c8e051a9dc10ceee8745c362d3459d155f2d25d22373e7b8722f920741338831

Analysis

max time kernel
140s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

badd74e01cdef3cfd8029f5a6f114120_NeikiAnalytics.exe
Size

100KB
MD5

badd74e01cdef3cfd8029f5a6f114120
SHA1

fbef7b3b4fda4c31135ed501660a2a3e9045ddd8
SHA256

c8e051a9dc10ceee8745c362d3459d155f2d25d22373e7b8722f920741338831
SHA512

8ffccf460de7b8c5109313702f8dc5aa1dd063fae4ff8c2ea2af3a06312e4229603a01ae9bdc738a1a4c0c0baa057351ba5af67a054fe5ef2a881234049ef273
SSDEEP

3072:jIJ6Zvz3vf/zO0YgIRjPqNQjN0saagb3a3+X13XRzT:jy6TH/qhj1jOsaT7aOl3BzT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	badd74e01cdef3cfd8029f5a6f114120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe

Executes dropped EXE 64 IoCs

pid	Process
3376	Gjjjle32.exe
1776	Gqdbiofi.exe
3556	Gogbdl32.exe
4040	Gbenqg32.exe
2580	Gmkbnp32.exe
4492	Gqfooodg.exe
4780	Gjocgdkg.exe
4424	Gpklpkio.exe
3940	Gjapmdid.exe
4600	Gmoliohh.exe
1164	Gcidfi32.exe
3392	Gbldaffp.exe
3992	Gifmnpnl.exe
1744	Hclakimb.exe
4500	Hjfihc32.exe
2316	Hpbaqj32.exe
1320	Hbanme32.exe
4408	Hikfip32.exe
760	Habnjm32.exe
4116	Hcqjfh32.exe
1988	Hjjbcbqj.exe
1256	Hpgkkioa.exe
4344	Hbeghene.exe
4072	Hippdo32.exe
2948	Hcedaheh.exe
3912	Hibljoco.exe
3772	Haidklda.exe
4848	Ibjqcd32.exe
2268	Ijaida32.exe
2844	Impepm32.exe
2956	Ifhiib32.exe
4388	Imbaemhc.exe
4140	Ipqnahgf.exe
3756	Ifjfnb32.exe
1984	Iiibkn32.exe
1192	Ibagcc32.exe
3092	Ijhodq32.exe
1044	Iikopmkd.exe
3192	Ipegmg32.exe
1856	Ibccic32.exe
2508	Ifopiajn.exe
2304	Imihfl32.exe
2884	Jaedgjjd.exe
4192	Jdcpcf32.exe
2324	Jjmhppqd.exe
2024	Jmkdlkph.exe
4300	Jpjqhgol.exe
312	Jbhmdbnp.exe
528	Jjpeepnb.exe
3104	Jmnaakne.exe
2900	Jaimbj32.exe
1316	Jbkjjblm.exe
3812	Jfffjqdf.exe
3472	Jaljgidl.exe
4988	Jdjfcecp.exe
4480	Jfhbppbc.exe
1724	Jmbklj32.exe
3312	Jpaghf32.exe
2964	Jbocea32.exe
4632	Jkfkfohj.exe
872	Kpccnefa.exe
3836	Kbapjafe.exe
4792	Kilhgk32.exe
3496	Kacphh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hclakimb.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Gbenqg32.exe	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Gogbdl32.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Inccjgbc.dll	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Gifmnpnl.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gqfooodg.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5968	5424	WerFault.exe	215

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Impepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaapo32.dll"	badd74e01cdef3cfd8029f5a6f114120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgghma.dll"	Gqdbiofi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 3376	3032	badd74e01cdef3cfd8029f5a6f114120_NeikiAnalytics.exe	82
PID 3032 wrote to memory of 3376	3032	badd74e01cdef3cfd8029f5a6f114120_NeikiAnalytics.exe	82
PID 3032 wrote to memory of 3376	3032	badd74e01cdef3cfd8029f5a6f114120_NeikiAnalytics.exe	82
PID 3376 wrote to memory of 1776	3376	Gjjjle32.exe	83
PID 3376 wrote to memory of 1776	3376	Gjjjle32.exe	83
PID 3376 wrote to memory of 1776	3376	Gjjjle32.exe	83
PID 1776 wrote to memory of 3556	1776	Gqdbiofi.exe	84
PID 1776 wrote to memory of 3556	1776	Gqdbiofi.exe	84
PID 1776 wrote to memory of 3556	1776	Gqdbiofi.exe	84
PID 3556 wrote to memory of 4040	3556	Gogbdl32.exe	85
PID 3556 wrote to memory of 4040	3556	Gogbdl32.exe	85
PID 3556 wrote to memory of 4040	3556	Gogbdl32.exe	85
PID 4040 wrote to memory of 2580	4040	Gbenqg32.exe	86
PID 4040 wrote to memory of 2580	4040	Gbenqg32.exe	86
PID 4040 wrote to memory of 2580	4040	Gbenqg32.exe	86
PID 2580 wrote to memory of 4492	2580	Gmkbnp32.exe	87
PID 2580 wrote to memory of 4492	2580	Gmkbnp32.exe	87
PID 2580 wrote to memory of 4492	2580	Gmkbnp32.exe	87
PID 4492 wrote to memory of 4780	4492	Gqfooodg.exe	88
PID 4492 wrote to memory of 4780	4492	Gqfooodg.exe	88
PID 4492 wrote to memory of 4780	4492	Gqfooodg.exe	88
PID 4780 wrote to memory of 4424	4780	Gjocgdkg.exe	89
PID 4780 wrote to memory of 4424	4780	Gjocgdkg.exe	89
PID 4780 wrote to memory of 4424	4780	Gjocgdkg.exe	89
PID 4424 wrote to memory of 3940	4424	Gpklpkio.exe	90
PID 4424 wrote to memory of 3940	4424	Gpklpkio.exe	90
PID 4424 wrote to memory of 3940	4424	Gpklpkio.exe	90
PID 3940 wrote to memory of 4600	3940	Gjapmdid.exe	91
PID 3940 wrote to memory of 4600	3940	Gjapmdid.exe	91
PID 3940 wrote to memory of 4600	3940	Gjapmdid.exe	91
PID 4600 wrote to memory of 1164	4600	Gmoliohh.exe	92
PID 4600 wrote to memory of 1164	4600	Gmoliohh.exe	92
PID 4600 wrote to memory of 1164	4600	Gmoliohh.exe	92
PID 1164 wrote to memory of 3392	1164	Gcidfi32.exe	93
PID 1164 wrote to memory of 3392	1164	Gcidfi32.exe	93
PID 1164 wrote to memory of 3392	1164	Gcidfi32.exe	93
PID 3392 wrote to memory of 3992	3392	Gbldaffp.exe	94
PID 3392 wrote to memory of 3992	3392	Gbldaffp.exe	94
PID 3392 wrote to memory of 3992	3392	Gbldaffp.exe	94
PID 3992 wrote to memory of 1744	3992	Gifmnpnl.exe	96
PID 3992 wrote to memory of 1744	3992	Gifmnpnl.exe	96
PID 3992 wrote to memory of 1744	3992	Gifmnpnl.exe	96
PID 1744 wrote to memory of 4500	1744	Hclakimb.exe	97
PID 1744 wrote to memory of 4500	1744	Hclakimb.exe	97
PID 1744 wrote to memory of 4500	1744	Hclakimb.exe	97
PID 4500 wrote to memory of 2316	4500	Hjfihc32.exe	98
PID 4500 wrote to memory of 2316	4500	Hjfihc32.exe	98
PID 4500 wrote to memory of 2316	4500	Hjfihc32.exe	98
PID 2316 wrote to memory of 1320	2316	Hpbaqj32.exe	99
PID 2316 wrote to memory of 1320	2316	Hpbaqj32.exe	99
PID 2316 wrote to memory of 1320	2316	Hpbaqj32.exe	99
PID 1320 wrote to memory of 4408	1320	Hbanme32.exe	100
PID 1320 wrote to memory of 4408	1320	Hbanme32.exe	100
PID 1320 wrote to memory of 4408	1320	Hbanme32.exe	100
PID 4408 wrote to memory of 760	4408	Hikfip32.exe	101
PID 4408 wrote to memory of 760	4408	Hikfip32.exe	101
PID 4408 wrote to memory of 760	4408	Hikfip32.exe	101
PID 760 wrote to memory of 4116	760	Habnjm32.exe	102
PID 760 wrote to memory of 4116	760	Habnjm32.exe	102
PID 760 wrote to memory of 4116	760	Habnjm32.exe	102
PID 4116 wrote to memory of 1988	4116	Hcqjfh32.exe	103
PID 4116 wrote to memory of 1988	4116	Hcqjfh32.exe	103
PID 4116 wrote to memory of 1988	4116	Hcqjfh32.exe	103
PID 1988 wrote to memory of 1256	1988	Hjjbcbqj.exe	104

C:\Users\Admin\AppData\Local\Temp\badd74e01cdef3cfd8029f5a6f114120_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\badd74e01cdef3cfd8029f5a6f114120_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\Gjjjle32.exe
  C:\Windows\system32\Gjjjle32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\Gqdbiofi.exe
    C:\Windows\system32\Gqdbiofi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SysWOW64\Gogbdl32.exe
      C:\Windows\system32\Gogbdl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4040
      - C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        23⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        25⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        30⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        38⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        47⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:312
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        57⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        58⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        59⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        64⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        66⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3580
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        68⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        69⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        70⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5056
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        72⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        73⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4548
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        75⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        76⤵
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3852
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        81⤵
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        84⤵
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        89⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        93⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        98⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        99⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        100⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        101⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        102⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        104⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        105⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        108⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        110⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        111⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        112⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        116⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        120⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        124⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        125⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        127⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        128⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 240
        129⤵
        Program crash
        
        PID:5968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5424 -ip 5424
1⤵
PID:5816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
100KB

MD5
ccb24e7ad8cff997e03e0f2fbf6e6e0e

SHA1
6554aeea5785fd3da6edebbbe58226911ee3fe96

SHA256
570e76d8e183d49d66c1a5f6d3d58de075e91ad36fdd363bd53184cecfa3c0a8

SHA512
88beeb7b7c88fb0b90bd73d84332b5cd49c1e43f824800f9ed35dca2c5d47b698d3b6ce4d16091371871c28132ed19ff2def1ba0385f93a1111a2db70b3c25da

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
100KB

MD5
33325751d0d20b03c732234fee3eaaa1

SHA1
5817b1b342ea0ef81e395dffba2cbced8f29b593

SHA256
9588e4419c54fc336db7705a1015484cc02ccfaeef109adac9d6e5d238a1fee6

SHA512
2df79a18c603ffea611c224b3809a49a226337ca6dd2262a9a1e7919f03d5b874320ba100735736e5ff0d89249dfbfe2e65696e96b1ea02341d7afddaef617d4

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
100KB

MD5
35784950ce1ce6ce700f06e052899e3d

SHA1
c622f60eaf6c2a4a9273584567eebc85ad120361

SHA256
4bef6537b8a1cf3e6b16e8888d1c10ea72ef6792b1f05a079bec0d841d59550a

SHA512
7545bf61914e97b2dcb830fdf725cd2835982f0519cccac460d842199502c0b76741db5ec63b0d249a1525ceefd19e742aecb69f2a371546846b463e8946fb2a

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
100KB

MD5
33e94c69bef24ad1bddf6ae60ae8e33d

SHA1
0b7a2152c618fbcc2a86f2653621f69bb859447c

SHA256
eb8fdb8fade16c0866a0a8f0f89dd47c19869f38eff0cf0d80e821ef72ddb312

SHA512
02283e84e73867f1f88bd1cbd93aff6913ccd9813a2e43412661915f9c1f2bdecfac3ca92bad4f03390ed48263de315a09cf820b5fd7b92a2bd34c9820f0c8f7

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
100KB

MD5
72380722895a2c02aa5c79f586595a1f

SHA1
80cb987296e54ed55b800104e8e6b68856b7ed7f

SHA256
a8445292ca898b63af358f9477323d1a79ae113025711e461bc5986d6413444f

SHA512
b29808f4d4b324cabbcd52ba73f6e28e4e7d0cc3ec44b4db112e236e60981115af194849075504b27df04c086a400cc5b323d563d9f45fed29f4d948acc48203

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
100KB

MD5
f63bf7220a376f3fa55625b65c4ec85a

SHA1
d1fc04af1c03de903c455ccfadfb01847f76a4d3

SHA256
d0bf387dbd15802542762a9c66523d36b9d78d5a714d8d1578c1e1ab286e218e

SHA512
1ae6dcd36a89da347aee31abf7a88357ec265c92c542dc948d8a5592bdc99d4438a2dd84a19b1bc3e828c3b979a02907c54f8096e38c1e20c6c67cc6c0ab4b54

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
100KB

MD5
c66f383f00049032dca2c11e36afce42

SHA1
96f93fa4d3d29189064860d726c4b0ea8e727ac9

SHA256
d7ee5a1d63e2e0ec17852c24544a0a036de4f4f3d68e022be62b91c5adccec7f

SHA512
9566f1eb62cc7c01b68235ea0454f2d5110cbcca78ae4a6340d8bdbaf1ec3924d72dd98a98547d949148aa57de6f4a3d64cce1ba50ead55efc32f0addbafbb3b

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
100KB

MD5
486e13bc27a3c74fd4c83915c6652655

SHA1
760d5cf1ba03311777320a62aa90ffa05a42599f

SHA256
77a97b46e9421d13c8a0be2404edee0ab5fd93a60caf6a51e15c0f8044033422

SHA512
181476753181fd62982707e9f8004da8c79ef440256e82535d9e53fd75ce0cf4d2464bd0a5fa1f1c0ab860bf234a8bfe5807cae8e73696dad2f8d246bf23230d

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
100KB

MD5
438580bd652ea6c10c3e38e1faebc7c3

SHA1
0ab7c26491ab8810e21fd23040b91900e7609867

SHA256
8d694c4988a4ca85c814fbe1acd173da995d44ebf62f9584583d46e136aebaf9

SHA512
9555c2c12a7615920130589863e082a8326ae8a54910dcdf3bbf5d79ee8fd55f7795982f18f6a11c54000a8f9516eb27143fed858a8981ad2dd292d0a86bddd0

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
100KB

MD5
774d7091f8d14d0eaad40a07f7f16664

SHA1
5c11826059e73110846258b17c3026ac4a46ff60

SHA256
e71b993157793c92ffc1aaae3526a9c3a647d59ba157e62826fc4d8bd627c547

SHA512
84159a8b123bb78f1d4ef85e2d0f028f342da5cc8401ff924ca1ecdb965071e79458e06c104c1c7d321d5457744149bb6bb01ba0ed46f0b9cbc718c30b480320

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
100KB

MD5
dbfd6d56f2668981be3f7a6ccc23ccde

SHA1
a29ac58bd11253f62cb634e901d9534123dadb08

SHA256
437df14ef21aec5c2f6efda857cc8adf80acb8d71965f17cec6a6916f808015f

SHA512
a1c24b387a575c21b51a328be10ac1b575a1e087ab84169a0f69cde02cd2865735f18311a9ed67a97f1bcc6e3da4e5910c90cd5621fa6892acb19d392032c103

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
100KB

MD5
20b9dc7fda60ede3cb0e1c000c530a35

SHA1
c0caa91ac26f044efb44a46fd78151a597cf6539

SHA256
0e77cef04f66a112f5949497ebd79d260a22c1998fdedd2097a10bddcfa81186

SHA512
7cf7963f2ef4c25d5d41905ae947837d820600a23321fcfc50a7c988eefc64a8fe764414c8895224a9a924a0f85e9c33c73c1a20ec987e135e7c336364dac9ae

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
100KB

MD5
55f77521d7dc9fe7b4cc32defa2abf72

SHA1
a67e4f946ef6f818f073bfd2e0502ec6d084eae0

SHA256
86957ac6ad3b63b834158f0e93c8c896589bf4dae6ec6e6fec72c91b11a97d38

SHA512
8995ed9809d809b96c625406fd6ab0a63052bcc04b4fa5375088c02c8deb9a941e814e185c755649814abf3d98919bf8b193e0a7c28c6b7f02b5475669168fa5

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
100KB

MD5
214fda9f2a309b34a8dab303df8f2458

SHA1
db7114636ba5e40666273258a3d13b8808065206

SHA256
4f156fab0690f3a0b1132dd31b01bae4423965dd310fb494c4a90318cf8ee0e9

SHA512
fcbfcd26bf3fa9012731bf696172a056143a7ed871406fc3de908acf0e276a75a2d692e8531e71a6f7b0195fea008c87deaf31c59ede865e32cfe9356678bf59

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
100KB

MD5
306ea2a36354fb84b9485f8cd609b9a2

SHA1
564c6cc0593ed1822aa7f08b16b6a419bacde33b

SHA256
aa260e94ff7bf1c08e0d8dcb4ea8a0f9fdde6dbada6d816ad6665a026bfd73f6

SHA512
ab326abcd6f1e64072468315bbea0922d5dc2f6e6f52c22a9162c1185566fc2335fd40085a3c7ee6cf2aeafca19c70bf39b9d66b8a312ed88f3bc35160e0618f

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
100KB

MD5
3f125f003f5d5943d42e7fd200559b9f

SHA1
f872686a13ee3b0b7976eee12d0d146556a47928

SHA256
6eb8bb5884c6491accd8961a9bc248ba0026317fe6cc5dba6e3fe749faeaafd0

SHA512
2c3260dc8c8c4268c7fce8df799c9388913bf35c7dd9a6db7f6e7ce5e1e4956820f3ce6fee16a4f7a55d8e2fd1699719645c84c5c0e1b8fe45b7b69ea006dcb3

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
100KB

MD5
85d5a32aa0fc2e55c983dc0b916843ff

SHA1
600231fd22ed09e635d3be84b1981be01463e4da

SHA256
c3d07cc1c51bd176eb7e1153cfdb4c62d6e79327073595ee9fee546cf68450cc

SHA512
f3215fbb2dbf6c6ba9857b9b5dff7e583bddd8a619134034568c44458e9fd36d978097ffbb9b047085632fb3a9966265b87f6a31bb2bfa0db523d4ffe8eb1494

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
100KB

MD5
e20c040ab672f25ad639b1dec5021c72

SHA1
de2bead617bb431b25cbdc6b18e63c360d7f0563

SHA256
8ede46083ac206ed26eb7793ac6ca038d58b8a624d28e8fc2102c8df1ee111c9

SHA512
1924f0affb7da1b11aa929ded964c9ced3928aba40786475ca91993d8c54ff8ac3dd3aa859692cdf76283a09c86a28c3fdb8df82aac3b809f6192d6d10729385

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
100KB

MD5
efe6781b514a8d2f74c6f37af21d6281

SHA1
fa9cd1d9b89c6bb25891718b18001899b8928016

SHA256
dc43bc2758c4e6ece0c75ab92167a18a1671179031204774ddcd6f13988e7a78

SHA512
c11f6aecba25ef824c74677ef6b40f4d986f103b797880febd3cb6e4e2d1d287969881365767bd9f8bed56522b7574a582a9d6dca73abe39cefc4fd2de990ae5

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
100KB

MD5
06b601b55789339bef4e32e07ae555ce

SHA1
40a72c8b3d538b5a1b04b5cba98ea168c1874002

SHA256
95ff4c276ac842fc1381e5097a16bbb39c17522191b47c68c65db889318bc97c

SHA512
3e43c3561ffa26a9da68b6e897d5ecc6922bb815dd96de2fe132ca4e91e37946a90ab1303e7241188d8c53e676edf2494f0328c620f6388180ad1ef7689a1cde

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
100KB

MD5
ee1f72e50fb80b3f0e26c7b230f0cb8f

SHA1
418d757e72eb22459aad27647641a8dd3a766171

SHA256
755e29abfe3e2fccfc25a7003f15092e3e16ed3a13ce780bdd75e812cf321c2d

SHA512
14845922495af11a08505ae80f4b54cd0d8e7cba63b308dd41d30676bbeabdc8a9d4b09e24cb4c348adcdfe8238fa7613e02406b206f1d13f896ec576dafeb70

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
100KB

MD5
6af7713ab4610e80200ff0f5bbe53fdf

SHA1
99e24e7f1134cfeb795c441b54a07523dcc51804

SHA256
860ba8846ac262ee2ff4565fb387d72e1ecdba8262c04db015e4d38e2197f167

SHA512
989bd50e468a2750c3bfc73731adccdc11a4bf7f667af1925ff07c441c03f313260329be50112e7ab2b9f923fd6cdc31b917bbb70b68c3fdc34f29d35ac9b043

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
100KB

MD5
582e5a90fda6e586fd327b4ea29bf9fd

SHA1
07360cd63ad662fad8c1a632f21122a1e2e5fe53

SHA256
7a9a450b1708cec4899ad9eac0fc1fd340f519e8482f398ad4476719ec5c8801

SHA512
56282a6f321f801996169c959446879a75f4d340a6c3a28cc0512e77e2a987906c86f8673bb25ca5a1e7b833e42a7f6bec6c4f08d1664ccb225028c9dc84cb61

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
100KB

MD5
2dd5046cc47503dc3035e0834879bea2

SHA1
fbc08b9c863dd08d9809025ab51f56b31e521c91

SHA256
eb7430fc88e8205caac67963bf5920e08ef685401c3fe9974770debc41c26ffb

SHA512
94e99f311f0cff15c107335dcdd301d3d0706ae37b1adf94b7e93605f98436d9857dbfaf2c1d733297395f97876068143f3c137ba9d5e9ce7fb4c754db499908

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
100KB

MD5
bd5feb24aed9381ad742fbdb5c64f95c

SHA1
6acbfb12dbf875fd5a00b9d7d60ab00017abd189

SHA256
5d557dfc8d9cd55b2864ba770b66a1dd4b18449ec36230583eee8f2848b28aa7

SHA512
5a517fcc22bd7ecaaeb08d565a6c92999ca0821a2946e4d99eb137725f644ec03eb2f222625e223abdbc0b77d7549bddee56795bfe0b2a70db56a71e0cfc86c6

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
100KB

MD5
6c142bda6e421b9c8a7f103267278ff6

SHA1
8792b81cf0fde31bf74909a8e328c1905256c2d8

SHA256
5104c575d079e9aeaadde1149bade6009508ab005d56afe27f9b84b2a98969af

SHA512
ab08fcd723596cc11ccfe40cb2eb44cd7917fce50e17b11fc9d264c0a174c8c60229a70e9fe9bfb6ae6abc8f2bd683650e19de9999cbb5cacaf1e27ce8f711ef

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
100KB

MD5
830a6d1a2da9a969f9be0d598fb497c5

SHA1
f02a8a87960809d9a590bc8bc486aa0b0b7feb73

SHA256
05ad0cd179a7da1a694633d15895db1f81f689f33da985de15e08f3d91c31203

SHA512
6fc2026739816247416eaa94eeb7e71d289f71a2154c0e6388ae5a6d28448a46bd0fcd88c9c98c1323489b0b9941de2c1c66e8b984f3a7d328c37cdd64696caf

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
100KB

MD5
c48b7a911cdb2fdfcfd0b8de82af019d

SHA1
1789bdd01311f79401d3ee96d554b1ce522b3860

SHA256
7bce42d6e1f2d9b5182abc5f55a428e49fbbd6680c66d995ef9467b4041690f6

SHA512
4788b5d1f1d1fde87912eb060b3d2acb9c7682c23191b5700bebbed4aa09c586b0309539f618591e69c99668147933e1c8d99fbf9b864d2a1ec8a82ee81722a0

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
100KB

MD5
1a9e647335108f8d2500041cddceea69

SHA1
7242da723f4f752751175feb1279381787fe65f3

SHA256
714fb0a5f9b120ecc941aaf1f14420f12565c34fa397b87335317c55062b4047

SHA512
449357e4fd9d0f8f8cee7ae1fbecffed4b3e484c894091d3d17cab288b47bdc6f5f9be20de9f2b96cea7ad2bb3b0b23ea6a5bb5faa9da082801c8688378d107c

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
100KB

MD5
7e6a27a7959f32fb89d86850fb7a59e3

SHA1
4e454b207422ee98e78dd6456fb319645ce2442e

SHA256
c8e7f34473c99685fab2aa18b736368d076e12d6e7fba0eabb514aca105fad56

SHA512
043cd320a5a2b1180e87a7ad91ccc54b4ad9994ff4007a6dcf714d75dcc80fc6e9edc2b87e3d22b4df3ad650ae7f857abed400babad3517405e7d9cb60e40038

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
100KB

MD5
509f1f44be52274acc1e1b25e6b83241

SHA1
5d96e31177b0185003fe47b3bf69426a8b54fa97

SHA256
e228994cdd074eb8288c8f22cd74452ff968ba0689d947d8f57db97b94ad60e2

SHA512
fb91d38e162a60a91752f919051b411d9e6a78972ef54774e21f2b24bde1f86f7b6420d8e03158f70f6d3c2b5ac27f9baf392f509d02335ee3c8cc0fdcc0d9bd

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
100KB

MD5
baa6f70aee8495968e11cce52cf6c22b

SHA1
13a271b12611d2736571978bd7831ad45b0e8474

SHA256
00f1888533f5fccf9b08c42eda05ef17b8a97eb9677929067f50cf5f4fa77571

SHA512
3aeee8618821612e34c06f9661a234d5aee482d7a22071471e0ea677548e92d89d11dc4a74ff3e95b2adf9d87431e88eb9cc73487fcb711b5a18dd8cc2de9562

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
100KB

MD5
1654bd12cfbf1cf39a78d7eb32e1e95e

SHA1
accd4d92db09d7dc970d9cf7718d6f09ef7d2676

SHA256
c8bc472fe30e84a4578dba0a6bcf09014cd55efac063764493349bfc415e7c27

SHA512
caff4fe4bc0b74fbe8784a8ea405d54c30e33366ce45538af11a1533c289fbf23665ce909e7efd410a80cb7ac41c47c7aefd552ff8ce53d8810afcf1afb1ace2

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
100KB

MD5
b53de57f2ee1459e8587d2642bce0b16

SHA1
9bd2d9ddbe9450fe9f4bc302a5e5252d8595125d

SHA256
fbfd880dfb92f0b73a9098da05cdd51d75adecd0bf9b04208bb6a6764260bdef

SHA512
67710c3a64a64a12e1cc48549b066cb4cc10efd52d39075e9e7ebdd2e040aa4507e405739060c5fad9782a2fe859d5e5429a7627a71c7c9b3cafc72d3d80d5cd

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
100KB

MD5
95991ed57e4655da2351358c1cf3c0c3

SHA1
6f193a5dd956862e0a47b18aad3cc50fd5023786

SHA256
90be11f5164b62ee8b5989b6cea39c68f06e356afc2a21278636f8dc1418c395

SHA512
a5a4f1a83475bbf6e78933efcba927bddf97804107c9a52734c96102a4d4ca013a7dcce959f2d17f8f2dd3954bf1dbb89a4e9f69f2fef71e3f529c748c091f26

Download Submit
C:\Windows\SysWOW64\Pnfmmb32.dll

Filesize
7KB

MD5
f928b18112ac9a10b35d15936ad933a3

SHA1
b049bfcfce77cdb4a1f1e666edbd2f4389e027ae

SHA256
f7cea65d4c8267f1bd02394e9fd802a6a90f6fb072f9aac6758d710444ce7bdc

SHA512
3ef5040f2c856579e41d06ff93bd268a6b2a1357c65006c2b15911e31e3ce3d1f8d762740a28f04e69f776a680828e6640fa9419a1c02440460ac7694557c61b

Download Submit
memory/312-357-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/528-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/740-562-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/760-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/872-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1044-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1164-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1192-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1256-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1312-500-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1316-381-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1320-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1348-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1356-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1632-512-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1636-492-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1724-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1744-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1776-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1856-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1984-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1988-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2024-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2268-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2304-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2316-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2324-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2328-574-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2428-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2508-314-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2564-470-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2580-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2600-529-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2900-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2904-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2948-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2956-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-422-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3032-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3032-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3092-290-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3104-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3192-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3312-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3344-548-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3376-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3392-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3472-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3496-452-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3556-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3580-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3756-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3772-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3812-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3836-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3852-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3912-212-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3940-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3940-608-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3992-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4040-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4040-569-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4072-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4084-567-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4116-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4140-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4192-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4300-350-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4332-477-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4344-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4388-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4408-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4424-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4424-596-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4492-582-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4492-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4500-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4512-536-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4548-507-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4600-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4632-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4780-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4780-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4792-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4796-542-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4848-228-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4988-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5056-488-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5128-581-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5164-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5208-595-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5244-597-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5300-609-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads