59f4b8cd8861731aaf79d636766ea3d7e2dfd1e9315cf91fead2cff163e8036b

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59f4b8cd8861731aaf79d636766ea3d7e2dfd1e9315cf91fead2cff163e8036b_NeikiAnalytics.exe
Size

80KB
MD5

4d400dfbaab130ec306aecbad47015f0
SHA1

847f98dab85c32e4198ea4b5e8371d923b18665f
SHA256

59f4b8cd8861731aaf79d636766ea3d7e2dfd1e9315cf91fead2cff163e8036b
SHA512

0b14e32ecafb22b8a4d896531928bb31131a4b721ac552583a8744241a07208c8c8cb7ca4b788a3e5b6c0a1b162ac88daece1e2c71e9798d4fcd4111398591e0
SSDEEP

1536:VHLo9BRQfC0xyY/zU/LX2L7J9VqDlzVxyh+CbxMa:VroBRzLY7J9IDlRxyhTb7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	59f4b8cd8861731aaf79d636766ea3d7e2dfd1e9315cf91fead2cff163e8036b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe

Executes dropped EXE 64 IoCs

pid	Process
2092	Hcnnaikp.exe
3264	Hbanme32.exe
3936	Hjhfnccl.exe
4284	Habnjm32.exe
2156	Hcqjfh32.exe
4712	Hfofbd32.exe
4976	Hmioonpn.exe
4516	Hadkpm32.exe
4192	Hbeghene.exe
2592	Hippdo32.exe
3980	Hcedaheh.exe
1344	Hfcpncdk.exe
2560	Hibljoco.exe
4280	Haidklda.exe
1328	Icgqggce.exe
404	Ijaida32.exe
4840	Iakaql32.exe
396	Icjmmg32.exe
2600	Ifhiib32.exe
692	Iiffen32.exe
3828	Ibojncfj.exe
4072	Ifjfnb32.exe
3676	Imdnklfp.exe
2316	Ipckgh32.exe
4180	Ibagcc32.exe
3928	Ijhodq32.exe
936	Imgkql32.exe
3496	Ibccic32.exe
2552	Ijkljp32.exe
392	Imihfl32.exe
4308	Jpgdbg32.exe
920	Jfaloa32.exe
3548	Jmkdlkph.exe
3544	Jpjqhgol.exe
4836	Jbhmdbnp.exe
1984	Jfdida32.exe
5012	Jibeql32.exe
2028	Jaimbj32.exe
2896	Jplmmfmi.exe
780	Jbkjjblm.exe
1452	Jidbflcj.exe
1624	Jmpngk32.exe
1040	Jaljgidl.exe
4544	Jdjfcecp.exe
4112	Jkdnpo32.exe
4220	Jigollag.exe
3584	Jmbklj32.exe
1056	Jdmcidam.exe
1828	Jfkoeppq.exe
5072	Jiikak32.exe
4588	Kaqcbi32.exe
1700	Kpccnefa.exe
4912	Kgmlkp32.exe
3628	Kkihknfg.exe
4172	Kilhgk32.exe
4868	Kacphh32.exe
3440	Kdaldd32.exe
3444	Kgphpo32.exe
680	Kkkdan32.exe
5104	Kmjqmi32.exe
1316	Kphmie32.exe
1652	Kbfiep32.exe
4856	Kgbefoji.exe
2240	Kipabjil.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Iakaql32.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hadkpm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5652	5260	WerFault.exe	212

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 2092	4336	59f4b8cd8861731aaf79d636766ea3d7e2dfd1e9315cf91fead2cff163e8036b_NeikiAnalytics.exe	83
PID 4336 wrote to memory of 2092	4336	59f4b8cd8861731aaf79d636766ea3d7e2dfd1e9315cf91fead2cff163e8036b_NeikiAnalytics.exe	83
PID 4336 wrote to memory of 2092	4336	59f4b8cd8861731aaf79d636766ea3d7e2dfd1e9315cf91fead2cff163e8036b_NeikiAnalytics.exe	83
PID 2092 wrote to memory of 3264	2092	Hcnnaikp.exe	84
PID 2092 wrote to memory of 3264	2092	Hcnnaikp.exe	84
PID 2092 wrote to memory of 3264	2092	Hcnnaikp.exe	84
PID 3264 wrote to memory of 3936	3264	Hbanme32.exe	85
PID 3264 wrote to memory of 3936	3264	Hbanme32.exe	85
PID 3264 wrote to memory of 3936	3264	Hbanme32.exe	85
PID 3936 wrote to memory of 4284	3936	Hjhfnccl.exe	86
PID 3936 wrote to memory of 4284	3936	Hjhfnccl.exe	86
PID 3936 wrote to memory of 4284	3936	Hjhfnccl.exe	86
PID 4284 wrote to memory of 2156	4284	Habnjm32.exe	87
PID 4284 wrote to memory of 2156	4284	Habnjm32.exe	87
PID 4284 wrote to memory of 2156	4284	Habnjm32.exe	87
PID 2156 wrote to memory of 4712	2156	Hcqjfh32.exe	88
PID 2156 wrote to memory of 4712	2156	Hcqjfh32.exe	88
PID 2156 wrote to memory of 4712	2156	Hcqjfh32.exe	88
PID 4712 wrote to memory of 4976	4712	Hfofbd32.exe	89
PID 4712 wrote to memory of 4976	4712	Hfofbd32.exe	89
PID 4712 wrote to memory of 4976	4712	Hfofbd32.exe	89
PID 4976 wrote to memory of 4516	4976	Hmioonpn.exe	90
PID 4976 wrote to memory of 4516	4976	Hmioonpn.exe	90
PID 4976 wrote to memory of 4516	4976	Hmioonpn.exe	90
PID 4516 wrote to memory of 4192	4516	Hadkpm32.exe	91
PID 4516 wrote to memory of 4192	4516	Hadkpm32.exe	91
PID 4516 wrote to memory of 4192	4516	Hadkpm32.exe	91
PID 4192 wrote to memory of 2592	4192	Hbeghene.exe	92
PID 4192 wrote to memory of 2592	4192	Hbeghene.exe	92
PID 4192 wrote to memory of 2592	4192	Hbeghene.exe	92
PID 2592 wrote to memory of 3980	2592	Hippdo32.exe	93
PID 2592 wrote to memory of 3980	2592	Hippdo32.exe	93
PID 2592 wrote to memory of 3980	2592	Hippdo32.exe	93
PID 3980 wrote to memory of 1344	3980	Hcedaheh.exe	94
PID 3980 wrote to memory of 1344	3980	Hcedaheh.exe	94
PID 3980 wrote to memory of 1344	3980	Hcedaheh.exe	94
PID 1344 wrote to memory of 2560	1344	Hfcpncdk.exe	95
PID 1344 wrote to memory of 2560	1344	Hfcpncdk.exe	95
PID 1344 wrote to memory of 2560	1344	Hfcpncdk.exe	95
PID 2560 wrote to memory of 4280	2560	Hibljoco.exe	96
PID 2560 wrote to memory of 4280	2560	Hibljoco.exe	96
PID 2560 wrote to memory of 4280	2560	Hibljoco.exe	96
PID 4280 wrote to memory of 1328	4280	Haidklda.exe	97
PID 4280 wrote to memory of 1328	4280	Haidklda.exe	97
PID 4280 wrote to memory of 1328	4280	Haidklda.exe	97
PID 1328 wrote to memory of 404	1328	Icgqggce.exe	99
PID 1328 wrote to memory of 404	1328	Icgqggce.exe	99
PID 1328 wrote to memory of 404	1328	Icgqggce.exe	99
PID 404 wrote to memory of 4840	404	Ijaida32.exe	100
PID 404 wrote to memory of 4840	404	Ijaida32.exe	100
PID 404 wrote to memory of 4840	404	Ijaida32.exe	100
PID 4840 wrote to memory of 396	4840	Iakaql32.exe	101
PID 4840 wrote to memory of 396	4840	Iakaql32.exe	101
PID 4840 wrote to memory of 396	4840	Iakaql32.exe	101
PID 396 wrote to memory of 2600	396	Icjmmg32.exe	102
PID 396 wrote to memory of 2600	396	Icjmmg32.exe	102
PID 396 wrote to memory of 2600	396	Icjmmg32.exe	102
PID 2600 wrote to memory of 692	2600	Ifhiib32.exe	103
PID 2600 wrote to memory of 692	2600	Ifhiib32.exe	103
PID 2600 wrote to memory of 692	2600	Ifhiib32.exe	103
PID 692 wrote to memory of 3828	692	Iiffen32.exe	104
PID 692 wrote to memory of 3828	692	Iiffen32.exe	104
PID 692 wrote to memory of 3828	692	Iiffen32.exe	104
PID 3828 wrote to memory of 4072	3828	Ibojncfj.exe	106

C:\Users\Admin\AppData\Local\Temp\59f4b8cd8861731aaf79d636766ea3d7e2dfd1e9315cf91fead2cff163e8036b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\59f4b8cd8861731aaf79d636766ea3d7e2dfd1e9315cf91fead2cff163e8036b_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\SysWOW64\Hcnnaikp.exe
  C:\Windows\system32\Hcnnaikp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\Hbanme32.exe
    C:\Windows\system32\Hbanme32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Windows\SysWOW64\Hjhfnccl.exe
      C:\Windows\system32\Hjhfnccl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
      - C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        27⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        32⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3544
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        36⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        41⤵
        Executes dropped EXE
        
        PID:780
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        48⤵
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        54⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        59⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        67⤵
        Drops file in System32 directory
        
        PID:468
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        69⤵
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        72⤵
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        74⤵
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2208
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        80⤵
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        81⤵
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4556
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        85⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4160
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        87⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        88⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        91⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        93⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        94⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        95⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        96⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        97⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        100⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        104⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        105⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        107⤵
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6076
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        110⤵
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        113⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        115⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        121⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        123⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        126⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 400
        127⤵
        Program crash
        
        PID:5652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5260 -ip 5260
1⤵
PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Habnjm32.exe

Filesize
80KB

MD5
3d0dd5c764f4c995d85afa3e04af4c83

SHA1
d599b8507b95b9ad01ca0382d0fbd3c38fb180a7

SHA256
f0123061a52c481b4f0b61f49d5ed725cb7daa1da2cc564e22ec7d6ee2cac861

SHA512
2971ccf1f187392bcca6eeba374456fc5519a5abe412a4b0939d42acdd347983a560ced17468294828b27b20496e3a5b590058944170991843aef75ded08c226

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
80KB

MD5
e904b1790e85c307def1c3a74336885b

SHA1
9a798006f1c167f8e6a33b4bad2eb6e1e4138dfe

SHA256
ac8a636522b6f20ff53b30f1b7029b878b56e2a7d58953b1cc858507fef49c2b

SHA512
9600dd1db528783bb5895b57e04f89ee321162a22b9a72314862f6b8c1b4689bc8f7f0d4d7b7d9c551ef5d018f5d0599ca97a0d19f75a8f970524b7b4706a63c

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
80KB

MD5
9685dc2fbc4c087ed6dc68b922725c22

SHA1
b20d265a913c6f81c8fb9d0d9453ecb8e0a509f1

SHA256
1d227822301664e5e5c6500a6bd5fe99271fa4cd6d890c0e64755aaeec6ddd16

SHA512
2f33d59fd9945ddf8d501f37bd71dac1a06c5e06b34baec619f1482ea1540f1290052ffe92b4362c75a57cef2ed52ff33f46e97e740ae91cb1cd03c1b0a2d051

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
80KB

MD5
e1750f7a3b12ed5074983d3a21c2986f

SHA1
84f5e64ae7862c878695da0d9d43838d8f18deff

SHA256
1a8902ae2fb5fad71c48f23d265ccbbc3c1e14310d38e49992439b4dde59ce0f

SHA512
99ece1da1cdb0ec67a8c3a37b584caf8e4ebe020ca87f5e09526977aa986ff89bc08a88d60c0a214980485e24f39ba51568785d8e7ea373b3d4a25f16d91e227

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
80KB

MD5
3fd49346e4459eed0b34fb7ee718ddc2

SHA1
ec5084509fa28d2d3ef9ba5cdce91ec9b9bbef31

SHA256
44dca3464afee91dd21d4a07eeac9bdde30a0822782cc2a3007b16867df20d8a

SHA512
0b429a9f995c22c761563b51143e8b006cead346cbbc7482f03ec71902f53e752139fc99631be5ca23b428bbe862e0e8cd986f6b0db0a8f2a70f5965db2cdb7d

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
80KB

MD5
da0942c6bd6808add7581d97a7e7b925

SHA1
72f8b7b1b724c8490beaf29e1ded82bb0be10064

SHA256
4c8c81fb0912001e44230d7537c53c5943542e5d0c1de5e8d00df1031a152f47

SHA512
d3181ac9b3be487b254b6a059ce16128b13dfc17b3e31bd59c7d45012fa87ba08d1065e9b62ec1f732b7bd183b09c29f9d5fb23bc3809f6ededd19db243271db

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
80KB

MD5
974eb743c7ca3cfeda8620cdb99ba568

SHA1
2594dcb035d265409c86db462652802306251b00

SHA256
c5400f8a35fe5a77d2b083297637d36dbb754061ab23e30ac77e1534fda0743c

SHA512
9e815cfe48c35286be6582b7e604c5f66d97e373c5bfceac11ac150156e965940dc884f207409478a4c262ab95817a39bd9b577dbaf54176af89cbd2d2b24cdd

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
80KB

MD5
a806de4f7c5cd6cdd51f12207fe255ba

SHA1
c2723fe282a4bd97b9bef3a55093b81553862319

SHA256
e2a1d57a81a61ebe0cabc9d954f3a63fdd0cc4400a59239b09ccd9bdd5598853

SHA512
073e660d71ce3520f265ff21956f6d98ba7b9d5a035650b8468f77d8c27107a7ce899c78c267f42f495f58ba7d421ed54a2f06aebaed83a1f6a7fa6d4490b0c0

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
80KB

MD5
715b1441b25f1c2739e47f8c92b77fa8

SHA1
61b160e5e21495422ce1cc83147e10bf341f30d1

SHA256
7aed2159bdbd42dbca14411b8714490756a89b51fc872dc46768354fbe96bad8

SHA512
e01a711300400995a4d8579427ff9c1d405030e8b269ea5ff0e0a15bcc0fa1cb24735d99115c9088fbb22e919019e5f9ae942e487488045d236a005b63b01acd

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
80KB

MD5
373de39373e1f52aafd6d83c0ec00d0f

SHA1
56b8a35bc270bb1e3c28184f9a6ece148c006d1f

SHA256
e4ed936e4ec9aeaab0cfdd957d93d4c89f1f4a6efe473ecfa4bfe2ba905811aa

SHA512
012f66ba68d537a1b55eba02c96cd69e6084e8d711c59fc28e1a6fa6c50f8e220bb4407fdcd5a87b247ed527a6dde98d0a5717a9eadc3d3ebbe636448c2a4ecd

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
80KB

MD5
80138326c40e34410cb7c731ffef996e

SHA1
bd07c76e5785fb8c12971c083e5ca79b30f728a5

SHA256
23cc576125dcb09b1ddda60fb440437dbed95a472db28f8b8996d74e13c1fd5f

SHA512
e3694ff2d2feafa31d6eac087c6cd249d6dd39e307546275ec0446d704755d3a2ad94b77ebb39218f158848ff285c90a21bb97792bf71a2929be7d1b942a3b75

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
80KB

MD5
4d6a4a51ccd9e7eb382d9bb8133cb87c

SHA1
e008075ecda94533c6accc7b7921324cbe9d712f

SHA256
fe5ecc58e9a312e1f8809662fabd6052b4f51cd9291bd0d64272fc94391f72d8

SHA512
bffd3774cfc75222c0beb76c877e936d4881f05fb459da2f969393b04bd85d357c48bbb9ce838b7a088a72b784799960d3bc1f1e8417bcafebfdbb631a168b9a

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
80KB

MD5
e42faf408b3019bc5f564599a6414189

SHA1
c4ad0f5931423f660f0c4f03ce9a608072103c7e

SHA256
307fd39ca6cc038710be9dd4a108d6a1e7de643622091e591b7d6287fe52e17b

SHA512
73085dad339ce70a0deee4680d5c684a6b4f75b1c2cd490242205c9914e57c038866d9f84fc4073ff729129fdf4b0904437b72d988fe0079f7f22b5d8016281f

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
80KB

MD5
7e001b73832762bb559a4fa856fbb478

SHA1
99b04cbc7321797e4a2d3a771c168fc3b637ea41

SHA256
82169e9490c1e9da105e5870d18c6e3a765a68eb10ab36a5a31d9a9b22256fd0

SHA512
4d56405007e8e486f038d79e69cf1444c87246ca21f581807eab0ed45a9556c147f28471f5a31362a3e166f8cb69844d89a8a77b3ea560a40106bb51d29bdf97

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
80KB

MD5
0fe7b852e4ee5a3ce3dd557fd4e00367

SHA1
73edc22b891aeabd818ae353de0446343a888ad5

SHA256
914fe7685eb07797fe67563d0262b2262098906f7677a1c0f68da855a75e6bde

SHA512
7e53e338a606a2403c35fe48a11647ddb99f8f7ce666f41b736e65a4eb0c0d301c224edbcbbdcb2148575f4381c4787c0aca6a8218b202220f32fe9acb6ce233

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
80KB

MD5
4731090a9a039001cae8966b2f31a88d

SHA1
b81757ac506f10fe9be6476559c2b495dc92a978

SHA256
3cf6badb179eba7720acc5dd5e2467435c0ca9b3f7053646cd8c112e7d04abfa

SHA512
650c6af60c287c1aa8a9bf1963caa807b60777385e9f005437e27b174a03e4957d4682a913a4d8f29fe9b4193566d56d4bd7cee63a542968db082e2e49532d09

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
80KB

MD5
425623fa3133934bd8f81950eb98a521

SHA1
75576fc36c521a4588503d210fd6bc46543352aa

SHA256
ffd48d4fbc481ff06a4d13f2feacebfb727f0bdc982f5afea8b354b6b3f44a2a

SHA512
a8996389c2665061f61e939e64fd409570a16e637e852ab37dce92309566c2e093073f228682ac78ede138c861d35971c17a0ae8c98891bc643e17e868877caf

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
80KB

MD5
502865d6faa697a6d36fdf9d06ed59e2

SHA1
f40354928114322bff0bffaa447cf9fe8adefa4e

SHA256
36d67f06596626bfe58c3e17a97104158d1b216382f5398facf9679020825f43

SHA512
d7480b7c57685ae23f07fbc4110459e3c285dd9e7c8d2cec5bfb9a3df89c8963799f9f8646b68268f212114627a4a84f54b266d2ef24bb67f0bef06c3a7417a0

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
80KB

MD5
74511159863959ac76c6c914f2337b00

SHA1
a62ff74167e1e82363b26c9fb3c4f251f6c4fd07

SHA256
d35709b9cc820db7ce1082fbc5b38d625cce2491b5516696277b93eb1c3366e3

SHA512
9fe3c9f5eda75501a9493bb92d68f08f2e80c99b757c341a782e031111cae7c68568ecc85ac0c0d5e7f0a80e67f192a4861abebfa33bca36daef642ddc9472e0

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
80KB

MD5
06f297cb39602fc094b368e59dc5dc84

SHA1
850a5e8719e8642f9ac585b32087ad1f6590a6fb

SHA256
2f13b490aefcc65354449d7f96cee5c2d4f4272d123bdec9fc5b1599dd8cb7f7

SHA512
5c53fcc1f535c3c107a7bf08306ec02df461ad038ec9aa2f29e7b61de26742939cb509cce2c8f63c20fe96713f29e8e60ba36c3c40bc845501187cc072639759

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
80KB

MD5
c0288f09383a8599e9bb0d3365af0353

SHA1
3e00c96a13a026e4ab040f9861f179c0a3c1bb42

SHA256
7d49602b18aadb46f8c308f7e470c1fc22f01a8b363cb24eea1418169ff0a1c1

SHA512
9cd8b4eb1ffc10f0fe74fba4dde0cd40386f56ea8a9d706f1e1b59e357802f2c02690f1a238b4fb3ae65a3884627366aff5faf31051d0b7539a1a0610d7e80dc

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
80KB

MD5
3b37ed66916641b7e85b269c3cb0d813

SHA1
e5e3def018fd2bd3878521e6ca42a713c609e901

SHA256
8f10465c735b8ab33a13c33e2289a115f2ce917767f6ccbb2b6a56d17c03df0c

SHA512
01c39cb4821f64a0365403e04af43f096d4fcb2e4e094073755d7255251cddef11eea737763cf7b60855715307cda0b0e127ee974087044723dd060a3983479f

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
80KB

MD5
5c2dff1192ce6b4dd00b9e490efd4714

SHA1
cc60b2b54517dd092cae0d0586055db235791829

SHA256
41890eb91576fa3b1047070ca891f89c42c3ae7e861786ece113f3d157036ca0

SHA512
14e3dcaef0740fc0ce87ea1d290bcfdac4d10a8c6b13d18295bdf0d7e3c8acf3c22d7f61c8e9f8c7413757041f5cb0d483ef81e5e0ecf9487d57732a2ba0514a

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
80KB

MD5
013dfde9c815778eebeb554a340420d3

SHA1
c8f37f26993e2ca83e25d521320c468a28d0e74f

SHA256
dd68e8670412b5f175a8f69625a53cd825d4f637f207d6916e9c1e5eb6d85b6f

SHA512
c0ad710f5d3901c3fe87832f04a4d22ae938960a72dd205c274e3af51f18a1e46d071d921b4f7f48e215d8e7f999a22064749059fcc66a1774b5fd167782150c

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
80KB

MD5
fc868fa103c6c1344b6e5d44433855a2

SHA1
22b20a06e5a982999fa4c961af8f49908a81d5ec

SHA256
dc1c8d181c84b0d4406e5527fd7e428fbfeb164de71fe97a02b0af5cb0756deb

SHA512
44a036483584d1bec005806fd53e4b8049768ea1ef1780b7dfb77370864a8b82fbf9fb014ff5f0c295446cf6238c4a044983e60e0e68d6a4812bddeb0bb00da5

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
80KB

MD5
d8ed178c89674640e0784f49323ebeef

SHA1
dc5ca00ae5c3add354e2cbff518eb998cc81b844

SHA256
4dfafa817a5d5e719f72984e93398cfb7c05c5786d079a9b8b27ffe04310c9da

SHA512
fa99d7dbbdd96292492ecd92ce0d60658be51ff45b4192b4e706f786f15917cddd605d47b6120e06a32a6c924f5919f68c41add22a093af980e49ffd0fd89a82

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
80KB

MD5
2f8fe100f09241d67e6c3b800b3ab610

SHA1
ba588ab3b7efb41d1a87d89e2638561de6a4765b

SHA256
1f7fb219c75edcba99defee87a3618af7a4b69dc193d88594e96c2fc0f76a8a6

SHA512
c12fd99d2282286d1206d2007eb261a498c41a246b9c78927968a4b3ba0bc7ef8d340275ea4258d04139474b2b0f15175dcc6d0fa0113ca7d320de3f6adf8033

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
80KB

MD5
3f089a1b01c9fb51b6248f43c8b4f451

SHA1
23173953938c3e1acfb0cb44a516091ae28f8e4c

SHA256
05a675e3b1270e5f53dc9aba325cdb756ff8ccbf8c7719fb5cc8178b7bacda87

SHA512
b22d6cbe191fc4dd246ded8622261fa85ea02273cd61b2ce7bb41b3d5a6b72ce3e2c6d99a21f675b182bb9cb5f4ccbaed19708a4e325bd91374b711a31ef0576

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
80KB

MD5
87ba5e1cd64568f096d85beef1882f9e

SHA1
07bf408ca25dd36ec0d9441175420bb13364cb0d

SHA256
ed566fa5cb85dd746f161aaf2ceeba57857cdb16e0b30693c32bf654a840bca5

SHA512
6c9fa758b3417b9915b07e6ceaaac63bee71a0eebb5856eff6ccf931494b6cee20ff08dd58dc5afb0ab1bb35454d873cb33b55a2d7c8039a601ce1a741b6b4d7

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
80KB

MD5
71152bb443427aaf2a56db0af6cc0bbd

SHA1
e4b4d90aaae4e412e4869fabfbed43cdfd3d4a34

SHA256
ccb6d989fde254a6a83ef5f5a2c6edb25c9998d6709a0821364ec779142199d8

SHA512
94439f58046043cd5c9d8c701f1a16c434a60e63537a0d4f4ef3cade6d9dd49675121c20dc31c474c2f430c9305484bbc2dbaae6f0d358ea65ff9ffd92d7415f

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
80KB

MD5
08a299e1d17f7e21e8abbf7fced568fc

SHA1
413574b70c8238316c3d52c7193f3b61c35b07ae

SHA256
4f4ca191b29de8718d000f7fcf689ef10723c667cd2fb3d0e3ca5c150893a064

SHA512
a94a2cd123c36737f1a45d257664b47caf8f0f58e99907c074b8bdbdaf4fe2b4693ba665bbe91c3cfa744d582ee4778682758e4d3c6dd3a231967c6d9b3ea53e

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
80KB

MD5
1f116f0d1e349753b234766032a3bca4

SHA1
7341fdb7b7a0734f73213d17747bf67f28c6fe12

SHA256
0298cb27623c7307f163c2c5903affdcecbe12b8ef9ba441ee4b9a3cfa2b6bd2

SHA512
dbba1cc3dcfa98a91ebf8ab85545a27392064217223f479911a9a0ca3ef28e4f05f2b20d1d6b5fcecc198371e8cee14a69e3a314ffd97129094e1747ed804b42

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
80KB

MD5
db80ca8e82dc269e96ff3d6c356f7870

SHA1
ede99e6ec5c0c0bc5ec88b6639de4d04b0d8f5b3

SHA256
d255e6bf6c75c8dc2cb509f52d61c22a253e1979accc3694d4813b8c82976906

SHA512
9cdc7d197b30b18a82f06ebcdbb10f11255894cb386ef2ae825760a8742cdff5eece078eae36b0d8355a2510245dba39cad54ecc1be3b4ec9528b93b1d65a15b

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
80KB

MD5
d2ba5191c91b685ee2246a0b49c54466

SHA1
36bf6dc4817de3d18483220afd31ab5f75ea7060

SHA256
5b4e3b755fae6ca1929c2374675bb8f8673980b44f71398863e7d094af699476

SHA512
d38eeef2620c11b3127148e6f8fcda8b2290933a6a9b7e2c40e541339d6f3df7214298363aad16312a0624df58d233f9b427d45b0144f50cc9b7ebf8da1935bd

Download Submit
memory/316-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-466-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/528-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/676-519-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/680-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/692-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/780-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/888-508-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/920-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/936-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1040-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1056-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1328-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1452-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-502-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1700-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1828-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-578-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2244-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2284-576-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-561-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2560-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2592-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2600-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3384-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3440-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3444-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3544-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3548-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3676-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3828-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3928-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3936-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3936-564-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3980-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4160-579-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4180-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4280-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4284-571-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4284-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4308-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4316-483-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4440-590-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-599-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4544-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4556-569-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4588-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4648-538-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-585-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4760-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4912-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-596-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5140-598-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads