4247838cb974cd5e41abc1af0d7d8995d063d182cc7a8fec0b3bbd07439ebe3d

Analysis

max time kernel
136s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4247838cb974cd5e41abc1af0d7d8995d063d182cc7a8fec0b3bbd07439ebe3d_NeikiAnalytics.exe
Size

59KB
MD5

a2943e9fe9fae8e9e17e3cb7840d13f0
SHA1

d1b5c591769ca5d727c5c50b7094e0ce38cffaa0
SHA256

4247838cb974cd5e41abc1af0d7d8995d063d182cc7a8fec0b3bbd07439ebe3d
SHA512

e7299cf2ccc718ee8c64532a35f8ff21257df74ddd787a8165cb87ff7fb002d3da5709fbe5f84027e3102d7000d8d0637082aea88f863b12341d063830834d7a
SSDEEP

768:CiCvnxUebsMP4gLyc69OgrIptyLpHafeJOVpTZ/1H585nf1fZMEBFELvkVgFRo:Ci7uAgIOgrIptwp6faOv6NCyVso

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe

Executes dropped EXE 64 IoCs

pid	Process
624	Haggelfd.exe
4744	Hbhdmd32.exe
3272	Hjolnb32.exe
4376	Hmmhjm32.exe
2952	Icgqggce.exe
2508	Ibjqcd32.exe
1940	Ijaida32.exe
2376	Iakaql32.exe
3680	Ibmmhdhm.exe
2200	Iiffen32.exe
1516	Iannfk32.exe
4488	Ibojncfj.exe
4972	Ijfboafl.exe
4448	Imdnklfp.exe
4960	Ipckgh32.exe
2884	Ifmcdblq.exe
2740	Iikopmkd.exe
4536	Iabgaklg.exe
4952	Idacmfkj.exe
936	Ibccic32.exe
3688	Iinlemia.exe
2964	Jaedgjjd.exe
3972	Jpgdbg32.exe
1028	Jfaloa32.exe
2712	Jjmhppqd.exe
2764	Jmkdlkph.exe
2696	Jbhmdbnp.exe
4588	Jibeql32.exe
4024	Jplmmfmi.exe
4004	Jbkjjblm.exe
3356	Jjbako32.exe
1008	Jidbflcj.exe
1528	Jaljgidl.exe
2800	Jpojcf32.exe
1716	Jdjfcecp.exe
3648	Jfhbppbc.exe
4512	Jkdnpo32.exe
3500	Jmbklj32.exe
2576	Jpaghf32.exe
1864	Jbocea32.exe
2268	Jkfkfohj.exe
2984	Jiikak32.exe
2972	Kaqcbi32.exe
4020	Kpccnefa.exe
400	Kdopod32.exe
2396	Kkihknfg.exe
3540	Kilhgk32.exe
3652	Kmgdgjek.exe
3548	Kdaldd32.exe
1888	Kgphpo32.exe
3928	Kkkdan32.exe
2632	Kmjqmi32.exe
4472	Kphmie32.exe
2936	Kbfiep32.exe
3748	Kipabjil.exe
1232	Kmlnbi32.exe
1084	Kdffocib.exe
4784	Kgdbkohf.exe
3004	Kibnhjgj.exe
3212	Kajfig32.exe
2592	Kdhbec32.exe
3160	Kgfoan32.exe
1348	Lmqgnhmp.exe
5024	Lpocjdld.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	4247838cb974cd5e41abc1af0d7d8995d063d182cc7a8fec0b3bbd07439ebe3d_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	4247838cb974cd5e41abc1af0d7d8995d063d182cc7a8fec0b3bbd07439ebe3d_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5664	5524	WerFault.exe	204

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4247838cb974cd5e41abc1af0d7d8995d063d182cc7a8fec0b3bbd07439ebe3d_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll"	4247838cb974cd5e41abc1af0d7d8995d063d182cc7a8fec0b3bbd07439ebe3d_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 624	4768	4247838cb974cd5e41abc1af0d7d8995d063d182cc7a8fec0b3bbd07439ebe3d_NeikiAnalytics.exe	83
PID 4768 wrote to memory of 624	4768	4247838cb974cd5e41abc1af0d7d8995d063d182cc7a8fec0b3bbd07439ebe3d_NeikiAnalytics.exe	83
PID 4768 wrote to memory of 624	4768	4247838cb974cd5e41abc1af0d7d8995d063d182cc7a8fec0b3bbd07439ebe3d_NeikiAnalytics.exe	83
PID 624 wrote to memory of 4744	624	Haggelfd.exe	84
PID 624 wrote to memory of 4744	624	Haggelfd.exe	84
PID 624 wrote to memory of 4744	624	Haggelfd.exe	84
PID 4744 wrote to memory of 3272	4744	Hbhdmd32.exe	85
PID 4744 wrote to memory of 3272	4744	Hbhdmd32.exe	85
PID 4744 wrote to memory of 3272	4744	Hbhdmd32.exe	85
PID 3272 wrote to memory of 4376	3272	Hjolnb32.exe	86
PID 3272 wrote to memory of 4376	3272	Hjolnb32.exe	86
PID 3272 wrote to memory of 4376	3272	Hjolnb32.exe	86
PID 4376 wrote to memory of 2952	4376	Hmmhjm32.exe	87
PID 4376 wrote to memory of 2952	4376	Hmmhjm32.exe	87
PID 4376 wrote to memory of 2952	4376	Hmmhjm32.exe	87
PID 2952 wrote to memory of 2508	2952	Icgqggce.exe	88
PID 2952 wrote to memory of 2508	2952	Icgqggce.exe	88
PID 2952 wrote to memory of 2508	2952	Icgqggce.exe	88
PID 2508 wrote to memory of 1940	2508	Ibjqcd32.exe	89
PID 2508 wrote to memory of 1940	2508	Ibjqcd32.exe	89
PID 2508 wrote to memory of 1940	2508	Ibjqcd32.exe	89
PID 1940 wrote to memory of 2376	1940	Ijaida32.exe	90
PID 1940 wrote to memory of 2376	1940	Ijaida32.exe	90
PID 1940 wrote to memory of 2376	1940	Ijaida32.exe	90
PID 2376 wrote to memory of 3680	2376	Iakaql32.exe	91
PID 2376 wrote to memory of 3680	2376	Iakaql32.exe	91
PID 2376 wrote to memory of 3680	2376	Iakaql32.exe	91
PID 3680 wrote to memory of 2200	3680	Ibmmhdhm.exe	92
PID 3680 wrote to memory of 2200	3680	Ibmmhdhm.exe	92
PID 3680 wrote to memory of 2200	3680	Ibmmhdhm.exe	92
PID 2200 wrote to memory of 1516	2200	Iiffen32.exe	93
PID 2200 wrote to memory of 1516	2200	Iiffen32.exe	93
PID 2200 wrote to memory of 1516	2200	Iiffen32.exe	93
PID 1516 wrote to memory of 4488	1516	Iannfk32.exe	94
PID 1516 wrote to memory of 4488	1516	Iannfk32.exe	94
PID 1516 wrote to memory of 4488	1516	Iannfk32.exe	94
PID 4488 wrote to memory of 4972	4488	Ibojncfj.exe	95
PID 4488 wrote to memory of 4972	4488	Ibojncfj.exe	95
PID 4488 wrote to memory of 4972	4488	Ibojncfj.exe	95
PID 4972 wrote to memory of 4448	4972	Ijfboafl.exe	96
PID 4972 wrote to memory of 4448	4972	Ijfboafl.exe	96
PID 4972 wrote to memory of 4448	4972	Ijfboafl.exe	96
PID 4448 wrote to memory of 4960	4448	Imdnklfp.exe	97
PID 4448 wrote to memory of 4960	4448	Imdnklfp.exe	97
PID 4448 wrote to memory of 4960	4448	Imdnklfp.exe	97
PID 4960 wrote to memory of 2884	4960	Ipckgh32.exe	98
PID 4960 wrote to memory of 2884	4960	Ipckgh32.exe	98
PID 4960 wrote to memory of 2884	4960	Ipckgh32.exe	98
PID 2884 wrote to memory of 2740	2884	Ifmcdblq.exe	99
PID 2884 wrote to memory of 2740	2884	Ifmcdblq.exe	99
PID 2884 wrote to memory of 2740	2884	Ifmcdblq.exe	99
PID 2740 wrote to memory of 4536	2740	Iikopmkd.exe	100
PID 2740 wrote to memory of 4536	2740	Iikopmkd.exe	100
PID 2740 wrote to memory of 4536	2740	Iikopmkd.exe	100
PID 4536 wrote to memory of 4952	4536	Iabgaklg.exe	101
PID 4536 wrote to memory of 4952	4536	Iabgaklg.exe	101
PID 4536 wrote to memory of 4952	4536	Iabgaklg.exe	101
PID 4952 wrote to memory of 936	4952	Idacmfkj.exe	103
PID 4952 wrote to memory of 936	4952	Idacmfkj.exe	103
PID 4952 wrote to memory of 936	4952	Idacmfkj.exe	103
PID 936 wrote to memory of 3688	936	Ibccic32.exe	104
PID 936 wrote to memory of 3688	936	Ibccic32.exe	104
PID 936 wrote to memory of 3688	936	Ibccic32.exe	104
PID 3688 wrote to memory of 2964	3688	Iinlemia.exe	105

C:\Users\Admin\AppData\Local\Temp\4247838cb974cd5e41abc1af0d7d8995d063d182cc7a8fec0b3bbd07439ebe3d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4247838cb974cd5e41abc1af0d7d8995d063d182cc7a8fec0b3bbd07439ebe3d_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\Haggelfd.exe
  C:\Windows\system32\Haggelfd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\SysWOW64\Hbhdmd32.exe
    C:\Windows\system32\Hbhdmd32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\SysWOW64\Hjolnb32.exe
      C:\Windows\system32\Hjolnb32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3272
    - - C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
      - C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        23⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        32⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        35⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        41⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        53⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        54⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        66⤵
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        67⤵
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        68⤵
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4264
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        71⤵
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3312
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        73⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        76⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        77⤵
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        78⤵
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        79⤵
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        81⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        82⤵
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        83⤵
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        84⤵
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        85⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        86⤵
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        87⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        89⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1436
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        94⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        96⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        99⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        100⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        103⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        104⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        111⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        113⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3716
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        116⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        118⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        120⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5524 -s 408
        121⤵
        Program crash
        
        PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5524 -ip 5524
1⤵
PID:5600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haggelfd.exe

Filesize
59KB

MD5
c2094b870ab0916731c203367102ab1e

SHA1
c067b6ad1ca7ac2dd8fe6c01620e1ab6c957aaa5

SHA256
1ae4dcff906cf87540ed742f57101e5e18a3380f12fd050b40f5779146e8fd1d

SHA512
ed0ec269d9614a1a88b6d7a7ffd89f19341f2751c9c640387dad060c6141eb9ad7d29d13cde01e4c16c5d26e9ee885cb1c6d67c985dcf8c714dc87fc0628b9e9

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
59KB

MD5
d6af2c5a1b519533906a29df93f62ad8

SHA1
5b3e38669960f0e62155fb43df1b2ded0f225678

SHA256
8d31f3fc6d716392fda50fffe73f61877238b13656955d87488841de209171e5

SHA512
f93a060eaee38f6f1f44acb07ecddf1a324fe33cc760033f545702c3c80c6a8157455ec1c0c30ff826b08108b5f6ec3312a9599958fd786638f8b33306b48d4f

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
59KB

MD5
16e50f1a7b6088507de2f135c5455b3b

SHA1
fe56fa354afdfb960c9a4f48c1f17c88d0f19564

SHA256
5a725ac1f4867aa3488b2c516c1ef6e2123346ff2a8b61669f1dc0a76f37ab24

SHA512
35e32e7f74db5ba732d675aaf3543a70cac13aa970f2bbf3ffe846b3f79ee626a896aad8650c219c549314d55c2bc379fc5903a319f7010a11b0384bca04e3c5

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
59KB

MD5
55e97f20870fc87a57dc53e7547e11eb

SHA1
d3b8b106334ed7105c667a1bf3dc070bb4f86526

SHA256
38438f1eb2f919e63ec0d8d3d6b23d7b29888c90d37b96fe37d2bf193d72a75c

SHA512
f7e00e8fc46c37421896f18ce9730e895072c71feb158f1b313270b876c6b83db8bd77368e24d6fa4f132fa61a98e6dff6880d83aa173fb5cb2492d81f70d079

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
59KB

MD5
e77bcb0f607a8560264bc55b4aa492f7

SHA1
886f254344edecb6210e5f51fd9215a5cd5d843a

SHA256
ce7744ff4a494a4b6d2c8901284f5683724d7b647da65541a9ffd84eccd24308

SHA512
09ecf7f94d341e0fae5830f0da30a7b40fdb5e94ebf4ec402bbdb876be868803a44cf0e6f233638ea044cb75725aa94d5e7220044d43980933d58762472e7638

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
59KB

MD5
1271385d3f184b5be47b7dce39c10e74

SHA1
843cd27238cc0e046da88d58c92f5630f6e8f260

SHA256
031448f0e456d1a9ee7a18a9c425f495310cbdcfaeb6c2c37de6e985bd1ddb89

SHA512
7971990de9544d7badb57504640ef30fb778abed975549fcd2a3bf5c4a2fff1875782c5a3ebfed53a47eb51ee09dfe3ed5c04730ddd259adba4374e150239367

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
59KB

MD5
58cce4bb4283c2fd8d6f5288a58b45eb

SHA1
0a7bf7454d77166fb10f7d35f691eed5d6b75233

SHA256
42af0b66400e997befe04ab621d87a895665def38d2bf9fd5ab10716cdf944e9

SHA512
fa4a7af5e7ac40af9bece8cae234b8eaecd79107b1b340d6941f4f658cb4629abf3cb195e70fbbace6795da48bc112f2e823c845ed8ebe8045f01e8ad2de2139

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
59KB

MD5
a4529484588731a8d220121d2c78abc5

SHA1
29f33fffda0f7f058106108386105fee4ec5754f

SHA256
2ed9e48c407af1f036a614c44ef1e59e6b2bd956bf3e3c70e8554b409135b7b3

SHA512
3c7267d4046540dc56d086fc0765c168e61f138a6836e04cc3a3c177f370ffcdf57f625285ed4654076e3e685e759a26e2014980a89fb9e7ef656cf179d9e783

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
59KB

MD5
040f5a02c806f59fcc6327252b3bf8d4

SHA1
009b9d590c337f717e53fec955d853c34a43007c

SHA256
58a9afb8680248c3cd7483d68b23a5ad14cdc3076db68a7ab375924824f32000

SHA512
2d6449a208dfa1ceb5dc3b43d54c6645a1d420eb673d0b89f4029119f4cab9d92b041137c5ffde4adae2c4ec8c8b09883cb2f06bbc63ebcd5eed218b86820321

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
59KB

MD5
37200a11fa4f07a1380e8a9eb7568a00

SHA1
663252ca904725c43a3d178b820c7680854edf3b

SHA256
330031063e1edcc2f2221e49189702a502e9eaa5e9911d0dd9720680fec6cedb

SHA512
fa4c8ed1bb8b139497de98dadf76f2ae309f42d884e8cf472f4f68ba194caf04a6c3740e9d0b3b11ea3b290869284a966d7e7908af6645c1f6ade8c0b9515ea7

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
59KB

MD5
b58573b6338b29a76f5a38e975ce6449

SHA1
c095882b2c8a06beb86c14ab529c23af1b63783c

SHA256
57d0ac9c07c9086e4753f919589fc82faf03975327e4e1a8d394d206376d780b

SHA512
958e105d2b2f394da5faa720240ba058072afb8bc00173df3d08d8529774be20d1af545581a9408b704dc5d9627620b1bd7f32954294772539cb9320856c42f4

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
59KB

MD5
9e45c45b8b44c2fcd9a6dc56f8d097b9

SHA1
33e5253e87c77b52079e0baf4096ed8851013e36

SHA256
99ab8a7289d559877b52f08290cbbff5ece337a901580f4022d60d78a9320ef2

SHA512
29da2875d727e068160db94d3c67cc63afcf4380261ecb448ca9b4cc457e8eb704e5107954427ff54cbf80c99cef5a207646f42e109ae67d3b59d0e6fa452bfb

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
59KB

MD5
bd37725849fea8420729d235fc1b8b15

SHA1
ad0721251560520f8d1e02e3bdb78db33b4466b1

SHA256
624fe2d0c9c923673fd876bcf61ead4e7fa3ccc28f71409595df31ab51317a74

SHA512
eb5d2237444015be750dbbd8146cad672499644e841da09546698b96ba29bbb09e40a8dfd0bee75038067e6d72c8f33fa444c5aa63faf4a42e798074e3cafafa

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
59KB

MD5
21300506d1bcb43a4cd5f8e566ac0b24

SHA1
7d67f11f9b04aa0ab83b83346f413516556fafc4

SHA256
ae7c176ba0902a25775a7b74e6c39edf5b6a5057cb6af1732086e60066caab98

SHA512
6a9c4a50043708f6d74477d206d57646eb4ab9aa017564dd50e56c0b278bb84b9e5cd0328f1f2220ab1e1a7e847663057816a99df4a14d426b36ff1c6a7ba3ba

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
59KB

MD5
03f8ac97a876490e17453a5ff1e21ab4

SHA1
75fafd2e239b7188b18c4509007d3a0e69031fdd

SHA256
c716dbe40772a6d2824b0561d3500fedecf583ee86f55717ca645fdea8a21914

SHA512
7360ae5ed454b1526ee45db73a1c46c2c759fb24055966fbd46ce0cebd1d94e5cb032be6f3e1d8a05c0c11ce32e90a68f2ce3a1e331d3454a6d45d0eee75b12b

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
59KB

MD5
7a2e07acb1db870458aeebe2ab5fb0d7

SHA1
10c03eb5827d24c41a91143f5df270befb30b5fd

SHA256
606e967b1f10115da5cef6ac7e5563709d4792980f6e7a01c2427dd423f3585a

SHA512
da3332fae3529577e90c830ac9d691fa5fed781c80f2fd3cb5ea5d154cd22b7c0c37310165b0c40f80357fecad65d1f19ebdd95b9d8a724369bd3b5a91741ff4

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
59KB

MD5
a06c0aa5ee5f93937a1efc1c12fbad0b

SHA1
7e94a8fa245ff05cacfce6d15e32788fdcc7a1cb

SHA256
1aabeda2a441a312b61bbd45c2ea99a7ee26173a03cb884786d6eecf54502c27

SHA512
f8cb98860c2a101a90b2a95a1e76b4214767222f7dd23ce660a469cab1effc86854ddc60b5712158dccf1babd8ecbcd4fd942906bb6b9c0904af20f3c0b5cce3

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
59KB

MD5
f32dfe8026dd2221d2037515c43bf636

SHA1
a6eccb24687ca2583397193a5938c438b550a399

SHA256
46d3d5bd7a47215e6d85e03e70356f30a2d0b0bd59f99e3f7926a9157c1b10a2

SHA512
46034913fbba5079576920e0f786422ef804bb3f46d03bb96aa9a46929c7dc5abac5ecba9071b7754ccc5509fcc472f3e645ba3324d5edf9b311cb1015e58f1a

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
59KB

MD5
e6e775e8ecc5d8a6664b8aee3da92b25

SHA1
82ae576d6a6f097f31d7fee60672afb7fe2ad2a2

SHA256
5b7bb130666027f23fff7d2e468a4756203f9b0071d694596c54a38f4193d66d

SHA512
7529af488e142ba378b071e67bb6f738982a7ea1689b4d4dbc5365072ce2f1da0e594e70f44934b238c9fc28f84c33b406eee5e2cbb18f972e6d748be23d7de8

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
59KB

MD5
2bde3afe104d56ad9bbe4f4dfc173066

SHA1
ec65de299d593cc687be8e5c46530ac60d99696a

SHA256
f6a804f50811c392e8bb97613e7e52423ee6aafc16646d0985cac8ba38b236df

SHA512
7dd8e8202b6fb02c607dc4bc7ebaa3cbab5569109ef6aadc8f55397a20d9262a9d05ddf2fd95fc3fab6a5fc4d664684fd01e4aaca7348cdaaa2786348831a170

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
59KB

MD5
231cea471d4a2798c4cdca5a688b5b84

SHA1
22c44e8be0d3d7521c0c1fac5e3c47b8dfeb273c

SHA256
d0209b394d246ca6fa8d82b5413b8ea5b855cbeed1585a879d220f07c7c92757

SHA512
a2fde9d537894168f0cd07d808638b481c22aed4fc31f40a3dfed6fb18514138dd97cf7cb40fd1384ecadd65b76d66c1d482f91b2eacfcba660c69cd157e4515

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
59KB

MD5
7ac685a34a4f24e4028f46137d47d1e8

SHA1
76bc457eabdef82e449dd4420bebfcb6f1822fbf

SHA256
99bffa168a1d7a55adaac58b41f53a8a7be90323334c3aba8ccf3204e2e14a0f

SHA512
7d3e4ba3ecaac2d97bbab0dada39ef0b5bf62199b6a5332216df0684a4b921db55e505ef98046d8be2236033479a3ebfa03c25f9fb89b40a6350eb6f15d4f035

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
59KB

MD5
7d083c5987c34c9971f69b49c732e150

SHA1
e8e682d32b74a9b3281f22947e83e393573cddd7

SHA256
72622373a3aa632176f60c81fe5ae3e568b11335af653b16e2b23c2263e56ea8

SHA512
eaf39e37b34d93a678bdec6309ca7d7ce7c7fdfb5de8a1465ab109c08920359ee2cf66abb7b715c9918f56cad3e52704932b20bc4ab156c4ec335cc0b8965ff6

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
59KB

MD5
c5838c5755512a7de046b16a426f0126

SHA1
b5eb9ca1255d59bb9754f4bc5274e2498f0d5d96

SHA256
356f2379a6cd361c60427c7aa87e957cdacd79d09d44cb8825bd9160f9786a2f

SHA512
865878faa278b0d4424182b9be4d2246bb79e4e635055638825f8ffb74b360e4f53838a029c7739c7fcaff5f6542ebd884aa21b3a08476ca4affc89a2ff007c5

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
59KB

MD5
ced26f8f530bdbbd4cb22d57863645a1

SHA1
81ed925ae5bd1d074d32b10da9e27fea2a3898f8

SHA256
b2c70ec43787a2f7356f78e0e68a8c1de59dedaa04b4bb3a28f92a341036dc9c

SHA512
97edb0590edf619da8ac8edfdae0dd58b56013958f62f7ed454979dc2c07489facc2e63291e2bd330b0a39fd6e29df55737c38d656ddb155a1e5459f9da05ab4

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
59KB

MD5
1bc712fae81ec08fa504aaad50c618ba

SHA1
3fc926ff0a51b70b0f6caebdc53c3f8d145850b8

SHA256
56e88a15eb63c64b08fd11682d73ad7e1ebfdd8607df642e925c5cd8f856715c

SHA512
276ec80aec8c1778e520dcbac166dcee323abe247b866d4f56ff30900123116124a2053b2a9ea14455ae5b380f8447eaa0564652b21a5105680fc2de64068502

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
59KB

MD5
b487a55ad6589ba76ea2179ef7024de3

SHA1
edb4ea23f39d528ca9a328ea48539fb4febbaf42

SHA256
323eb55150ea94adf48d09c1e427a9555d82758d5685a6ac89fff7233d5e52e1

SHA512
8d28adeb7dabb6d34d757cd0b94192e46d7bb5815708cae966728a96f6686a579069117023714e8c6db9596b82a554c6a0c346ea9643320e7353b7e9d2da91e2

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
59KB

MD5
4c13913b7be1432cb6309c4772af1a23

SHA1
c205191b35482a5c6b3c1da7339bc3c43c01b578

SHA256
540825849bb9bc9381bc29d045658d3e4b7430bdc15dcf46dbdecc99926c2a88

SHA512
47d75de65bc013dd5bb92490d8f803f8f090e762acbd04f4e2d3e11db8c3f06eecfd871c0a6602ef7e648790afd48d338f02008be0417664fc9e6ff6f26a9490

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
59KB

MD5
736cd90c049b35fedeaaa435bf754368

SHA1
6da301071ee3b07b952c772ddc2f00caf73d5920

SHA256
c683cff86a3d535432d52292a150502bd87f0985feeb2b94cc6cb8d4308e48e4

SHA512
6c03cd50cd9d376b8cf71dcd21db6a4ce476f40a43637fcc31fbb03d117f0c9d81297b31aad12e4c43462e6818be46c8bad1b34c922437e4fa21b236d6d94061

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
59KB

MD5
68cd3a8060d26ba5a60ab584bcf6928a

SHA1
9f7ea7110b0a88ecceeb030ba8692796dd96e33d

SHA256
1f742b765d7d8f192e11942c74eff1a7aa1580464adb177dfc22b866832048ed

SHA512
06fa3950a9c8a7d435278c0ab86adc2b356766e5b60669b5a734e2bd5ae55c3d855593349bac2c16804bad1eb768a76a058fbd5b48b73ee2f4f5fd912f00ab47

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
59KB

MD5
6e2040a36aac8c279730e3a5afe81abf

SHA1
aa165c79e1323d7e70570173806431055fe2b9ba

SHA256
ca434d79470e4181540bf345d3f781e3ed14d676fc78b68660c1307f05940b63

SHA512
30d08030ed34703d6ff82c6b77f99c100c026ebc44d0faf4c6c07c64942c63c99954ec1f87a2eba969f4220e448cbf973044801355eaa4b5a0fe59e86b1f6650

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
59KB

MD5
7e75731efd3a9a7bae9a85c127e54899

SHA1
af290a42e0263ccb67af640e5979b92996453f60

SHA256
03cc17da8fb8b5b1e1eb6be92db12d5ee42458e2030b8f59445ac36f2906d98b

SHA512
bd56d962c71211e0111fc982b3332fbdf927af66987b19bc792d0ca89fee1821c16d7caa910434552c062cf7c90bffc3bd02519ba1baf69717020ff0591d97d9

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
59KB

MD5
34b287418da68cfd08b3afe18c85a786

SHA1
5af12f318b3731b0d2da4e2ac62b767bd041b374

SHA256
46facb65dc79532fe59df047db4a1a7d2f685281b1853de0a9aeb64af91a8346

SHA512
13e2c15712034c00aca15a3e8067e11bbf71fbbc4cfd772261274d80aaf90bfb1f3e3f9673b881a1dbe037f02cfe712cb43f9d613f52a8b7f6ab4a67098e8cf9

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
59KB

MD5
29a9cd948f5873cea10c7517ff320f0b

SHA1
4fc18510c45ebd8663d70f864883647841db8c97

SHA256
5e2068f463370b8f3ba65e753acdfe16c051421dfb4536c506e856d2c1ce0c30

SHA512
beb12ae4bb7762a693405445cce920b6bcc0319c5a2a6c697e8bbdbe54d4b99ea69d03839dba6c2a2c6d0972c047a0db75c70889ae813289e4344f24ccde4a27

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
59KB

MD5
0f92d707458bf00336660aa2b738c74d

SHA1
e8dc33d25d9202a0943646a01a63ac34d7faba02

SHA256
397d36c690f40dd0251122a9642f614fae8c168357309da3fe4b2658d0c81b8e

SHA512
778630550a28bced968cccfb050e647fafe378b42f998fe7e98fd51d6061008a5715804331581f20babb888d981af3b0a9552893b3ac61875d7de5ee99ee1400

Download Submit
memory/400-329-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/452-520-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/624-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/624-539-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/628-457-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/936-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1028-195-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1084-399-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1436-592-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1516-604-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1516-88-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1528-264-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1716-275-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1724-502-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1864-301-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1888-362-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1940-578-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1940-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2200-598-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2200-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2268-312-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2376-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2376-586-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2396-335-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2436-540-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2508-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2508-572-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2576-295-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2592-423-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2632-370-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2696-215-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2712-199-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2740-139-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2740-642-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2764-206-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2812-547-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-635-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-132-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2936-386-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2952-566-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2952-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2964-175-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2984-313-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3004-415-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3064-533-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3160-429-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3212-421-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3220-514-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3272-28-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3272-553-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3312-481-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3356-247-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3412-590-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3500-289-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3528-489-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3540-345-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3584-526-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3616-463-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3648-277-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3652-347-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3680-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3680-591-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3748-392-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3928-364-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3972-182-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4004-239-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4024-231-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4088-560-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4264-469-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4376-559-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4376-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4448-627-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4448-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4472-376-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4488-96-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4488-611-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4512-283-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4536-648-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4536-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4552-455-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4588-227-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4696-475-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4744-546-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4744-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4768-532-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4768-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4784-405-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4952-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4960-120-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4960-633-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4972-108-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4972-617-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5024-444-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5184-605-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5400-640-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5484-649-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads