4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe
Size

125KB
MD5

b0426859cd58c37c8b7862cd45092ce0
SHA1

090fb07359ed419798006438e2c067a837ab55af
SHA256

4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff
SHA512

0f35f537976baf2eb9a7662f0a71cf3bff98c9b90850248df716fe0de86b312640891b650e5d21f378851c818666242c4401a7b48c168476b6bd38ddb7786e37
SSDEEP

3072:O4UnietAUpRMtFbmdghHMt9gO8Lce1WdTCn93OGey/ZhJakrPF:LUNAUpAdmaKwcVTCndOGeKTaG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe

Executes dropped EXE 64 IoCs

pid	Process
2844	Gbldaffp.exe
3232	Gjclbc32.exe
2744	Gmaioo32.exe
3484	Gppekj32.exe
3324	Hboagf32.exe
4792	Hjfihc32.exe
1580	Hihicplj.exe
3288	Hmdedo32.exe
428	Hpbaqj32.exe
4844	Hbanme32.exe
2548	Habnjm32.exe
2384	Hcqjfh32.exe
4800	Hjjbcbqj.exe
2656	Hmioonpn.exe
4820	Hpgkkioa.exe
1692	Hbeghene.exe
2352	Hjmoibog.exe
4968	Haggelfd.exe
3980	Hcedaheh.exe
3096	Hfcpncdk.exe
3444	Hibljoco.exe
4588	Ipldfi32.exe
3512	Ibjqcd32.exe
2724	Ijaida32.exe
3024	Impepm32.exe
3680	Icjmmg32.exe
3032	Ifhiib32.exe
364	Ijdeiaio.exe
4240	Iannfk32.exe
700	Icljbg32.exe
2092	Iiibkn32.exe
3176	Ibagcc32.exe
2448	Imgkql32.exe
1780	Ibccic32.exe
2056	Ijkljp32.exe
612	Imihfl32.exe
4008	Jpgdbg32.exe
3616	Jdcpcf32.exe
5068	Jiphkm32.exe
4680	Jagqlj32.exe
1516	Jpjqhgol.exe
1604	Jfdida32.exe
3048	Jjpeepnb.exe
4964	Jmnaakne.exe
4188	Jplmmfmi.exe
5000	Jjbako32.exe
2364	Jaljgidl.exe
4484	Jbmfoa32.exe
4804	Jangmibi.exe
3712	Jfkoeppq.exe
4552	Kaqcbi32.exe
4544	Kpccnefa.exe
1956	Kbapjafe.exe
2060	Kgmlkp32.exe
4452	Kmgdgjek.exe
3732	Kdaldd32.exe
4112	Kgphpo32.exe
3040	Kinemkko.exe
840	Kmjqmi32.exe
4044	Kphmie32.exe
3456	Kgbefoji.exe
3084	Kknafn32.exe
4768	Kmlnbi32.exe
3592	Kpjjod32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Habnjm32.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Ijdeiaio.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Haggelfd.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jaljgidl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6000	5740	WerFault.exe	208

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpdme32.dll"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2844	2040	4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe	83
PID 2040 wrote to memory of 2844	2040	4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe	83
PID 2040 wrote to memory of 2844	2040	4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe	83
PID 2844 wrote to memory of 3232	2844	Gbldaffp.exe	84
PID 2844 wrote to memory of 3232	2844	Gbldaffp.exe	84
PID 2844 wrote to memory of 3232	2844	Gbldaffp.exe	84
PID 3232 wrote to memory of 2744	3232	Gjclbc32.exe	85
PID 3232 wrote to memory of 2744	3232	Gjclbc32.exe	85
PID 3232 wrote to memory of 2744	3232	Gjclbc32.exe	85
PID 2744 wrote to memory of 3484	2744	Gmaioo32.exe	86
PID 2744 wrote to memory of 3484	2744	Gmaioo32.exe	86
PID 2744 wrote to memory of 3484	2744	Gmaioo32.exe	86
PID 3484 wrote to memory of 3324	3484	Gppekj32.exe	87
PID 3484 wrote to memory of 3324	3484	Gppekj32.exe	87
PID 3484 wrote to memory of 3324	3484	Gppekj32.exe	87
PID 3324 wrote to memory of 4792	3324	Hboagf32.exe	88
PID 3324 wrote to memory of 4792	3324	Hboagf32.exe	88
PID 3324 wrote to memory of 4792	3324	Hboagf32.exe	88
PID 4792 wrote to memory of 1580	4792	Hjfihc32.exe	89
PID 4792 wrote to memory of 1580	4792	Hjfihc32.exe	89
PID 4792 wrote to memory of 1580	4792	Hjfihc32.exe	89
PID 1580 wrote to memory of 3288	1580	Hihicplj.exe	90
PID 1580 wrote to memory of 3288	1580	Hihicplj.exe	90
PID 1580 wrote to memory of 3288	1580	Hihicplj.exe	90
PID 3288 wrote to memory of 428	3288	Hmdedo32.exe	91
PID 3288 wrote to memory of 428	3288	Hmdedo32.exe	91
PID 3288 wrote to memory of 428	3288	Hmdedo32.exe	91
PID 428 wrote to memory of 4844	428	Hpbaqj32.exe	92
PID 428 wrote to memory of 4844	428	Hpbaqj32.exe	92
PID 428 wrote to memory of 4844	428	Hpbaqj32.exe	92
PID 4844 wrote to memory of 2548	4844	Hbanme32.exe	94
PID 4844 wrote to memory of 2548	4844	Hbanme32.exe	94
PID 4844 wrote to memory of 2548	4844	Hbanme32.exe	94
PID 2548 wrote to memory of 2384	2548	Habnjm32.exe	96
PID 2548 wrote to memory of 2384	2548	Habnjm32.exe	96
PID 2548 wrote to memory of 2384	2548	Habnjm32.exe	96
PID 2384 wrote to memory of 4800	2384	Hcqjfh32.exe	97
PID 2384 wrote to memory of 4800	2384	Hcqjfh32.exe	97
PID 2384 wrote to memory of 4800	2384	Hcqjfh32.exe	97
PID 4800 wrote to memory of 2656	4800	Hjjbcbqj.exe	98
PID 4800 wrote to memory of 2656	4800	Hjjbcbqj.exe	98
PID 4800 wrote to memory of 2656	4800	Hjjbcbqj.exe	98
PID 2656 wrote to memory of 4820	2656	Hmioonpn.exe	99
PID 2656 wrote to memory of 4820	2656	Hmioonpn.exe	99
PID 2656 wrote to memory of 4820	2656	Hmioonpn.exe	99
PID 4820 wrote to memory of 1692	4820	Hpgkkioa.exe	100
PID 4820 wrote to memory of 1692	4820	Hpgkkioa.exe	100
PID 4820 wrote to memory of 1692	4820	Hpgkkioa.exe	100
PID 1692 wrote to memory of 2352	1692	Hbeghene.exe	101
PID 1692 wrote to memory of 2352	1692	Hbeghene.exe	101
PID 1692 wrote to memory of 2352	1692	Hbeghene.exe	101
PID 2352 wrote to memory of 4968	2352	Hjmoibog.exe	103
PID 2352 wrote to memory of 4968	2352	Hjmoibog.exe	103
PID 2352 wrote to memory of 4968	2352	Hjmoibog.exe	103
PID 4968 wrote to memory of 3980	4968	Haggelfd.exe	104
PID 4968 wrote to memory of 3980	4968	Haggelfd.exe	104
PID 4968 wrote to memory of 3980	4968	Haggelfd.exe	104
PID 3980 wrote to memory of 3096	3980	Hcedaheh.exe	105
PID 3980 wrote to memory of 3096	3980	Hcedaheh.exe	105
PID 3980 wrote to memory of 3096	3980	Hcedaheh.exe	105
PID 3096 wrote to memory of 3444	3096	Hfcpncdk.exe	106
PID 3096 wrote to memory of 3444	3096	Hfcpncdk.exe	106
PID 3096 wrote to memory of 3444	3096	Hfcpncdk.exe	106
PID 3444 wrote to memory of 4588	3444	Hibljoco.exe	107

C:\Users\Admin\AppData\Local\Temp\4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4dc0da2b2063d13008a1543d8813edfeaad02b26afaa9d7ddda11ab795cdf6ff_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\Gbldaffp.exe
  C:\Windows\system32\Gbldaffp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\Gjclbc32.exe
    C:\Windows\system32\Gjclbc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Windows\SysWOW64\Gmaioo32.exe
      C:\Windows\system32\Gmaioo32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
      - C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        23⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        26⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:364
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        30⤵
        Executes dropped EXE
        
        PID:4240
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:700
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        35⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        37⤵
        Executes dropped EXE
        
        PID:612
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2364
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3712
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        53⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        56⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3732
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        61⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        63⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3772
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        70⤵
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2224
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        74⤵
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        75⤵
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4480
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        77⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        78⤵
        Drops file in System32 directory
        
        PID:3200
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        79⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        82⤵
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4404
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        84⤵
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        85⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        86⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        88⤵
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        89⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4472
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        97⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        98⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        100⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        102⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        105⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        107⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        109⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6056
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        114⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        116⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        119⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        121⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 416
        122⤵
        Program crash
        
        PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5740 -ip 5740
1⤵
PID:5932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eagncfoj.dll

Filesize
7KB

MD5
37bf7bec88c06ec66a1eecc151fd8e9a

SHA1
13b2b82e919e897efeb3aed2efbdd6d5fe04e76a

SHA256
3f636278f8f9e9097cffbd016b2a5217ffbfd9bc6d582d7751b32f2ae1c01bae

SHA512
956b9a8d7d4151bffde22bbe989959df9cf4138e1d9c3fc4276e7c0c599122d80f15a559c68b164f64d4b181da001889c085b7dde3b6acb76cadb83424997109

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
125KB

MD5
a498122c02de6874f36db6f1b5c61f96

SHA1
991dccfeba0606c191e614cf8849a36476186df9

SHA256
fd0c704c9da32ba7a8996f439ae660024432af6cba94c6162b1c842038182fdf

SHA512
771d914ce97d13e304ed13ef8bc4c9eab7801612aeb291d9272e94ccc6033fafdc3cdf2355154df96ed2e4010e385d2f8d926f9965a1e9649ccf563c7dd8caa3

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
125KB

MD5
fffcdc42b18904035336abd2db025d76

SHA1
dadf4eed3e577d530cfbe981ea7870160ae4e428

SHA256
f706055a3f27077d701a88f8589fdc65904c9fb3787fac6011db6bc611b85004

SHA512
422081982dd394901e282cafdc9b8d7ee1ecbefe2b0895cf7dfa6b9b304222d8dbf01a77801ed854705c69ab116b791e4d9c18950841c0ab23be750a26083f70

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
125KB

MD5
42dff76453ba08fae5d9224ddf8b2122

SHA1
09a205339812a83417eb26777718812156af1163

SHA256
ae9b6aa9bc160bb0fca97e2192e61854a22568cdb618d6188ca4be69c8eab11d

SHA512
e1483dd34210439581fd428019ee68b6a62d23c6dbab35ef3aad0070643bfc2c91b8cf3d2ecedc1aef0e73286021e6bdc35d36a760a03c37fa5a306aa1418f18

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
125KB

MD5
84f727845a5bc4b1a308391f8dbebb37

SHA1
ae08b95af3db89b00412f13078338cb09ab373f6

SHA256
09c22b3e80ce8fc84b638e15188f70427828e56f05f87b50fefe416a589ed488

SHA512
0264d6f3aa463ed830e570fcb09d158f12542cb9f67748f5731e3d3ddec484ee9b664380f6913ff26a0dec6de5047eb5c878482b7aee60df240b9154f049a89c

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
125KB

MD5
a772c3aea3af21495ba5cc6830209254

SHA1
ade5568ed4cb5a78bd70c35867a01d1784b0657a

SHA256
9fc1b8e375758e12899806878094a86d5277cda1e5ffce15ad8dc24922713e18

SHA512
6e5a9bd532abcf3cb53fc882928bb73046df7f4abbb53eb68a637585a89c428f6c6b0bee1be64b53dff03fdcc1c476d9cdd39569e592d3faeaf1a643316f931d

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
125KB

MD5
565aa9f617090f690071052360136d6a

SHA1
8ecafcb65c80a59c400e61fc30998fc978eacfe9

SHA256
ef51e0a7f75c5d22e73c066f9234e8b6637adf65da5a856d4a786181b8e33109

SHA512
a6cd0b167a4b6dcc7ee6e03df81075d3520cc6e2d64510d266ad63aa62b561f9af602d24ae583f8294c966af86f26e0c8c59a94440a42811cfe6e9b99d690215

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
125KB

MD5
1fe91ad9ffcadcab3a95977f055a0fa3

SHA1
47fd4d3c27aaf34abeceacdbff791a419be7cdb7

SHA256
f15cc90152f3a7a231e0b3fcda4ea79d869af90d3b77530e49aaeccc74d31d28

SHA512
4f869994d996e0fb5d6f7c57daf03d5deffbb52bac4e812d772e422f3f77f831b25c6a0520fa07de5af32acc06696023027f63bf3e932052c35497771f56ba68

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
125KB

MD5
159ac443e32e92fd477baf760db97a5f

SHA1
9ee5a32889e96c2f4d34721afa7f3ebf950223af

SHA256
878714ab0170f5ec305f2de04a8629525a9673b6a4605e41e4b66aa1c0737271

SHA512
30f25688d5558472e06bc36f960296b4be356b221debf47b13ea7cff0d98652cf3f17a7ded3597bc08ac46634b1aa807950d29ae4e6b501054daf24f2510337b

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
125KB

MD5
212e559ee7721120d0d63281a0ba00da

SHA1
db7878b97acb3e8e8a860fe8dc99944ed7add443

SHA256
baaa4cf23866e46c73dbfa1f4c29d2991b88e36f0c9566a7cf1a1eb65b7ad589

SHA512
d26224bdfda0e5b8f8a68cafece8d0a5ffbaef1e7915586bfa5150ac801a7f134a5621290c437bf5b5a0192ffc6afabca35c789d5dc9cd7c5c48497b45c15e2a

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
125KB

MD5
4a4620f858317872f36ee3b90ef55bec

SHA1
ba7a3ba279a224ffa79e79a423780c8394c2d6dc

SHA256
397b98c7bc1a37d64bbc0dc90bcb8d27ebc32d675d863082f39e361485727397

SHA512
9b83296aeb0e17861f9a867e8aeb105959fe8ed586bf60d1eea061ff0029677fa5587e0f7353652582c829f5f2af98f1bffbda8256aad2680d0131ff76b04bad

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
125KB

MD5
07044ec6478e5ad47bb0c01ed2c1833a

SHA1
c929140f63781f9be852906e2ef0970fd0b86767

SHA256
6304f01308aef875ee4c82107e232a9f80699e732dae7cda7e4ba22974e6303e

SHA512
e6dafb7ba59453ef3489dcdc40fb4c95b0dbc131bc8aaff0d811fb1dc8d4ea1df03482ec90e36621f0a14631003dddc7a4e1fb0b10e6f007493f3bed11a3cb47

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
125KB

MD5
0a4a9c1382fca796f45e29dd9fe4db87

SHA1
424c2a0626ce55479db4007df311715c3c1a57db

SHA256
a166c5713c8c80f4147c6dda94507e9ee75ba6bd8946fd0c9d06acc773aa6408

SHA512
d49c475022ad364cc5793c5127efa47ddafd24bd25b62fdf2cafd23ef1443e6e87564e9bc37afbe43e003ae40db121e1555a29d6eb3e64837b01d17f80282ad7

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
125KB

MD5
afc4a620e9620691833c787d6fbd4244

SHA1
dd829d032bd39ca50b33e7c6fc7265c958827162

SHA256
7b1d14e9c1c13f8914ae83329684710b05b2f78b50f3c9790bb501569f0d9744

SHA512
95c3eb54d4b92663613261802f8b07968fb52ad83fb544cfa044bd3f0ed7d271def36ab0466effb3600ae8d4e78dbb0416feb5e67be900a2485d6218a6adc521

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
125KB

MD5
7868122ac8482908992164244bb26ceb

SHA1
3d4099c9c28e055f4acbd673bae7ca617f773100

SHA256
a82957d5dff42952b6818a982c7ffe3f38ef9288d6c0aeee475bfff5c3d749df

SHA512
f74e1840e8eadcfa34e8d6e87de7158d10ab89fe722959cbc07c2ccd0f69c2bfbd154011cacf2c3adfc8f90042b0e870a172ae88043f3a9f8de17282cac2bc1f

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
125KB

MD5
a3ebd2e601dc87e462c0669798df6148

SHA1
9e73756369cab6582de59810bcc13506599d8f0d

SHA256
53fef4b64c8414a391499d3ae26d2c8d051fde7c1edde5a27d6c1f129ac292ce

SHA512
bbf1278d46f670ba2f25699912c9abc383454bce21828106e79d130ad017e1fe94fa530d19f27fc8047317763d9ee50ad840020a2543c6f9d84a7c322be7ceb7

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
125KB

MD5
e72014b0e9dba645e60e2d3db70d2682

SHA1
56c6f03006318a9bc7e89ac82a780a559524043c

SHA256
9b1cf999bb496041e72d4fdc3500b3408679183a504b915cd098bf2b4414a006

SHA512
70ac09ddb96143a9d2f6e8a4d3b30385cdc8212a729ce0df397936f65b47255f24645540cfbf4697ccaf8a81c1212b7e5b8bded1a4da931b32f57586a22d24fa

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
125KB

MD5
4dc5b436fbd37fc690c0a7752e3db48f

SHA1
0792d3c7eccd14afd4c07cab2373bf5bfad9c6b6

SHA256
eaf11a60bff8d51e305e0a5eda71339f99c07da2d822c8dfccde761d6e75469c

SHA512
d75c176156de98a1fa9e7b558c6351ceee09e4d72d657b787e91d7cfc0634e7be7fe2852a14c8945a88a4721a8f8eaf9d1bdf491dcc79f8210fe51d5ebf60591

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
125KB

MD5
fbfd130b839e9d4e92d4cc5dc86f6fdb

SHA1
3ac1fe8ea5c7cdf6264edfe6041de4f976a942ba

SHA256
94b11e028f2049c3cd9f9dccfe75e9ea9ba6df3ab0eaa43c8756673d23b877f8

SHA512
9d5725dfb9021029aa8f3981f30131cf800e958cf50dbb2c0a9fe6634d29b038327f256756ed47149f92bb7695c3c09a625088ded2f54489c61d99adcfa4d831

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
125KB

MD5
2c70cbbd34712e76784ac8d0da35b41f

SHA1
5a55bc3a5c5b9cc14b0b7e704d64954faad967c3

SHA256
16efab0529a12b8353c10b5f9a0eb556f2504f4519c647644230916447109621

SHA512
89ac1411943157829302d529a9ebd86f06a2d5763b2e088c9a0d063533db80f078d9aa629e8075cda2041146f2d07adbec55bd2deb50c8159ca9e587617caa29

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
125KB

MD5
c2bd54e2a5f5551358c67e868ee8d6df

SHA1
e4d9a8656531d3ff853d01a78e7a2a43e24a6aaa

SHA256
5036451c2c1b60f11b2b0475668d927d7d0a0ba59b285cb0edd695342ffb6fe3

SHA512
4515244759902d2e12c84eaeaf31659772ffd883964e01ff388191704dbb84931a3f4149b063f3e282a3f9c859dd8ac44ab65ab0d345567e0818c54b98843774

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
125KB

MD5
7edf6e37e625ee7184b4683709e791f8

SHA1
f96f3abe64ffe30c9479e318c02bd817b3fea7ef

SHA256
ad90802e56480a1d4ddcf5e986dbc019a8261fee1fd95715e66deb26b2efccd8

SHA512
7462f87b336d86cc13b9e69b0ff230140410e38ad8d699b0865866e2124a8dd6b85166d3c65ade4aedf9869c79928c29a19b645169613e52213d6bb3eb91bfde

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
125KB

MD5
37d284245dfeb00d514fcc78099895a8

SHA1
58c1ef101780ea04f362c35aa7cdf855d47fda8c

SHA256
3d07e495959d2990f392db1fb6eeb4ebc411226a9d0219904d33ba9e074eb542

SHA512
d15639678a7f7e8729f3b7653bbed3abed7adfd7c25bb375d78ed4788d0e3bb06174e37b3eec724009baf93e4c55121479a3f7711ad62a5b42125c5ac3ccf543

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
125KB

MD5
4b61490d610cfe83250a863da0a0a93a

SHA1
1ec892cfcb40801bb639af21ccbbfd35004eb6b1

SHA256
34e65f5953558c9d1f23c92d80649a414c1483742cd880c086d1073cd0540dbb

SHA512
f7c3367bba798f8bab3e6ef8890feb992b584154cd554fc38ba36b4ad93285496ecda36e1835a82aceee08789ff1748c86269fc7f4b0822d91cf79ebc4f7d6c4

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
125KB

MD5
8fa7cd22a37d56386e49afe4bedb208b

SHA1
ef1e23de2c687419611cf76f31535d29ab98792d

SHA256
a8b818cd62a81ac65affa4ccec4eea236ae283999e32d270cfa61743b7b53ae5

SHA512
fea891dc2d75606569e7e0f61df4b70063733909ccd858cbe40a30820dc8127490b668ab3c0ae2f134dd8bd43787a96a17fb8c1d336a8db5b5abe86dc6ceb372

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
125KB

MD5
33c22855bf79efc458edca30e408039a

SHA1
ec3fc3be86c6ebca15d76f464869d921a5828d75

SHA256
731da262634fef78a5a0293c2c04896d4c272b7d11ffb06447b9bba2034773ac

SHA512
93aba9d6051891edb1ef323afb261efd88f5907ee01e683c4f05bdec6c19ff2a242c18fea2e6abbb75fa3e842a8867d66a10561d3265c05ef653795ef94f2932

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
125KB

MD5
280a843795ff11b94b6430e36e5d57a8

SHA1
28a02632fbf86dd7b4dbc1bdae428047776351e1

SHA256
e55e4b24208215e17f60bd006b813c9fa4ecdab4b26017ddf457505688247940

SHA512
fca3dcbc35598b6f70fe920225491936c79959a7b192b7813bf725b11034c1024eeb0d8d44f2fec77f52e06d4d0805481607e474ae31713856f9c2850a55119f

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
125KB

MD5
4f42a1d1beb1f4a0d8cf3c58eb675977

SHA1
d347eb6e8c89c7fe0f50e66e1c71f3125ea3bd34

SHA256
f41ea04f8bb2c962d019b7142044d9ff0e15273a612bd7e4697b1fccc9a21e6b

SHA512
21801bc0127b1567fc6993f39025c47f3aeab8676d060d1ff8c135551baf2e042f61bc17573d21227483a0ab9ce04c84e4524b39cb0c5775462f06c4e0b60bd6

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
125KB

MD5
d6d023be8d290319361ffe3bf54eb3c0

SHA1
9ee140f7f5bfa161a914dfbb4e21398434879373

SHA256
83bb47911370146c6e3027b773eef8a2bdd48b70c7a090fbd6b68e2377a6d3ee

SHA512
b1ec3de99a6ee17de78db1bda90bb0c4af97be3df2e61d527a3ae4f1ddfca0fc25a3d4a15b677e5e6f495be57eed93568611f0e9ba4b9d217411410810e67504

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
125KB

MD5
0e02d059d2497b1c5b57a8c12e0ec40f

SHA1
9f666a26761b576036decfee64adf8d5f0b1dbb4

SHA256
2e968fbbc078e92cac5eb3016575121c5ab6b0bd078d00c516eb159771eef195

SHA512
3d5f198d5c79e256bf3af96ebf37c97713aca42f679e273706de0351bb8f3ff351fafa582419e6008cbd0ce29e397a199361b2c50014ef7c04f00c8d4c104c0a

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
125KB

MD5
25d4fbfb63d1a098e5a0db6b546e7a7c

SHA1
6655ba306e592826aedf1dd2eb442504f141fc7f

SHA256
35d2d164e683e3e0043463dae606df6f87f21818dc812cd1d937c0aa619f039f

SHA512
283b8c2569f89c1fd4ec5e52f61ed8fce9121b97823a5ff2244f362e33cd1becd838204802b53ac58899985f01dc6ef96397d707c88e749cab1503cb92ef4893

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
125KB

MD5
61994e8f42c32c499114b9b785d1e4a5

SHA1
815843dc24494427cf03c97c14d9848cf0b416b5

SHA256
f44dfd25160d6b117dd9b94e4cebfdca9919b4adfedce9884ae3257821465d2a

SHA512
c83b7087ce27d029a4b5bccb33ac14646ae88d386e26effe9608cd50fb9b85f79f531b1fb63bd5db2429cc8698dc664f1a8f3f21851c73e9020a583d31eeb97a

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
125KB

MD5
376bb7114a98e7a45a35b527c3631cfa

SHA1
756786006b739938572a2b3dc94a93dd36973c25

SHA256
52aaade6f4d5816f26313f7dbbbffb025881ed6a0c33dbe344ae1690f6a927f3

SHA512
2b79fc92099199fc0eac6ef46fd3ad5d8575bec177fee38131c382d83059075919d440a2f25b65dfc4b48e9480302425ff800b438d57394238d383a3de5b6a79

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
125KB

MD5
43ad2ba37a04f28844435c2c62f2d5a3

SHA1
8ed67af99bd63080a8ad88323129c0fc90a54020

SHA256
61aeaafeaccd45b14c08c8534461b40cf7465bec5ddc279ce49e83d1df015703

SHA512
202882ec24487f8a36b1767f0970c6fccad3b066c3de8cbaa407b4c0486c1b1e9c3420c1daf55291c45ab2a4594799ae90325b5fb465635f87176fac9eadc744

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
125KB

MD5
dc09b3d49d30a70d2e983b7a84a296f2

SHA1
49619064209976cdf1f7d47065b7ec0423d851e2

SHA256
1a6f954923e29f3ed06f1f5225e966f118a9a1d6659b0370d6c3e1bc61a96080

SHA512
355aacee0bbf8ab6b8628288e1008e460bc5697ae21e6b117be9ebef0083238a1558faa8c0db5d1b08f48bf98f480ab094d16df7552d5bb6d0665e4a8f148ea7

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
125KB

MD5
4fbdcad22b81685a9438fb01f1cd99ac

SHA1
2c960636da68d2da6810120e5e2ea61227566816

SHA256
8bcd6d7f4f2319c8aa7eef1753b175687e120286f8a7b21b6ed6ebe18aee86eb

SHA512
72a86b9b3c920b62815b7b4f2cf01227a5051236591674d8f4ada17cfc5d2b9d158b28dc7f6e94333d68807a18d1eb2e3045ce231a4e69622a148e1dda103bdd

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
125KB

MD5
1b95ff5bfe4a0026150b233bfea3180c

SHA1
3b59e8537e2617863d23679972081db9be53de14

SHA256
8c9d4ce1a2624e318130595a8d4391eb8fc3482fdef951869868e0c616b84930

SHA512
81f2cb9b51b607f69c8693dc2b76a487ee4d7327adf44e04cbe80aac61b7dd7041bd2d7b00bc29c3a9f81cf4c54c5dac45af9f7fcbe2abc5b5bfcf1c733c4f7d

Download Submit
memory/364-228-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/428-76-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/612-280-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/700-240-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/840-423-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/864-545-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1072-525-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1108-603-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1152-501-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1484-470-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1516-310-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1580-60-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1604-316-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1692-128-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1760-537-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1780-272-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1928-506-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1956-382-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2040-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2040-544-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2056-274-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2060-388-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2092-248-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2224-488-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2324-477-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2352-135-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2364-346-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2384-96-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2448-266-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2496-552-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2548-92-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2656-112-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2724-194-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2744-570-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2744-23-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2844-551-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2844-7-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2860-458-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3024-200-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3032-216-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3040-416-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3048-326-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3084-436-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3096-160-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3176-255-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3200-526-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3232-16-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3232-558-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3288-598-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3288-64-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3324-579-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3324-39-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3444-168-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3456-434-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3484-32-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3484-572-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3512-184-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3592-452-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3616-292-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3680-208-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3712-364-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3732-400-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3772-460-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3840-480-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3908-573-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3980-155-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4008-286-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4044-424-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4112-406-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4188-334-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4240-236-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4356-580-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4396-490-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4404-559-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4452-394-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4480-518-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4484-352-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4544-380-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4552-370-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4572-597-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4584-571-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4588-175-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4668-538-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4680-304-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4768-446-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4792-52-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4800-104-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4804-358-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4820-120-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4844-80-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4964-332-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4968-148-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4976-590-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5000-340-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5068-303-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5092-508-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads