727f75b59255fc5b94c98f96145adb70023feae435b4ed97fa2b60f4889221c1

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

727f75b59255fc5b94c98f96145adb70023feae435b4ed97fa2b60f4889221c1_NeikiAnalytics.exe
Size

128KB
MD5

3e90f28693a15a344a5c24e1b284e320
SHA1

e7db083ba34ca2b2ba6cd83cea97a41aa9ad48ae
SHA256

727f75b59255fc5b94c98f96145adb70023feae435b4ed97fa2b60f4889221c1
SHA512

f1852fcfa43675e47f98e907d2471a3282815875b5a361636d706750dd62034085d621af397e11d7eaa70c91a538ad1fa05c635dde47fb74ca246329878ba6e3
SSDEEP

3072:KKWrYk2xXPHfRa3apKdr8EznYfzB9BSwW:Nk2x/HfRMTr8YOzLc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe

Executes dropped EXE 64 IoCs

pid	Process
4032	Gidphq32.exe
3712	Gpnhekgl.exe
5040	Gbldaffp.exe
4784	Gfhqbe32.exe
2900	Gifmnpnl.exe
4440	Gameonno.exe
1712	Gppekj32.exe
1700	Hclakimb.exe
3164	Hihicplj.exe
1984	Hpbaqj32.exe
1888	Hbanme32.exe
4684	Hjhfnccl.exe
1956	Habnjm32.exe
2324	Hbckbepg.exe
1476	Hjjbcbqj.exe
4504	Hadkpm32.exe
1408	Hbeghene.exe
3344	Hpihai32.exe
3100	Hfcpncdk.exe
1320	Hmmhjm32.exe
1976	Ipldfi32.exe
2316	Ijaida32.exe
4744	Impepm32.exe
4256	Ipnalhii.exe
4728	Ijdeiaio.exe
3508	Imbaemhc.exe
1972	Ipqnahgf.exe
3220	Ibojncfj.exe
1140	Iiibkn32.exe
4312	Iapjlk32.exe
3184	Idofhfmm.exe
3524	Ifmcdblq.exe
1892	Ijhodq32.exe
1200	Imgkql32.exe
3692	Ipegmg32.exe
2156	Ibccic32.exe
3572	Ijkljp32.exe
3252	Iinlemia.exe
2520	Jpgdbg32.exe
1380	Jfaloa32.exe
3696	Jjmhppqd.exe
1588	Jmkdlkph.exe
4324	Jpjqhgol.exe
4692	Jdemhe32.exe
4340	Jjpeepnb.exe
1616	Jmnaakne.exe
1824	Jplmmfmi.exe
4980	Jbkjjblm.exe
392	Jjbako32.exe
2732	Jmpngk32.exe
3740	Jdjfcecp.exe
2412	Jfhbppbc.exe
4384	Jigollag.exe
4880	Jangmibi.exe
4356	Jdmcidam.exe
444	Jfkoeppq.exe
3012	Jiikak32.exe
1764	Kaqcbi32.exe
3936	Kdopod32.exe
2540	Kbapjafe.exe
4232	Kkihknfg.exe
2568	Kacphh32.exe
5092	Kdaldd32.exe
3148	Kgphpo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Gppekj32.exe	Gameonno.exe
File opened for modification	C:\Windows\SysWOW64\Hpbaqj32.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Mngoghpn.dll	Gameonno.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Gfhqbe32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gpnhekgl.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5460	5160	WerFault.exe	216

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	727f75b59255fc5b94c98f96145adb70023feae435b4ed97fa2b60f4889221c1_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gifmnpnl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 4032	4068	727f75b59255fc5b94c98f96145adb70023feae435b4ed97fa2b60f4889221c1_NeikiAnalytics.exe	83
PID 4068 wrote to memory of 4032	4068	727f75b59255fc5b94c98f96145adb70023feae435b4ed97fa2b60f4889221c1_NeikiAnalytics.exe	83
PID 4068 wrote to memory of 4032	4068	727f75b59255fc5b94c98f96145adb70023feae435b4ed97fa2b60f4889221c1_NeikiAnalytics.exe	83
PID 4032 wrote to memory of 3712	4032	Gidphq32.exe	84
PID 4032 wrote to memory of 3712	4032	Gidphq32.exe	84
PID 4032 wrote to memory of 3712	4032	Gidphq32.exe	84
PID 3712 wrote to memory of 5040	3712	Gpnhekgl.exe	85
PID 3712 wrote to memory of 5040	3712	Gpnhekgl.exe	85
PID 3712 wrote to memory of 5040	3712	Gpnhekgl.exe	85
PID 5040 wrote to memory of 4784	5040	Gbldaffp.exe	86
PID 5040 wrote to memory of 4784	5040	Gbldaffp.exe	86
PID 5040 wrote to memory of 4784	5040	Gbldaffp.exe	86
PID 4784 wrote to memory of 2900	4784	Gfhqbe32.exe	87
PID 4784 wrote to memory of 2900	4784	Gfhqbe32.exe	87
PID 4784 wrote to memory of 2900	4784	Gfhqbe32.exe	87
PID 2900 wrote to memory of 4440	2900	Gifmnpnl.exe	88
PID 2900 wrote to memory of 4440	2900	Gifmnpnl.exe	88
PID 2900 wrote to memory of 4440	2900	Gifmnpnl.exe	88
PID 4440 wrote to memory of 1712	4440	Gameonno.exe	89
PID 4440 wrote to memory of 1712	4440	Gameonno.exe	89
PID 4440 wrote to memory of 1712	4440	Gameonno.exe	89
PID 1712 wrote to memory of 1700	1712	Gppekj32.exe	90
PID 1712 wrote to memory of 1700	1712	Gppekj32.exe	90
PID 1712 wrote to memory of 1700	1712	Gppekj32.exe	90
PID 1700 wrote to memory of 3164	1700	Hclakimb.exe	91
PID 1700 wrote to memory of 3164	1700	Hclakimb.exe	91
PID 1700 wrote to memory of 3164	1700	Hclakimb.exe	91
PID 3164 wrote to memory of 1984	3164	Hihicplj.exe	92
PID 3164 wrote to memory of 1984	3164	Hihicplj.exe	92
PID 3164 wrote to memory of 1984	3164	Hihicplj.exe	92
PID 1984 wrote to memory of 1888	1984	Hpbaqj32.exe	93
PID 1984 wrote to memory of 1888	1984	Hpbaqj32.exe	93
PID 1984 wrote to memory of 1888	1984	Hpbaqj32.exe	93
PID 1888 wrote to memory of 4684	1888	Hbanme32.exe	94
PID 1888 wrote to memory of 4684	1888	Hbanme32.exe	94
PID 1888 wrote to memory of 4684	1888	Hbanme32.exe	94
PID 4684 wrote to memory of 1956	4684	Hjhfnccl.exe	95
PID 4684 wrote to memory of 1956	4684	Hjhfnccl.exe	95
PID 4684 wrote to memory of 1956	4684	Hjhfnccl.exe	95
PID 1956 wrote to memory of 2324	1956	Habnjm32.exe	96
PID 1956 wrote to memory of 2324	1956	Habnjm32.exe	96
PID 1956 wrote to memory of 2324	1956	Habnjm32.exe	96
PID 2324 wrote to memory of 1476	2324	Hbckbepg.exe	97
PID 2324 wrote to memory of 1476	2324	Hbckbepg.exe	97
PID 2324 wrote to memory of 1476	2324	Hbckbepg.exe	97
PID 1476 wrote to memory of 4504	1476	Hjjbcbqj.exe	99
PID 1476 wrote to memory of 4504	1476	Hjjbcbqj.exe	99
PID 1476 wrote to memory of 4504	1476	Hjjbcbqj.exe	99
PID 4504 wrote to memory of 1408	4504	Hadkpm32.exe	100
PID 4504 wrote to memory of 1408	4504	Hadkpm32.exe	100
PID 4504 wrote to memory of 1408	4504	Hadkpm32.exe	100
PID 1408 wrote to memory of 3344	1408	Hbeghene.exe	101
PID 1408 wrote to memory of 3344	1408	Hbeghene.exe	101
PID 1408 wrote to memory of 3344	1408	Hbeghene.exe	101
PID 3344 wrote to memory of 3100	3344	Hpihai32.exe	103
PID 3344 wrote to memory of 3100	3344	Hpihai32.exe	103
PID 3344 wrote to memory of 3100	3344	Hpihai32.exe	103
PID 3100 wrote to memory of 1320	3100	Hfcpncdk.exe	104
PID 3100 wrote to memory of 1320	3100	Hfcpncdk.exe	104
PID 3100 wrote to memory of 1320	3100	Hfcpncdk.exe	104
PID 1320 wrote to memory of 1976	1320	Hmmhjm32.exe	105
PID 1320 wrote to memory of 1976	1320	Hmmhjm32.exe	105
PID 1320 wrote to memory of 1976	1320	Hmmhjm32.exe	105
PID 1976 wrote to memory of 2316	1976	Ipldfi32.exe	107

C:\Users\Admin\AppData\Local\Temp\727f75b59255fc5b94c98f96145adb70023feae435b4ed97fa2b60f4889221c1_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\727f75b59255fc5b94c98f96145adb70023feae435b4ed97fa2b60f4889221c1_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\SysWOW64\Gidphq32.exe
  C:\Windows\system32\Gidphq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\SysWOW64\Gpnhekgl.exe
    C:\Windows\system32\Gpnhekgl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Windows\SysWOW64\Gbldaffp.exe
      C:\Windows\system32\Gbldaffp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
      - C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        25⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        26⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        38⤵
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1380
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        43⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        52⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        55⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:444
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        63⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        69⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:604
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        72⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        73⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4968
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        78⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        80⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        81⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        82⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4848
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4972
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1496
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        87⤵
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        88⤵
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        89⤵
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        90⤵
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        91⤵
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        94⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        102⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        103⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        104⤵
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5736
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        108⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        111⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        113⤵
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        115⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        116⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        119⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        120⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        122⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        124⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        127⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        129⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        130⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 424
        131⤵
        Program crash
        
        PID:5460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5160 -ip 5160
1⤵
PID:5372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
128KB

MD5
06b4ac072688b46343d32343d8150439

SHA1
5342fe878014f059a2e38958477015e6b37fcaa4

SHA256
d7fbdce4b61f3378887572f03b7200c9b01172803a79739aa78208372f9a21c0

SHA512
af00bb381e8d04fc6c9d1db408fe9d345bf857066d0b2d50a92e5327460f08a7b3bf886f4017fecd2706bc263343b6c1b62006272db98a7132f44306fb2cc9a1

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
128KB

MD5
3886ae7529d05dcb8baa918242d6a472

SHA1
52bb12816217a8e5393249d964a4f56e80524049

SHA256
d553757ce2634db3d48e9ed6c6572253426432a05c404d50651351c7cfbb49db

SHA512
4661aa2c737b915a562768b21ba7a702394cb0eacdb493a55065969e71e3b28dc2fab84284d9445bfb581c12d81258c97b155eb23c01a539ffe11169ec277800

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
128KB

MD5
6c40724f1b1243d797828d1bbdb24584

SHA1
0070860837a2032a0f08825759fa014b4e5ce030

SHA256
e288c5422705f1e2dc1069d70679eb035604790404b7fd5bb1d92f8f4b8b6af0

SHA512
69ae2ab7f748cade88dad0eadee9892cb60e7b560c28c209ab74e1fdd0dddb82bec4b3e87a568966a65d362b23b6e9899e8abb14494933a922eb315bc50f2697

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
128KB

MD5
5cad791587970d75c7302d25954a9971

SHA1
8e167bd9c4293620b11adadd0170880818aa01f4

SHA256
bf21de181cdaccc6fef67f6048c2c8dbdf15fd34c02179d084ba517e015b659b

SHA512
bef3dbc54911a1fbde92206856efa473387a632cd1a45205e5f64895bb38ed8f3d0be477defa33e26b108f5aaa9f7dfbf3dac42f08ab87aa4f651ec715d0dba1

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
128KB

MD5
152879a2cc8ac75789ff89d6ba99ac30

SHA1
676726c939b1a41045176c896f999bd3672f04a7

SHA256
dd6405f90599a8b663b3503e26683aa0852ad900296691ca0af1123b59762fbd

SHA512
4b013baecc7d265e5c8030921c72aa17d0961c13aabf5100bf456b4b39cfebdaa29b82aba967697f993d6a40591363ee7b5cc19d4b28eb713d2b3dd0e59c986f

Download Submit
C:\Windows\SysWOW64\Gnbbnj32.dll

Filesize
7KB

MD5
8d757efd0ffa7c59533f2b7d737e73fa

SHA1
e54b3153316263c50d1cb8f33321b700b92766d6

SHA256
d9d6b75d1529b85ff4067a9b44fe9fcd5bb2e3f6797100eb2efafb73f33dd42f

SHA512
ed9f8cee0f34c1047e8b06579492290f95b439751d2b185e2b422eb84ea61e7e631cb69f622bdc7adb41f3e137bbeaf36cd8454f1e46382dde09599f82775402

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
128KB

MD5
c69a3c68b3e57dd8b6e2dc5e562e72cb

SHA1
445bd0a27c01b1f477d31d869a250af3870b95f4

SHA256
43585d219c58b1765676bfcf7bb6e904fda9028a02d21e5dd0f99efa322aa61e

SHA512
8623275331727b13058ec194a84e04431fa78a7d3bfac008d75042d9c905b7626d703dceaf4f38cdcefb1e689d8d264178c5fca8f35239187a38eca72c5daefd

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
128KB

MD5
e558a7af9d3a2bf2da2db0b3d3aee75c

SHA1
fd4baeb25b06d391b2216821ec04d41ab2d70037

SHA256
b83383b4d982ccfa8da35ec1666a8c06c0cadd17dd204ccfbdcfcbd49de8e1cf

SHA512
fb3a6b89328a98331b615a4c44d8a8ee96c759a76355a7e220553b3db848613f99949397d48d4e2372c4fcf2800455c6490b26a26d5c857e8a3d37b3b9a0a579

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
128KB

MD5
5ab4e227101694934673a4f66fa8ec81

SHA1
e7a35c9cd2dfaa4249f8cc028017c480eb71d9ee

SHA256
3f2135aabd3aaf2d1dbca5c861d4094e1b72584ffd252bac92d976db3b3a9587

SHA512
ffcaea934ab058488db9a722778c3752f7cbeefb16c09753174c54ab461e4192e2d2cbf8acf2b6798b5962b05ff601b7fa440b004e878ac54a9ae38269b1c606

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
128KB

MD5
844d7e23407b0163c9c97eb8d99ea372

SHA1
8475a59821c489609384ff107b1f30c6fefcd7e9

SHA256
348be97666f6b1d1f7b10e30dbc0aca93621b75f0f62b579e48e4fcbee1a19b8

SHA512
a298cbbb462eb0397886656db455a2b92f27b36e3cabab450ef5fdd4c77f838b442bec4074792334034e5240ebd99b281fc352d20087db61f8c2ca92a166a185

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
128KB

MD5
dc74f8b9a82c38736e6fb84af7e967ce

SHA1
8a7649deccea96ffd47f7a0a4acf2f6a6f94c4ef

SHA256
747eec167d0d49dbe7d007285a549c21afc93ef94ff9394d95b95d77d8fc0edd

SHA512
10e3b9db61b905380b526173455b3e00881e6a87f5eb22aa3937a65ef9b3f2e4c943cf75d41dc5555a1280f0f3aa29e60b5c7a95e4ac7a6b58dba3e785b7b703

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
128KB

MD5
f0342bb34c4de9472713ccbabd02eb98

SHA1
27192cab67467d4205d06035f32be6ce3f417d9a

SHA256
777e66d564dadcbfcada94b6c9c867b4f29475f3572d4b75b3e1ec5fdd028c26

SHA512
49295f53ec152d7167c24eb45c95b6c351402a66ab50490d4beab656d333713d12457e75e2210daf2047cd9acbe870559c9cf4e2426a0b35993b1e7140ddb7bc

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
128KB

MD5
d57dfe2e448887aa0a3d7ecb3929d7dc

SHA1
f6aabed10682da008a0a3d9ce5ca8b247f50e374

SHA256
2c03e407c8ced14e87331705c14c36e5aedb9799aedf6e4b3641c669187eb272

SHA512
9171548da4defe435227d7661dd691f357baff340f63de0da7cb27ce8097bc7d98f33268a6e9396d93b030488a74e17f9b45d67c6925be18d45ab6d344aa363b

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
128KB

MD5
adb88c5fd819c2f6368c9a28c988551c

SHA1
78258c12c73de11b298997481a6e36aaee0d3c82

SHA256
7ad3e99ec0428d803fae7dddda856e3e3f85dc86bd575016086bb4a7c50681b6

SHA512
f4661cace75c95cc0a04ad60e934869d54422d40f0a7a9b87edbc3a4bc44eda05faab54088be6234085ce36ccce099b555e9d7bb10295559a9f87384c35cfe9c

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
128KB

MD5
afed4197a6eb11ab17c89bd4acd6a3cf

SHA1
50e9474581a5f1d58c88c62e7df217e04c05435f

SHA256
0d1cd4c523f82e187438494770d5fc62bf8eb93ce0c492d32c9cb4235c6ad4b4

SHA512
16a10ee75e63414774419b0c120b70f5591050864f55d50fc4997829dc46de7b5060bc75a861d89dbd829b3e66b403143cec2887a96a89823b40ed312cf2c3ad

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
128KB

MD5
5924561bf2c6fd509313a19deb36959c

SHA1
63d664a2144ba5035337319559dca0c2f88c2a15

SHA256
0103b0da177ed3223c43c6a266d3dfde65ea2f7fef0817acc7ae9c17c4d32a0d

SHA512
5f4240e7a350234e9960106f2da5a80e88834abcd8d8d852ac03a46b5985a0ca3abe7c2656f25b444d30b53860b3142c3a968c2d89df167190de799e63cd619b

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
128KB

MD5
a567d0e250409bfca2a1c364f579e323

SHA1
fb596a0ef097e5152c3afc05f568ba393bb79d9e

SHA256
edf3e738a5422d7d9f6aef730d76747e61c7f0521efb920fdfdadfeb4c99983a

SHA512
ec067f2feb75e542b728a4892f436c959a3998bbece438ca3b7469dab5e0b208606eea8df8167ba6daa45c1a6571e1d44ad4ca5908f04f9988062116d597a011

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
128KB

MD5
139660ba1cc343198846c2170a3a4269

SHA1
86cc56bab743f24bfab36fb434c99b95b0da24a5

SHA256
d603e389297ed5ddd517943f0f64da3f6365b7d39fecdc6032bf63db746f9094

SHA512
65db28566ed9ea1650bdaa2ababca80b517b6a85e8bb4e14351c02be4019ca13183b571b8eeb9c6d9d0d55810729009cda14ec7321900e098685e125933a77bc

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
128KB

MD5
7c5d246b735f03a5ede1ae6539942b4e

SHA1
99efcd67b635e6520cea3768048ae5771ff9767b

SHA256
db91b11ae757ed00dea8032b93cac7f2a1dbc6e9e1117d888626da595cf1419c

SHA512
893358960a2445c6ef2e1123a834543d26c774fbcb18035399e5a63ac25d0ad474444e305956fb8f32c6c699fb5c711263dcbeaa61b54a6d8d10f26705b88428

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
128KB

MD5
7adbe4ea4940b547ddc6ede8d42e9f3a

SHA1
6d3057b5e1fbcc62eeda508213b46da360c89597

SHA256
5d54502b0c2edacb356727417d21f56c36f42e5c467aff77f8adde932a02d0a6

SHA512
c6b111d764b4d385d996e17c2430c192e041f371366707754073a6a892a97e7dacca83771be00b1e9f44ac07ea874b192073abfb19b33dd993fb854fe334bf7f

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
128KB

MD5
337072396bd8e222f6392007e9cca6ea

SHA1
5da3b48d3d0a38ce725325efa159c830088e6c53

SHA256
84967e8ed1538d6dfbd14b272fd1a9eea01df7743ef88524d76dcba73bad1db9

SHA512
526c7affbfecc344de4d8ba09abfdc0d855e1891b6f6a84a44fc160c3511c538f5d1dc2597e4bacab8be97852aa5d97054e0c43d42f85db81514c44a89eb6eeb

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
128KB

MD5
3dce754f1e93f6ff910b3788435a5c03

SHA1
767f34d01b03ac37cb6a6dbd4e1ad8b6e33745b9

SHA256
731a95906164c5f69ffdd433ee7dbf974b5c52a2edcb6c814fe0e215c067e539

SHA512
3f8ac24c950df72667a4335de2eb7e5a5cffbd73dfa33827208122e4aff5bca9538d99e4d6faf55f4c44ada09826b952b6a1d9bb75ea021b41de2266d669a360

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
128KB

MD5
8639a8a5cce2832fc9ead09c1798b688

SHA1
170f4bf0b26b1b974baeb65c9e7a555cd2a275b6

SHA256
de7438c4c247f0452f9dd5310862d5c44c57bbcb120ec7e17949c15a4595679a

SHA512
9621b5e5f4c49854882623e5a5bdc1d513c2a106c71ab9e81269e0cff9a615d1167c85f279a38128189f29e613fb7cfd72eb1eb0c18b4ae8ac38b45f48127d4e

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
128KB

MD5
eb1bd623b7b5ac31ec555c2a52825f11

SHA1
f6dff5b2d89d0a6a9d9b0d1394b9c1b6ab2ab063

SHA256
167704abef2f771c55822b8b3228a680a28ee51a4786901e619a5e77ed1f358a

SHA512
a1ec4dc2029145e56d7e18689ae4a84e01c39afaa3f7658f9e3bcf093e2b2836eb6480bf372b0c8f008246b628a66ce976fc0db00918757bb99ef3d78bc4673f

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
128KB

MD5
2b876516fb0a9fab8d0fbd616cc6217f

SHA1
1421b4f64526ef5efaa12ee087392a0856d48ace

SHA256
b58af96cbd7369944c4b43c111624ce5c0b1563488b9874257c25d0433462aa7

SHA512
39bbcf8094a553a3a32ba9b2956d57a40fcde7d9ce20e50bfd27c53189faf85a7f2d5249e7c1bf340bbd0c93e71d86c0f3d86ca6d1d88820b2d37bb15d9cb7d1

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
128KB

MD5
e45d3afe8bf397c0c0e977484165c214

SHA1
cfaed1bf735bf98336bd6618f40f77e516355bd4

SHA256
569f41fdede3caa91aa9c7ca177a1a52de33a85d9398e28ee261d671e186d45d

SHA512
7bcd99d093fae32491acd961cfee6d22ba3f92042d135b7a569e59800a9b15946cb67d4db73444e2a519bde493ad5429be569f0f0d6b73a4497439f75be5fd8f

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
128KB

MD5
49a6b898571db0d64edf79cc0510d091

SHA1
3290cd28af52d7616a3b325ce19d73ea57289cb2

SHA256
a249d41d61df3acacba0f8025e852453392a21837d6db9faf6df0432576a5ef9

SHA512
47374c0b568cab338a66e5ad9c3144e100b0157e5ebd92bd3d7a4ce2eeea4a47f7ae7493fab2c86e63adc6161e1acc2004715d40fe6b037c3aaccd3b4a74382e

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
128KB

MD5
3c124215a75969599da043e6fd227a59

SHA1
e1184ef24cb50ec61d95a1cf9c7447136b5513ab

SHA256
c4df5f0b893dc600dfa5f7273d7871fda46d0eb80fcc81121001611f4972eb2a

SHA512
b0019bbdc8f7787c846d5a013b5542e3a1dd7107c2f5b039dfce8a67056c6302376503184f62385d42f554f286b47608305446b30b861c3689db99522b5c2ae1

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
128KB

MD5
37ad64a197143bec6defa58b84480639

SHA1
b9d260415a123ad4331fa9772a4455931b347e73

SHA256
5270cb727589be73ac0d3af53401781c141cb235f25aa1d2727ede5a54570275

SHA512
39ef7d1263a2e90b12b658d5cfb7462d13ac8b2df752851f4396ae0f6c3d581a984c57ce10d7fd69fa62dfe546bd8a6f6477ed83ba76acdeb8687020fcb6686c

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
128KB

MD5
bc22d6a66da3b4927d8cad9b86d9d72c

SHA1
b7b95aeb228e46b4c0d09808f5c58f784ab5fedd

SHA256
d2d3ec2ebf7301eeeefd958ee16be19f5df2f046c89811e600dd6ecebb0dc1c0

SHA512
a9b381337a1821fb5d7861f0c66be317772226813284a645b708e829e20611cb2e73001a99b9f84d21677606d0afd5a0a24648f578396632612ba4c9478e80cf

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
128KB

MD5
464a8637bb60975fd540d878b736a0fa

SHA1
492802522d2e48591844a568ca1d63657643055e

SHA256
58ceec4298dc9bbc75042f7fe81cb797473116107734c1626732a321ea297d6f

SHA512
0a95a01400db30dc9ccd89f915771efecf6fec0eb7bdd8ec5fdc31f1f766cf46b501f9674d8ef1bb3dbbc69de7340c1caf5e155dd8608598d1dfd90bab2af24a

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
128KB

MD5
697f4a5908496c9ad25793355583ff6a

SHA1
dcd1b99d7126a3f0b5c15f78059b2ffce3afae27

SHA256
033db55397b98148d36ea13f420be260213e195830d3da2044a9a8c1df251731

SHA512
c16c0fd39a2d2d2f89b10f2ad29c093dfda8b9035dcf6e9865bf2d6a93ad448a2029213b33b177614d31cb96723da2b75bbf63c3e12eacf6e93aac122c125f5f

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
128KB

MD5
61212a52ba0e03a4438b0340dd703788

SHA1
c22704285c276ddac458b505c68863c06927071f

SHA256
1266924a846404b1adf1e8ee58799818c053165471869e10f80b55c0ea4dbdd8

SHA512
f73901b0e827f271c066549c26c4e9bd73bd574af32c6e07681421ec6d3b3c1c375fc3c5d650477e1713ddce0e3608281c628b1452493dd7999cf98d97975030

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
128KB

MD5
1bbca7dffb77245b07e23ae621ab64c9

SHA1
dab7c56f65754606d43e86ac58f8704fc24359b9

SHA256
347fbab2a074800ae82dec0059901aff6b1782917cece382e1276dcd94e25064

SHA512
ace46ef72c56e8f11dbf704230548917e9863edb5d94fbecb071f4b12400f3879708e59b5e10211d9d50b74dec57a47bfe853612642c3fda760af1fa62b4381c

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
128KB

MD5
4320da0f408a2a92aa7937cca6c3174b

SHA1
7a525a9ecd415f381d3c2dc8949c15d09bf424b7

SHA256
bfee7c755172afc32383d376168922cc1f8d463890b4e832fdcedf9ac1f66fb5

SHA512
b3d8cb988bcd5c3b68cab56307d7dc6dd49450a8f463cb3d2c12096742042c6bf78fe2f75a8a401e6488465fb498a67753a84d6878377ea125681d308ae40b5f

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
128KB

MD5
0393d3e2ddd46ff1d44e3d2c1f0dba50

SHA1
3c391903e9d1dfcceebd1ac84030a1ebd1e67af4

SHA256
72696f5bfb3af0ad66b8391dae2108f9ba1bbf1356d456ae313b717e31518739

SHA512
cb8c2660285c2bc68a07c9bce31c1a768502d6c783f7a314a3beb66e5a543490b4d91956ff32f6d13fc0a4839937b1d7840ddc10f86b2cd31df3e155e922ff85

Download Submit
memory/392-362-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/444-404-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/464-519-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/604-482-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/748-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1140-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1200-272-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1260-513-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1320-164-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1364-551-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1380-309-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1408-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1476-119-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1496-577-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1588-320-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1616-345-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-598-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1712-60-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1712-590-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1764-416-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1792-507-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1824-351-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1888-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1892-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1956-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1972-219-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1976-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1984-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2156-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2268-489-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2272-464-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-180-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2324-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2376-533-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2412-380-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2520-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2540-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2568-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2600-492-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2732-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-44-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2948-584-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3012-410-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3100-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3148-452-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3164-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3184-247-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3216-554-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3220-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3224-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3252-296-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3344-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3508-212-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3524-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3572-290-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3692-278-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3696-314-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3712-553-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3712-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3740-374-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3864-540-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3936-422-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4032-546-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4032-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4068-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4068-539-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4232-434-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4256-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4312-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4316-591-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4324-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4340-339-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4356-398-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4384-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4440-583-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4440-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4504-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4568-527-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4684-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4692-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4728-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4744-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4784-566-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4784-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4848-560-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4852-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4880-390-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4968-497-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4972-570-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4980-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4984-599-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5016-521-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5040-28-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5064-472-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5092-446-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads