77a131ad78cf5ae083c976f4f553139de22a20b6f54e3649789cb25ea827fc74

Analysis

max time kernel
136s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b1a7e4c34f12059fd877c7e36378680_NEIKI.exe
Size

182KB
MD5

3b1a7e4c34f12059fd877c7e36378680
SHA1

36eef0822102818318b0a49ff101e97194957996
SHA256

77a131ad78cf5ae083c976f4f553139de22a20b6f54e3649789cb25ea827fc74
SHA512

dd4c3568a43dfba04395dd4d309ab8ec44bbd4c6b3c2ba1ee09d9e59242e301107d7d6516dfbdde6efbac271e410c113c788ed80c7ffaeccbc37dabfbe3f91e2
SSDEEP

1536:iaZlWp1i/ezVEXORijT0EvrUUH2La7nguPw9uVgA53+RrKJs2zjFS3ldkBOLLaVd:Xro1cGB8jT0f7a7nguPnVgA53+GpOc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3b1a7e4c34f12059fd877c7e36378680_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe

Executes dropped EXE 64 IoCs

pid	Process
3468	Hpihai32.exe
4768	Hjolnb32.exe
2420	Haidklda.exe
4532	Icgqggce.exe
5100	Ijaida32.exe
1500	Iakaql32.exe
3004	Ipnalhii.exe
628	Ijdeiaio.exe
3168	Iannfk32.exe
3644	Ifjfnb32.exe
4552	Imdnklfp.exe
4280	Ipckgh32.exe
2436	Ijhodq32.exe
2540	Idacmfkj.exe
3420	Ijkljp32.exe
3684	Iinlemia.exe
1056	Jdcpcf32.exe
4884	Jagqlj32.exe
5116	Jpjqhgol.exe
1956	Jjpeepnb.exe
1688	Jmnaakne.exe
924	Jplmmfmi.exe
2596	Jbkjjblm.exe
3760	Jfffjqdf.exe
4352	Jjbako32.exe
416	Jmpngk32.exe
820	Jaljgidl.exe
1760	Jbmfoa32.exe
4608	Jfhbppbc.exe
5052	Jkdnpo32.exe
4504	Jmbklj32.exe
1948	Jangmibi.exe
2748	Jpaghf32.exe
1272	Jdmcidam.exe
4416	Jbocea32.exe
2964	Jfkoeppq.exe
4396	Jkfkfohj.exe
2320	Kmegbjgn.exe
1172	Kaqcbi32.exe
760	Kpccnefa.exe
4412	Kbapjafe.exe
2980	Kgmlkp32.exe
3140	Kkihknfg.exe
4996	Kilhgk32.exe
4812	Kacphh32.exe
4344	Kacphh32.exe
1916	Kpepcedo.exe
3828	Kdffocib.exe
1420	Kgdbkohf.exe
4304	Kibnhjgj.exe
4484	Kdhbec32.exe
1628	Kckbqpnj.exe
3656	Kkbkamnl.exe
3696	Lmqgnhmp.exe
3428	Lpocjdld.exe
2432	Lgikfn32.exe
4332	Liggbi32.exe
4916	Lpappc32.exe
2288	Lgkhlnbn.exe
4848	Lkgdml32.exe
4460	Lnepih32.exe
2768	Lpcmec32.exe
4856	Lcbiao32.exe
3956	Lilanioo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Icgqggce.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Haidklda.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	3b1a7e4c34f12059fd877c7e36378680_NEIKI.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5320	5136	WerFault.exe	198

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 3468	2864	3b1a7e4c34f12059fd877c7e36378680_NEIKI.exe	86
PID 2864 wrote to memory of 3468	2864	3b1a7e4c34f12059fd877c7e36378680_NEIKI.exe	86
PID 2864 wrote to memory of 3468	2864	3b1a7e4c34f12059fd877c7e36378680_NEIKI.exe	86
PID 3468 wrote to memory of 4768	3468	Hpihai32.exe	87
PID 3468 wrote to memory of 4768	3468	Hpihai32.exe	87
PID 3468 wrote to memory of 4768	3468	Hpihai32.exe	87
PID 4768 wrote to memory of 2420	4768	Hjolnb32.exe	88
PID 4768 wrote to memory of 2420	4768	Hjolnb32.exe	88
PID 4768 wrote to memory of 2420	4768	Hjolnb32.exe	88
PID 2420 wrote to memory of 4532	2420	Haidklda.exe	89
PID 2420 wrote to memory of 4532	2420	Haidklda.exe	89
PID 2420 wrote to memory of 4532	2420	Haidklda.exe	89
PID 4532 wrote to memory of 5100	4532	Icgqggce.exe	91
PID 4532 wrote to memory of 5100	4532	Icgqggce.exe	91
PID 4532 wrote to memory of 5100	4532	Icgqggce.exe	91
PID 5100 wrote to memory of 1500	5100	Ijaida32.exe	92
PID 5100 wrote to memory of 1500	5100	Ijaida32.exe	92
PID 5100 wrote to memory of 1500	5100	Ijaida32.exe	92
PID 1500 wrote to memory of 3004	1500	Iakaql32.exe	93
PID 1500 wrote to memory of 3004	1500	Iakaql32.exe	93
PID 1500 wrote to memory of 3004	1500	Iakaql32.exe	93
PID 3004 wrote to memory of 628	3004	Ipnalhii.exe	94
PID 3004 wrote to memory of 628	3004	Ipnalhii.exe	94
PID 3004 wrote to memory of 628	3004	Ipnalhii.exe	94
PID 628 wrote to memory of 3168	628	Ijdeiaio.exe	95
PID 628 wrote to memory of 3168	628	Ijdeiaio.exe	95
PID 628 wrote to memory of 3168	628	Ijdeiaio.exe	95
PID 3168 wrote to memory of 3644	3168	Iannfk32.exe	97
PID 3168 wrote to memory of 3644	3168	Iannfk32.exe	97
PID 3168 wrote to memory of 3644	3168	Iannfk32.exe	97
PID 3644 wrote to memory of 4552	3644	Ifjfnb32.exe	98
PID 3644 wrote to memory of 4552	3644	Ifjfnb32.exe	98
PID 3644 wrote to memory of 4552	3644	Ifjfnb32.exe	98
PID 4552 wrote to memory of 4280	4552	Imdnklfp.exe	99
PID 4552 wrote to memory of 4280	4552	Imdnklfp.exe	99
PID 4552 wrote to memory of 4280	4552	Imdnklfp.exe	99
PID 4280 wrote to memory of 2436	4280	Ipckgh32.exe	100
PID 4280 wrote to memory of 2436	4280	Ipckgh32.exe	100
PID 4280 wrote to memory of 2436	4280	Ipckgh32.exe	100
PID 2436 wrote to memory of 2540	2436	Ijhodq32.exe	101
PID 2436 wrote to memory of 2540	2436	Ijhodq32.exe	101
PID 2436 wrote to memory of 2540	2436	Ijhodq32.exe	101
PID 2540 wrote to memory of 3420	2540	Idacmfkj.exe	103
PID 2540 wrote to memory of 3420	2540	Idacmfkj.exe	103
PID 2540 wrote to memory of 3420	2540	Idacmfkj.exe	103
PID 3420 wrote to memory of 3684	3420	Ijkljp32.exe	104
PID 3420 wrote to memory of 3684	3420	Ijkljp32.exe	104
PID 3420 wrote to memory of 3684	3420	Ijkljp32.exe	104
PID 3684 wrote to memory of 1056	3684	Iinlemia.exe	105
PID 3684 wrote to memory of 1056	3684	Iinlemia.exe	105
PID 3684 wrote to memory of 1056	3684	Iinlemia.exe	105
PID 1056 wrote to memory of 4884	1056	Jdcpcf32.exe	106
PID 1056 wrote to memory of 4884	1056	Jdcpcf32.exe	106
PID 1056 wrote to memory of 4884	1056	Jdcpcf32.exe	106
PID 4884 wrote to memory of 5116	4884	Jagqlj32.exe	107
PID 4884 wrote to memory of 5116	4884	Jagqlj32.exe	107
PID 4884 wrote to memory of 5116	4884	Jagqlj32.exe	107
PID 5116 wrote to memory of 1956	5116	Jpjqhgol.exe	108
PID 5116 wrote to memory of 1956	5116	Jpjqhgol.exe	108
PID 5116 wrote to memory of 1956	5116	Jpjqhgol.exe	108
PID 1956 wrote to memory of 1688	1956	Jjpeepnb.exe	109
PID 1956 wrote to memory of 1688	1956	Jjpeepnb.exe	109
PID 1956 wrote to memory of 1688	1956	Jjpeepnb.exe	109
PID 1688 wrote to memory of 924	1688	Jmnaakne.exe	110

C:\Users\Admin\AppData\Local\Temp\3b1a7e4c34f12059fd877c7e36378680_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\3b1a7e4c34f12059fd877c7e36378680_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\Hpihai32.exe
  C:\Windows\system32\Hpihai32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\SysWOW64\Hjolnb32.exe
    C:\Windows\system32\Hjolnb32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\SysWOW64\Haidklda.exe
      C:\Windows\system32\Haidklda.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2420
    - - C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
      - C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        26⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:416
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:820
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        33⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:576
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        67⤵
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3436
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4660
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        71⤵
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        73⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        74⤵
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4912
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        79⤵
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1528
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3000
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        86⤵
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        88⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        89⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        93⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        94⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        96⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        97⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        98⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        100⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        103⤵
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        104⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        107⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        109⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 400
        110⤵
        Program crash
        
        PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5136 -ip 5136
1⤵
PID:5268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haidklda.exe

Filesize
182KB

MD5
7ed24ebe02bf90a7ac2b0967bb583aeb

SHA1
855b96bc66b6d67ce8acee11cf20e9510818bc5d

SHA256
cc6e2dcdf93d95fcc1f9fa6f0b7fbba3e4b76a57971d22bdd3893c7d3a5c6282

SHA512
5dc0742afe2e31afe27cd6e751fb7997f98721e81414d3439dfa80a96fcbc4b5b276d79cf719bce4195fa185364c6e08576510923f74941b0adde9bf0d17ec36

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
182KB

MD5
cb5a38265ccd9a4497bd26919ecd0fb4

SHA1
f8c5e0f162090f9a888e11323b897ff12676dee2

SHA256
bcc621dec64bea137e1ae8f8570df8097b2ac195666a43bda8303bdd7f3aa067

SHA512
320cb619cdc511b231f3e94a2f404d8e82dd776eeaaed8078b6521da4c81f996660dca6711ae9f6b67914b982cbc3532dd05e1cf431041d69e9564bdd61d3266

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
182KB

MD5
addb86eea65d7fe339d1636a572c8df4

SHA1
45b07e8dae19951829f0282a081bcb12512fee41

SHA256
65bf60e0abfb2bd9fd9d0b450cbe375820e9bf9deecc7c1be01e34ea7fb2a565

SHA512
c00fa7e9361e88c66b0af892195f3c225d696b0f195724f347cc3cc74f7625ac4efa30c1707f2ebd02ea028bf8b141b1308389925395289d7d5e073f9a074d5c

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
182KB

MD5
e76d80e09fc0129ba53111da87db30fe

SHA1
988f2d646a019f5bc4186e02e6539731555a7ff2

SHA256
1b4963f0122cec608f9561773bee7b76c294981a7d07383e863170ec5bd61fb9

SHA512
ff999aeb0adbedc9a4258642f7bf769da4e57666dac4459bf3d9fbda8e4c1f2922af5ebc3aa782606e5cac648e6baf3b5f13b21ffd9e74232b69498573f6285e

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
182KB

MD5
bcd4ab15e28706f429ea210cf82400ab

SHA1
922a4847d1789012f150f0504ee6272a8d6ba506

SHA256
d2b20347af89db957d07126a82238828c7ff7a195b5f6307b9b3dda6e419fe59

SHA512
ac1ddede362a2e4880583c8213b40d6fd4f05f5451caf6fb86aec1fc83d2cdf3db7c4adf00b49a061ee5bc8df7acf387372e43cc258a6d98d1f5b0fc453d4c3f

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
182KB

MD5
28ca1b20245de80c7710e66dfc2dbe51

SHA1
41c2d876665ca668a9fc6fb2e5ae0b3af7e409b0

SHA256
6b3d6a5dabf9ccd63353b8ebb32332760f49330764e3c3b9ee98533ad194ddc8

SHA512
5ec7067b2094d5e2836d398c88cacd4eb224475f6a63afe1423957cb333f8b23731af3f7d22b023ffc8b7331939e1193bf6c9eaa5e7905f8210b24a263bc58db

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
182KB

MD5
3a749be4ffc38d09d74869890a0bb169

SHA1
5265e3f506feec216a61cbadd6bd8846fde64e20

SHA256
84bce7726ec0351aae4615557cac3a2230d54c5d3e96d07a67a19824a83f1c6f

SHA512
91bef04d753a4f2fe8c4f2d1a257f34e9af60c832003db89328f4c7fb1a6ec48a3f8d7213d959130b5e1d69dd7e3ee0cf540fcb6d20e822682c9ab3e121a5035

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
182KB

MD5
2ceb3884848ac896b0df0b0cb2dce6cf

SHA1
15c097a0be34c61e85ff28583095669de0fb49fd

SHA256
db3f62a1f433bc22d3b41fcca9cf23ff49c0b338f90052edae84c7b788e788cf

SHA512
0890c51ade62380819ab34cf4e8d594150b3390c013d775b654f984fda167a26952bf7d70492fc5dbb0e278410535b0e7613e85632a099bb668feb0c6094f515

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
182KB

MD5
61142f28f8833c49d374218f955bd707

SHA1
4a3cdf9c26337ccac69ae33bbea18736845454a3

SHA256
a4334c87db5db41dfc1171fb7668cf53b4f0c80e9326685a0e5ab94b970452a8

SHA512
5709ba920462d006a4c319eda3d14f1b96b4d30f2c7404e41054719331b64b723979cf30a7103a6364d998812f6dcd6d0a8bd4da895e7b4dddd9e5355064aea8

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
182KB

MD5
1b6e96b18b2b4905fdfb1677323a76c2

SHA1
cf7d77c7e46f2d03d56e63216f051e222cff7484

SHA256
cc8d3e3e4499cea73cc6060c4dec0e424b7a10b2723a6f2ac609fa8dc453c5cb

SHA512
0659659c81b6b231d403cd1bad592e4c293db5717486cbe0c0bd531e83e398a334666e18a2039d253648886e705dc752df0d02379f0752caf9685ce812194925

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
182KB

MD5
34578243af10a9c8134d02709a08a47d

SHA1
9710cab76939df4bf49e4071a95df9030976964a

SHA256
ab88655e0b99ce8f2bba0d8d28bea35c1ff021bd6f57b965955d51cda1ddf350

SHA512
ee26ab5179bfd14c2f17a56733b9923f3eaa8e4ee3c42a118117850d8a00bef05f959403471b7860d0573622b1c5eef8061a2c7b6c5a39461fd75adc83bccbf6

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
182KB

MD5
7f13dcaaa16a2f47ed87428568f8749b

SHA1
7e03294a820e286669353421c2e43bbf72e9e1a4

SHA256
5c1f2f6f1125bdd51c0f9056a06d8cf3c07f0e5d601faef2c24e9cf39c9f2f8c

SHA512
743a2dfb691b31edce3a8841aa3a43cf1f8789798c5998ec722194fb11af4daac66a0040a8674aab377a797bb29dd776d8b10d50a1f832225bd7eee64d1565c7

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
182KB

MD5
0b8bd8cb6c370a3936cd6ceb6d120034

SHA1
ed4140b8407ef5a7d9add98bbf05a5efe0ed4a7a

SHA256
c2fd7c4e1f9cddb6bff534a0bb0557f7b72bd96bf50be969321dbb15640b1f02

SHA512
1164239cea7b6aba24e0e141ba980fdd5f4adf13d8d8c86f94a902bfa5dd0b31c32468e698e7dc245b36db62162b06b58f75fea5ccd51c57122cacbb9eaac757

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
182KB

MD5
526bcb5f08518e1a3bb82446b9b5e961

SHA1
c0ddc8fe7e9b40210abfdb2f686ffcfbcd6970fb

SHA256
27c853edac71d58cba0b36fd27e35e7d25660cd9b4830dd3096ffe92ec218ad9

SHA512
a6f1ca8372eee2cad9e2c3c9b9c8b8cf7a38a8a1fffe067e58dde6b48d7b1295cd4a8a52832c42dfa7157076275512f79984ad95c4e87507e71bb320048cb616

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
182KB

MD5
961a060b9ab1f849a68ef703c2808d47

SHA1
f1779febf1c8f7020ed17f1c40bfafe4e15e0809

SHA256
ea61fa93d09a78a77c9d134b6abb11096f0a334fcf4de6dd8b21d5a1af93df9d

SHA512
46c829089e40c5ec363921a2944c04286f8f9932aeef393fe6dcbcac48740cebde99eebbb84835dc228f42f35240f30301f8aa73838271b9eb7c87cdfa869a91

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
182KB

MD5
76dfc9c100870583bd45d40db28043ff

SHA1
bf59fd399af089d69fbea33952f8c7d85b75864e

SHA256
8debb32aba154336b2274b6ad063effba29ac5ddbefd3f44d0e7de0862dce0bd

SHA512
aca0bbdf2c33a6092893a31c3771a7f163c5fe8205aabce6ee594f3d24cd95b9bfcb72d529bfe38e86d847692ab19c2be33efb3b84825096e01607e1f590d750

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
182KB

MD5
833f1b1ccb0f3a834af09a603b960b45

SHA1
a2474671032a4c0e2f38851783e6e0660922236b

SHA256
13ef26ef56b40ad7fde71bdd0d0cedcd38c90079bf681e6ee9664f76c5633414

SHA512
563107fb42366652d609b53437b347df22fd60f110532984bf8e134223a5ad2d86525dd2b9efbf2d61ebf0712e96bc02cb52911342f32ca9b5d344957e05ef4c

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
182KB

MD5
8ae4f2831798a1a354e8d75859299f84

SHA1
56926368ce8646721679d4e1c2284b8fcebb98e9

SHA256
d8a2908893deddebd7de8df9ac44ae5ddd6cf8b247f8100111008ba429a65d95

SHA512
5312f1297c8c8d8a4bded9cfb03ac9c01ab73f9c268b2b9ec80799ce7feb751325618ef83e159ee97662f9d1ac7bd9fb0d427c0059444e4f40b8d460bf4e0740

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
182KB

MD5
0a93da73b8716ec49e3976b9a6d3dc48

SHA1
43cd4017671b253a491dc31f31679da082003e9f

SHA256
7bc66edcb9a26fdbd748f4d4963aa7e122b0d4b70b5e26f9cf907fa23d160f13

SHA512
c6844a98966e1c0cb6a096219210252e6ef8db298938bd489b85eca18e8b49702818195c9bfe5a2ca837c108135fa03b377ec321b639e61bd4a0c2040b756f52

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
182KB

MD5
8c044ef3ff00ebd995725991dc9c1acd

SHA1
a9aa586ac1a2c4211493fce0f0893ec580389e9a

SHA256
0912582f419bb76f427ff0947e1269bd1248209fdf8e798ac9bcb4eeb315e229

SHA512
e8cd0b06b0bab8deb4bd44db29c07e12c6f27237ca52ce70a863ce292a4c420ab5fe4148111bedd7a0b1ae5ef37d01c96abfe9b1b956ff1d68b1355b2a535bb5

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
182KB

MD5
7853ab549c1e6b1dc57331ed14656767

SHA1
8775c6dd8a14239b69608e6a4e229fbdd4a27f4c

SHA256
1ea2523538990e2548759324bf68b0ba07ee511694e64af87ba0cb29a8e6059b

SHA512
5cd4c551c28281fc61c8c52d5b98918c4d6c7db5b944033a61cb676a3012ffe52c4b546b3848f05ef9e8dd108c172e4b024db76c2b7b300f63bbaa53fed12fc7

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
182KB

MD5
0b917d6646778201b9ffab29c3919525

SHA1
0bda4373975adc8a872a82854bdf1834921cc2cd

SHA256
4cbe8d6b2c08452f6bf5ccf4ff367f609044144d281c9c35526f2181d7e621b7

SHA512
fbdafd4277bd3fcebfbe2f52b330d893d594e8fbadab3ca7a4e79e149dd8cbea80567d58f8d907cae4bf85accfc5e58f692965df376e3a4255a44648c6c23f57

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
182KB

MD5
b1161d8b7d899bf64faf87f4d046bf2e

SHA1
715ab59e9a8f4f18406480b3e195963dd8760434

SHA256
f95b766765ff7235473577ced44f3a48bd04169dec5defba1e12f7a7d9da47b3

SHA512
84751977e02114fad0e12181dd6e12779b5062ab80f24938c91b9541de98b8f11e755653a568b6f26921196c2a0593e73fd151ff94f41e3952712944b050d54f

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
182KB

MD5
5383fa8e15f1c9ade89c86704c69030d

SHA1
a217e1bb0d1fd2fb56b5f7729ebb0b7f3c40dcb6

SHA256
e40851ce19345be60d68296d5e510f7d05004eac43142a222ed47a52efa65baf

SHA512
65d7de295cbf6ce9351c3ac85befb399b0fc843be8edf1c7d490a409d9a04c6d0e6cf264139cf2d199260564b03797c9400d96a36a20f9094ba09735c071f2dc

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
182KB

MD5
45ad386115e106bc5659c02d32d5053d

SHA1
819ad0ee4f4de6f7dd1a6c7fe517a09f38fb9e1c

SHA256
c07885893d33eff9c7de427369a49fb171bc51b4139b5d9c9362a3b7ec09bde9

SHA512
bb4db370fdd42c08a3b2d6872b3ea799bbef342b243435bee028cee5f8fd250bbde387b8b44083fdbe66c202791675d8b8b936348dcef2a6977845f264827234

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
182KB

MD5
b288b47af4dd394b2b90888f0e4db1d8

SHA1
fb087e70ebe054fe6ee2638128c76af1f5d0ec91

SHA256
289e322439cd650fa798fbb9e016d4e4ef3cbf3d5d4e0f1f09fa3c93ef87403c

SHA512
98add1a2136b5aa6c48c7ceee71ad9163a3842d5e4eb4f07512ca6f208f76e9abf90d74915be5d23f96abee1e72567072c24c257827a92c733d6e2844e6ace61

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
182KB

MD5
32fba54920829efaf18fa72df4c91f98

SHA1
3dc22583a56433a30a09b48616d8e2f3720d7f0d

SHA256
356acafd5b39aae9d306f999f12435894938ba291f9b6dbf87919ab635ac6f30

SHA512
34b9c7927ee378c03cdb9c0e5c8bd9fd2fe2486e61efc39281a5d46bf48f0cde01d0857a82712b8333508b1db984dd882c65f1f346aff245a80d610e1cb8a9d4

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
182KB

MD5
602e1e713c00d58fa86f1737a37bf8cb

SHA1
8952af21980ee959a7dee2f0ceeede5f4e6e1e8d

SHA256
9a3a6c991b611d2275903e2372991d54dafa2396ccb4d790c34261c40a7d1a58

SHA512
2a41c1d7918dc5ee8dec4a20c1452ac661c9ad38e69f31215440fb470354704faf7fe6a42e981f6f1ab3c4ba5d3447895865195b89c3bcfa86d8fa2be440983c

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
182KB

MD5
124813db76df54afa8f59571e273d322

SHA1
262b204808f23023ffc47a360017181ad08edacd

SHA256
d14a416f130bc308331f3588aae6f8af3eafa01e99902461473ff942d0f98dd8

SHA512
abdc7fae23e2770d19ee7613df79a37a99ef948d4f10ed8e26f0867afb13e0fdb76b77628265b0930bd376c2e63999ff0d6d372cf3de8cbb4976d5c6494fed15

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
182KB

MD5
d3e84c7180b44405aeeb23dce171b86f

SHA1
49a7aef0b0f35bf8c1aa764e434d099eab7dd785

SHA256
a32b9ca03c51f8b1aeda6fa9bb033fa1e0bce1fd610f7b009350510cbb46f01d

SHA512
7c48a522ae65d3a36a29d841edf402565bb0520f1dde3ec982e12d9ed73125628aabe632ca3ad924216c08f878bb8351aed9eba694dd7e9d9236ddc0a22ee68f

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
182KB

MD5
413481c7f95e162ff3149cb5a47bd49a

SHA1
36ef6dec0316ceaeb5a32229b0c95c8907a557e9

SHA256
530f5117f0824ca6ebef1fb4e9ebad85541ef7a8171cabfe23b136a1730790bd

SHA512
0f2438a9b0f071d7db47087659c6e6c72ee4c42f9520f05dbe0cd96111fd23e5ac09d969be60b6070341e4bcf1203083282d77e2befee80374838db4c9ae7c1a

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
182KB

MD5
7c65ff0371a61f3c78618e08b63a40c3

SHA1
7911e43a44a10493757b4b5e5a1e4d3ec7dc3369

SHA256
833cfa23ea551bfff8a8205a6a32b185a758e531f5ba4580fe89350b2e7c2ab1

SHA512
86dc58d0298d0f52026fd347ebc688d3d8b70310155ff351627b797aa993a33742d2ac97eb4dc8aae80fdfe7f752b2f2a9f04a1d39f6b00811c1a841a52aea38

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
182KB

MD5
355d99ba640ddd578c60a66ad3d429c0

SHA1
66eb083a402c2231239272e7d2500ff58f937a18

SHA256
fdfea3cb77f84eebb72ace5069597d7ec17ddee89adf46e428ffcf643d2e28d9

SHA512
a61f5f29ac0590c9fc3a579cfc72e2394ed320fd72222c6fe0802c354d33f50603277283d6835e0f215ff669793b295d88bd8c9773a83816270ccb300aeb6d84

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
182KB

MD5
d026a4e04f0691dcdee7040f19f0996e

SHA1
d1c0cfa78df3ea900f49be06887931b392612c68

SHA256
c3e8e982d05dc919f1b52cbdfea59050159100cc87203a7b02fa8159063d37e8

SHA512
d03d615f9249220777b526d897ae22a5207b1fe572baa530a0ac2a38808aedce192e7f71f6de7f5011e6bbe553a3884a86fc4b8344bdd61d6998abe5dda1e3a3

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
182KB

MD5
9fd4242c70c6efe0a7a580984d2dc9d7

SHA1
77519abc0b4fc3e9d3ea64c38cf17ed64aa100ed

SHA256
4d08e83c0e9e05a967521901b084a7b19319d5db7739b3146b87375ae8444fca

SHA512
991436793bbe051cac6dadb90fb69d65931ae49490ad6972550e953bfe473d86e964be09861500577c7991e7260305308ea424a35268a6d66a68abdaf69ac36f

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
182KB

MD5
18c93dadfedbe8146094921fcbf15265

SHA1
5a18b596a9f4c110911961411d94e5b2392d10fb

SHA256
5e172eb6a7ecc5fc6e8e8ed024f78d8ab0219c513f68b5a20dc63c7753d708e1

SHA512
a78d856ed19f496f71d351aeace6fd05b85b6cae8fb46303cda988385834b69c5d19418c8a0ac97047a82c5aba67c5445490fd9fb66051e405ebcef5f0851951

Download Submit
memory/416-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/576-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/820-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/820-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2964-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5136-773-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads