d237057e4f111daf6ba6c2a2515de6893dd9ac4059c3271ae65a401208d7f2e3

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddbc0c997aefae9e2d7a88b78431a490_NEIKI.exe
Size

109KB
MD5

ddbc0c997aefae9e2d7a88b78431a490
SHA1

adf2b3ded8421808f3cb40e32600ac6ff39580ba
SHA256

d237057e4f111daf6ba6c2a2515de6893dd9ac4059c3271ae65a401208d7f2e3
SHA512

adf64fa059d988819a156f035b8cb09618f015a401b6bb0e2df2969f855c7696e769c213ed527a6ce3e2c77c8005784e2f51999675e1200dad0308fd6334142a
SSDEEP

3072:bTMpHENWlgrP75cYJ9NLCqwzBu1DjHLMVDqqkSp:bCH/urFrJ9dwtu1DjrFqh

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ddbc0c997aefae9e2d7a88b78431a490_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/208-0-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000c000000023b52-6.dat	family_berbew
behavioral2/memory/3640-7-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb0-15.dat	family_berbew
behavioral2/memory/860-16-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb2-22.dat	family_berbew
behavioral2/memory/3532-23-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb4-30.dat	family_berbew
behavioral2/memory/2448-32-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0031000000023bb6-38.dat	family_berbew
behavioral2/memory/4840-40-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0031000000023bb8-47.dat	family_berbew
behavioral2/memory/4916-48-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bbb-54.dat	family_berbew
behavioral2/memory/4592-60-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bbd-62.dat	family_berbew
behavioral2/memory/2508-64-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bbf-70.dat	family_berbew
behavioral2/memory/5108-71-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc1-78.dat	family_berbew
behavioral2/memory/1768-79-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc3-86.dat	family_berbew
behavioral2/memory/1340-88-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc5-94.dat	family_berbew
behavioral2/memory/3740-96-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc7-102.dat	family_berbew
behavioral2/memory/1972-104-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc9-110.dat	family_berbew
behavioral2/memory/5104-111-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bcb-113.dat	family_berbew
behavioral2/memory/4868-120-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bcd-126.dat	family_berbew
behavioral2/memory/3600-128-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bcf-129.dat	family_berbew
behavioral2/memory/632-136-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd1-142.dat	family_berbew
behavioral2/memory/2032-144-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd3-150.dat	family_berbew
behavioral2/memory/4988-151-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd5-158.dat	family_berbew
behavioral2/memory/1424-164-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd7-166.dat	family_berbew
behavioral2/memory/2900-172-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd9-175.dat	family_berbew
behavioral2/memory/2932-176-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000c000000023b9e-182.dat	family_berbew
behavioral2/memory/4960-183-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bdc-190.dat	family_berbew
behavioral2/memory/4668-191-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bdf-199.dat	family_berbew
behavioral2/memory/4508-200-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000b000000023be1-206.dat	family_berbew
behavioral2/memory/396-208-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bea-214.dat	family_berbew
behavioral2/memory/2916-215-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0008000000023bfa-222.dat	family_berbew
behavioral2/memory/4896-228-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0009000000023c00-231.dat	family_berbew
behavioral2/memory/4460-236-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000e000000023c05-239.dat	family_berbew
behavioral2/memory/2296-240-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0008000000023c0a-246.dat	family_berbew
behavioral2/memory/3216-247-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0008000000023c0c-254.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
3640	Ibccic32.exe
860	Imihfl32.exe
3532	Jdcpcf32.exe
2448	Jjmhppqd.exe
4840	Jagqlj32.exe
4916	Jpjqhgol.exe
4592	Jjpeepnb.exe
2508	Jmnaakne.exe
5108	Jdhine32.exe
1768	Jmpngk32.exe
1340	Jaljgidl.exe
3740	Jbmfoa32.exe
1972	Jkdnpo32.exe
5104	Jangmibi.exe
4868	Jbocea32.exe
3600	Kmegbjgn.exe
632	Kdopod32.exe
2032	Kkihknfg.exe
4988	Kmgdgjek.exe
1424	Kgphpo32.exe
2900	Kkkdan32.exe
2932	Kphmie32.exe
4960	Kknafn32.exe
4668	Kmlnbi32.exe
4508	Kcifkp32.exe
396	Kkpnlm32.exe
2916	Kmnjhioc.exe
4896	Kdhbec32.exe
4460	Kkbkamnl.exe
2296	Lalcng32.exe
3216	Lpocjdld.exe
4928	Lkdggmlj.exe
4064	Lpappc32.exe
3496	Lcpllo32.exe
1872	Lijdhiaa.exe
1992	Ldohebqh.exe
2424	Lcbiao32.exe
1344	Lkiqbl32.exe
2232	Lnhmng32.exe
2452	Ldaeka32.exe
1620	Lgpagm32.exe
1284	Ljnnch32.exe
1392	Laefdf32.exe
2836	Lddbqa32.exe
4952	Lcgblncm.exe
4364	Mjqjih32.exe
4876	Mahbje32.exe
2376	Mdfofakp.exe
4688	Mciobn32.exe
3888	Mkpgck32.exe
2936	Mjcgohig.exe
2324	Mpmokb32.exe
3684	Mcklgm32.exe
1472	Mgghhlhq.exe
1880	Mnapdf32.exe
760	Mpolqa32.exe
2516	Mcnhmm32.exe
4520	Mkepnjng.exe
3536	Mpaifalo.exe
3208	Mcpebmkb.exe
1292	Mkgmcjld.exe
4884	Maaepd32.exe
3348	Mpdelajl.exe
2384	Mgnnhk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2456	4948	WerFault.exe	167

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	ddbc0c997aefae9e2d7a88b78431a490_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ddbc0c997aefae9e2d7a88b78431a490_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ddbc0c997aefae9e2d7a88b78431a490_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 3640	208	ddbc0c997aefae9e2d7a88b78431a490_NEIKI.exe	83
PID 208 wrote to memory of 3640	208	ddbc0c997aefae9e2d7a88b78431a490_NEIKI.exe	83
PID 208 wrote to memory of 3640	208	ddbc0c997aefae9e2d7a88b78431a490_NEIKI.exe	83
PID 3640 wrote to memory of 860	3640	Ibccic32.exe	84
PID 3640 wrote to memory of 860	3640	Ibccic32.exe	84
PID 3640 wrote to memory of 860	3640	Ibccic32.exe	84
PID 860 wrote to memory of 3532	860	Imihfl32.exe	85
PID 860 wrote to memory of 3532	860	Imihfl32.exe	85
PID 860 wrote to memory of 3532	860	Imihfl32.exe	85
PID 3532 wrote to memory of 2448	3532	Jdcpcf32.exe	86
PID 3532 wrote to memory of 2448	3532	Jdcpcf32.exe	86
PID 3532 wrote to memory of 2448	3532	Jdcpcf32.exe	86
PID 2448 wrote to memory of 4840	2448	Jjmhppqd.exe	87
PID 2448 wrote to memory of 4840	2448	Jjmhppqd.exe	87
PID 2448 wrote to memory of 4840	2448	Jjmhppqd.exe	87
PID 4840 wrote to memory of 4916	4840	Jagqlj32.exe	88
PID 4840 wrote to memory of 4916	4840	Jagqlj32.exe	88
PID 4840 wrote to memory of 4916	4840	Jagqlj32.exe	88
PID 4916 wrote to memory of 4592	4916	Jpjqhgol.exe	89
PID 4916 wrote to memory of 4592	4916	Jpjqhgol.exe	89
PID 4916 wrote to memory of 4592	4916	Jpjqhgol.exe	89
PID 4592 wrote to memory of 2508	4592	Jjpeepnb.exe	90
PID 4592 wrote to memory of 2508	4592	Jjpeepnb.exe	90
PID 4592 wrote to memory of 2508	4592	Jjpeepnb.exe	90
PID 2508 wrote to memory of 5108	2508	Jmnaakne.exe	91
PID 2508 wrote to memory of 5108	2508	Jmnaakne.exe	91
PID 2508 wrote to memory of 5108	2508	Jmnaakne.exe	91
PID 5108 wrote to memory of 1768	5108	Jdhine32.exe	92
PID 5108 wrote to memory of 1768	5108	Jdhine32.exe	92
PID 5108 wrote to memory of 1768	5108	Jdhine32.exe	92
PID 1768 wrote to memory of 1340	1768	Jmpngk32.exe	94
PID 1768 wrote to memory of 1340	1768	Jmpngk32.exe	94
PID 1768 wrote to memory of 1340	1768	Jmpngk32.exe	94
PID 1340 wrote to memory of 3740	1340	Jaljgidl.exe	95
PID 1340 wrote to memory of 3740	1340	Jaljgidl.exe	95
PID 1340 wrote to memory of 3740	1340	Jaljgidl.exe	95
PID 3740 wrote to memory of 1972	3740	Jbmfoa32.exe	96
PID 3740 wrote to memory of 1972	3740	Jbmfoa32.exe	96
PID 3740 wrote to memory of 1972	3740	Jbmfoa32.exe	96
PID 1972 wrote to memory of 5104	1972	Jkdnpo32.exe	97
PID 1972 wrote to memory of 5104	1972	Jkdnpo32.exe	97
PID 1972 wrote to memory of 5104	1972	Jkdnpo32.exe	97
PID 5104 wrote to memory of 4868	5104	Jangmibi.exe	98
PID 5104 wrote to memory of 4868	5104	Jangmibi.exe	98
PID 5104 wrote to memory of 4868	5104	Jangmibi.exe	98
PID 4868 wrote to memory of 3600	4868	Jbocea32.exe	100
PID 4868 wrote to memory of 3600	4868	Jbocea32.exe	100
PID 4868 wrote to memory of 3600	4868	Jbocea32.exe	100
PID 3600 wrote to memory of 632	3600	Kmegbjgn.exe	101
PID 3600 wrote to memory of 632	3600	Kmegbjgn.exe	101
PID 3600 wrote to memory of 632	3600	Kmegbjgn.exe	101
PID 632 wrote to memory of 2032	632	Kdopod32.exe	102
PID 632 wrote to memory of 2032	632	Kdopod32.exe	102
PID 632 wrote to memory of 2032	632	Kdopod32.exe	102
PID 2032 wrote to memory of 4988	2032	Kkihknfg.exe	103
PID 2032 wrote to memory of 4988	2032	Kkihknfg.exe	103
PID 2032 wrote to memory of 4988	2032	Kkihknfg.exe	103
PID 4988 wrote to memory of 1424	4988	Kmgdgjek.exe	105
PID 4988 wrote to memory of 1424	4988	Kmgdgjek.exe	105
PID 4988 wrote to memory of 1424	4988	Kmgdgjek.exe	105
PID 1424 wrote to memory of 2900	1424	Kgphpo32.exe	106
PID 1424 wrote to memory of 2900	1424	Kgphpo32.exe	106
PID 1424 wrote to memory of 2900	1424	Kgphpo32.exe	106
PID 2900 wrote to memory of 2932	2900	Kkkdan32.exe	107

C:\Users\Admin\AppData\Local\Temp\ddbc0c997aefae9e2d7a88b78431a490_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\ddbc0c997aefae9e2d7a88b78431a490_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\Ibccic32.exe
  C:\Windows\system32\Ibccic32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\Imihfl32.exe
    C:\Windows\system32\Imihfl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\SysWOW64\Jdcpcf32.exe
      C:\Windows\system32\Jdcpcf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3532
    - - C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        35⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        38⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        48⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        60⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        68⤵
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        71⤵
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        75⤵
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:976
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1008
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        81⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 412
        82⤵
        Program crash
        
        PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4948 -ip 4948
1⤵
PID:4864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ggcjqj32.dll

Filesize
7KB

MD5
9bcc412a3ca5ebf999286e6b86e9bdc0

SHA1
b2d3f9296147455e0f7e63fb4124332bf2478d7f

SHA256
c37349904fd434b2676821dc9830a656ed1fa4e52d97d242e224fddc3ad1dafe

SHA512
1f826fa613f928e846e9d6a95a4ac11202b859654d813e5ad69dd065339c21b474a64979a4fbd6c2227773b63a529d0b289f7d0c3020d5152ab1103ea91c7858

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
109KB

MD5
e8e0842d2ee7fd190dc373b81a4b473a

SHA1
ee85670fed257864ef98023c7d3dec5006a537af

SHA256
2dcd31f3c8ab9e0e04ef927338686c538bdb6b90aefc559d817508a9a28d49e9

SHA512
7318c0516f5bd391a851e8b7dd35d315c32d413af8d7ab97e2ae53ce387754b07069827f69e0b6a605e01c3edc65f6b088d513b84ad279e3f42f5dff8c6cd40c

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
109KB

MD5
727fc0d3cffef8cbda8a5fd96f359640

SHA1
723a83af8d4133c92d991c37e15b3f46b63cbfed

SHA256
67fe567ffb3947b469dc2612d9f46bbcf3905fe7f6a411cbfb918441a1552354

SHA512
50eb6d7980c9841225c06abc7465078e324d9e372613fe48226b8bd6cd3a065e1cf8d0969035bad6d90d6ac56dd905b27c40462cca22b01fcf64859f3dc41aac

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
109KB

MD5
5abb4fe67241928effe21b7403b399c2

SHA1
bdda0985612a50a0493019b5160b90289daddae4

SHA256
0b825ff1aaca560a46961f876a907d302ac1bf7ec3dd74de0b54e7a80b70d505

SHA512
24e4b74c196ba3b63dd07bef6d7cc93a334053e80dd073574c8dc3e62d87f499aff7b89802a23e0f50b1f869ea45be1969d73d4c1ffb12b266d35dae2c6c1815

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
109KB

MD5
5bdf6f457c7effa4e624ed8d8f98de63

SHA1
87c5a64a15675ce50fc323d0780ac155dc0ebfde

SHA256
e42303b6f3c330937a5af84e6bdc713a6e6b8dd3f9a231fb0719f0c517d85143

SHA512
074afd2f715461b111b77ecb840f2d44feb85758d0704c1736824ab8f37c17a9a875f92ac6862097d3f2749f8deaae36acd40ccdb957186bfd4254f9c0387a8f

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
109KB

MD5
da9882699912e5bf6007be44a7d41a6b

SHA1
381e3693c1927e28344e40f68a464aac32dcb8af

SHA256
adda12a0e3ea054674bd81553c1112ff295fdbe343ad6f4bf98fa50ebbb735ef

SHA512
1fe6d1f729423d0b4c0538274642c5286e046c93b79cf18c7bdbaf77b3f7b79114775d10b3cca6adc3aaec6644ed10f415e65f594733e1facffd68a7aa0f1900

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
109KB

MD5
a7cf84a9c1b3ef418cdd7eefd4a329a3

SHA1
0c3762ab90cbb996b75269131d4d3b29384f2bf8

SHA256
da40a0f1cd09db33e0ead54c0c13be9fe0a8e64c5fea1a438cb2b28dc7cc080f

SHA512
f6d0bfc905dbf7b8189f8394f8b732db5d2a414745268e60b3da595fc49f8e075b21d5c7f661898406825dd2d401d8cdbc83fbddafef29c7b1785fd9ec1f2eb8

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
109KB

MD5
9f1607c6789d98361c5d5c2cdf44691b

SHA1
aceb0f038b876872735f065d1b7816b0888156f9

SHA256
cef94b5b4cd57b086c5a8b36039ed48dc53de16af69aa7062ec304aac3d5a40b

SHA512
d110439e6467d351ec18a2a9df5099aa13dbec60710fb35d990edfa39c93c7380fc235743251299f92b1d193b2a8559e814f5a6d8151b3422861e50d7e15d6e2

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
109KB

MD5
ae34b94a84a364dcbb770f3c5fcfb343

SHA1
54a49ea0836ab8f12598758c658a1a1568f9af23

SHA256
e9ae70d5f200fe4a329dccc5e712b72254efa07bb4e2cdd81605283f4167e9ce

SHA512
7b91a0ee25cab13934b49fc6e59ba62ffd2c1f9c2320c3812fbf2e179c2a772fb1fb49492af83558408e8ab6d0c3a59d1218a747e7be5efa2421efcc1a7667d6

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
109KB

MD5
36d702ca9f760771f08d9054ab62646c

SHA1
1e4421f05764ee804cd42a627001f855a9c80307

SHA256
25d44dd607161f87b4b5de0e4b93a1f3a257f9e9227817b0faa08e067fd3634b

SHA512
9d76d950c3c4bda08d37fb85b26372bee4f4b1abbd79b296166aa33722a18cc1a42f919f91b640d4cf986fb7f2766e69ba347322569d899e5075c249d265641f

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
109KB

MD5
300c75e31257db322171123e7899fca0

SHA1
c1238946dfff5b5c808c783a6a36724d653c93b5

SHA256
7eac52a2c20d5a5fd10c02e4836311896295ae2d22f07913f47c450f2e618994

SHA512
7dbc2f8f3c83034e35d0aba2a0fda1fe456589439f53107c85116f49685ba431a31ac88654ab1bb90bc58508e27d961657ebfbb89a8693ad56e8a155decda8ed

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
109KB

MD5
77439bb6b41302be9b7a1268e9816e7e

SHA1
bf5a97f170b5f3d7ba2661146bfec6d7a2b60b60

SHA256
94927570b8f990a810c9e71da0ac30825c93a363fbfa4f310742fd44559bf2f2

SHA512
2218106e0e323ffe60f47776f634379532f8ad69ad8c4a2174b6e1eba6ef765daa955159ac92b116a5b7180d2fcc29955069b188d757cc45185b6e1f0abee85a

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
109KB

MD5
205f15da7148e3d5afc29659ebc35985

SHA1
e1964f81ed123fbdc1e89acb0a304b2b07d9b9e8

SHA256
1687d995c8d30a6318207e5b8e14bdc49f056d1b4fd4fb491c4a11e0d744743c

SHA512
4e67e05cd5f5dbdc57f1f2b318625b90cd3f6b1b4da6dfece01c3311ceafd000649b812261a109ecfcad2f27f6afc8aa3da95b88d025c49aee9911890798e580

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
109KB

MD5
1271c6af00e3fd937f82d80ba76ddf6c

SHA1
74cecb484cb46a4a790e9eb1f16139ce114f9135

SHA256
570ffe413fa9c4dd81db6d0cbe1da5f262168af9b61bea0b00d0bf67a99ee41d

SHA512
19336445c3040a9d413ef54fbdadd8c2f091e8b129bda193c0048b0e936d801e74c5f1b601e146e98ffabbb525c053e883dee52d57aa469cd28f82c9ecdb5525

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
109KB

MD5
71aae608c16eda90c01fc521ff48afad

SHA1
7ec9031952fabb84cb165428faf6fd95cb37a4f9

SHA256
3d88c60fc43072d7272e385d7aa9b4d084c9ef9f2e4cb3f56ffb66a8c6f3b9b1

SHA512
716c7fb95230a0e15d2b648187ca2fa388cb1d2e7b0d09829b887c8480739634c254a0c031625f4b9d91e28a545fe1e8d342325150f35fcc206cc7b78b740299

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
109KB

MD5
d28a1f26905ddfa927a5469d08677cb0

SHA1
b2dca8879677e25f49625c62c3b1b14d1eb0c663

SHA256
2f06e3d3a680af3c0ccb5ed44c3cd56eac2dd7aa3acabe79286daba014614034

SHA512
5f1525a74e79ce7506b2ecc021103ad479e5af7574001b13fd54084065c3b738b88d808199936d3533b788b5fb7c0c5746d6ce2b47f942aeae012517a4c2bda7

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
109KB

MD5
4c3c08e4123e40848f2f5a8bceaed844

SHA1
04de51819edb50ac79dc8dbccf730811210fd3ad

SHA256
c6655fe719d66eba28ec478fed57c73253cb8ab2145edc358d4fdfc3394bcdb1

SHA512
42513c6dc50b65d868c76437d3d7e7a2c1d33e6c36ec512fad5934523a4ea042de392945771bb32a1f7c2b0d14c44b036a9c4e935c64d2f0b169d24e3cfe185f

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
109KB

MD5
2019886081b850ac6898112e8ab6d40a

SHA1
6a7ff798bdf199ff9b24d1fa27965cbcda338944

SHA256
080c22186aa141433c9c4b5180e6c6308fb09027129613fbaacda3e4e6157ff1

SHA512
302c6be05d4884c8c3de568dbfb322416be94c3448d9b5f831971574d479572252a9567da416107c83a6f4fddb36c25f2c5e52606f2f4b264f16a88a470c3061

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
109KB

MD5
8654e54f9b596b10edb2ab8dde97133f

SHA1
2b1dbe496c09897f8ae760ce025bdf5365e8d35b

SHA256
56e70dfabaf38a0f28b531569a1fec8315194c84fb8717c4cafbf46c4cf70b4b

SHA512
84e5369be8601679810ce8bc673f4d319859aa78ed492f96189f32a2db3468b39f8909c0437c46887df9155988cbdfb15c57e057f9b6c17859f3f4615a9fc8de

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
109KB

MD5
3139e18ee3f02ff74925aef2b4cfcc98

SHA1
0e2f17039c213f792a04f76daa85f92cfeba61e5

SHA256
bec843967758719b97e34d0f894f735f3a9e2c12fa3f6dd508fe062b59becd7e

SHA512
fab56a348cf6a36485e7821eb37917396f506056ae517d34bc17f6d7c01a0fe7bf00ef2509f95a1d3811dd4ad596df51d4b27fbe6e15ee637a10a19756bc8299

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
109KB

MD5
d457324f995f1f7c3c6c4e9d6ab6a2a3

SHA1
30c717e1037eccb166d3368b49d3684de9c6c63c

SHA256
f2951d6e7556a8beafb3ec15636c11f8f7fd2cc19c4daef09c035d9c63a7be7f

SHA512
b6d3e81e6cbf5d95aca54eefe22a46404cba1cb8b67acaf521468c7f185ca822390a14411653d5724cbf7ce8b92c41e1f11e4f7ea16cf14a4f88b9de38d4344f

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
109KB

MD5
c5deed82f7a41e033d13ae5fb6910058

SHA1
c90a9bca6c70e9033beb391e3e4096ceee048c9f

SHA256
9f34c5054f7046f3166208e467a3c1d29cd14a68ea9422c4e1d405be8300d74a

SHA512
90e16cf2e4ed05ca672127dbf34db0881758f8b4fc06975c29546b41ed82c1ba4e980680994b83b1b7e737882a3f84475400bbf82b3ae1c2adb28184ab9e1bc5

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
109KB

MD5
2053d30a95e026c61824599c01525cd0

SHA1
aed4cd0e05a8ea15b3939998af4f09a652999c30

SHA256
af9a6822bbf75ff03f5142ef8d633bcb9bd2fd1a692bc29dd047357f66b87db7

SHA512
4e2a87f9f930980bca65c725cd9b9959a48e00ebed6a99209e613dc263230bb7297cebaf921ec784ed87f2eb41b5b938a5548dfe7f89af54be3d5f94592f6367

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
109KB

MD5
dcf9a869b1b48b3f6f6ac5a5188f4625

SHA1
d76d3a23467cbebd63f29f1e60273dc9330f121e

SHA256
9e55a5b6398ad5b1095e4e6f7e2b0ca44809957f674dfa6741dfc6e89255d884

SHA512
f7a022aca264b400ca4a881ccc2f887c920ac26d268c01be6b43b1e3f99dbb190b810405bea1032acdebb36c58caba04ce11b174cb3beba753d4e0128f2e9953

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
109KB

MD5
8da73138bc4acb4759dfde41a20c6565

SHA1
65026939768a530cd6880429d8a48b159405dd46

SHA256
78d20a7bcb2785fde61e90103decda9cc23b20f87641f698775fac0ecd4f3aa2

SHA512
26a806492176fcdf746e464ad7287334e24e8f69fd2fff094aefddfecf45a09066f134b8c0855050cc406080a81c00ad3b9ce54ce88c6dc1a4616277578392b4

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
109KB

MD5
bf8566c5946b762000bfba807c043ecb

SHA1
5482dd8462c989a5c1e3bbd9c582b0ac494ca190

SHA256
fa24c433e4028b549867dc58adcddf8499d603d7f04d10de8ac1ee3b0006caab

SHA512
00a2b7a24f533282731b0a08f6be2e2a724463cb0578adf4c41e67177d64975db786ce330cd2f87527e21e71bd2d465ad8d3f053eb48ec6edfd866f513f882c0

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
109KB

MD5
787f4429edfb8717c786562ec90ffba0

SHA1
21c87e77cad5eaf70083e4030e7e6cd06550aaab

SHA256
0f88a590506f3e7aa2e282b10686afefa74e61c01d8df2022cf12229573b4922

SHA512
35ba60286cd41b9ea9c8efd82181cdc7844eff07254775f6f060202fdf25972ca730e904ffd9ef9fcb1486b9e578dabbc7dae2409504c604013ae0e0119035cb

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
109KB

MD5
099cd77e6501372782d058852a3450dc

SHA1
4cca4d4bbe1a57ddf95ead7c78ba5541a183872b

SHA256
40a17b0810e903dd5cdf3b4aad40985c7e14f1a42bf851865000db1d9be9ddd9

SHA512
5cbff7a520a5d44d95f68ec4c849e583b6a30597789b4eb046dcdcf69509ce8792c10ad51affe3cdf7878b3e2bc177253343350eaeefa1ee27e816650e762b29

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
109KB

MD5
bf4b106be5d1aa5825e4e7717d5eae5f

SHA1
cb06001474283a17ca3be8d2034d4628fb996956

SHA256
eb3c1301551a381ccd3d4e18f99c6f33c73382a8c7aec5cf7cc46ea60959504b

SHA512
bd932b2a195de99749dcf1b0e4bd863dd808b38415d395ce4586d1d7a061eb2fa6e153e460f5cc10eee47064859d74c2329e6be9fad4d9053ea1ddc158c65f1a

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
109KB

MD5
7bfafe93c7f45f785071006b54e04300

SHA1
64b8ee1292a135fd8badc48a93d46b3f56dd6a3a

SHA256
281a38e30dd7b408260c055d6cf9fd0228c1c5cd4295053a01f107faef941e24

SHA512
6ecda2ac09a0b5b4e27455de24e1514d1931986a472c59e52099612ebc3d703a99a6ee7abdb9225e06b0220dcc48ff2c55a06b92003d73f27d85ecc462e9fbcc

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
109KB

MD5
f56a5b72e452f63c6bea25f4481545de

SHA1
f8240bb0484ad7ee8353fb7ecebdf1d077922b1c

SHA256
6efb82619870bf0dd06bf43ab72899595efaaf5a96062449f5a6a08faa93f187

SHA512
451c34acfaa630ba32c3f779e1064f24391945b8f0080faf4f753cb22a43d791b73b71110321e0380ee4c4eb5775cd073ba575e01e67f745d7af28817e58efce

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
109KB

MD5
9ae080c96971a1054558c6684150648b

SHA1
dc251499f59ad9e5322b5ba1947f705ec9950d14

SHA256
894f14ab95b8b06dcd3e0745497db546900401929340e2a487660909916d3dba

SHA512
b7cde8eec01959264251b26a2729bd02a9a82fff42a98c2eb211f03eb923631039f92ed2626e6d441f29a3334b0c3ccd4d6a38339a1c5e3b9de1eafdf675f860

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
109KB

MD5
2a3f5a261fd8c1c83d4f53979c37cc93

SHA1
2e7a564d85e02b3d4d5319da5f6b0134b2e0dab8

SHA256
611b604df0360c7cda52619f78e3537b7e4ab1fcd5f0a01f6371981266ec3ee0

SHA512
f00e1d71f02d5307eb40a9264a037da94d018f88727d845d53976d1a5f7a1ddcf842bea037e2a5971353de97b6d05f6d67ea98cb686120b471cfae2bc4e81cd3

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
109KB

MD5
301a25d2f7564e5cfba8c6af2862fce1

SHA1
9c9cbc85f35f00f6dba5f90e169908439f780d71

SHA256
16a824751900b96028f67db2c3fbf2207316839bfd1d619b900fba6c859bdf5e

SHA512
2af45516dd7271e8cb6570ce746d34fe8a76321bbfdb420db853ec44cd53a5dd7c679db830f9b4c797423f48b58d0b06664c493205221e73c43760ac0d9f5f33

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
109KB

MD5
7534e5e6c070a3fe8c9a8c6198e8d568

SHA1
3789b252378787b244b3e54fb9c84ea99cb37872

SHA256
20836be44b010b13f221d7cde6330fe0e6460f37861988b88081dfee7aeac006

SHA512
8b01e56f954378038d76acd8fdb6f8d7f072da8230ff603b29f60103c8477bc3b387928ae44042984ed2597135b79ade7abdfa1d909b403218b56896259d7f36

Download Submit
memory/208-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/208-544-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/396-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/464-550-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/464-508-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/632-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/668-459-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/760-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/860-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/976-549-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/976-517-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1008-524-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1284-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1292-558-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1292-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1340-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1344-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1392-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1424-164-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1472-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1620-314-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1768-79-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1864-482-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1864-553-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1872-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1880-398-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1952-507-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1972-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1992-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2032-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2232-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2296-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2324-380-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2376-357-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2384-556-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2384-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2424-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2448-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2452-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2508-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2516-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2836-332-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2892-531-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-172-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2916-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2932-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2936-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3208-559-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3208-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3216-247-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3348-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3348-557-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3360-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3360-554-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3496-272-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3532-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3536-422-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3580-541-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3580-547-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3600-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3612-500-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3640-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3680-476-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3684-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3740-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3792-464-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3792-555-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3888-368-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4044-551-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4044-493-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4064-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4364-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4432-548-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4432-532-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4460-236-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4476-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4476-552-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4508-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4520-417-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4592-60-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4668-191-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4688-363-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4840-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4868-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4876-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4884-440-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4896-228-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4916-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4928-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4948-545-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4948-546-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4952-338-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4960-183-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4988-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5104-111-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5108-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads