441c1fc85522bda7821207537ad3638ea10b9387970d5c0ec7bcf3f974b33368

Analysis

max time kernel
138s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25dd7e478b07ea4f896af50449378220_NEIKI.exe
Size

266KB
MD5

25dd7e478b07ea4f896af50449378220
SHA1

744ccce259b70a0792d11b528cd7eefbceeb3df0
SHA256

441c1fc85522bda7821207537ad3638ea10b9387970d5c0ec7bcf3f974b33368
SHA512

8c2e1a1e5d4570c773d1dda0f0e66ab05e716393c44efab9c9b459e2a9f3f06c1446a03c966b6d9a863ba160ecf0bce7ad83a235b7d7870beb2335f86424623b
SSDEEP

6144:WLRbGGV2N/v0wQO+zrWnAdjhDe0AQjttQO+zrWnAdi:Jv//+zrWAZXrH/+zrWAI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	25dd7e478b07ea4f896af50449378220_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe

Executes dropped EXE 64 IoCs

pid	Process
2284	Iiibkn32.exe
1488	Imdnklfp.exe
2928	Ijhodq32.exe
3892	Iikopmkd.exe
2824	Idacmfkj.exe
3500	Ibccic32.exe
2444	Ifopiajn.exe
2892	Ijkljp32.exe
2256	Imihfl32.exe
868	Jaedgjjd.exe
4600	Jpgdbg32.exe
2644	Jdcpcf32.exe
5068	Jbfpobpb.exe
2832	Jfaloa32.exe
1840	Jjmhppqd.exe
4944	Jiphkm32.exe
4740	Jmkdlkph.exe
2408	Jagqlj32.exe
4308	Jpjqhgol.exe
456	Jdemhe32.exe
3868	Jbhmdbnp.exe
5016	Jfdida32.exe
1692	Jjpeepnb.exe
3996	Jibeql32.exe
1796	Jmnaakne.exe
4132	Jaimbj32.exe
4952	Jplmmfmi.exe
3912	Jdhine32.exe
3536	Jbkjjblm.exe
1132	Jfffjqdf.exe
2776	Jjbako32.exe
5008	Jidbflcj.exe
4772	Jmpngk32.exe
4020	Jaljgidl.exe
1300	Jpojcf32.exe
5104	Jdjfcecp.exe
4260	Jbmfoa32.exe
5036	Jfhbppbc.exe
4324	Jkdnpo32.exe
1764	Jmbklj32.exe
2372	Jangmibi.exe
3020	Jpaghf32.exe
1208	Jdmcidam.exe
3016	Jbocea32.exe
2820	Jfkoeppq.exe
764	Jiikak32.exe
2500	Kmegbjgn.exe
2864	Kaqcbi32.exe
1224	Kpccnefa.exe
4928	Kdopod32.exe
3440	Kbapjafe.exe
4964	Kgmlkp32.exe
1368	Kkihknfg.exe
2916	Kilhgk32.exe
1628	Kmgdgjek.exe
2000	Kacphh32.exe
3488	Kpepcedo.exe
3588	Kdaldd32.exe
4900	Kgphpo32.exe
5072	Kkkdan32.exe
1028	Kinemkko.exe
2848	Kmjqmi32.exe
672	Kaemnhla.exe
220	Kphmie32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Lihoogdd.dll	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	25dd7e478b07ea4f896af50449378220_NEIKI.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	25dd7e478b07ea4f896af50449378220_NEIKI.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jpojcf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5816	5724	WerFault.exe	199

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	25dd7e478b07ea4f896af50449378220_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mkepnjng.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2284	1400	25dd7e478b07ea4f896af50449378220_NEIKI.exe	83
PID 1400 wrote to memory of 2284	1400	25dd7e478b07ea4f896af50449378220_NEIKI.exe	83
PID 1400 wrote to memory of 2284	1400	25dd7e478b07ea4f896af50449378220_NEIKI.exe	83
PID 2284 wrote to memory of 1488	2284	Iiibkn32.exe	84
PID 2284 wrote to memory of 1488	2284	Iiibkn32.exe	84
PID 2284 wrote to memory of 1488	2284	Iiibkn32.exe	84
PID 1488 wrote to memory of 2928	1488	Imdnklfp.exe	85
PID 1488 wrote to memory of 2928	1488	Imdnklfp.exe	85
PID 1488 wrote to memory of 2928	1488	Imdnklfp.exe	85
PID 2928 wrote to memory of 3892	2928	Ijhodq32.exe	86
PID 2928 wrote to memory of 3892	2928	Ijhodq32.exe	86
PID 2928 wrote to memory of 3892	2928	Ijhodq32.exe	86
PID 3892 wrote to memory of 2824	3892	Iikopmkd.exe	87
PID 3892 wrote to memory of 2824	3892	Iikopmkd.exe	87
PID 3892 wrote to memory of 2824	3892	Iikopmkd.exe	87
PID 2824 wrote to memory of 3500	2824	Idacmfkj.exe	88
PID 2824 wrote to memory of 3500	2824	Idacmfkj.exe	88
PID 2824 wrote to memory of 3500	2824	Idacmfkj.exe	88
PID 3500 wrote to memory of 2444	3500	Ibccic32.exe	89
PID 3500 wrote to memory of 2444	3500	Ibccic32.exe	89
PID 3500 wrote to memory of 2444	3500	Ibccic32.exe	89
PID 2444 wrote to memory of 2892	2444	Ifopiajn.exe	90
PID 2444 wrote to memory of 2892	2444	Ifopiajn.exe	90
PID 2444 wrote to memory of 2892	2444	Ifopiajn.exe	90
PID 2892 wrote to memory of 2256	2892	Ijkljp32.exe	91
PID 2892 wrote to memory of 2256	2892	Ijkljp32.exe	91
PID 2892 wrote to memory of 2256	2892	Ijkljp32.exe	91
PID 2256 wrote to memory of 868	2256	Imihfl32.exe	92
PID 2256 wrote to memory of 868	2256	Imihfl32.exe	92
PID 2256 wrote to memory of 868	2256	Imihfl32.exe	92
PID 868 wrote to memory of 4600	868	Jaedgjjd.exe	93
PID 868 wrote to memory of 4600	868	Jaedgjjd.exe	93
PID 868 wrote to memory of 4600	868	Jaedgjjd.exe	93
PID 4600 wrote to memory of 2644	4600	Jpgdbg32.exe	94
PID 4600 wrote to memory of 2644	4600	Jpgdbg32.exe	94
PID 4600 wrote to memory of 2644	4600	Jpgdbg32.exe	94
PID 2644 wrote to memory of 5068	2644	Jdcpcf32.exe	95
PID 2644 wrote to memory of 5068	2644	Jdcpcf32.exe	95
PID 2644 wrote to memory of 5068	2644	Jdcpcf32.exe	95
PID 5068 wrote to memory of 2832	5068	Jbfpobpb.exe	96
PID 5068 wrote to memory of 2832	5068	Jbfpobpb.exe	96
PID 5068 wrote to memory of 2832	5068	Jbfpobpb.exe	96
PID 2832 wrote to memory of 1840	2832	Jfaloa32.exe	97
PID 2832 wrote to memory of 1840	2832	Jfaloa32.exe	97
PID 2832 wrote to memory of 1840	2832	Jfaloa32.exe	97
PID 1840 wrote to memory of 4944	1840	Jjmhppqd.exe	98
PID 1840 wrote to memory of 4944	1840	Jjmhppqd.exe	98
PID 1840 wrote to memory of 4944	1840	Jjmhppqd.exe	98
PID 4944 wrote to memory of 4740	4944	Jiphkm32.exe	99
PID 4944 wrote to memory of 4740	4944	Jiphkm32.exe	99
PID 4944 wrote to memory of 4740	4944	Jiphkm32.exe	99
PID 4740 wrote to memory of 2408	4740	Jmkdlkph.exe	100
PID 4740 wrote to memory of 2408	4740	Jmkdlkph.exe	100
PID 4740 wrote to memory of 2408	4740	Jmkdlkph.exe	100
PID 2408 wrote to memory of 4308	2408	Jagqlj32.exe	101
PID 2408 wrote to memory of 4308	2408	Jagqlj32.exe	101
PID 2408 wrote to memory of 4308	2408	Jagqlj32.exe	101
PID 4308 wrote to memory of 456	4308	Jpjqhgol.exe	102
PID 4308 wrote to memory of 456	4308	Jpjqhgol.exe	102
PID 4308 wrote to memory of 456	4308	Jpjqhgol.exe	102
PID 456 wrote to memory of 3868	456	Jdemhe32.exe	103
PID 456 wrote to memory of 3868	456	Jdemhe32.exe	103
PID 456 wrote to memory of 3868	456	Jdemhe32.exe	103
PID 3868 wrote to memory of 5016	3868	Jbhmdbnp.exe	104

C:\Users\Admin\AppData\Local\Temp\25dd7e478b07ea4f896af50449378220_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\25dd7e478b07ea4f896af50449378220_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\SysWOW64\Iiibkn32.exe
  C:\Windows\system32\Iiibkn32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\Imdnklfp.exe
    C:\Windows\system32\Imdnklfp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\SysWOW64\Ijhodq32.exe
      C:\Windows\system32\Ijhodq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
      - C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4132
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        33⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        41⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        44⤵
        Executes dropped EXE
        
        PID:1208
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        49⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        55⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:672
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1592
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        68⤵
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4416
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2816
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        74⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1532
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        81⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:808
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        83⤵
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        85⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        86⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4848
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        88⤵
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        89⤵
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        90⤵
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1096
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        92⤵
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        95⤵
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        96⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        98⤵
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        99⤵
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        100⤵
        
        PID:836
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5188
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        103⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        105⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        108⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        109⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        112⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        113⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        114⤵
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        115⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5724 -s 412
        116⤵
        Program crash
        
        PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5724 -ip 5724
1⤵
PID:5784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bpqnnk32.dll

Filesize
7KB

MD5
f408afdd3f25a6ebc2463bfb2a4847bd

SHA1
543c2ddfb6b44afaf4cf247db22976066acc7341

SHA256
c203a6d118c08b0b368ef798e50aecc2fd78f459595267b0041133d296afaffa

SHA512
fcb23cd3f025d0e743b886322885a1a08d81c96408eb0f6801953755ccd91a6963a6a5b950800aec42c26ba28b50e959f0261011be53ce2f3cba176d24bb893b

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
266KB

MD5
bd11e90908aa97148ee894d43796e545

SHA1
67dc9b7e99399875cfdbcfbe45c57b9a615e408d

SHA256
38c54e168714a5c7fe0697df71bdd9ac8fcaea5905c763adb6257b2a103ec5d3

SHA512
40cb768782a3146a67cf90226f1d543a8f2e57f319d8b7f8847b1961e232721bcd769b573e97e025882e48ccf9f38da269b8063081f4d16bc1731b227b9f66e2

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
266KB

MD5
7bcdff8bfb078ea566103a1547f71f1d

SHA1
08eac261fc16975e4a25d15c4c5ff48031063466

SHA256
79b896784fee452e965a28e9e461addd737dfdb50bebec62996958bfcae5c68a

SHA512
9ec9e5bebfbecce16d20f14e7a5ddf58bc388d05eaefcfecd9f4ea6372a638f051e5ad102e2e07f82849e76d7cfe656abc524b5ce56c1581ecefc93e73da28af

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
266KB

MD5
7b9a499331d6f2d4da1d96523c88693c

SHA1
ce3e9064bb4984ccea9725cdbed881ff3460ff6b

SHA256
70ab4ef1ffadf00ad19f32b8605b26d44e5d344a716dc3744049124594cb7912

SHA512
f83bf83eaec4acc9c47c458c21734260962c222780f183ed8f1691a5720593b54b41827f753bc7f35e152df7324f53312d0cf834ccb1ad0c0f8f0a1c2e01cc1d

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
266KB

MD5
abcaf084c47bf541d141eee17848e0b3

SHA1
7b88c35f5bf871d02b28b995f202e3f5ae94d711

SHA256
f75d66d330200ce3e0c63a9dd9a5f477aacf827f126c6dd7cb9dae591b274c7e

SHA512
22543d0e7f0743ab6f4d30184bc60c3f9550bdf022979a03a434a352087d7664898df1f38716c0573b4b2f1c4c7511622719cdb9781610a18d9afd6ce4ad0355

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
266KB

MD5
4fd59c2c7e0c65e2588d854f20de137a

SHA1
f821c24b2f93dedac339b0bd916b228d10992920

SHA256
c8f8a0918d6f82d67386eaa763f5b52369a02954b55a568c9b27a3e502184aea

SHA512
cf8ecfec84da932b0200a60c3da1c2c6d258f18109a123567afe37f85a20ed6190845a2532fede6d6327c6ec7f6416568882ff3b28722100e09c99dafb7839d5

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
266KB

MD5
a6c9ed22cde9b271e785bbe93e2f58dc

SHA1
f7590817e5455e313aa156cce869cc936db61bff

SHA256
bb1d50b68fd4339d9b7ebb04c2bc995e0186b00bfcf08ae24e488f987b933640

SHA512
cdbf8a869abe51ed2fb96da9dd520eb4c0aed85f044073784b4827183737d32d5703b9335ff7482438921b961c57a3285e7c7f2af0956e02634c83cf1fe1591e

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
266KB

MD5
5006be5289203aeccb2fd11b9989e077

SHA1
ccde2311cc3c23e5e5d5fdba4a694e16e287954d

SHA256
163b3c6e245c96fee7e1bd8d64f6755049e61d0ec14670599e112d2b9db7fc78

SHA512
d079ca88e9b1e47336e1be7640d92da991cbcbadb716fafe4522f8c06760784252082e9aa3aabac7ec842812703c6ed7cb4be1f5f1ceb99f1bf4cf03351b82f6

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
266KB

MD5
a7f1db10d824a0c85bc181d9b6aaac98

SHA1
e6686b18bc93677c664548f33de1b9c0821d1f77

SHA256
bd1dafedd55ba6e067573621fe4edb0c910b70e9899e32959375db028b729030

SHA512
91726ae745a588b0c889a6e020366f71856b05c526f97a2246b02731b57f391b8356c4cb88d81cbf9dcb428d81bbed4ee39ee553686db71501190cf8d0fbe2c1

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
266KB

MD5
feeb672ebc166cae283cced664e2a2a0

SHA1
0f908bbb3fefdf352ffa86cd944dcb95cbf6a825

SHA256
db372739ea9acdc3a44bcf5cb53d26cf0c5268748d21f21a824634fcdf5671df

SHA512
2231d6c7f1f99663c9123f4b8db84e5864fa6428adade1a8897f038887a458bfc769488f428d77159650b1406c7f3e3641546256e825d4af277e0b974d686293

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
266KB

MD5
7ac11c6853ec66720b26bb90e843f558

SHA1
e1f071d98589b5cae6545695744ba7a0cf4a4b2c

SHA256
f74539bec200e5d626f3e95fde596cad0e758687b4e8ac53680d51ffbb21bf86

SHA512
b5b26c278b746f1b48c0ea34875ddb1d80ab3a83ee9196b712484b33d62b23a0640110af26a2affa9fe6f28f903a3ff815dac6b89e0cbd67b3e4de32c340a89e

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
266KB

MD5
82c81839e89f3cc6b42ec4a5d48c3d2f

SHA1
c3384a68009b23d7418128ad809ba957e1b9ca25

SHA256
32e24b35ff634bc9097d467f980605ad0ce71f99b05d6bb987b462b6b65e8011

SHA512
0d1242a76431808156b9e4461fe1fe48bd97bfa1317c76f58c18b168aecfa72456a5d9836f35ec21c6473b355f2e00487747f6e2a3ccde290b0d43d33a715211

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
266KB

MD5
49b7851ec1e0f95bf376e7c30726cd58

SHA1
4a123050e5f3abaf58013f7ba6dcb4dcf66ec156

SHA256
9ca8b434b904d0ad697a4a917bb7d0d106910d49efe1f7e76c6dbe5254023738

SHA512
f4b5d03dbf26a5ffdd1a38d53d4cf612b8dd3aa09032dde3710bb06f48d9a08886f97ffbe003917857ee80fa37c023720b383e9274bdf0c5793e2862ac2b7d74

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
266KB

MD5
ea52ecbea1494ad80b80dc4f943e285f

SHA1
b6708edd081bc85e00ad120d7fbe2ad829e1f681

SHA256
637f39de3e62fa79ebd7ab5c8879ff5a6913e0ea61eba2cf2cc1f4102834e82c

SHA512
f2ff6fd8c5373c8052e0ba9a4daf5c929330f67e6c59dc263359408799dd6a7b21df169b56a116098c2f51ea4c12514c0c8f955a0a87e06e97f514ed5e4c4234

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
266KB

MD5
c058415acfae1567d63397d8bb7ae77c

SHA1
84b5c18b7ecd68674b1feacb28ae64e437886fb3

SHA256
44764e8a1dece5cfbfcfba88e68ec512d6f75c98dace258d0709a099433173bd

SHA512
98e2bf930cf08863bb18305d72d8d457624f2c68b5ed059333b872c45301a0c3905c7e73128abc5b58a3b4d7c3eb8c37f9f61b86596e70c1f51ad2c1dd240ad6

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
266KB

MD5
1b5770cce1c5813ceaabcb32a9b02251

SHA1
c1015f59180d36ef4f8adb1c90fec310e3a67f39

SHA256
34aeb310c4b8638fa42824350e31c9896e5bd425514b406b3517c28b6d47908f

SHA512
0f86fad15a2dcb95df0ee20ebbc9fe686ee1364b2c32e6e9c76dc72f67fa162767810c5f3fa032550f95cb9fbdc5167762f8721be6a769b448a03ac1604bd9b3

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
266KB

MD5
e27bb473e569d1fb8ea38d2daa4d6ef2

SHA1
4c74f94d61d7dd4d9b4b8da8b48ca4774d2d3daa

SHA256
623357b7ad9b8b61e06b5c6c3b3853210e8d118b7efd4701bfc7055d20e64a4e

SHA512
9e8b128a72e3e8e79eb82b1be1c5133bc10d0b71d6d27a7001f53c25197cd391d8677052d1494ccbedc3ed2032243a111dff72cddd49d89adc0f9200b77a7664

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
266KB

MD5
3603bd54e0c15f05cc2e1a7c28319f2a

SHA1
7b4f21ec24956966475ffe3a444193781913b198

SHA256
59f406903217eb2834ee139ed9bcce1bd7a3335b6e3ce81b4c8a0930a37c4040

SHA512
0f61188729a39c3b812bbd96eab1ff8b2d0f26d13d41e0f895dbc5c30f0651f68af7e92b4361178bb7875d9eaadd6d3dcc7d37ed5c7b57d37ee406646d6001d8

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
266KB

MD5
d150f907be0af1109cc5148537891a24

SHA1
8240036a7e7559ec0920daa5bc10f58debc11da7

SHA256
a6e3778e545818f7fde347c99d43fec9d6faa36dd84c61d5409308e6c284928f

SHA512
137d7cd743792bd86ba516450246a966a8a6390cdd1c7f696d45ad6163ceebea3f910e3bc6cc9eab163606dfabb10db7fc0b933b27ac4ebf7002af2de670c63d

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
266KB

MD5
47cdaba321423b24568239f0ff32d2af

SHA1
85392451983aca58bc5c66cfed03009816d6dde5

SHA256
5a6295f6d60a31f0f2e5ad68838364052ff870642432b5a7c5402a6ba4e9c4dd

SHA512
e8474deb6d6bf1670885d9145438ff7a778684951d799ed15f4fdb66b5be940b9a5db27e90402cd3178efbb767f261058c08469ef3350bf745d7fc096210b682

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
266KB

MD5
e0ea49d132ded048f0ee0537c9a5f025

SHA1
207dd9556bb7622921b90e193f6551c687319d6b

SHA256
67e6740773cc712d88ed7b4093f58598634e92b68b3f4da7851840353de5cd95

SHA512
e86f07ddfb39fe6679d372e0c7164f6903c948d4b48315981c8f271172ae2a08a483b50c8c977ee123034d5e441a8ddb323940e1a608cf063b13b0018953e669

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
266KB

MD5
9c9a7289d8d5f7c0bbf05d79286ebe7b

SHA1
729543843afce61d155dc3ec2854d261fa401934

SHA256
5ac984bdd4d3659de9cd0c3f9dc6c9c7d29a59d215191c59768d3d92143e944b

SHA512
7dec63ce40c5a0070261292884134dc1c4a6af3c73f3f2a61f4b0a187aa59fe44f7c97104794305eaf41804825f24b61312fdfc4ff837e0284ce1295567245d5

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
266KB

MD5
5ce6714eb0989a1f41f5d5aa6c36785a

SHA1
f13f1dad7cf36ae0a8a84afb4055deb21b6e482d

SHA256
0c6850962ff114adbc46c39e068d5224ae7dfb58a77cd5faf7325a461606c391

SHA512
8b3dcdd9009cbcf02ee9dac7ff579875e28fc58711457cd109385e573390d26041a0863e27bc6e8885585465b0ec9dc39c2e62fb714a9fa073cb7a89130e524e

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
266KB

MD5
0ac3b06316092ec5089a65ab9a943863

SHA1
4a6922d4e787d0116b42d6574a56c28416522ac8

SHA256
a8c82f7faf240e5b5d1f7b236e932031f420e6a058dd31085e3cc7d6cadb6d1a

SHA512
fbff2d239e3d69d94b92fd8da74d1fa8809162328489798ba0a06e6fc85af6f017cd2936ccf92f7b718a4248c2f19fdc82c9a7df3323d1e778bcc69f0572190c

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
266KB

MD5
d7705ec4817691196a03a7cfdaa115a9

SHA1
aff00e6864717f86888eee2791f97f4542186553

SHA256
bc3989a25f5d9893de463a77b067c4875f665e70edc5cd47c4ec85d797266c14

SHA512
b535cacad5abfb95134f8b6a9c7bd95945d38de8213f1220be1f61820ac45f46f61149f206cb91533928fb86db4a4cd144eb49c99b7d615f8b75b1f9956ba00f

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
266KB

MD5
cf9255cca7a2b787f247b6335aeec198

SHA1
94992aa1be199b85bb51303638173d222ee32259

SHA256
05e4abafc65b1769a031287e6160dc9cd9c0eba9413702e1b209373dfcc80c5c

SHA512
6d2a7e053de4bf031466575a4001521cfd2e5d0834fb971a20d48250cedcacc612fc5526cc9ecf6c8a5862727fc8959ed9666d277840db010ad8cc321e0756b9

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
266KB

MD5
16912092807639f90945a1acb9f4ab95

SHA1
d76e029ba90fc065ef4cfd4ce89872f0ee1279d3

SHA256
2d6236ca48f8526d0a9431e5de63b4704a2a46b1ad3166f6d19da92b459e72ed

SHA512
54ae7d82a69a2d866381a5a59b9adaa1646cfc909cd3756884fd390e8881b9a045955445bbf60e1ca75fe0a16d22a925a9e449fa2a66424312cbae7f9add5bfa

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
266KB

MD5
3d33408c62351bb45009e37036c4458c

SHA1
cd687c0c9a006c719c49ba1f24e59eca5d3cc7d1

SHA256
050f63f0f90326db74de9e0aa13d1124b5858d0f6fe8c85f23464016828a3c7d

SHA512
b0d848e989866a213b63b4c76f3fe731d7f8b38c70b7220c9759a8015e6e5f6158c924e0950d49d4b51f13bd56b79ee47855f1f62cdd14699ab028d46ca2fa76

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
266KB

MD5
4542bec28dd37bb35285aaf46914a851

SHA1
e4d79a73e1486424475330f93dd36e18082e90a4

SHA256
08c920da8abe02b1ff9fa8c9b6da0164739acbdb6f0839b0862d379eb7709ac0

SHA512
31a892ded12bff4593aac47e6cf751523dfb91ed88b301b5c064bd0c8b5b42ab787b46544165f4d51760246d13c7d0f68c82f25c16ff0ac9ccce61edc1bed04a

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
266KB

MD5
7f1b5bef5ba5acbc5917d9a5282ebc5e

SHA1
b4431e2360903b3f44ccb9877d8c0f3ba5f4d950

SHA256
e8762ebd75cb6bb026c0ba51605d6c494dca3875ecbd2ed2223368e4aefeec75

SHA512
84fa111e970b0b41b00e7f3e021c46fc29f96c46dea4dce8809b7840cc6ff792fa9f2019178d66d213b2c14ebaf26b205b17eae58a7e1eea044f1aa6dded0c33

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
266KB

MD5
d5ca669dfa0fea9b690ebfd1fdddde90

SHA1
be3d0022f3774565184f4802009d48c3d6509fbf

SHA256
1ed4b6e4b2b4cd14fe1f5f53fa0263c8dd85cf4f2e44fad8e5fe8ed5382ff7d7

SHA512
08c89bbd74ec708ce7bef80ccd110b4b4b0bdd2eb10cb8e83925538d0136279f838803703e4d31a0b8e9c852cb6804bed3fa1c61c6aa193fdf1a621d5ae9d174

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
266KB

MD5
5c0f084bac17bfb11c40fe1729b6b4ed

SHA1
c5a4344c84d4969129d2176660c2af09a6e0ff14

SHA256
9ab1f1ea87f606c9be684157d9bb3b65805a9d2386cbf477dd4d1596fb2c3a61

SHA512
f42bfaed49f937ec811705f94f23dcc7c3ec55f8a177c07bb5709dae4268c6c39ec7b172b043e7563b29168c7fe51a631074caaa2c36fc970eebc1feb011141d

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
266KB

MD5
2cd52525f2ba23f0fa7e0a2a7a03a406

SHA1
3571da6ba0b2a75d83ad9b9253b513cfcf6b2285

SHA256
eac4e2830145c7d5310572b729e49057f8062cc58bc671f218a545871b39a818

SHA512
5e048f4032b740e1baf5bda17f3c731b9b96a3ede9e532a67eca09716a2c901f9fad7f70aef76852fd09b8491009bbc3c4d8dd2ab9cae61dd854bb12279c78e1

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
266KB

MD5
b2ecd45b9c45fba2d49330873edbdedc

SHA1
044b42cabd89da405c4aa16176ce0910e2c71fa1

SHA256
7fb610d4532d6039dc7a252e927904db062b22de4fe7d0f7503ff266c679fad6

SHA512
8ad48af536e5d496595cdf6a48320b5fa04db8a68373e5f3693b4fdf2ee91ec94f445f9a6b2184d035daf1e061d0f63b795d659e1467981a0290c87cf949fc3c

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
266KB

MD5
3546d8b613d8daf173a8d956387737e2

SHA1
b8ac4c1a6806ad8e4284aff83734a4cc721cd22b

SHA256
6759ca33b9677beab8cdca9d30a848ebc927e76d5c5b4b8e04d57b3fe8af2519

SHA512
8ce7c1c49272f32a67983484a979dd8adfbf4ea3343f90cb56d1c4014eeb9d1ce023f2fb87a4a903154b148cb21a74a54bfd32a1cfe64ff6ce6932aeec3b7fdf

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
266KB

MD5
4ca07cfdafc53628c482e9daf5a6349b

SHA1
57e459ae9c3f2744f4e8049952b4b11b79360675

SHA256
afe5074569040e3eda7f0cecdf40e8691e59256bb017162285021ad68ff1277a

SHA512
d4d48dee16cec0f723f7a623b64b8e1bef83716f8f6d7fad5e06bfe3497bebea56dfc39de5de85b375872cb2945dbfbe10cde63a21c62776b736d122aca82b7a

Download Submit
memory/220-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/456-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/544-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/672-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/808-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/968-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-499-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1208-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1368-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1840-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-622-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-605-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3488-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3892-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-598-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3912-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3924-611-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-512-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4140-623-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-775-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-629-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-494-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-498-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads