3604
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        75⤵
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        76⤵
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        77⤵
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3136
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        79⤵
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2424
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        84⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        86⤵
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        89⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        90⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        92⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        99⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        103⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        108⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        110⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        111⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        112⤵
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        114⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        118⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        121⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        122⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5196 -s 408
        123⤵
        Program crash
        
        PID:5556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5196 -ip 5196
1⤵
PID:5476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
72KB

MD5
4e200a47f0892b0c7fa3611de183d7d5

SHA1
3653898b50b1aad9ada36de9bd223ac3cd54fc84

SHA256
ee0096cc5ed11ee25a2fc2155ce2b4fe1452e18ffb5d0a63af57cdea26529fa5

SHA512
dd3731d26d27031a567927a27e3cb679bc2273141afd0ac391394f01953298f0f9bf01410d178a6b1a1e53981c398d494f536e7ac321675dbc5c5632ad0e4a32

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
72KB

MD5
36a565e6e4d694f05198012a70b34aba

SHA1
027b98e489199351e4094611aa597d928a157660

SHA256
7122fd0d436b4cdeca4da20469ebd152e110bac563c79844458dc597881a3a90

SHA512
244dc608c7a064d2f4c2e647f0e4010bd20370c84b09b5f31d060e086609a90c2ae8d22b7791c050495a8364519c3469a11acb31b5d35c617d12e8c7e651121d

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
72KB

MD5
a0ff9a11c46a9f75b79c420b0eaeba52

SHA1
efde4b81b9d740f3c3f539ff9cf72a00e275c706

SHA256
8ab6f528a5a0755539d2302c3f6ddc67fc3d80519d4a3bf9a50b4ef146de8777

SHA512
19f2ce10e1d4f53c278594d0782ff2eff2b07243a58eda3d0b8fe93351788a2d1fa4fe16ee9c79eda83038bd3db0ec06c795614e0a57f1b42cfe61be55eacab8

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
72KB

MD5
4adbef11e1a696d5573031299c2ed0f3

SHA1
e0735893ae5fe71e23e51eff916f620f197e37b6

SHA256
b967802d969b0511c527b2b8c3b4955b61558d19db0780366d962e85b325c1a5

SHA512
9e7b8c7c4c04b27d08ec534dcdde22658a412c23742ffad595405c01b0b80fd4542573d3f2b65c28db031de2ff91f89dfaa8af2850c9f48afa1548cdebfc542f

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
72KB

MD5
5ecddfcff7aa39f406de6d29c019ec70

SHA1
c52762f29e5b6fcdd17e96878f8d31fd27651760

SHA256
ad095e080f9f357039c58f332ab2c9b705974f302ab29d06631196944f5eada0

SHA512
696857623d104aad7e06e2ffdfeaaa4858446476227c00d09342fc8985a829e6cbe0e4dd538a26669352912e2f2ecc910c454e8969e100aeb7ca26d5a96c5722

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
72KB

MD5
91864273e08c71defbd2b3bfc0010773

SHA1
3e99e2d234d952cf3c1cae5cacaa191219f2ee3b

SHA256
1e40ea3f8ac8ec5a884cf18aecb4ee263db9af30a6e82746fdca73188baa5f7e

SHA512
3b9b5ee504a44e982bce48f394e0baaf235093ba7bf04a8ae4f203bbc9112a826f4ff36297ffa532091bbc38af7fab286a5b8b8c3001289e18bad86002214b59

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
72KB

MD5
0505ab6d81901c5f5426817519baab05

SHA1
7c986c27fb32c71b15be6a27fab86f2de084c5c3

SHA256
44d68a10a320e707d6111013f8e69abc35397af1c8763142812489cb40d395f0

SHA512
41fd309e1e25eab125adbfbf22a089f0cf3f2309643ac3359f1b6a0da9c5a661edc0370de29aa6bd5f534c7975b5ae3fef19b38332844b0ef49da88c898793ef

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
72KB

MD5
a1f81922cb6243f0763fe4be9fab8a97

SHA1
80d52d439d168830a9ff7bab449ef4d6289a3bdb

SHA256
6eaaae095c3ed298099963ef86b0f229357b2f364518490ca2da3360a6ac8864

SHA512
377eaa46a15f6481c1b589b05e4008c9a8e152ecc0d7b0422e9975f4b728236a77976b1eaef6ae54a81251cfc074b50279ed8af89a576d568651375413397c1c

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
72KB

MD5
eadc5699281baece733224ebdaa9cb9b

SHA1
64fbc640ee8e0718f7956b096cbe7e177462e9b8

SHA256
5b31f12899a6e7d576afa5957fb56eb31e3e43ce0a4e2b7e383fb4e7c26ee3ec

SHA512
6e9a4cca6c1dbbbfb8c6fecdbdc5ba3cebc7e8252ff31d7aced6b5bc2f991d11598b7c5bbce0b769d006522e49276948d43868a6da50f5e66f6fd00dff105db3

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
72KB

MD5
fa8bb23b4af8edd03a90d84e9c767d9a

SHA1
4f35c26d63419e188e49a89f7223cf238ef309ea

SHA256
3f25d124cf1bad4cb060141605f96446fb1e9c5e8da817aa285a8261c6aeda9a

SHA512
f5c191b52beb860594b0d04918699bb40370983c6655df49a28e2125622103a005ae6e46b55cb2261dd733a52f9e2d24cff895907d61dc70c5d228f445a1046e

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
72KB

MD5
c78ab56370187d7fa93e27961074e4a7

SHA1
df1bd2ebf4ce1abbe1b4a76106724b4ef4dc30b8

SHA256
b16bad0d72a2d140dd0fa84c08542e75b79e8aac48fe969802ce9b1f3a881e84

SHA512
c4aae412df35a45f89091aa6724f5ae33a9518ef811751a65753ae59980b36059b99e2efa22498a95331ffad2cafeaa8eab04526ec9cc202190f808c812e315e

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
72KB

MD5
45cc780e00166772b398d6da03de768f

SHA1
060c3612723d4970cddf65fccb41ba98b9182141

SHA256
e1fabbaac5448997aee11d729bcbcfb568dcc2e7e6005737b3d375a368574838

SHA512
ac5da34a13b5a353f5eee38fd2544b7c6046c1ec833f9325694bc4f124597ccebaf9f58b573b684a036d0dad2376b1d0ee81f2c8b739f3cfbcd05abc55a6294b

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
72KB

MD5
598c4cd37544880ccd4adbd6f639c0b0

SHA1
241be72c1f677e3058df214b6d649f4ffbeb8b26

SHA256
b97f3f6a5362eadefc9126d34e8c8d75e1f5e3993c3ddc2b74746bc0453d7078

SHA512
76696e9b3679aee8a4282ef592cfb684e4f0baa25dc52ac2ce7b11e896c3512c4bd184569e70e8782f17ba6abdc0d15b60b8461b9809507932cba212221c884c

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
72KB

MD5
cf9bd80eb031907b868f4e48a8f745e8

SHA1
505bb80d55085bcd6639d881d1086b0514dcbc7f

SHA256
727bc8a87dce00b1776b7519f5347b8248bead899f293b178cda09ad4129ea32

SHA512
c726d5a2321032c78da5c0ba9169efae62c30c8eb844a7f7a51143e7163cf47314d2a540f83fa8ff4e81785129a2084e554321600d475269009cdb220c8fdd18

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
72KB

MD5
be95e5cbafc8d553f97808a08ec56e5b

SHA1
5106bd67469254eed23e10f7ad14f9140234c4d8

SHA256
3ba252a42966c10e947f06f0957ce51049e24c2a853df3fa087300bf42a80358

SHA512
de8cb23f3182e355885c7d32d4ab6d6c11404f6ab40bd77b0ebb18b783f9af71e45fa4fafaad1400059045332010ac5c42fde6be2394b650d9d9b7a31a984fac

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
72KB

MD5
06c9efc6daf5f84bf4b9be3f3a088abd

SHA1
707f0a479605e248504bbf0d87d7dcd1ccb05dcd

SHA256
05dcd595c871b3c562afa4c2edc556bd0a34ea1f23b9c8c0d550594eb7192916

SHA512
c097a83efa3447f1ae5f8c589b636b1a6cb3ea33a2a2296b5f2bf26505230e7a787d5650cf2a798481e4915e337a4fce060c6e281cbea23252d174fb4afcb595

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
72KB

MD5
f595d449a18d46f464268fea28d8b3e2

SHA1
4910045d3c6134ba5f719e91a4870561888c5d9a

SHA256
0b9416d79ef7558bd04c2fd6365b2e45e8fc606e61de46f906e9ff35c85050f4

SHA512
5563070800f969e2fd7024a9ae25501fd035b6afadaa9e5c8d288fc87673dae71dc5b91c92fd98a264bcc22006f3d399e5528bdd08eb33f945ba96a1c79018de

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
72KB

MD5
4144a687456d650f683285fb356739a1

SHA1
bc11d111e13588d0aa17ec08662a722eb978b439

SHA256
e48344d859d3c04204603705d342cf7aa0342e54ea7b11308ac94f198396554a

SHA512
4b11085f36b388a45d5985a20d7d89a427c850450f79835fda6a4ba65b2aba2934abb86e2bca2b7d578d01e881f3f01b32d1d7140e9f053b56dde9788d21b4fd

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
72KB

MD5
e52693b82ff2581910ac75928040ea44

SHA1
83feeae373b9a2767d2f443bb8a59e1b29c53322

SHA256
8e6056320a2a5cea7c8563aefda184715d68b0340f2d745045dea8501cad81fb

SHA512
d8b1cc42a72d4bb837ffb543519754672919cda49de504685cab182e1a8cb22349530c79c1370ae7edcca531683faabc147a90f7aa8b38c9289ad8df439c5d0c

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
72KB

MD5
d70e629c46dce6f190a56b419dc83240

SHA1
350cc9b5916788a25c55b1a863cc5849f619fc18

SHA256
9629cff44eee091c6310e8772154c453271906259c72baee9ac3af7bc1e3d8b4

SHA512
d3c94111a9906a7fc68d692d244f31913a7ac1461d46e8623b9964d9263262c3beeaab2cc42fbf6da3cd0db84b99d7c12850ace73ad714b6f835605c8ba39896

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
72KB

MD5
662998d96ef087a954a222b9c8e5966f

SHA1
26e83018f12bbc3a962d92641e27917a262ba882

SHA256
65643581372a1fbd4e9eb7a0924025909d4cec819cb54ae8ab197dc026c2b71c

SHA512
efa10d8ab25be3c166a03fab6aceedc53a9c6603ef6d94ee748828660542614cd0225b162d18618f774b779b9af6bf406c5c813e3c57db576da5acea9d6c3ee7

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
72KB

MD5
d6df8b3a3f82aeca0a09f741002d84c4

SHA1
6ca83e184be0a7ab8753fc213e6d08362db2dace

SHA256
c703088eaeed01d980760136a08766787319c33d3c277a039719303ac9ccc546

SHA512
dbd17412019ab909734f4465e531bab23898579c1e774150014a1419995c760def28182c4dc7744699ca6bf6617bd6e69fc003fdbd4dab6ee12e9ed42523065a

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
72KB

MD5
2fc7295b488d2113cdb42c30d7aa0fd3

SHA1
35621564372fb2874f562544a28e89cdefcebcb8

SHA256
67ad93265570d5c0a268fae91ae18acd501763ea270c961a12eddb644ed1e4ca

SHA512
2f302307477f7d39aa3c072e708dce9fe1345d6ed81f2ae1433ed11fd49df68b731001926c4bb919dde08690922f443d61aadb8e285026970142061d8a9d07a8

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
72KB

MD5
eebb1670ccc50610ebf1ce752eb158a6

SHA1
92a5b2f7b46b1e5927afb811828852132fd83182

SHA256
0008403c5272391678afca857dc1b130e24d52f3c352d7a20b4ac4eabfa1d184

SHA512
3886f026372037d4643211cb8bf39a16c4266052ac4aa9ffb8e56e1c5bb75f12dbebb4c7ce8cf0cd99990f800a38065298a312ddcb053fdb83de4672c27f3083

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
72KB

MD5
5b71d796bd71ebcba76d20f7235f4c65

SHA1
2b5834e6847fb745b484055e302c51c3b8f86e3b

SHA256
ecc7ec05236cac537456dbb7253c021ea226a078607f14d724952e80b59e2dde

SHA512
cbc80e84d5bea7ebabd98545534bdd187bf456ce321144a22b5124e47cd68cfe99c803a459cec957aa34cc700b1b9b36a4e21b6bf3c6505430a82029c505c798

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
72KB

MD5
3713893b12caadb0e70b4f8da2eca84e

SHA1
8558f39d92825657748f5675b0bacf9add4e6ba4

SHA256
d8da4d1cad2e07293ef84e17e397b0bb5a657120750eb3afeeeabd8bfbc477b8

SHA512
9949a053fd0318adbd5c734f7e8c11c518c1ef1c04cbbe6c240cbe0059b9942a7b1c2c6980054360ea267cbd9c4297932b25c76d4d06c263bed9879d8f3ff604

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
72KB

MD5
25261cdfdb4e955c42f74d5cfd679783

SHA1
d443e974b0dc81d9efe3793222932ab007d15ad3

SHA256
7a3e515e858c28a66c0718d448b97f71f2173e8bb730e51735ca01789a979487

SHA512
104bf32d2d5ebb2f3dc44da3070ab56b672bbff3a6a2db3cc02ec4003f5b178930f7bddee0c6a30890340a58c0da4be472d0c1a15b4c4e4d91b263a6f25a6e2a

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
72KB

MD5
198ed9399ddd7a591bd752d2d6f403f4

SHA1
9892926b379f0c0ee44bec7ba5df964d380a3f00

SHA256
f3f2999450cbb0b389254924ba12916c2976f507774c46bed3d3c29b04d0886d

SHA512
f06b4b09a4d0280fd459162c3e8dbe364f6854e742406593fb0f6e24da58bae12823c82186362f72f438b04627eb095d2b77dca3a9cb3d8fd28694e681402b1f

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
72KB

MD5
ad34df8d251e67e76eec9eabfb88784c

SHA1
3882b216a407b489ce600f969116f1e294c57656

SHA256
b8ea365636e9445d3ab8dd2e4837757948edb7adaae0fd0c6c8351e5d22745d6

SHA512
abd07278826251ee441673ac0fc12edd34bbb3df59bd5501317e4d44f273532faa860e8eda1c6f631c2593487e85ba7b5d75e1a39e546c20f06d97ad1a6225c3

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
72KB

MD5
a946271831efca168928a4c020e457ea

SHA1
889a1f69d558c2ceaa2b327bc069ef36020a501f

SHA256
3327c20d3ed46295a3fbe5e011c0fcb2ba47eecbc6cbb02cc7668392d9a742b6

SHA512
e14b3916b6af575acd4265cff5b107a260ca199fcf8194b63604f6d06b9ca348df655838fc2fee1d507361c0a56ea8e1769869efde7415f7c32899b606ef66a5

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
72KB

MD5
b270951a693fa17d0675e0de8479aa81

SHA1
aacda3798b79ff39ccdabada0724647120c91cdc

SHA256
ce2a6848e22c6acf6d91c3bfeec9ef34938182027a2fcce79363c60d62c86258

SHA512
c1e6f29e910455a3d40a9c098a043fbb767a65584df7f566c1606cf346267eec6d933c4bffe4040d893d241473abc3df7552e3617adaecc91e208907a82a0ca3

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
72KB

MD5
85d0af7fc8d22f25838ab2734d0d8b16

SHA1
c2ed06af894a98db5394ceecbaedcf689ac5fb7c

SHA256
138cce79a096c947b1c6ce2fa566c3d8e31bd26dabc1e8e2609cecb8265cd8a0

SHA512
7b54ca76c0b604592f566640b9f395cdad728d1ea93a52c31d4ede38446948160fa831a8bf9775f395e9928304a50e7ee42e1cf9156927cbd680e0338858fecb

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
72KB

MD5
fff4029710d4d90f1e8886cab2f910d8

SHA1
ce7e436452f9aad01b6fff1cf3cb40e073d5d6b0

SHA256
5354267b2794fb0a05aab6d139c167fcecfb1231104785cf4ce8f44dac97f6d2

SHA512
8699ad5a802ca47dc9cc24ed346f1678d903f926247364845c3516b8959807bee775d3c8a8d36146753e68a271945b30792876faf35ef190e5f5aced26a83823

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
72KB

MD5
3931c7866980648f517c8f8c42b56795

SHA1
7af8498dcdf546f3ecbac9581fd97722ce7d5053

SHA256
a163510ca66dbf433af7c2af649e76783f034717359c2166b5b6a71fa4bfe746

SHA512
563bbd40865907689e0bb4c136bb80a7c20f5d501de598caf07ebd206df4c0f814a6355b748f536a43bc619c2585cb40f8706e030050a972bc36aeca36d626e8

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
72KB

MD5
ce7c931be617a44a3cd0f5615c09985c

SHA1
37b7b548120af6bb3b90e7cee5d6c552ffc1eed0

SHA256
1fbc7f6aea1f777dbf606e03a79d55d667499026e418cfacec88c1e88a1c7d26

SHA512
ea8bee798b9c17b9257cf036b6207326cad4cb306a3edcf876d0f56f79d9b95dd83f20285b19586eb8d734deca2b298be947e7b59ad92104b1b64f0af4325457

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
72KB

MD5
cbf28c21be585f399bfcbc8f12bddaa7

SHA1
d074a6a331e45def60905fe88f88dc8d4658b459

SHA256
db011e84cebabecbc300bd4dc1dfeb00a18c34aa850b4128dbb25a58e18917b2

SHA512
52e79bb7b03e243d6747d6bdd3bec668fa028a19518be3803193ac368eba9bd08976d9bff092a48d48f3f96c7cecbda321378ead1fce7cb9995fe21609dd1440

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
72KB

MD5
7a0f550c7bb4363536bfcf23ef7d1a55

SHA1
be02dbdd4b7ddcbaab3b859b59285d6e7ce6df06

SHA256
078b8aa8fc776484440066dbe96f2d9ae251002e5995c05a7ab5aeb0935e1021

SHA512
7da1342693a5e2788c8eb9fc6d43a96686dcf915323f59ddd29bf5d45bf1daf541d832f1ebb9b7acb677f7bebd959b03bc6b91bea792c067e7b3cbbb6dac9959

Download Submit
memory/8-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/400-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/400-203-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/932-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/932-123-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/964-429-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/964-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1384-427-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1616-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1616-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1632-417-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1652-378-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1652-443-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1704-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1704-185-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1788-52-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1824-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1824-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1900-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1900-139-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1908-190-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1908-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1948-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1948-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2012-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2076-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2076-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2176-226-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2184-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2184-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2260-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2260-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2288-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2288-246-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2320-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2320-313-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2348-430-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2428-390-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2476-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2476-350-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2496-38-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2548-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2556-195-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2556-273-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2684-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2684-230-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2940-384-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3248-437-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3292-362-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3328-175-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3328-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3372-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3372-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3616-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3628-177-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3628-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3788-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3788-330-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3824-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3828-436-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3828-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3932-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3932-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4012-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4032-213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4032-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4208-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4208-167-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4344-404-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4400-410-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4456-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4456-194-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4504-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4504-211-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4512-403-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4512-337-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4556-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4580-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4580-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4604-444-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4784-349-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4788-229-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4788-141-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4956-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4956-150-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5056-351-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5056-416-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5080-336-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5080-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-208-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-282-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5116-163-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads