c55d3074a66baa485988502b089875d03269f5e85cadd6abe4a14829142e2780

Analysis

max time kernel
130s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 17:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e78f70c52871708876e3c19119abf010_NEAS.exe
Size

81KB
MD5

e78f70c52871708876e3c19119abf010
SHA1

c63691c1cc103bb289dcac3c3e8e6def88e1e987
SHA256

c55d3074a66baa485988502b089875d03269f5e85cadd6abe4a14829142e2780
SHA512

16f615b2e61a46cab26007ca03f091975cd78664e5e3273ff7d1a7b5718ea3d176a5d32d7e1786e9244ca2b8aea87a2a78a4c6a94ad157330d25fba24468391a
SSDEEP

1536:BRiJbLm5me5v38YRzF7QmijDRSjn4mGVPzsR7m4LO++/+1m6KadhYxU33HX0L:LULm5N8GzFVijDOnIVgR/LrCimBaH8U8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe

Executes dropped EXE 64 IoCs

pid	Process
4144	Hfcpncdk.exe
4092	Hibljoco.exe
440	Haidklda.exe
5104	Ipldfi32.exe
4780	Ibjqcd32.exe
4896	Iffmccbi.exe
4768	Ipnalhii.exe
4564	Ifhiib32.exe
4912	Imbaemhc.exe
3668	Icljbg32.exe
1788	Ifjfnb32.exe
2228	Iiibkn32.exe
412	Iapjlk32.exe
4164	Idofhfmm.exe
432	Ijhodq32.exe
2172	Imgkql32.exe
2604	Idacmfkj.exe
2248	Ijkljp32.exe
1928	Imihfl32.exe
5036	Jpgdbg32.exe
3576	Jjmhppqd.exe
2344	Jagqlj32.exe
1544	Jdemhe32.exe
3748	Jjpeepnb.exe
4128	Jaimbj32.exe
4372	Jdhine32.exe
3996	Jfffjqdf.exe
4776	Jidbflcj.exe
312	Jpojcf32.exe
4320	Jbmfoa32.exe
2308	Jmbklj32.exe
668	Jangmibi.exe
2636	Jpaghf32.exe
4064	Jfkoeppq.exe
1208	Jiikak32.exe
2848	Kaqcbi32.exe
2652	Kdopod32.exe
1984	Kbapjafe.exe
1048	Kkihknfg.exe
3948	Kmgdgjek.exe
3428	Kacphh32.exe
2340	Kbdmpqcb.exe
3228	Kkkdan32.exe
888	Kmjqmi32.exe
1836	Kaemnhla.exe
3540	Kdcijcke.exe
1860	Kbfiep32.exe
3088	Kipabjil.exe
4680	Kagichjo.exe
4576	Kpjjod32.exe
1640	Kcifkp32.exe
5028	Kibnhjgj.exe
1468	Kmnjhioc.exe
2852	Kdhbec32.exe
2560	Kgfoan32.exe
4024	Lmqgnhmp.exe
4384	Lalcng32.exe
3752	Ldkojb32.exe
2416	Lkdggmlj.exe
2184	Lmccchkn.exe
64	Laopdgcg.exe
1320	Lcpllo32.exe
116	Lkgdml32.exe
2304	Lnepih32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Icljbg32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5560	5420	WerFault.exe	203

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e78f70c52871708876e3c19119abf010_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipldfi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 4144	3484	e78f70c52871708876e3c19119abf010_NEAS.exe	85
PID 3484 wrote to memory of 4144	3484	e78f70c52871708876e3c19119abf010_NEAS.exe	85
PID 3484 wrote to memory of 4144	3484	e78f70c52871708876e3c19119abf010_NEAS.exe	85
PID 4144 wrote to memory of 4092	4144	Hfcpncdk.exe	86
PID 4144 wrote to memory of 4092	4144	Hfcpncdk.exe	86
PID 4144 wrote to memory of 4092	4144	Hfcpncdk.exe	86
PID 4092 wrote to memory of 440	4092	Hibljoco.exe	87
PID 4092 wrote to memory of 440	4092	Hibljoco.exe	87
PID 4092 wrote to memory of 440	4092	Hibljoco.exe	87
PID 440 wrote to memory of 5104	440	Haidklda.exe	88
PID 440 wrote to memory of 5104	440	Haidklda.exe	88
PID 440 wrote to memory of 5104	440	Haidklda.exe	88
PID 5104 wrote to memory of 4780	5104	Ipldfi32.exe	89
PID 5104 wrote to memory of 4780	5104	Ipldfi32.exe	89
PID 5104 wrote to memory of 4780	5104	Ipldfi32.exe	89
PID 4780 wrote to memory of 4896	4780	Ibjqcd32.exe	90
PID 4780 wrote to memory of 4896	4780	Ibjqcd32.exe	90
PID 4780 wrote to memory of 4896	4780	Ibjqcd32.exe	90
PID 4896 wrote to memory of 4768	4896	Iffmccbi.exe	91
PID 4896 wrote to memory of 4768	4896	Iffmccbi.exe	91
PID 4896 wrote to memory of 4768	4896	Iffmccbi.exe	91
PID 4768 wrote to memory of 4564	4768	Ipnalhii.exe	92
PID 4768 wrote to memory of 4564	4768	Ipnalhii.exe	92
PID 4768 wrote to memory of 4564	4768	Ipnalhii.exe	92
PID 4564 wrote to memory of 4912	4564	Ifhiib32.exe	93
PID 4564 wrote to memory of 4912	4564	Ifhiib32.exe	93
PID 4564 wrote to memory of 4912	4564	Ifhiib32.exe	93
PID 4912 wrote to memory of 3668	4912	Imbaemhc.exe	94
PID 4912 wrote to memory of 3668	4912	Imbaemhc.exe	94
PID 4912 wrote to memory of 3668	4912	Imbaemhc.exe	94
PID 3668 wrote to memory of 1788	3668	Icljbg32.exe	95
PID 3668 wrote to memory of 1788	3668	Icljbg32.exe	95
PID 3668 wrote to memory of 1788	3668	Icljbg32.exe	95
PID 1788 wrote to memory of 2228	1788	Ifjfnb32.exe	96
PID 1788 wrote to memory of 2228	1788	Ifjfnb32.exe	96
PID 1788 wrote to memory of 2228	1788	Ifjfnb32.exe	96
PID 2228 wrote to memory of 412	2228	Iiibkn32.exe	97
PID 2228 wrote to memory of 412	2228	Iiibkn32.exe	97
PID 2228 wrote to memory of 412	2228	Iiibkn32.exe	97
PID 412 wrote to memory of 4164	412	Iapjlk32.exe	98
PID 412 wrote to memory of 4164	412	Iapjlk32.exe	98
PID 412 wrote to memory of 4164	412	Iapjlk32.exe	98
PID 4164 wrote to memory of 432	4164	Idofhfmm.exe	99
PID 4164 wrote to memory of 432	4164	Idofhfmm.exe	99
PID 4164 wrote to memory of 432	4164	Idofhfmm.exe	99
PID 432 wrote to memory of 2172	432	Ijhodq32.exe	100
PID 432 wrote to memory of 2172	432	Ijhodq32.exe	100
PID 432 wrote to memory of 2172	432	Ijhodq32.exe	100
PID 2172 wrote to memory of 2604	2172	Imgkql32.exe	101
PID 2172 wrote to memory of 2604	2172	Imgkql32.exe	101
PID 2172 wrote to memory of 2604	2172	Imgkql32.exe	101
PID 2604 wrote to memory of 2248	2604	Idacmfkj.exe	102
PID 2604 wrote to memory of 2248	2604	Idacmfkj.exe	102
PID 2604 wrote to memory of 2248	2604	Idacmfkj.exe	102
PID 2248 wrote to memory of 1928	2248	Ijkljp32.exe	103
PID 2248 wrote to memory of 1928	2248	Ijkljp32.exe	103
PID 2248 wrote to memory of 1928	2248	Ijkljp32.exe	103
PID 1928 wrote to memory of 5036	1928	Imihfl32.exe	104
PID 1928 wrote to memory of 5036	1928	Imihfl32.exe	104
PID 1928 wrote to memory of 5036	1928	Imihfl32.exe	104
PID 5036 wrote to memory of 3576	5036	Jpgdbg32.exe	106
PID 5036 wrote to memory of 3576	5036	Jpgdbg32.exe	106
PID 5036 wrote to memory of 3576	5036	Jpgdbg32.exe	106
PID 3576 wrote to memory of 2344	3576	Jjmhppqd.exe	107

C:\Users\Admin\AppData\Local\Temp\e78f70c52871708876e3c19119abf010_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\e78f70c52871708876e3c19119abf010_NEAS.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\SysWOW64\Hfcpncdk.exe
  C:\Windows\system32\Hfcpncdk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\SysWOW64\Hibljoco.exe
    C:\Windows\system32\Hibljoco.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Windows\SysWOW64\Haidklda.exe
      C:\Windows\system32\Haidklda.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:440
    - - C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
      - C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        25⤵
        Executes dropped EXE
        
        PID:3748
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        32⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        33⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        34⤵
        Executes dropped EXE
        
        PID:668
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        36⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1208
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        46⤵
        Executes dropped EXE
        
        PID:888
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        49⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        53⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        56⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        59⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        67⤵
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        69⤵
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4880
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        73⤵
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2932
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3684
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        79⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        83⤵
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        84⤵
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        96⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        99⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        102⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        106⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        107⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        113⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        115⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5420 -s 400
        116⤵
        Program crash
        
        PID:5560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5420 -ip 5420
1⤵
PID:5512

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5800

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haidklda.exe

Filesize
81KB

MD5
c957c49e3e18bc50541977a2ca5dbbf9

SHA1
65f41a8caa16c4dae8a2829656a4f7a83de5c081

SHA256
61dadd4c2991ec1855a7e22839ed38ec03c481cb1426fbf7ad5f59b04e5f6809

SHA512
4232445ca80c4831201d75537a7193e4d26b2c39363cc99c83dbd27260f0f8752fe2d237a30f0ff9f9e32c52562876d5bb6cf06aac4145417aa2c50fa982e283

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
81KB

MD5
82585be6a93c33b224ceb984d1d4b64a

SHA1
36551394d46fb1f04d38597012cc780c601bdf53

SHA256
110e247f6ef9376f31cb2f7bf8421c063b1e949975bc78d6b760f01e10f00a49

SHA512
f877dbf2d519a17c3a3188fbdfc11e85310dc8af7ed9e760d3a0f23ca4ea5da700743f0827e4099d09d6f50a05524e4803856ce8224b91735d6532aaa11a8b13

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
81KB

MD5
b69d1f20f8e6a46df4360cb9c8b05ca2

SHA1
c0a808d6d44e6a4d59fd54ef86004151d1254a24

SHA256
38198b4cd6432b09867965614dd2071fccd0e0c6106ad0972c8e9c27dfe4fe84

SHA512
79cbfee70b132a204693e238b025986471fcf3d46535894a9cbae8f8c50c66a1b6f9d03b6ae5f142e8f3dbe5ea6e403e536c6eee797bbbb2cb7affd50bf15c7f

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
81KB

MD5
fb524d02f9aaa8789fecbea57f31250e

SHA1
c295b0c2353efef7ff21803fd6e11c8692516ee2

SHA256
64bec22a789d242b29a84c1b81e273eb5b228b4aa23ef9882a83dc9ae88594ef

SHA512
196910f2c14fdb3b9fadd3f4ad14074e450e4da6268bece4f8321a222dc974a63add28252c62f9884570f16dfff12008dc9d31732ffac4943b749708420b9519

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
81KB

MD5
ca4ae475e36ebea2560db220b2b23e16

SHA1
55e6399f9097569a647ec3db9cff851b203b5df7

SHA256
48e39c5d69391799442f422a868a58e26c30843187cb3e078859e70a12a99393

SHA512
e0ced2c357457e5c706e4e991ee97b803568bc220c7536cb9d5542d1f08179e55dd3c5236e5d07e254a4daa5f57779e504cf0998ef626880935086d43be8200d

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
81KB

MD5
87c00a7a958adf6d45b6134215595a5c

SHA1
5fc7a9c1c707e7f16cbe97267834926afc25edda

SHA256
4651ecffd7c254c3d5e433e96b259479ee5493fec869d2f8ad36e9f7f4a7d526

SHA512
05754ae315e8960da5c616937353bc1a377af65af9a34bd2a5a622cd4457eb43969c4ee91bc344d18f1e6e6ad0e4f9fd32317f677e27128e55c61c5f59209c5f

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
81KB

MD5
cf69b852dfca77d2399f71e8e2be63d2

SHA1
22e13fbaa1a8da6ebc1ddc6dee7ce73ff3ee90f6

SHA256
9695b5a35a132b268eca08a5e114a4f91b06daf96e0a01da715b9c99979ace3b

SHA512
69881e2a998400bc86c039e8b2788028e3c09ed6ff8285c7d87fee255473888b74935b50442030a7f203c2a2dab70e5549a48eb23dd3807822d943e1c06ef3c6

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
81KB

MD5
8ed2d777cd38fa978444bfb6d2b8f99f

SHA1
8ab6b8c029a8b6fb506b159d793ea90ceb5a735c

SHA256
54a73b6bfaffedbb40f826e99bdda5daa51824f1b2b737c751153517661d6913

SHA512
26a12b9ad27ed844f3a4c09c17e8f8289d90c14f6072e71690835ca45843440fded5b56c901e7f1960b499f26472485e7e762e12819efcd18456c8459a69fc27

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
81KB

MD5
31f1bf162740e64d0fc799116aabb838

SHA1
1c8f89de059847f6a1a2a368e82a1902e664039a

SHA256
87d9f12b3b2586f715023f04c740947d2b2841e2205c9009821aa8b1cc57fed7

SHA512
6c479ae8e6a1e85a43d2b22c91416ac069ab6c24c264ff1475f45d2fcfee69e2b8ce45a3840dc5070ba39ef5de094ee510224b5430bc0dfa736543b40a82d11f

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
81KB

MD5
ab3d8b890a383a43f3835145c0755fc5

SHA1
20302d2b69a7b6b710f740214ba72698f4df6259

SHA256
bfc3dd8123bd22da75d574892143149b0c1a14f80309d93f49ec3036c0c0d2bb

SHA512
dc6b510621fd9f2cb805ef9779c2877f3bb7959cf16dea256c089aaa28af19ca3ba33b6bbf92118d8d7fc05427d6f4dd56dd900a6ad6a3f9d1ca88799d92db8f

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
81KB

MD5
c470d9a2d50b958626881f75ceecd0e7

SHA1
db510619574de67fd514cb2f5a6a4a3eb7676fae

SHA256
2057d54ab92906bd8cfb86eb7114e1f87c9f3229fe493ad30f2a96b068143222

SHA512
07ff53c174f541031ac67c739baabbf59d0239da4d8136639f6e11dada1ec96cd40a049aad14a51ad6c65ea88bcf3442e790e925dfb23db338bdc19da734997d

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
81KB

MD5
3af9785a1ad07b0c0626ba491ea18a9c

SHA1
745ca0c4d757c2187e5764a13c071d8378fc7f75

SHA256
b7e16fa0ebbc888554f149244477f32fe679b4bcf1395d925e99fa959d10617c

SHA512
98fdceff3a47e9845fb4de9a2899dcbf502493bf35bffc8929f0f47bfd21a1f4a5f5f555748375b2620967445fcdd5d124a7b9b02c73ab74e0648c3006ca1b59

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
81KB

MD5
6ff26b26ff969f84631279f88d189f3d

SHA1
160aea176f5a6712b94464ac9ace0999c16b693f

SHA256
13a35cee29e94fe7ac4ea4c5ace518be8438131eb5aedd3f67bd73ce16a95017

SHA512
863f5aa9b4659f9bffd705d09379a0b6b9242bfdf84dab9a8a13ff5c0c68d14e27636c5787459fccdcf678ef73f5ca947e39197cd8ad1aebefd94fb1700e8bd9

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
81KB

MD5
7151d8513586ef187a32cac3ee2d7bb5

SHA1
6f0c92eabd04949cf754b71ac61b70a4f0298f91

SHA256
fe661aac5b22cda93260b3ee9910fdde159959ded88cea25c4a2b4f6698b5254

SHA512
0d05b67222bb56d6fd1c39cef18b4a59408b0da082c21659b1dcb7d590f396e66a9c5b0a24279f2581c8c86765835ef874bd94895f2c95835f8aaa591baf8846

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
81KB

MD5
127e112b91cc50f671ac6d7edbd79234

SHA1
b67236dea0a3ec2398e50ddecdf25eb7d6dabb50

SHA256
7de178cce5febef7553a2609dc97dd76bb12ac03dc9579aee2a810cc12548d7b

SHA512
d250bb9614d49ba37f2dcc6997ed6c64c8932de17ea4c9c922546ff3533770d0736c8d3fba8e3bbe863dbcd09200cefa4b7c4771c45a2249818b5927084b9786

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
81KB

MD5
24edfc797d933e8e2d4d5936599906f1

SHA1
63c0c53fc340dfd6af79b649e80c9348dbd0743c

SHA256
bf1daa988fe71c01d819528f7bc0a3bf84e9aa2ed55da1b2245d5689db6568a6

SHA512
5cae1368fd48f55f434511a7a4449cbde14b1677775bbe1ae6832236b89744da8a07a00d840af570e461bb7cff26d442cf66d1d458134520693abea232a57b6b

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
81KB

MD5
6fd5195f184e03913f58a93ea491f1cc

SHA1
75d2a2b1d776f46d0a2ee4473fe61f3e38f66e70

SHA256
79e81d60e462bf15d87fc5dc69cdebf9e53186160c80d3085c2e2e35a50284c0

SHA512
24d217fa33f986a22c2319613189113387e14605e0c2723abc9624dbc88c8592c119fadeb0eebad91ff236e7b4718644d928c0fa0da25996b80a245f52fe40bf

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
81KB

MD5
ed7b21f2d168cc888d9a674e74ba3b77

SHA1
a0ce31830c2d47d029f4848342a3e39ff40b70a3

SHA256
14157dae56938074b2cc4285b17993eadae69451d08e84dacc468cef7d0c3327

SHA512
48a0f0d4a53d695097a233d90e531dcb0b7886bf32498fc8ca56ad1774960e70a4f135513c4b2045f1589c9cdc04a436ff805bb87ff044e9094699a2dad66d56

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
81KB

MD5
f9032d1908b862ca25fdf84cb8471175

SHA1
2b5d1610afa6aeb6934d92cc3d5a8ac302e208f6

SHA256
0f95fd68a23a5133f2007f85b05057cba282d045b8fb0a53be8125da673fb1dc

SHA512
71553d4fa0c37f7f8d74f8d08acd718c67f109bf1d05216d4662ee32ee3d02385799d73d13b3a31b09783e11694249bdecdfa0a07dd2b0fefa97fcbc3b47a716

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
81KB

MD5
65cfbed0e64e972656f5277dce937582

SHA1
bfc8c17f752d6b2abaf00d62521c08d2746b95ce

SHA256
572690669bf4d11bad677ecadbfdef4c87d3e8d7cc63f457daee4f16a7d680c2

SHA512
accf49346d059e8fde4c9a5dedda94678c21dd26553fb0cd51eda372bbdfcc8a4cdc07fbc9648e69c924805a740ac387c36938bc7302e41d95e2990e4b9824cb

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
81KB

MD5
1f0414d4ab938d5c0e3be3982764ddca

SHA1
c52bac0801a5eddbead91cef81e3bf0ed80a591a

SHA256
45078d63e827ad1817ba8e12d81dc4f269a53b287e61e1ad47ec9d5dfe73c63b

SHA512
a5212da6a9fccc956c01b94ab7307a5ed8aa56dfcc24ab2ec748e6c9b6f311f142cdfd9c6dc992830199d361750223344bdcc6da7c034007c32a3450521871d8

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
81KB

MD5
8150cb31bc3601cbc71579fb37317412

SHA1
0df0e6e63812840c7a4d144d76aacd3b82fe8d68

SHA256
529e5a30ce6c96fc777ad18e600cc81ce7890a3beb53c26437d58b055ddfacc1

SHA512
a1b44a08a32bc010914818171668758a7b9e86b6101f0d1171f93b6e370cc766bc9a749a9175ccc6c85231d38b6acc6fe7269ecad869891f75c0a6172aa45637

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
81KB

MD5
0dc343de62f263bc333c550415992b53

SHA1
6b1bafffbfa72c4b7a7e09cb7955e290569484eb

SHA256
614681eb4a7a20a1514c82f4eef2ccaa5f1210a065839faac901cfa21826069e

SHA512
7a44ef1c4951f0cad80c66b0db4292ce0ec159191631ca752b289acf1ecfd24567733e9bb64e965920eb2bcce889485acfe8b621a3cf0381f4d88261860e1234

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
81KB

MD5
cbd759847bf97e95ccf9e055b98e9567

SHA1
37bf840af4e1114a0e5a5f25351a2f641adbc97a

SHA256
e6e00dd51beb57750195997df7e8cb5a4061c0d3d04f13726065db62d0ddc5df

SHA512
a29f41857d4e1cdc5fcb817bf279f994e35014d820b0bded6107ab08bebc7624575150596d5455c7b574d3a423dc7d12d810748f5a06bace72a946da9cf1eb0c

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
81KB

MD5
9f1a2096ebb6c6c7e2e42fb39b71e732

SHA1
c5e7c942de4769ab87ea455c733509c23b82eef2

SHA256
3e5dd381f7eb5d4cbfd3ed5f45d187d8d1efcf983ec011976b017a5d14f22bd0

SHA512
4e3ce7bc57096574879fe506165b90429f691a5b961f44aa74265597b9058ccdc1c270d26cd354ec68fc08adc232911dd1d9152cd87e12ac5d779a4d50cac096

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
81KB

MD5
19e1e918bf97822f7a3cab49728bdf3e

SHA1
742f0b332eacd75ea1604b8e1150fcc95bdfc983

SHA256
176a7f002c4cae5ccb25313c22d25ab9c6be3073bc3b03bd743f17987975277b

SHA512
86cc1bb7a4fec735771586937c803a9161f4b2527da585b4587a56334f7ee2e231dba746afcbc0a585e00cdb694ba5ca7e76eeff85a0d24f746c2f922897e434

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
81KB

MD5
2c4c64ecefa3d02494d195a85182d94f

SHA1
467eedb5a74ad3f0c4b8dfe22a5261ebcb9acd0b

SHA256
552ff636065f83566f31041051ec5ca1c7cb4a1cb39383b0623771fe4df16be9

SHA512
ffc9594b4b9ec4ab52116287ff7cd3749d6dd3e59508103b98d55240f80b8d204325e37ff122cb8f4353304b823c02bd424eba0bb9d61cfb9c198ae9d7cbd6aa

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
81KB

MD5
815ed77199df499838541e9add7afeab

SHA1
cd65faeb15050dbcabb5a4b32ca61f76fc4b3539

SHA256
d98d34ba81268355841df71a8f2e4473841e2a7081efd3a4fe8ba6879472c0d1

SHA512
aee4cf5b7bf70ed65c1a01bf129a017036ff3c9e9e07ebc5254c1db19d8b9e17c22d5d6f8008f41a519f4b6744512f38510f165d249e9bc5069d96559ced36c2

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
81KB

MD5
a79edfb155dfc5b5eaee4b0051d1ea9a

SHA1
7b4506ec0f2e8c9ffdc5fc935a637f5090bdd357

SHA256
7e0a3bfcf2a1e771315ec51d66c102ea0ccfdd26aed78bc28ffc2914aa0f24ca

SHA512
4a03901b4f3ed5a705834cfcd53551bcc11dc7598c92ac0ff29fb0325aa317318ffee086032d8e81f9cc9690d927644ea292cc1a19f5847e6f0aac3515dcfd39

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
81KB

MD5
d6d62b0d1a2041ccd2cbd58516752e70

SHA1
65215c9cd2bc70605c25a88dc716aa75efdcaedb

SHA256
01f0ccfc493d990e1a417d974720f7a9fffa6b73f4950a5afd57219c24df4244

SHA512
a086a2dfd3d66b0c8bde446022c3d2d5d7d0375a43efa100af704e52cb45eaad6cd35771a329648900b66ce103cba60cd9414def9382b98a9638ae212367c69c

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
81KB

MD5
2b42d252c545667a917a480324bd0f2e

SHA1
299a2835b165cec9e791547f242c4e073b50d1c7

SHA256
9edc808a98214fd64bdb6e3d3dc41a7b86693bb30ae9f9a54465a353fd0aeb19

SHA512
1e48e6f84889579713def9d25cdfc25f8fe5d5406049184e27b69859efa7568f890bb650a44ce558f5e33815e7cb5ba5e056e6760415231a8b481371a9e5340a

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
81KB

MD5
8a255d9c540c2b603e10180e5d6a65cc

SHA1
8d0f493d123b163a488f80b377777b91a958717b

SHA256
7bcd4d657c956a28106caa84cc598665b36200678aac476af68af77bf977d236

SHA512
c9599c21e23b210dc526be0ec5e3d147ea2fbca39b27fefe540c42a61d71c50e178b32edcb277f687fc70fafcf8829821f5cc1c9c4d4da8a42b81cc331a14f81

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
81KB

MD5
13c9bf87364d9d6ba864932fbcbbb1f1

SHA1
c23d5f47eecc05f5d38f7a8bb83b87ecb248f602

SHA256
bb6bf18c9273d83b23b68f935ef8ae5185e09a7aca2a59d2aadf3cf0ae8425db

SHA512
6bac1b032cd0cea8e3cdff4927f0afeb6074bd38355042a7d72ab2c5f7e2c45722eef658f42ac67392382c3214a8345315f4637340081f17d418995b74358e17

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
81KB

MD5
d63331392266a1271a4e76d70aa48d48

SHA1
f7eb776b45b5c499bbf6790b4d57584e89bf6b3d

SHA256
11e8cbdfd39746ea3b1be2442b91834f4b06218f78cee8d218a11efa68d2a86f

SHA512
7ad57dd14fc9e5b7eac3bfc9c8b492dffa9eadf7c5833c3a2c0d60af9ef900ea528f9646475feb95eda10cb89413a43dfbe2e819aa4a71e601c4351af9bf47b0

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
81KB

MD5
a91f6b119a73488bef7aa845fc3455f9

SHA1
066a074561cde12d32ec06233a7a2533c89ab2d0

SHA256
f548459e28929b187e7dc4f6afa81adc814f50f8d69e55eb61764a74e05b6c90

SHA512
efc963cc31d827e343cf2d6249d8063836e3f221ed9508f576138bca638c55cf0290e4ad975dc317cba6ff3722081327b39d09574abe57d49c75d73409db5057

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
81KB

MD5
45622bab827fedf5010ebc1543b8e1c6

SHA1
c278bde2bf92e5a59bf4edb488d1212658027c63

SHA256
362972cfd1d9feb9e66680de8ccf2025396d94cfa85db2df8d433620b76905a9

SHA512
5764075bd41e71b7e5aa369973284dd14904bfd30379eaa5a9d695d43e87878b0a0b6054f6a66658a2f1817f0271bb33ed782d6af369827c4e971370ec0d7dfe

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
81KB

MD5
01f77ba267fc47d701f4252360c97bb0

SHA1
009d563bed3c92d2e67e6234dfac3c401c8520d8

SHA256
95697b658350b03c0734dc2d5a1fac6d0da69be58aa5a6aa6e6921d4cd48f00f

SHA512
2f2ed1f8f75c0ff3150f4632e8874a526ea5c63f766c215150abd4eef6e7e8f4224a8e4a66ac70c00958bd5a9698d951e8514e60e274008cd722b507d2987e9e

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
81KB

MD5
9331bd91829e889f66a6901d931fb7e1

SHA1
d77dee1d5a1af950aac1c3daf4941111ca17994c

SHA256
eb3052e45a3f63d4dbc167ddb8064bac89412a45f6f9c50f33f00cb1d0a63816

SHA512
f19566e899228300af4f41277a17168260463dcb8312d2c7b171d0cd15ad417baeeb84915a6c4b0add457ab0e618f243a5b00a0f72fd5e029f738d271956494b

Download Submit
memory/64-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/312-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/336-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/412-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/440-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/440-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/668-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1208-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-498-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3484-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5224-821-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads