Analysis

max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 14:13

Behavioral task: behavioral1
Sample: 5741d2e06daaa7ed43efd799b56e2690_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 5741d2e06daaa7ed43efd799b56e2690_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General

Target: 5741d2e06daaa7ed43efd799b56e2690_NeikiAnalytics.exe
Size: 96KB
MD5: 5741d2e06daaa7ed43efd799b56e2690
SHA1: 57b290616fa16e244054741e292b88c3674fb682
SHA256: 800187b8a94e4e023cd914824c9cb670da61bfa2bd2214e84d7c5cbfd253a511
SHA512: ceb01592003f151fba15ca05e08632e6766ca02d654edb6e5db59b355eb69cd2a4548d0e0877b8946faa80c7bce59ba26975ee3e6b9b4da8cacfee7c88d441ca
SSDEEP: 1536:mRWZ8Ir0MkMdrtOwVrfuyTN86TA2LVaIZTJ+7LhkiB0MPiKeEAgH:mR+8rR2VrTT+gxVaMU7uihJ5
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgnnhk32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibmmhdhm.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgfoan32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lphfpbdi.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcbahlip.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mpkbebbf.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lnepih32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgnnhk32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hapaemll.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdjfcecp.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjeddggd.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jbkjjblm.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkgdml32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laciofpa.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipnalhii.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldkojb32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnlfigcc.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldohebqh.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpdelajl.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iiffen32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lddbqa32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnolfdcn.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpenfjad.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpcmec32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpfijcfl.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngcgcjnc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mpdelajl.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpihai32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icljbg32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jdjfcecp.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdopod32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Himcoo32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcpebmkb.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcklgm32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkgmcjld.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipegmg32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jidbflcj.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lilanioo.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lcgblncm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdmegp32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kacphh32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmlnbi32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpjjod32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mpmokb32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfjmgdlf.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kgdbkohf.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcklgm32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lnjjdgee.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbhdmd32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jkdnpo32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgphpo32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kajfig32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gppekj32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfkoeppq.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nacbfdao.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nceonl32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjfihc32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Maaepd32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njacpf32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imdnklfp.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibagcc32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kacphh32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldaeka32.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldmlpbbj.exe |
Malware Dropper & Backdoor - Berbew (45 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
| resource | yara_rule |
|---|---|
| behavioral2/files/0x0008000000022f51-7.dat | family_berbew |
| behavioral2/files/0x0007000000023410-15.dat | family_berbew |
| behavioral2/files/0x0007000000023412-23.dat | family_berbew |
| behavioral2/files/0x0007000000023414-31.dat | family_berbew |
| behavioral2/files/0x0007000000023416-39.dat | family_berbew |
| behavioral2/files/0x0007000000023418-47.dat | family_berbew |
| behavioral2/files/0x000700000002341a-56.dat | family_berbew |
| behavioral2/files/0x000700000002341c-63.dat | family_berbew |
| behavioral2/files/0x000700000002341e-73.dat | family_berbew |
| behavioral2/files/0x0007000000023420-80.dat | family_berbew |
| behavioral2/files/0x0007000000023422-88.dat | family_berbew |
| behavioral2/files/0x0007000000023424-97.dat | family_berbew |
| behavioral2/files/0x0007000000023426-105.dat | family_berbew |
| behavioral2/files/0x0007000000023428-114.dat | family_berbew |
| behavioral2/files/0x000700000002342a-123.dat | family_berbew |
| behavioral2/files/0x000700000002342c-132.dat | family_berbew |
| behavioral2/files/0x000700000002342e-141.dat | family_berbew |
| behavioral2/files/0x0007000000023430-151.dat | family_berbew |
| behavioral2/files/0x0007000000023432-159.dat | family_berbew |
| behavioral2/files/0x0007000000023434-169.dat | family_berbew |
| behavioral2/files/0x0007000000023436-177.dat | family_berbew |
| behavioral2/files/0x0007000000023438-187.dat | family_berbew |
| behavioral2/files/0x000700000002343a-195.dat | family_berbew |
| behavioral2/files/0x000800000002340d-203.dat | family_berbew |
| behavioral2/files/0x000700000002343d-212.dat | family_berbew |
| behavioral2/files/0x000700000002343f-222.dat | family_berbew |
| behavioral2/files/0x0007000000023441-226.dat | family_berbew |
| behavioral2/files/0x0007000000023443-240.dat | family_berbew |
| behavioral2/files/0x0007000000023445-252.dat | family_berbew |
| behavioral2/files/0x0008000000023447-258.dat | family_berbew |
| behavioral2/files/0x000700000002344a-268.dat | family_berbew |
| behavioral2/files/0x000700000002344c-276.dat | family_berbew |
| behavioral2/files/0x0007000000023454-301.dat | family_berbew |
| behavioral2/files/0x000800000001e92c-357.dat | family_berbew |
| behavioral2/files/0x0008000000023391-384.dat | family_berbew |
| behavioral2/files/0x0007000000023465-410.dat | family_berbew |
| behavioral2/files/0x000700000002346c-431.dat | family_berbew |
| behavioral2/files/0x0007000000023472-452.dat | family_berbew |
| behavioral2/files/0x0007000000023485-503.dat | family_berbew |
| behavioral2/files/0x000700000002348d-528.dat | family_berbew |
| behavioral2/files/0x000700000002349a-584.dat | family_berbew |
| behavioral2/files/0x00070000000234cb-760.dat | family_berbew |
| behavioral2/files/0x00070000000234d7-801.dat | family_berbew |
| behavioral2/files/0x00070000000234d9-808.dat | family_berbew |
| behavioral2/files/0x00070000000234e5-848.dat | family_berbew |
Executes dropped EXE (64 IoCs)

| pid | Process |
|---|---|
| 716 | Gppekj32.exe |
| 3580 | Hfjmgdlf.exe |
| 3212 | Hjfihc32.exe |
| 3008 | Hapaemll.exe |
| 2992 | Hbanme32.exe |
| 3536 | Hikfip32.exe |
| 4204 | Hpenfjad.exe |
| 1528 | Hbckbepg.exe |
| 4120 | Himcoo32.exe |
| 3740 | Hadkpm32.exe |
| 1272 | Hbeghene.exe |
| 2004 | Hmklen32.exe |
| 4816 | Hpihai32.exe |
| 3016 | Hbhdmd32.exe |
| 2200 | Hmmhjm32.exe |
| 628 | Ibjqcd32.exe |
| 2132 | Impepm32.exe |
| 860 | Ipnalhii.exe |
| 4704 | Ibmmhdhm.exe |
| 2872 | Iiffen32.exe |
| 3020 | Icljbg32.exe |
| 4820 | Ifjfnb32.exe |
| 2152 | Imdnklfp.exe |
| 1688 | Ibagcc32.exe |
| 5072 | Ipegmg32.exe |
| 1252 | Imihfl32.exe |
| 2136 | Jdcpcf32.exe |
| 3012 | Jmkdlkph.exe |
| 3228 | Jfdida32.exe |
| 4380 | Jmnaakne.exe |
| 2636 | Jbkjjblm.exe |
| 4640 | Jidbflcj.exe |
| 2436 | Jpojcf32.exe |
| 4800 | Jdjfcecp.exe |
| 4228 | Jkdnpo32.exe |
| 3332 | Jangmibi.exe |
| 4872 | Jfkoeppq.exe |
| 3352 | Jiikak32.exe |
| 5080 | Kaqcbi32.exe |
| 3688 | Kdopod32.exe |
| 2404 | Kgmlkp32.exe |
| 4604 | Kmgdgjek.exe |
| 3140 | Kacphh32.exe |
| 3060 | Kbdmpqcb.exe |
| 3984 | Kgphpo32.exe |
| 1780 | Kinemkko.exe |
| 4828 | Kaemnhla.exe |
| 920 | Kknafn32.exe |
| 3188 | Kmlnbi32.exe |
| 3804 | Kpjjod32.exe |
| 2560 | Kgdbkohf.exe |
| 4932 | Kkpnlm32.exe |
| 3508 | Kajfig32.exe |
| 4804 | Kpmfddnf.exe |
| 796 | Kgfoan32.exe |
| 5052 | Liekmj32.exe |
| 1592 | Lmqgnhmp.exe |
| 1036 | Ldkojb32.exe |
| 4032 | Lgikfn32.exe |
| 1532 | Lkdggmlj.exe |
| 2956 | Lmccchkn.exe |
| 2516 | Ldmlpbbj.exe |
| 4836 | Lcpllo32.exe |
| 1960 | Lkgdml32.exe |
Drops file in System32 directory (64 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\Hbeghene.exe | Hadkpm32.exe |
| File created | C:\Windows\SysWOW64\Mfpoqooh.dll | Jangmibi.exe |
| File created | C:\Windows\SysWOW64\Kbdmpqcb.exe | Kacphh32.exe |
| File created | C:\Windows\SysWOW64\Kajfig32.exe | Kkpnlm32.exe |
| File created | C:\Windows\SysWOW64\Nceonl32.exe | Nacbfdao.exe |
| File created | C:\Windows\SysWOW64\Pkckjila.dll | Njacpf32.exe |
| File opened for modification | C:\Windows\SysWOW64\Icljbg32.exe | Iiffen32.exe |
| File created | C:\Windows\SysWOW64\Qnoaog32.dll | Jdcpcf32.exe |
| File created | C:\Windows\SysWOW64\Lkdggmlj.exe | Lgikfn32.exe |
| File opened for modification | C:\Windows\SysWOW64\Ngcgcjnc.exe | Nqiogp32.exe |
| File created | C:\Windows\SysWOW64\Ndidbn32.exe | Nnolfdcn.exe |
| File created | C:\Windows\SysWOW64\Lddbqa32.exe | Lphfpbdi.exe |
| File created | C:\Windows\SysWOW64\Jflepa32.dll | Jfkoeppq.exe |
| File created | C:\Windows\SysWOW64\Kgdbkohf.exe | Kpjjod32.exe |
| File created | C:\Windows\SysWOW64\Gjoceo32.dll | Ldmlpbbj.exe |
| File opened for modification | C:\Windows\SysWOW64\Ldmlpbbj.exe | Lmccchkn.exe |
| File created | C:\Windows\SysWOW64\Mpkbebbf.exe | Mnlfigcc.exe |
| File opened for modification | C:\Windows\SysWOW64\Mnapdf32.exe | Mjeddggd.exe |
| File created | C:\Windows\SysWOW64\Pdgdjjem.dll | Mjeddggd.exe |
| File opened for modification | C:\Windows\SysWOW64\Nacbfdao.exe | Nkjjij32.exe |
| File created | C:\Windows\SysWOW64\Lmbnpm32.dll | Ngcgcjnc.exe |
| File created | C:\Windows\SysWOW64\Bbamkcqa.dll | Hjfihc32.exe |
| File created | C:\Windows\SysWOW64\Anjekdho.dll | Jmkdlkph.exe |
| File opened for modification | C:\Windows\SysWOW64\Jkdnpo32.exe | Jdjfcecp.exe |
| File created | C:\Windows\SysWOW64\Ofdhdf32.dll | Liekmj32.exe |
| File created | C:\Windows\SysWOW64\Jpgeph32.dll | Lphfpbdi.exe |
| File opened for modification | C:\Windows\SysWOW64\Hbanme32.exe | Hapaemll.exe |
| File created | C:\Windows\SysWOW64\Geekfi32.dll | Himcoo32.exe |
| File created | C:\Windows\SysWOW64\Lppaheqp.dll | Jkdnpo32.exe |
| File opened for modification | C:\Windows\SysWOW64\Kmgdgjek.exe | Kgmlkp32.exe |
| File created | C:\Windows\SysWOW64\Bdiihjon.dll | Kgphpo32.exe |
| File created | C:\Windows\SysWOW64\Mpmokb32.exe | Majopeii.exe |
| File created | C:\Windows\SysWOW64\Nacbfdao.exe | Nkjjij32.exe |
| File created | C:\Windows\SysWOW64\Legdcg32.dll | Nkjjij32.exe |
| File opened for modification | C:\Windows\SysWOW64\Hpenfjad.exe | Hikfip32.exe |
| File opened for modification | C:\Windows\SysWOW64\Ipegmg32.exe | Ibagcc32.exe |
| File opened for modification | C:\Windows\SysWOW64\Kgfoan32.exe | Kpmfddnf.exe |
| File created | C:\Windows\SysWOW64\Kijjfe32.dll | Hikfip32.exe |
| File opened for modification | C:\Windows\SysWOW64\Kaqcbi32.exe | Jiikak32.exe |
| File created | C:\Windows\SysWOW64\Oedbld32.dll | Mkpgck32.exe |
| File opened for modification | C:\Windows\SysWOW64\Mkepnjng.exe | Mgidml32.exe |
| File opened for modification | C:\Windows\SysWOW64\Nceonl32.exe | Nacbfdao.exe |
| File opened for modification | C:\Windows\SysWOW64\Hapaemll.exe | Hjfihc32.exe |
| File created | C:\Windows\SysWOW64\Kgphpo32.exe | Kbdmpqcb.exe |
| File opened for modification | C:\Windows\SysWOW64\Kpjjod32.exe | Kmlnbi32.exe |
| File created | C:\Windows\SysWOW64\Ldkojb32.exe | Lmqgnhmp.exe |
| File opened for modification | C:\Windows\SysWOW64\Mjqjih32.exe | Lgbnmm32.exe |
| File created | C:\Windows\SysWOW64\Mnocof32.exe | Mkpgck32.exe |
| File created | C:\Windows\SysWOW64\Odegmceb.dll | Mnapdf32.exe |
| File created | C:\Windows\SysWOW64\Ppmeid32.dll | Hbeghene.exe |
| File created | C:\Windows\SysWOW64\Jkdnpo32.exe | Jdjfcecp.exe |
| File created | C:\Windows\SysWOW64\Bgcomh32.dll | Lpcmec32.exe |
| File created | C:\Windows\SysWOW64\Hbocda32.dll | Ldohebqh.exe |
| File opened for modification | C:\Windows\SysWOW64\Mpkbebbf.exe | Mnlfigcc.exe |
| File opened for modification | C:\Windows\SysWOW64\Hjfihc32.exe | Hfjmgdlf.exe |
| File created | C:\Windows\SysWOW64\Hadkpm32.exe | Himcoo32.exe |
| File created | C:\Windows\SysWOW64\Hpihai32.exe | Hmklen32.exe |
| File created | C:\Windows\SysWOW64\Impepm32.exe | Ibjqcd32.exe |
| File created | C:\Windows\SysWOW64\Gmbkmemo.dll | Ipnalhii.exe |
| File created | C:\Windows\SysWOW64\Kinemkko.exe | Kgphpo32.exe |
| File created | C:\Windows\SysWOW64\Lbhnnj32.dll | Kkpnlm32.exe |
| File opened for modification | C:\Windows\SysWOW64\Mnlfigcc.exe | Mjqjih32.exe |
| File opened for modification | C:\Windows\SysWOW64\Jangmibi.exe | Jkdnpo32.exe |
| File created | C:\Windows\SysWOW64\Kmlnbi32.exe | Kknafn32.exe |
Program crash (1 IoC)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 6088 | 6004 | WerFault.exe | 203 |
Modifies registry class (64 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll" | Kgfoan32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lkiqbl32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hjfihc32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kaemnhla.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll" | Mnocof32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nacbfdao.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Njacpf32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll" | Hjfihc32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kajfig32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mpolqa32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjjmog32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jdcpcf32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Majopeii.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kpjjod32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lkgdml32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll" | Jangmibi.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll" | Jfkoeppq.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lgpagm32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hikfip32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll" | Hmklen32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll" | Lgbnmm32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll" | Mpkbebbf.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mpmokb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdopod32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kmgdgjek.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnolfdcn.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mpkbebbf.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Maohkd32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mnlfigcc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll" | Mgekbljc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll" | Mdmegp32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hmmhjm32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jfkoeppq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll" | Mkbchk32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" | Ncihikcg.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll" | Hmmhjm32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jmkdlkph.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jiikak32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kmlnbi32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lgneampk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lilanioo.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ldaeka32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mgekbljc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll" | Icljbg32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll" | Jbkjjblm.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mncmjfmk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll" | Maohkd32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kacphh32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Liekmj32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll" | Lcpllo32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ldohebqh.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll" | Lphfpbdi.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll" | Mcnhmm32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 5741d2e06daaa7ed43efd799b56e2690_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ibjqcd32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mjjmog32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kgmlkp32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lmqgnhmp.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ljnnch32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mnocof32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mpdelajl.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 5741d2e06daaa7ed43efd799b56e2690_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll" | Hpihai32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll" | Kmgdgjek.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2496 wrote to memory of 716 | 2496 | 5741d2e06daaa7ed43efd799b56e2690_NeikiAnalytics.exe | 81 |
| PID 2496 wrote to memory of 716 | 2496 | 5741d2e06daaa7ed43efd799b56e2690_NeikiAnalytics.exe | 81 |
| PID 2496 wrote to memory of 716 | 2496 | 5741d2e06daaa7ed43efd799b56e2690_NeikiAnalytics.exe | 81 |
| PID 716 wrote to memory of 3580 | 716 | Gppekj32.exe | 82 |
| PID 716 wrote to memory of 3580 | 716 | Gppekj32.exe | 82 |
| PID 716 wrote to memory of 3580 | 716 | Gppekj32.exe | 82 |
| PID 3580 wrote to memory of 3212 | 3580 | Hfjmgdlf.exe | 83 |
| PID 3580 wrote to memory of 3212 | 3580 | Hfjmgdlf.exe | 83 |
| PID 3580 wrote to memory of 3212 | 3580 | Hfjmgdlf.exe | 83 |
| PID 3212 wrote to memory of 3008 | 3212 | Hjfihc32.exe | 84 |
| PID 3212 wrote to memory of 3008 | 3212 | Hjfihc32.exe | 84 |
| PID 3212 wrote to memory of 3008 | 3212 | Hjfihc32.exe | 84 |
| PID 3008 wrote to memory of 2992 | 3008 | Hapaemll.exe | 85 |
| PID 3008 wrote to memory of 2992 | 3008 | Hapaemll.exe | 85 |
| PID 3008 wrote to memory of 2992 | 3008 | Hapaemll.exe | 85 |
| PID 2992 wrote to memory of 3536 | 2992 | Hbanme32.exe | 87 |
| PID 2992 wrote to memory of 3536 | 2992 | Hbanme32.exe | 87 |
| PID 2992 wrote to memory of 3536 | 2992 | Hbanme32.exe | 87 |
| PID 3536 wrote to memory of 4204 | 3536 | Hikfip32.exe | 88 |
| PID 3536 wrote to memory of 4204 | 3536 | Hikfip32.exe | 88 |
| PID 3536 wrote to memory of 4204 | 3536 | Hikfip32.exe | 88 |
| PID 4204 wrote to memory of 1528 | 4204 | Hpenfjad.exe | 90 |
| PID 4204 wrote to memory of 1528 | 4204 | Hpenfjad.exe | 90 |
| PID 4204 wrote to memory of 1528 | 4204 | Hpenfjad.exe | 90 |
| PID 1528 wrote to memory of 4120 | 1528 | Hbckbepg.exe | 91 |
| PID 1528 wrote to memory of 4120 | 1528 | Hbckbepg.exe | 91 |
| PID 1528 wrote to memory of 4120 | 1528 | Hbckbepg.exe | 91 |
| PID 4120 wrote to memory of 3740 | 4120 | Himcoo32.exe | 92 |
| PID 4120 wrote to memory of 3740 | 4120 | Himcoo32.exe | 92 |
| PID 4120 wrote to memory of 3740 | 4120 | Himcoo32.exe | 92 |
| PID 3740 wrote to memory of 1272 | 3740 | Hadkpm32.exe | 93 |
| PID 3740 wrote to memory of 1272 | 3740 | Hadkpm32.exe | 93 |
| PID 3740 wrote to memory of 1272 | 3740 | Hadkpm32.exe | 93 |
| PID 1272 wrote to memory of 2004 | 1272 | Hbeghene.exe | 94 |
| PID 1272 wrote to memory of 2004 | 1272 | Hbeghene.exe | 94 |
| PID 1272 wrote to memory of 2004 | 1272 | Hbeghene.exe | 94 |
| PID 2004 wrote to memory of 4816 | 2004 | Hmklen32.exe | 96 |
| PID 2004 wrote to memory of 4816 | 2004 | Hmklen32.exe | 96 |
| PID 2004 wrote to memory of 4816 | 2004 | Hmklen32.exe | 96 |
| PID 4816 wrote to memory of 3016 | 4816 | Hpihai32.exe | 97 |
| PID 4816 wrote to memory of 3016 | 4816 | Hpihai32.exe | 97 |
| PID 4816 wrote to memory of 3016 | 4816 | Hpihai32.exe | 97 |
| PID 3016 wrote to memory of 2200 | 3016 | Hbhdmd32.exe | 98 |
| PID 3016 wrote to memory of 2200 | 3016 | Hbhdmd32.exe | 98 |
| PID 3016 wrote to memory of 2200 | 3016 | Hbhdmd32.exe | 98 |
| PID 2200 wrote to memory of 628 | 2200 | Hmmhjm32.exe | 99 |
| PID 2200 wrote to memory of 628 | 2200 | Hmmhjm32.exe | 99 |
| PID 2200 wrote to memory of 628 | 2200 | Hmmhjm32.exe | 99 |
| PID 628 wrote to memory of 2132 | 628 | Ibjqcd32.exe | 100 |
| PID 628 wrote to memory of 2132 | 628 | Ibjqcd32.exe | 100 |
| PID 628 wrote to memory of 2132 | 628 | Ibjqcd32.exe | 100 |
| PID 2132 wrote to memory of 860 | 2132 | Impepm32.exe | 101 |
| PID 2132 wrote to memory of 860 | 2132 | Impepm32.exe | 101 |
| PID 2132 wrote to memory of 860 | 2132 | Impepm32.exe | 101 |
| PID 860 wrote to memory of 4704 | 860 | Ipnalhii.exe | 102 |
| PID 860 wrote to memory of 4704 | 860 | Ipnalhii.exe | 102 |
| PID 860 wrote to memory of 4704 | 860 | Ipnalhii.exe | 102 |
| PID 4704 wrote to memory of 2872 | 4704 | Ibmmhdhm.exe | 103 |
| PID 4704 wrote to memory of 2872 | 4704 | Ibmmhdhm.exe | 103 |
| PID 4704 wrote to memory of 2872 | 4704 | Ibmmhdhm.exe | 103 |
| PID 2872 wrote to memory of 3020 | 2872 | Iiffen32.exe | 104 |
| PID 2872 wrote to memory of 3020 | 2872 | Iiffen32.exe | 104 |
| PID 2872 wrote to memory of 3020 | 2872 | Iiffen32.exe | 104 |
| PID 3020 wrote to memory of 4820 | 3020 | Icljbg32.exe | 105 |
Processes
Each entry below gives the process's level in the spawn tree in brackets, its image path, the command line it was launched with, its PID, and the signatures that fired for it.
- [1] C:\Users\Admin\AppData\Local\Temp\5741d2e06daaa7ed43efd799b56e2690_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\5741d2e06daaa7ed43efd799b56e2690_NeikiAnalytics.exe"), PID 2496
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\SysWOW64\Gppekj32.exe (command line: C:\Windows\system32\Gppekj32.exe), PID 716
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\SysWOW64\Hfjmgdlf.exe (command line: C:\Windows\system32\Hfjmgdlf.exe), PID 3580
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\SysWOW64\Hjfihc32.exe (command line: C:\Windows\system32\Hjfihc32.exe), PID 3212
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [5] C:\Windows\SysWOW64\Hapaemll.exe (command line: C:\Windows\system32\Hapaemll.exe), PID 3008
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [6] C:\Windows\SysWOW64\Hbanme32.exe (command line: C:\Windows\system32\Hbanme32.exe), PID 2992
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [7] C:\Windows\SysWOW64\Hikfip32.exe (command line: C:\Windows\system32\Hikfip32.exe), PID 3536
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [8] C:\Windows\SysWOW64\Hpenfjad.exe (command line: C:\Windows\system32\Hpenfjad.exe), PID 4204
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [9] C:\Windows\SysWOW64\Hbckbepg.exe (command line: C:\Windows\system32\Hbckbepg.exe), PID 1528
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [10] C:\Windows\SysWOW64\Himcoo32.exe (command line: C:\Windows\system32\Himcoo32.exe), PID 4120
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [11] C:\Windows\SysWOW64\Hadkpm32.exe (command line: C:\Windows\system32\Hadkpm32.exe), PID 3740
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [12] C:\Windows\SysWOW64\Hbeghene.exe (command line: C:\Windows\system32\Hbeghene.exe), PID 1272
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [13] C:\Windows\SysWOW64\Hmklen32.exe (command line: C:\Windows\system32\Hmklen32.exe), PID 2004
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [14] C:\Windows\SysWOW64\Hpihai32.exe (command line: C:\Windows\system32\Hpihai32.exe), PID 4816
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [15] C:\Windows\SysWOW64\Hbhdmd32.exe (command line: C:\Windows\system32\Hbhdmd32.exe), PID 3016
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [16] C:\Windows\SysWOW64\Hmmhjm32.exe (command line: C:\Windows\system32\Hmmhjm32.exe), PID 2200
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [17] C:\Windows\SysWOW64\Ibjqcd32.exe (command line: C:\Windows\system32\Ibjqcd32.exe), PID 628
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [18] C:\Windows\SysWOW64\Impepm32.exe (command line: C:\Windows\system32\Impepm32.exe), PID 2132
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [19] C:\Windows\SysWOW64\Ipnalhii.exe (command line: C:\Windows\system32\Ipnalhii.exe), PID 860
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [20] C:\Windows\SysWOW64\Ibmmhdhm.exe (command line: C:\Windows\system32\Ibmmhdhm.exe), PID 4704
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [21] C:\Windows\SysWOW64\Iiffen32.exe (command line: C:\Windows\system32\Iiffen32.exe), PID 2872
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [22] C:\Windows\SysWOW64\Icljbg32.exe (command line: C:\Windows\system32\Icljbg32.exe), PID 3020
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [23] C:\Windows\SysWOW64\Ifjfnb32.exe (command line: C:\Windows\system32\Ifjfnb32.exe), PID 4820
  - Executes dropped EXE
- [24] C:\Windows\SysWOW64\Imdnklfp.exe (command line: C:\Windows\system32\Imdnklfp.exe), PID 2152
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [25] C:\Windows\SysWOW64\Ibagcc32.exe (command line: C:\Windows\system32\Ibagcc32.exe), PID 1688
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
- [26] C:\Windows\SysWOW64\Ipegmg32.exe (command line: C:\Windows\system32\Ipegmg32.exe), PID 5072
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [27] C:\Windows\SysWOW64\Imihfl32.exe (command line: C:\Windows\system32\Imihfl32.exe), PID 1252
  - Executes dropped EXE
- [28] C:\Windows\SysWOW64\Jdcpcf32.exe (command line: C:\Windows\system32\Jdcpcf32.exe), PID 2136
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- [29] C:\Windows\SysWOW64\Jmkdlkph.exe (command line: C:\Windows\system32\Jmkdlkph.exe), PID 3012
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- [30] C:\Windows\SysWOW64\Jfdida32.exe (command line: C:\Windows\system32\Jfdida32.exe), PID 3228
  - Executes dropped EXE
- [31] C:\Windows\SysWOW64\Jmnaakne.exe (command line: C:\Windows\system32\Jmnaakne.exe), PID 4380
  - Executes dropped EXE
- [32] C:\Windows\SysWOW64\Jbkjjblm.exe (command line: C:\Windows\system32\Jbkjjblm.exe), PID 2636
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- [33] C:\Windows\SysWOW64\Jidbflcj.exe (command line: C:\Windows\system32\Jidbflcj.exe), PID 4640
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [34] C:\Windows\SysWOW64\Jpojcf32.exe (command line: C:\Windows\system32\Jpojcf32.exe), PID 2436
  - Executes dropped EXE
- [35] C:\Windows\SysWOW64\Jdjfcecp.exe (command line: C:\Windows\system32\Jdjfcecp.exe), PID 4800
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
- [36] C:\Windows\SysWOW64\Jkdnpo32.exe (command line: C:\Windows\system32\Jkdnpo32.exe), PID 4228
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
- [37] C:\Windows\SysWOW64\Jangmibi.exe (command line: C:\Windows\system32\Jangmibi.exe), PID 3332
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- [38] C:\Windows\SysWOW64\Jfkoeppq.exe (command line: C:\Windows\system32\Jfkoeppq.exe), PID 4872
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- [39] C:\Windows\SysWOW64\Jiikak32.exe (command line: C:\Windows\system32\Jiikak32.exe), PID 3352
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- [40] C:\Windows\SysWOW64\Kaqcbi32.exe (command line: C:\Windows\system32\Kaqcbi32.exe), PID 5080
  - Executes dropped EXE
- [41] C:\Windows\SysWOW64\Kdopod32.exe (command line: C:\Windows\system32\Kdopod32.exe), PID 3688
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- [42] C:\Windows\SysWOW64\Kgmlkp32.exe (command line: C:\Windows\system32\Kgmlkp32.exe), PID 2404
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- [43] C:\Windows\SysWOW64\Kmgdgjek.exe (command line: C:\Windows\system32\Kmgdgjek.exe), PID 4604
  - Executes dropped EXE
  - Modifies registry class
- [44] C:\Windows\SysWOW64\Kacphh32.exe (command line: C:\Windows\system32\Kacphh32.exe), PID 3140
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- [45] C:\Windows\SysWOW64\Kbdmpqcb.exe (command line: C:\Windows\system32\Kbdmpqcb.exe), PID 3060
  - Executes dropped EXE
  - Drops file in System32 directory
- [46] C:\Windows\SysWOW64\Kgphpo32.exe (command line: C:\Windows\system32\Kgphpo32.exe), PID 3984
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
- [47] C:\Windows\SysWOW64\Kinemkko.exe (command line: C:\Windows\system32\Kinemkko.exe), PID 1780
  - Executes dropped EXE
- [48] C:\Windows\SysWOW64\Kaemnhla.exe (command line: C:\Windows\system32\Kaemnhla.exe), PID 4828
  - Executes dropped EXE
  - Modifies registry class
- [49] C:\Windows\SysWOW64\Kknafn32.exe (command line: C:\Windows\system32\Kknafn32.exe), PID 920
  - Executes dropped EXE
  - Drops file in System32 directory
- [50] C:\Windows\SysWOW64\Kmlnbi32.exe (command line: C:\Windows\system32\Kmlnbi32.exe), PID 3188
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- [51] C:\Windows\SysWOW64\Kpjjod32.exe (command line: C:\Windows\system32\Kpjjod32.exe), PID 3804
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- [52] C:\Windows\SysWOW64\Kgdbkohf.exe (command line: C:\Windows\system32\Kgdbkohf.exe), PID 2560
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [53] C:\Windows\SysWOW64\Kkpnlm32.exe (command line: C:\Windows\system32\Kkpnlm32.exe), PID 4932
  - Executes dropped EXE
  - Drops file in System32 directory
- [54] C:\Windows\SysWOW64\Kajfig32.exe (command line: C:\Windows\system32\Kajfig32.exe), PID 3508
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- [55] C:\Windows\SysWOW64\Kpmfddnf.exe (command line: C:\Windows\system32\Kpmfddnf.exe), PID 4804
  - Executes dropped EXE
  - Drops file in System32 directory
- [56] C:\Windows\SysWOW64\Kgfoan32.exe (command line: C:\Windows\system32\Kgfoan32.exe), PID 796
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- [57] C:\Windows\SysWOW64\Liekmj32.exe (command line: C:\Windows\system32\Liekmj32.exe), PID 5052
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- [58] C:\Windows\SysWOW64\Lmqgnhmp.exe (command line: C:\Windows\system32\Lmqgnhmp.exe), PID 1592
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- [59] C:\Windows\SysWOW64\Ldkojb32.exe (command line: C:\Windows\system32\Ldkojb32.exe), PID 1036
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [60] C:\Windows\SysWOW64\Lgikfn32.exe (command line: C:\Windows\system32\Lgikfn32.exe), PID 4032
  - Executes dropped EXE
  - Drops file in System32 directory
- [61] C:\Windows\SysWOW64\Lkdggmlj.exe (command line: C:\Windows\system32\Lkdggmlj.exe), PID 1532
  - Executes dropped EXE
- [62] C:\Windows\SysWOW64\Lmccchkn.exe (command line: C:\Windows\system32\Lmccchkn.exe), PID 2956
  - Executes dropped EXE
  - Drops file in System32 directory
- [63] C:\Windows\SysWOW64\Ldmlpbbj.exe (command line: C:\Windows\system32\Ldmlpbbj.exe), PID 2516
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
- [64] C:\Windows\SysWOW64\Lcpllo32.exe (command line: C:\Windows\system32\Lcpllo32.exe), PID 4836
  - Executes dropped EXE
  - Modifies registry class
- [65] C:\Windows\SysWOW64\Lkgdml32.exe (command line: C:\Windows\system32\Lkgdml32.exe), PID 1960
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- [66] C:\Windows\SysWOW64\Lnepih32.exe (command line: C:\Windows\system32\Lnepih32.exe), PID 4472
  - Adds autorun key to be loaded by Explorer.exe on startup
- [67] C:\Windows\SysWOW64\Lpcmec32.exe (command line: C:\Windows\system32\Lpcmec32.exe), PID 3276
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- [68] C:\Windows\SysWOW64\Ldohebqh.exe (command line: C:\Windows\system32\Ldohebqh.exe), PID 956
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
- [69] C:\Windows\SysWOW64\Lgneampk.exe (command line: C:\Windows\system32\Lgneampk.exe), PID 4172
  - Modifies registry class
- [70] C:\Windows\SysWOW64\Lkiqbl32.exe (command line: C:\Windows\system32\Lkiqbl32.exe), PID 4504
  - Modifies registry class
- [71] C:\Windows\SysWOW64\Lilanioo.exe (command line: C:\Windows\system32\Lilanioo.exe), PID 4224
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- [72] C:\Windows\SysWOW64\Laciofpa.exe (command line: C:\Windows\system32\Laciofpa.exe), PID 1004
  - Adds autorun key to be loaded by Explorer.exe on startup
- [73] C:\Windows\SysWOW64\Lpfijcfl.exe (command line: C:\Windows\system32\Lpfijcfl.exe), PID 2052
  - Adds autorun key to be loaded by Explorer.exe on startup
- [74] C:\Windows\SysWOW64\Ldaeka32.exe (command line: C:\Windows\system32\Ldaeka32.exe), PID 2792
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- [75] C:\Windows\SysWOW64\Lgpagm32.exe (command line: C:\Windows\system32\Lgpagm32.exe), PID 2212
  - Modifies registry class
- [76] C:\Windows\SysWOW64\Ljnnch32.exe (command line: C:\Windows\system32\Ljnnch32.exe), PID 4512
  - Modifies registry class
- [77] C:\Windows\SysWOW64\Lnjjdgee.exe (command line: C:\Windows\system32\Lnjjdgee.exe), PID 2388
  - Adds autorun key to be loaded by Explorer.exe on startup
- [78] C:\Windows\SysWOW64\Lphfpbdi.exe (command line: C:\Windows\system32\Lphfpbdi.exe), PID 2368
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
- [79] C:\Windows\SysWOW64\Lddbqa32.exe (command line: C:\Windows\system32\Lddbqa32.exe), PID 4196
  - Adds autorun key to be loaded by Explorer.exe on startup
- [80] C:\Windows\SysWOW64\Lcgblncm.exe (command line: C:\Windows\system32\Lcgblncm.exe), PID 4940
  - Adds autorun key to be loaded by Explorer.exe on startup
- [81] C:\Windows\SysWOW64\Lgbnmm32.exe (command line: C:\Windows\system32\Lgbnmm32.exe), PID 4656
  - Drops file in System32 directory
  - Modifies registry class
- [82] C:\Windows\SysWOW64\Mjqjih32.exe (command line: C:\Windows\system32\Mjqjih32.exe), PID 3788
  - Drops file in System32 directory
- [83] C:\Windows\SysWOW64\Mnlfigcc.exe (command line: C:\Windows\system32\Mnlfigcc.exe), PID 2168
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
- [84] C:\Windows\SysWOW64\Mpkbebbf.exe (command line: C:\Windows\system32\Mpkbebbf.exe), PID 3248
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- [85] C:\Windows\SysWOW64\Mdfofakp.exe (command line: C:\Windows\system32\Mdfofakp.exe), PID 2252
- [86] C:\Windows\SysWOW64\Mgekbljc.exe (command line: C:\Windows\system32\Mgekbljc.exe), PID 3868
  - Modifies registry class
- [87] C:\Windows\SysWOW64\Mkpgck32.exe (command line: C:\Windows\system32\Mkpgck32.exe), PID 1172
  - Drops file in System32 directory
- [88] C:\Windows\SysWOW64\Mnocof32.exe (command line: C:\Windows\system32\Mnocof32.exe), PID 4216
  - Modifies registry class
- [89] C:\Windows\SysWOW64\Majopeii.exe (command line: C:\Windows\system32\Majopeii.exe), PID 3768
  - Drops file in System32 directory
  - Modifies registry class
- [90] C:\Windows\SysWOW64\Mpmokb32.exe (command line: C:\Windows\system32\Mpmokb32.exe), PID 2476
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- [91] C:\Windows\SysWOW64\Mcklgm32.exe (command line: C:\Windows\system32\Mcklgm32.exe), PID 2088
  - Adds autorun key to be loaded by Explorer.exe on startup
- [92] C:\Windows\SysWOW64\Mkbchk32.exe (command line: C:\Windows\system32\Mkbchk32.exe), PID 4400
  - Modifies registry class
- [93] C:\Windows\SysWOW64\Mjeddggd.exe (command line: C:\Windows\system32\Mjeddggd.exe), PID 5096
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- [94] C:\Windows\SysWOW64\Mnapdf32.exe (command line: C:\Windows\system32\Mnapdf32.exe), PID 3744
  - Drops file in System32 directory
- [95] C:\Windows\SysWOW64\Mpolqa32.exe (command line: C:\Windows\system32\Mpolqa32.exe), PID 2236
  - Modifies registry class
- [96] C:\Windows\SysWOW64\Mcnhmm32.exe (command line: C:\Windows\system32\Mcnhmm32.exe), PID 4528
  - Modifies registry class
- [97] C:\Windows\SysWOW64\Mgidml32.exe (command line: C:\Windows\system32\Mgidml32.exe), PID 2220
  - Drops file in System32 directory
- [98] C:\Windows\SysWOW64\Mkepnjng.exe (command line: C:\Windows\system32\Mkepnjng.exe), PID 5140
- [99] C:\Windows\SysWOW64\Mncmjfmk.exe (command line: C:\Windows\system32\Mncmjfmk.exe), PID 5184
  - Modifies registry class
- [100] C:\Windows\SysWOW64\Maohkd32.exe (command line: C:\Windows\system32\Maohkd32.exe), PID 5220
  - Modifies registry class
- [101] C:\Windows\SysWOW64\Mdmegp32.exe (command line: C:\Windows\system32\Mdmegp32.exe), PID 5268
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- [102] C:\Windows\SysWOW64\Mcpebmkb.exe (command line: C:\Windows\system32\Mcpebmkb.exe), PID 5312
  - Adds autorun key to be loaded by Explorer.exe on startup
- [103] C:\Windows\SysWOW64\Mkgmcjld.exe (command line: C:\Windows\system32\Mkgmcjld.exe), PID 5356
  - Adds autorun key to be loaded by Explorer.exe on startup
- [104] C:\Windows\SysWOW64\Mjjmog32.exe (command line: C:\Windows\system32\Mjjmog32.exe), PID 5396
  - Modifies registry class
- [105] C:\Windows\SysWOW64\Maaepd32.exe (command line: C:\Windows\system32\Maaepd32.exe), PID 5440
  - Adds autorun key to be loaded by Explorer.exe on startup
- [106] C:\Windows\SysWOW64\Mpdelajl.exe (command line: C:\Windows\system32\Mpdelajl.exe), PID 5484
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- [107] C:\Windows\SysWOW64\Mcbahlip.exe (command line: C:\Windows\system32\Mcbahlip.exe), PID 5528
  - Adds autorun key to be loaded by Explorer.exe on startup
- [108] C:\Windows\SysWOW64\Mgnnhk32.exe (command line: C:\Windows\system32\Mgnnhk32.exe), PID 5572
  - Adds autorun key to be loaded by Explorer.exe on startup
- [109] C:\Windows\SysWOW64\Nkjjij32.exe (command line: C:\Windows\system32\Nkjjij32.exe), PID 5616
  - Drops file in System32 directory
- [110] C:\Windows\SysWOW64\Nacbfdao.exe (command line: C:\Windows\system32\Nacbfdao.exe), PID 5656
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
- [111] C:\Windows\SysWOW64\Nceonl32.exe (command line: C:\Windows\system32\Nceonl32.exe), PID 5700
  - Adds autorun key to be loaded by Explorer.exe on startup
- [112] C:\Windows\SysWOW64\Nqiogp32.exe (command line: C:\Windows\system32\Nqiogp32.exe), PID 5744
  - Drops file in System32 directory
- [113] C:\Windows\SysWOW64\Ngcgcjnc.exe (command line: C:\Windows\system32\Ngcgcjnc.exe), PID 5788
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- [114] C:\Windows\SysWOW64\Njacpf32.exe (command line: C:\Windows\system32\Njacpf32.exe), PID 5828
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
- [115] C:\Windows\SysWOW64\Ncihikcg.exe (command line: C:\Windows\system32\Ncihikcg.exe), PID 5872
  - Modifies registry class
- [116] C:\Windows\SysWOW64\Nnolfdcn.exe (command line: C:\Windows\system32\Nnolfdcn.exe), PID 5916
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
- [117] C:\Windows\SysWOW64\Ndidbn32.exe (command line: C:\Windows\system32\Ndidbn32.exe), PID 5960
- [118] C:\Windows\SysWOW64\Nkcmohbg.exe (command line: C:\Windows\system32\Nkcmohbg.exe), PID 6004
- [119] C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 408), PID 6088
  - Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6004 -ip 6004), PID 6064
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 96KB
  MD5 b48f7dbbec120c822f221590416c7576
  SHA1 3ba1ed105c3cda877d0df0a7a4ca3e93f2c93bd2
  SHA256 50feaad847c126e275f0e1d0dd777308ce499e675c97da9e8d24ced420d2cd90
  SHA512 a4213009508e4f3719f5c26166f930c7cc6ca2ab7b115937e4211211379fca61c3d302f7a47ff0a3e0879a5f03edf89430e8c5318d09ae592b5368928d030333
- Filesize 96KB
  MD5 9c76fac0260c8fb2a22bcf463f236ad1
  SHA1 57ed0bc686626f4cc12edf17abf5f3aecd423d42
  SHA256 5bb718282d0fec0c4d10917554fb46ce64c53a16090a9b40302976089c8853f0
  SHA512 8aa1c8d5327076305f133ea7736ab8714a811710b71f83426f02148997d6fe82e7570b259ac3e8ba27678ba97b127926e80c4f1429822bce4fde2231ea5ab85c
- Filesize 96KB
  MD5 acecb1720f6b25bccabe2a3ee8e567f9
  SHA1 8dc6a7d5b423eac25982ba6f503c10704a727ada
  SHA256 196d1d25e4829ed6d2ba6c2377fac9b1b77edd3b5b8cf079688136711872cf59
  SHA512 efb6d23ea7079438c07730489726d60ab19626b469f2879bd58cc53b476142def681b82020da6bf7b056ee404d9e3724d24a653de468ca80d19c7bacc1b4a587
- Filesize 96KB
  MD5 f7e3d216aed45707220400de17de2112
  SHA1 8650167053b0209b307c8861ae64eac1d87897fb
  SHA256 dba9701dd17df381be1c50ee0f93f0338f286f3a59e90d379fea9cff652ef8ec
  SHA512 afad5ef9b269ef40d105a41727ace154902ca1db294de66f762b4924476f550654c132c7eb06ee0c72d12d8d685dbc2fd7f749d1d5251a421c1fb280cd5e8c38
- Filesize 96KB
  MD5 9b5ba5ddb40565a21857b6ccff70c67c
  SHA1 5aa76ff13666aaf647cd0e0c9909bfa075b3ebe1
  SHA256 f34c6132f51fc72ba8507f5204abf0d3fee106fd254080a70f3ab3b056e25c8e
  SHA512 01452fccdae4fd3cefd30711bf06cbabce69eb4b9ec1d9690047ba2de38b29722f6c54f7fb20d903bfa5964b101dacd6f42a4d086910b7fa05e7a77eb819cfbf
- Filesize 96KB
  MD5 8e398790e9ebffcb3ababbb807c8d182
  SHA1 0a66be445598a9169b7f8f6bd6329f4cd72b5517
  SHA256 a79adfe8fac42489a0956b68590785ea70ca338c0d988e1c67fe6086cc0b0749
  SHA512 989b9e06dceea98ef5015cb83b9cba718e9155bb849e6e957dd59571716a39cba9465051b272f7deb6d6b7b58fbce8cba3de5c65c8ddb7d26edc0d369fafe298
- Filesize 96KB
  MD5 4a55b91ec5e99492ef9960d04928a5a7
  SHA1 e12ffbede2a3dd4ca8925032450b72d1f9ed972f
  SHA256 fc1c622d7e8a08c3cf369f8ad9788f4b28962cd64b5b9104feafd7433e7d7fea
  SHA512 fc84b5f2a77ca947b0d998a6fa48ec7a47a0bf5e9d266538492cea54c6177cbdb9d801013426a38f64635f2a188d23cc6c3c3d8236946b74e728a102712165cf
- Filesize 96KB
  MD5 9b5ec0e86699cd3e1fcdb4ede45b7563
  SHA1 f242f96354e17f4fc2e6f22f68390c2cf1889c80
  SHA256 c8a397b90c70c2fb2740f826e4e1f73f29a25173833a06e4f92ba788687b7bea
  SHA512 799d336c672c251bfd8181cfe4e31b4793ddfc3ca0bd50c94bba805b6f01e84125684e108ff6af129dd09a1ae2772a49e32cd5ee379c0be859e44ad060bf493f
- Filesize 96KB
  MD5 a26c1d93226d0f15ad36103f27511108
  SHA1 d0da547a96d972a3eb1b7dc0fcaf9eaaee028e39
  SHA256 b90f9f77fc3d8ecb4ec02743771f5d409340ae07c416e6a9ff12dccd735ce889
  SHA512 4d94294627f245637eb43e425c42993efe152bce346a6450a90f393073966a3c789a7be8d3fcb4a3e11909db37ae3fbdca58f6cbdded2bd634499b9df05a9106
- Filesize 96KB
  MD5 5533e19eafd31aa4e1c02303634379a1
  SHA1 759ddad4d3fcaa5bb3c16dd541ae92fc21a7219d
  SHA256 335bc1261b8dab426aa31b8c5d950ce3575d2c3de0dc5ef4a02a8efb59e1ecb1
  SHA512 9a43fc59a858d780fc83b87194a1e3e6c3a54fc7800afdc560b70a6e7c9ecf87e259af8ac29b3a43b907acb782f2fc410fe002cfad7a0d373c66abd5e689746c
- Filesize 96KB
  MD5 cf1dbdcac894c9769780b0d7427e6ba3
  SHA1 924f08a71c5ab9b7673dc571ab59b5f2d183edc9
  SHA256 8ba27f6bdca1ec1f2b651c64534d2809540a7b3df99c0998e74b59126cbb57c2
  SHA512 18ffe73b64bb6d21d0f86d5c1c2f344bad3057d21499079b73b014cea3262a0365e8bbd91e4b9ab4c7f3fa9f7c465e3c66831a18e1847d598f865dea0e5474f8
- Filesize 96KB
  MD5 a7b07bc7ce59205403000d4124e66683
  SHA1 d74d38d8d3b1eff5274c2aa6d6059c1487d05b43
  SHA256 a044d49ea670eca1b1654b67729fc413aa843a5b586535bca70f9cceabbeeff1
  SHA512 72d44abccf23c460119c1ec65f435c7ec8e4b8c2d20507f06c7d4e3d5161eff7bc2f90590b9c297f58e87ec41d4b5b41a1f6c40573640d4bd563910e985063fe
- Filesize 96KB
  MD5 bd287a7f5abe2b9449ac7b38f9a706e6
  SHA1 3123ea7ca7db103994eb2b580cf06639399e115e
  SHA256 d3d01c8e73e28fde18f367ff2c7793c03d756f31cd6ced449b03ed1d47505c5a
  SHA512 2bbd9a03cf5913ae8480c384fb3e383ac3486861d3ecb58dc27c917dba1b36c5e1c7e8a1a7eddc72902efb03d76024ded084b97fa8259c465e6e7a1fffc73ac3
- Filesize 96KB
  MD5 c25fec62424cc838b008ad11ab8d0ee0
  SHA1 da98dffa996c2b4fd13ca6fa3f582d8b11d85a5d
  SHA256 faf792d2017ebfda1d7e1004c967843eeeda37829608f52255a6575cff4ae047
  SHA512 047f87086aa4dc18d0e9d851214d0199e9c89f909da09d02bf45a23956c371ad3fb29928ad1fa7771bba72ba53e4ad5e9c4dcb6809dd9b43dfd798f168aa6e05
- Filesize 96KB
  MD5 b40342473108bd27de801cda07f2c65a
  SHA1 fb45d6d9c8e7f0b651ebec7b6966e3e76093b420
  SHA256 9df4bb4448d5664db1c0ba717af4aae5e1eb29b4be7212ee07edaff9eace6cec
  SHA512 0ffd8481686a3973edb44e5883082718971acea9b837e0a0f4ea5a3272f6e3605c137c682b0af0b299d6aaf51a1a7fc1accdf452e3f0a788ab5628f2e01b46a0
- Filesize 96KB
  MD5 5374eb67c71e152418ed3acec22b6090
  SHA1 b75501f87947634b50881034ccd971fc4d2c7a59
  SHA256 e3d3ca9b74c1b299825ea1fe6a68e509ffbcf7e73edfc63d0583752fa99d846f
  SHA512 e7693cfabb1bd7723a52a4cea81ce4d2bb5d21cf3df98b2fa921412746ba4a4eab614a49a0c427b972c2fa9bf6418be13d09bdc8f7785355d7f9fd2b356a0710
- Filesize 96KB
  MD5 a888224d67715dae015256980579c061
  SHA1 e97548db403fbe92a2682a8014ffe0a31334ae74
  SHA256 1e3aee3b17d7731e7a55958ca8fd84624b1442ce93430686ae8f26c529e54d68
  SHA512 71dc3e65e74ca94836e13f15371f3c5f788dd73080f88978b9e8f27abaf9bc54686f92d6322fca5d5c490e07cf3274d1e45a9007b24bbb73b02e37491c2de5b5
- Filesize 96KB
  MD5 2f71955b564466dcc46e374e293b0cc1
  SHA1 d7d8222c26604a8a1b2471ab61478413cef35c7f
  SHA256 1419ec41a133c7b025dc8b03c8ae06b4777d6e7c4893bc29c749568a9ebb7c75
  SHA512 843bbbd382b9a76fa650acb45ec7a0d9f4533644384f3214ddc14f9589b9ce316b83bdb31d067c733b838172c9362c8519b391f06adab40e4350c18574158474
- Filesize 96KB
  MD5 54ad19a20c6d9df15eb234ee25d55a0f
  SHA1 c55935c68543ee79ec6f4b39b441f7972fc802d5
  SHA256 4f8fc9896033f25b364a8b9dfa98d8abeaba203987011a8578a658afdb7d2fa4
  SHA512 30e4c635ddd66c5149a5b6f48e352c158723c6a4174df171a50b6528a25c4130b6285334198b94bb3e2f5519dfda78b2eb62666678fe23173bceb364862b7bbb
- Filesize 96KB
  MD5 6743375c446e0a9c57a52203617d7f44
  SHA1 73af79754a0a02b64ed1db8fc48790cad9e14325
  SHA256 12744ca19753254ccf2fe49213d7d72f6974b8cb3a7189c7b84abdb10f49ae07
  SHA512 a43bc20042ce8e8c1e8cf2d0ba32e84de0262155227c6014da9e05d5429dd0488ee7917e88de62cf9cd1da24aa39c4588cfaf0905fc8aa5c31af4a06d40466d4
- Filesize 96KB
  MD5 d4eabd6d788a77acd5380dcb8b618ae1
  SHA1 5447606ecac165541520e9818a5a6550fb044239
  SHA256 6fd32cbbe5eda6841c97a8fce5db443078dd4a05a15e669bf482132fbc70c995
  SHA512 c354e6fed250f2b8c48011dde19788d1b2b24663c413280eda50e9b1c2e0f391ac355f79335bfa50cf926ee6fd00820e6fd288e07ca2877004cc5ef9bbb4489a
- Filesize 96KB
  MD5 30f1cb6aa6c17f482b4cc11ed6b9df97
  SHA1 17e7428c0f7d54fe7b36a2cc6e88ece1cbf16095
  SHA256 8cbc750d2efb87bb1c621daa6cd30e05bb233b6dea5e7daf038a1c6ab41aec4c
  SHA512 1d6aa3f6296bd9f3b3dc749752c0c5ff301bc4520e5a2c42d92886cfdf159d5350a0d3c0052d22a9a9678ef4958ba46d1771af3ae4d567bc752c5835c180c20e
- Filesize 96KB
  MD5 1ee6d8a4ab324cec2ba80ce42f75fc1b
  SHA1 b78c3881b9ad9110568521d0358a4463c9d50de3
  SHA256 a01e60b35cd2217d5357c062c971e09e1b4094b00177888b545d0a7b6441a7ab
  SHA512 ecd4637b14356c0e8cd70b68bff35cc716faf023ceb9958fb1141e65dc19e96ae1c932717395769b5f9f4c87b51f71cdb720e24b8f5497c57e189296c978cc07
- Filesize 96KB
  MD5 5bfc9d7b160db43c49f0ba8a275b5483
  SHA1 7ec433722ee21f949cd69b4b258383ba7b546cc3
  SHA256 7321e5d4dc34246f9cfa969136a7acd732659292f71a791a1ac932dd7bbf8cea
  SHA512 72f880cf48f0386c6eeac26be4f1d70d901de11f1992f9dc1a8d39fe0d07b68ca630aa9eebe44e5e8514baadfddadc4451199f99f3f14472e07e976d2fd18784
- Filesize 96KB
  MD5 a945fe3b2eb14f797a40335d13db20ce
  SHA1 3d8e5f2f3b454f39c54b46ef0b269adb9298faad
  SHA256 556ad3b60bc4d150903b5875d5ca141a0d95a8add1295d13e53f9c9a6f5c9a41
  SHA512 8ebc64eefbe401821dee7f09e1094dc3a6f38d1fbbb5d0b6d103be31066e07ac3e92bf5d8e9c09e693e9a75d6646ca35d174cef06a07d13be755a1c861eac461
- Filesize 96KB
  MD5 7da17f8f29caaef8b65b4616ab512c1f
  SHA1 c41f4d1e2ceaff70d4edbdefc6b5f7f77f2bfb22
  SHA256 54748ebc1fc1e5f9acccba3f47c610451a565f2df5933f8cd219230d3db1c444
  SHA512 33cb6d8b1719c94023c561671654f0f8a004ea2155ae5f148a63360d747ec81325bb4fae2109ed16f68b0e78c7e11083da424fa593e21381e5b4a656ff4342bd
- Filesize 96KB
  MD5 922373366a636ec5a3e07e84ff41ef96
  SHA1 143e74192cdb9eb3faf34898078a2c6d2aa53849
  SHA256 5861976b201552a33516cbc6aa10b091d8136275dd3dddc57206b4d39acb7b3f
  SHA512 9e8d2a4b26779cf8883c9175049d208039e4d4f35680e00ade8ad0610e591db29b747fc6685d3741d295b3c34e643506f7f4b7341c6ab1cf81319072fe1668dd
- Filesize 96KB
  MD5 5147260db4ef1f0f3b69d3777cca25cd
  SHA1 e2e121cc1ab8ea445b3b581804eb6568181d5310
  SHA256 77050d429cd91e58c45e23fca5bc139e72053619038caefd4be5f8f4d4865550
  SHA512 f3e968ad8e3397530076bf78e0fede18f0919e0c22eb3e3d9f7858e65bebee96e209d85705575efeaeef35fd04a5c62b676eafb33c7319ff078b9b61a2dd0321
- Filesize 96KB
  MD5 f5078953eaea9e22cda2b4d922c152ab
  SHA1 ab1a3ff1caeac9491a7119611b3b7868567281c3
  SHA256 3cc73b9eded92bceb33c75c8d69ab1cdcd14764feea4b103b595a3b4553922c9
  SHA512 207086ae1f3be8862a205c06cd0a2b2a873819b4dac6ae4b19160e5e86212bbf8624f5fcd986a113e55d9bf12f8317d8fe85269693c62365e75cec4f6f8782af
- Filesize 96KB
  MD5 b0c54b6abd438fb0b19b361bb75e6720
  SHA1 e9f9331890991c405f3091b7e424ff5b2b1f046e
  SHA256 3adf7fe29c0af788196e1f2ef3e0b353ecccb71e98b6be39133ba8d97e8a2da1
  SHA512 bcf624d215f3dd69aba9547552f96f23e04f7114e1588887e46c564c2cefa6edb8dfa8e67894bbf3ac70df8d57f37a8662fbe000fccd7045751eaffa6b988499
- Filesize 96KB
  MD5 390eca616bc7529677992fa25095bb9c
  SHA1 77af33900d1d96afb6320d9a07ff277b603cd256
  SHA256 1b205c6141f7522c06c467d9b3ed0db5b2dca73b72a91c5011002d9e074c9dd8
  SHA512 6be7b36de8c653d9d5113d962bed15d5d05c7a63b57efe76aaf61f96a0278fb2102dd4d8d82084bb4220b9e676c5ce1aa6984f83542de1df3f409b925cb1b885
- Filesize 96KB
  MD5 7869de08f66c91e74938e26cd49a60f3
  SHA1 2b58033019eaeab661bae4b4cd32f514c0ebcd40
  SHA256 83dad8203814d48f66431d8597f70416e7b2b94576a644a8ff2569469fdd02e2
  SHA512 e5957b97986c3a930ea68ae8db3a24eed892fba42cf4cc62701136237fc7e185854c13a24c2df3abc0d90a04d9487f79b5b8042279d87ab5284f294dd2a02077
- Filesize 96KB
  MD5 def44f34ac9a67aab60b4afa17dd1be9
  SHA1 f111d72a5b48da51c81b62b5f668f700c69e0596
  SHA256 7089ed3e574e37770c15aaeef31816a09bfaf48d7fcc646731d47d4a670b1dac
  SHA512 a7b416fa25ca9618b92dbe23f9fc0c4bab40f80ac7e96538b499647ce99d89e307bdf8514628c67f4303b6545d8cd80bff634f27d7b5dd7e44a5c35528ba3671
- Filesize 96KB
  MD5 97de936eaaca07b26e1c0984257446d8
  SHA1 6de50938c93fcb24ad3462b331fe230e93e3296e
  SHA256 802a7c28e60f07c87dbe0df639c5ad383f90d6dc3d0771137bf74ff2dd3918fc
  SHA512 61198b3c98c4852bdcd93bd3e8e20fce847e538833a6c1e4084ae8e534c05f9f51b8a69b81bbbbdbdd0fb9c0ce848cc6efe872d23a0c069e6ab394f44e4fee8e
- Filesize 96KB
  MD5 1a56835f324541ec79e5a1e377c8e1cc
  SHA1 b8a202eb065039cbd389c2287292fdcfdb5a99b1
  SHA256 72ce235beb89a2f918f9e991a15e780708229fb564341ece14f3887d9c6d829a
  SHA512 18021ef6c60342bf2bfa56e24addaf943e719434dbe436217663687b23c3ae831e6dea516ca2f0fc53473c039c9d0bb1d51dc81da02390d633059631f39742ce
- Filesize 96KB
  MD5 b6cb17f89339d7bc69b7eaa077f0c2ec
  SHA1 aa959b7930c85839e09ac26862f1c6f10d4162a6
  SHA256 f8fe460b3bfd381bd82fd343ddf18e0bae8701d23dc7e588418952bddf8771f3
  SHA512 e9b85db7f37f607fc1e022970727f77d29b3bf25382dfc76ee9ecdda95f0c26478303b856b484d290b91bf124b1d673d695ac3a32fa8aca36ef374fead02fa44
- Filesize 96KB
  MD5 e531964856e9bdb78c500697d62857e9
  SHA1 ef94ba14ca446aef99dcda438b0a1c58bbddff57
  SHA256 38456d445da9bd6f69ce337e4c9fcb65a6708bdeef8197df8b80e233fd120f48
  SHA512 8155e3e9ad5b85a9d19a0228c5179c72674148a2090dd5aee083238e7fac5bc4367aa940d31c9c7f122d8e16c2611591ae90805bd52a8e1405a1a5994efb37e5
- Filesize 96KB
  MD5 796b7d3fdc32bac4e9c284fe6e08e6c5
  SHA1 412a7212e20d924208ec5d2c2890501e9f983da7
  SHA256 24434577c6c00cddd820dea767b714388a9207f383689231ed8f65eab032e573
  SHA512 ecc13fa482acaf4cc0d836ad8658761dbc5f09e93121be70bc150de3641a99d6dc704c0791c7eed8d161bab51c7f6ca732432f0ba961e772b7432d2dafbe6947
- Filesize 96KB
  MD5 10a05b049b7d0e569fa4f1ea26c90341
  SHA1 09f837cc75973257b25723b4876b6c5e720a640d
  SHA256 cf5a4ecca7bdd035d6befc7d84a56e2ed80a947ac91d9f645427b4469637f2dc
  SHA512 4f1be4e26f9df9bd9b317fadc9c01811f73f17b26500f330c4d8d5b40ed714661a7537b7558c93f05db0ea981938802b8d47ec4d98a1c8e27b74e91d589e6bf2
- Filesize 96KB
  MD5 db662dc3f0739b8a643168b3a97caaad
  SHA1 465dfdc94a19625901b487e9140327c985b92845
  SHA256 f01b8a1df1b802a8c53363f02999aac679754a2489b875ec3ab761e1bef30011
  SHA512 f6df31967dae44595cdc9ac6bc226a52215b8c8fe88f703e1a6e6263efd8260d5733972a4542072920d40d5f58adfe4c7dc97729eb6112ee3d9f892560bf9898
- Filesize 96KB
  MD5 c24f1767e6f82f9468465959f2c11c63
  SHA1 f4fa6fbdac4fc2427c44088658f542a639d2f542
  SHA256 9d21f04849bf87004d8d284aceedb4a1ab362d70cb3900b4e85b24b0371f8a1b
  SHA512 0f84d5bc5faa641c33a5d867dfb11be7b53ac5f505794f342c5e653e1933a0a10b32111a4e91dbd8cf2beee16a33f0366b0db243b878d12bcba91b00b3b81a26
- Filesize 96KB
  MD5 a94f4ffa614224028c6c16be731bda52
  SHA1 ff3f990f987534d0e3c71712a266e2ecb8023b4f
  SHA256 c4a57a2aef81432eb32dc8ddf0df43e50b235baf4bb7019008b057127cd3d817
  SHA512 3250ed733d00a1f16ffda2ebb2dd916d32dec48af039e062c8533f9957514e2d646a9c8a2e7df30998d32abdafe7f4f3296683ef0c6c1e1b23307229c51d4d71
- Filesize 96KB
  MD5 d196c98e439444c26d111b97a8c82a4b
  SHA1 d1ff0b11224452e22b43b3c1b8ccd4e6ebde7f2e
  SHA256 12701cb2b53042e2e825d3eaafcf958c419514eedaa34c70ee3d7b3662a83ea8
  SHA512 a2ae4470eee222410b4805042ce925eac82a16936316f13acabf868720aab91fb47a1bdef9af440567b8ab949584ec27d61be9a65a97b8ab4454599b6a86d3dd
- Filesize 96KB
  MD5 18b61b3deea6400cd9551708c7a11670
  SHA1 5af359772662109deee6a0e87ca59781ae7cbfd7
  SHA256 df5ef6ee66cd3a0ca602cced833cedfcee2bbb1ce63f8643b61e4b4af8304125
  SHA512 d9a36da02833ce6b5e97a1f1c8970ea718e6cbe84a6cd742c1e939b77ef6260db4b6878863fe15cb640220a43ff85648aecb53dc2ae27d3541b4fa01ca42d701
- Filesize 96KB
  MD5 8423a512b3ef071ca3ed2a93b1a7c415
  SHA1 f75d31a39323e0bb6327bcfdb8e493fa6efab36d
  SHA256 828ce1c8921d13851cc7f57b81a7afb19466da6f1ffe0b3c1e8a46f96627ea00
  SHA512 0ee0e5640368437740e45d9d1e8b3e1ca9117a08e7f623e7cf0c15a126289d7a3bb388de54d8a34d4296e2136c3095e8082dc52af993fedde5b59f7693bb3e39
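Every entry in the Downloads list is a 96KB drop with a different hash: each generation in the chain writes a fresh, unique copy, so a single file hash is a poor indicator for this sample and the whole set has to be exported. The Python below is an added example, not part of the sandbox report, that parses the list as it appears on the page (it accepts both the fused "MD5<hex>" form of the extracted text and a "MD5 <hex>" form with a space), validates each digest length so that a mis-split label is caught rather than silently producing a bad indicator, summarises sizes and uniqueness, and emits a deduplicated hash list for a blocklist or hunt query. The three sample entries are copied from the list above; the function names and the summary format are the example's own.

```python
import re
from collections import Counter

# Constructed sample: three entries copied from the report's Downloads list, in
# the flattened "label immediately followed by value" form of the extracted page.
SAMPLE_DOWNLOADS = """
-
Filesize
96KB
MD5b48f7dbbec120c822f221590416c7576
SHA13ba1ed105c3cda877d0df0a7a4ca3e93f2c93bd2
SHA25650feaad847c126e275f0e1d0dd777308ce499e675c97da9e8d24ced420d2cd90
SHA512a4213009508e4f3719f5c26166f930c7cc6ca2ab7b115937e4211211379fca61c3d302f7a47ff0a3e0879a5f03edf89430e8c5318d09ae592b5368928d030333
-
Filesize
96KB
MD59c76fac0260c8fb2a22bcf463f236ad1
SHA157ed0bc686626f4cc12edf17abf5f3aecd423d42
SHA2565bb718282d0fec0c4d10917554fb46ce64c53a16090a9b40302976089c8853f0
SHA5128aa1c8d5327076305f133ea7736ab8714a811710b71f83426f02148997d6fe82e7570b259ac3e8ba27678ba97b127926e80c4f1429822bce4fde2231ea5ab85c
-
Filesize
96KB
MD5acecb1720f6b25bccabe2a3ee8e567f9
SHA18dc6a7d5b423eac25982ba6f503c10704a727ada
SHA256196d1d25e4829ed6d2ba6c2377fac9b1b77edd3b5b8cf079688136711872cf59
SHA512efb6d23ea7079438c07730489726d60ab19626b469f2879bd58cc53b476142def681b82020da6bf7b056ee404d9e3724d24a653de468ca80d19c7bacc1b4a587
"""

# Longest label first, so "SHA256..." and "SHA512..." are never read as "SHA1...".
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)$")
FILESIZE_RE = re.compile(r"^Filesize\s*(\S+)?$")
EXPECTED_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_downloads(text):
    """Split the list into records like {'Filesize': '96KB', 'MD5': ..., 'SHA512': ...}."""
    records, current = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("-"):              # "-" (or "- Filesize 96KB") opens a new record
            if current:
                records.append(current)
            current = {}
            line = line[1:].strip()
        if current is None:
            current = {}
        size, digest = FILESIZE_RE.match(line), LABEL_RE.match(line)
        if size:
            if size.group(1):                 # size on the same line
                current["Filesize"] = size.group(1)
            elif i + 1 < len(lines):          # size on the following line, as on the page
                current["Filesize"] = lines[i + 1]
                i += 1
        elif digest:
            label, value = digest.group(1), digest.group(2).lower()
            if len(value) != EXPECTED_HEX_LEN[label]:
                raise ValueError(
                    f"{label} has {len(value)} hex digits, expected {EXPECTED_HEX_LEN[label]}: {value}")
            current[label] = value
        i += 1
    if current:
        records.append(current)
    return records


def drop_summary(records):
    """Sizes seen and whether every drop is a distinct file."""
    sizes = Counter(r.get("Filesize") for r in records)
    sha256s = [r["SHA256"] for r in records if "SHA256" in r]
    return {
        "count": len(records),
        "sizes": dict(sizes),
        "unique_sha256": len(set(sha256s)),
        "all_distinct": len(set(sha256s)) == len(sha256s),
    }


def ioc_lines(records, algo="SHA256"):
    """One 'algo:hash' line per record, deduplicated and sorted, for a blocklist or hunt query."""
    return sorted({f"{algo.lower()}:{r[algo]}" for r in records if algo in r})


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE_DOWNLOADS)
    print(drop_summary(recs))
    print("\n".join(ioc_lines(recs)))
```

Run against the full list the summary reports 45 records, one size and 45 distinct SHA-256 values; the length check is what makes the fused-label parsing safe, because a label read one character short would leave a digest of the wrong length.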