5744d016529e37aac7db5799e03de7b3ca7d0989da47d46d2cdf558868afcf98

Analysis

max time kernel
132s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4aa404811f4558048fac546f3e8dc840_NeikiAnalytics.exe
Size

94KB
MD5

4aa404811f4558048fac546f3e8dc840
SHA1

93dfb48c8a081d4c111f1195553612eac4f54156
SHA256

5744d016529e37aac7db5799e03de7b3ca7d0989da47d46d2cdf558868afcf98
SHA512

e718e2daa945075bec8bd5ad5039385269567f063c10ab46d5d0e993aee9af35d6f38d22fbaccbec7cf57a9961d8aa19ef3aea2fc39f111a780109841208bc6f
SSDEEP

1536:3dBo07QGzznS1+7zt8nM1husJf8ziwZRIngiNGMQgIp7BR9L4DT2EnINs:UDuS1ORCIYYIp6+ob

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe

Executes dropped EXE 64 IoCs

pid	Process
2108	Hcedaheh.exe
384	Hjolnb32.exe
1144	Hibljoco.exe
4720	Hmmhjm32.exe
1164	Icgqggce.exe
1132	Iffmccbi.exe
3048	Ijaida32.exe
4704	Iakaql32.exe
3276	Icjmmg32.exe
3860	Ifhiib32.exe
4512	Iiffen32.exe
2380	Iannfk32.exe
1212	Icljbg32.exe
3512	Ifjfnb32.exe
840	Iiibkn32.exe
3648	Iapjlk32.exe
2884	Ibagcc32.exe
1536	Ijhodq32.exe
3852	Imgkql32.exe
2284	Ipegmg32.exe
1204	Ibccic32.exe
2912	Ijkljp32.exe
3836	Jaedgjjd.exe
5016	Jdcpcf32.exe
2724	Jfaloa32.exe
3704	Jmkdlkph.exe
2148	Jbhmdbnp.exe
3300	Jjpeepnb.exe
4608	Jaimbj32.exe
892	Jdhine32.exe
4352	Jjbako32.exe
1624	Jidbflcj.exe
3896	Jdjfcecp.exe
4748	Jfhbppbc.exe
1748	Jmbklj32.exe
2660	Jpaghf32.exe
396	Jdmcidam.exe
4984	Jkfkfohj.exe
4368	Kmegbjgn.exe
4584	Kaqcbi32.exe
1084	Kdopod32.exe
4508	Kbapjafe.exe
908	Kilhgk32.exe
1464	Kacphh32.exe
3616	Kdaldd32.exe
1352	Kgphpo32.exe
4476	Kkkdan32.exe
984	Kmjqmi32.exe
4888	Kphmie32.exe
3688	Kdcijcke.exe
3456	Kgbefoji.exe
2744	Kknafn32.exe
2688	Kipabjil.exe
3592	Kagichjo.exe
2772	Kcifkp32.exe
3172	Kkpnlm32.exe
1384	Kibnhjgj.exe
2152	Kajfig32.exe
2952	Kdhbec32.exe
2980	Kgfoan32.exe
3640	Liekmj32.exe
232	Lmqgnhmp.exe
2308	Ldkojb32.exe
3012	Liggbi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hjolnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Ldkojb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5424	5228	WerFault.exe	199

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	4aa404811f4558048fac546f3e8dc840_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	4aa404811f4558048fac546f3e8dc840_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imgkql32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 2108	4712	4aa404811f4558048fac546f3e8dc840_NeikiAnalytics.exe	82
PID 4712 wrote to memory of 2108	4712	4aa404811f4558048fac546f3e8dc840_NeikiAnalytics.exe	82
PID 4712 wrote to memory of 2108	4712	4aa404811f4558048fac546f3e8dc840_NeikiAnalytics.exe	82
PID 2108 wrote to memory of 384	2108	Hcedaheh.exe	83
PID 2108 wrote to memory of 384	2108	Hcedaheh.exe	83
PID 2108 wrote to memory of 384	2108	Hcedaheh.exe	83
PID 384 wrote to memory of 1144	384	Hjolnb32.exe	84
PID 384 wrote to memory of 1144	384	Hjolnb32.exe	84
PID 384 wrote to memory of 1144	384	Hjolnb32.exe	84
PID 1144 wrote to memory of 4720	1144	Hibljoco.exe	85
PID 1144 wrote to memory of 4720	1144	Hibljoco.exe	85
PID 1144 wrote to memory of 4720	1144	Hibljoco.exe	85
PID 4720 wrote to memory of 1164	4720	Hmmhjm32.exe	86
PID 4720 wrote to memory of 1164	4720	Hmmhjm32.exe	86
PID 4720 wrote to memory of 1164	4720	Hmmhjm32.exe	86
PID 1164 wrote to memory of 1132	1164	Icgqggce.exe	87
PID 1164 wrote to memory of 1132	1164	Icgqggce.exe	87
PID 1164 wrote to memory of 1132	1164	Icgqggce.exe	87
PID 1132 wrote to memory of 3048	1132	Iffmccbi.exe	88
PID 1132 wrote to memory of 3048	1132	Iffmccbi.exe	88
PID 1132 wrote to memory of 3048	1132	Iffmccbi.exe	88
PID 3048 wrote to memory of 4704	3048	Ijaida32.exe	89
PID 3048 wrote to memory of 4704	3048	Ijaida32.exe	89
PID 3048 wrote to memory of 4704	3048	Ijaida32.exe	89
PID 4704 wrote to memory of 3276	4704	Iakaql32.exe	90
PID 4704 wrote to memory of 3276	4704	Iakaql32.exe	90
PID 4704 wrote to memory of 3276	4704	Iakaql32.exe	90
PID 3276 wrote to memory of 3860	3276	Icjmmg32.exe	91
PID 3276 wrote to memory of 3860	3276	Icjmmg32.exe	91
PID 3276 wrote to memory of 3860	3276	Icjmmg32.exe	91
PID 3860 wrote to memory of 4512	3860	Ifhiib32.exe	92
PID 3860 wrote to memory of 4512	3860	Ifhiib32.exe	92
PID 3860 wrote to memory of 4512	3860	Ifhiib32.exe	92
PID 4512 wrote to memory of 2380	4512	Iiffen32.exe	93
PID 4512 wrote to memory of 2380	4512	Iiffen32.exe	93
PID 4512 wrote to memory of 2380	4512	Iiffen32.exe	93
PID 2380 wrote to memory of 1212	2380	Iannfk32.exe	94
PID 2380 wrote to memory of 1212	2380	Iannfk32.exe	94
PID 2380 wrote to memory of 1212	2380	Iannfk32.exe	94
PID 1212 wrote to memory of 3512	1212	Icljbg32.exe	95
PID 1212 wrote to memory of 3512	1212	Icljbg32.exe	95
PID 1212 wrote to memory of 3512	1212	Icljbg32.exe	95
PID 3512 wrote to memory of 840	3512	Ifjfnb32.exe	96
PID 3512 wrote to memory of 840	3512	Ifjfnb32.exe	96
PID 3512 wrote to memory of 840	3512	Ifjfnb32.exe	96
PID 840 wrote to memory of 3648	840	Iiibkn32.exe	97
PID 840 wrote to memory of 3648	840	Iiibkn32.exe	97
PID 840 wrote to memory of 3648	840	Iiibkn32.exe	97
PID 3648 wrote to memory of 2884	3648	Iapjlk32.exe	98
PID 3648 wrote to memory of 2884	3648	Iapjlk32.exe	98
PID 3648 wrote to memory of 2884	3648	Iapjlk32.exe	98
PID 2884 wrote to memory of 1536	2884	Ibagcc32.exe	99
PID 2884 wrote to memory of 1536	2884	Ibagcc32.exe	99
PID 2884 wrote to memory of 1536	2884	Ibagcc32.exe	99
PID 1536 wrote to memory of 3852	1536	Ijhodq32.exe	100
PID 1536 wrote to memory of 3852	1536	Ijhodq32.exe	100
PID 1536 wrote to memory of 3852	1536	Ijhodq32.exe	100
PID 3852 wrote to memory of 2284	3852	Imgkql32.exe	101
PID 3852 wrote to memory of 2284	3852	Imgkql32.exe	101
PID 3852 wrote to memory of 2284	3852	Imgkql32.exe	101
PID 2284 wrote to memory of 1204	2284	Ipegmg32.exe	102
PID 2284 wrote to memory of 1204	2284	Ipegmg32.exe	102
PID 2284 wrote to memory of 1204	2284	Ipegmg32.exe	102
PID 1204 wrote to memory of 2912	1204	Ibccic32.exe	103

C:\Users\Admin\AppData\Local\Temp\4aa404811f4558048fac546f3e8dc840_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4aa404811f4558048fac546f3e8dc840_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\SysWOW64\Hcedaheh.exe
  C:\Windows\system32\Hcedaheh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\Hjolnb32.exe
    C:\Windows\system32\Hjolnb32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\SysWOW64\Hibljoco.exe
      C:\Windows\system32\Hibljoco.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1144
    - - C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4720
      - C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        27⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        46⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1352
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:984
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        55⤵
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        66⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        68⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2432
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        70⤵
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        72⤵
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4020
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        75⤵
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:320
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        78⤵
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        79⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        80⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        84⤵
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        87⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1264
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        91⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        92⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        93⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        96⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        99⤵
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        101⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        105⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        109⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        113⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        114⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5228 -s 412
        115⤵
        Program crash
        
        PID:5424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5228 -ip 5228
1⤵
PID:5364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fjkiobic.dll

Filesize
7KB

MD5
1b6168374da51a7a8c068c9b9e4b5ea7

SHA1
b4bc5557a2b8765447576cbe6b3039804f4e3a8a

SHA256
8d8679c1edeada62a40e92ae991e914aab1e68ff5da922fc04d6e23a971ebd9f

SHA512
39942d03c6c8c59179a945c8a10bd163e374b6f29793e15799a9011b898a3caba0d9038b4b26484fe8262089227337a9a4501d1ff2f849cd775c5838f0034028

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
94KB

MD5
f5f2e0391aa81758c63a6b0149d8b264

SHA1
13a67670e322bcf6e0969c66401531eb41388d8e

SHA256
902da379546f6ce726d25d345c6afcc002669d429ad14144b0dfc5aa467d2cf3

SHA512
e6cd87a6ee25469941892f441c65a857909db93f491bca00c9578f7402c6260c53f649535566b649a8bef62c4ed59dfe498b52062ce0a68ba2caf0eed66f1b8a

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
94KB

MD5
3373aff83f78993d5e175b497578847a

SHA1
c95ad0821db546b6a16f909d3646fa115dde281e

SHA256
df5d66a9595dfea05a4edc8e5c16a9a7767a5861aabcce9f678f7023a893c8b2

SHA512
dc62bfb5c6a9fecbb72e495871b2e3e28e656941643e538c37632a266c29946e9f16b69ff3a6e1e07b41598be9434ccc5dfd03b4d17c649b7d98c2e6fc9cddd7

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
94KB

MD5
5ce44178a3ecd6a81737d5fe0940e8eb

SHA1
734d1ef33de8e43cff1a606de2b97b1b08a66b39

SHA256
d17e38581a88dd9a656b15a0da48d9b32643200afabb44b1a0c370c881536a90

SHA512
2daf0cdd3111b649ca3a6ba350804d7545ae306103c642ff3cfbdee6b88cbeec195ccf295caac5d02977043c7136090ff97d9e4f7fc66f4906642c7a1ab8f71e

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
94KB

MD5
d1f0a69e49987d1fece38c113fcc63da

SHA1
628a0a007c6ff6273073554fc4eb9a3e2ff9604b

SHA256
38d489b345f455b7521feb0b2652278fbf94be5e7e7e19c1cc026a9fe9d2f01e

SHA512
c0a5f3182cbaa75eb25c75ba18d1b761c186ac95486bc9eead1c21f48c18c81528ef04711f05550993af216f805014eb74be3cbc111f269984101598950af68a

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
94KB

MD5
7b61631bb8e17d10b42c634b08c3a6ad

SHA1
6a46e5ba28a647c8fcdff78ca397835c63477cf5

SHA256
35525ce5e2f648966e228f3269a0f521f431f3c8c2ff17c5c084073e93cc6ab8

SHA512
69e6366a9b83a627fdbf25de8066cdbfd0075528fd9f67bb99f71f6137e83c6f3e3ea0ae0d54b03237e94a602c43ed5ebce4d19dc7c8a8e0c0a4cca0cd5bd84c

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
94KB

MD5
6c37451e9959bb1971ab75f5a3cca930

SHA1
3eb63968d2c27bc645fbf67a9893dae8c92a4765

SHA256
301f8ac5c2ce3f5f92d0e0a6ca630e37649fca84107dd1421b97b70907e25b39

SHA512
e837b2372934a5bf1f6ce55ac7a9e13e829df22ca73ae0d1e911162712c4275add280d572fe5ccf38ed7ede2a5d4ec9f677e48afc125a08feb36433eadd618ea

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
94KB

MD5
e745713670512a34fa17fee463249fe8

SHA1
a07a3683f5013a06a150d4124a80c2ada61bfcb3

SHA256
603a274d843d0b53a9dd7e80f470421c8fe8819b9f97b76c7a3206c48a09a144

SHA512
ffcad1824f63658b5a644eed3942b614e29f3357c975d815eab8cbcd37a70fe3f4bd7a04468eaea3f9caaab9a30ce7a3e8e847adb76b1f20f26f32c742e4ad82

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
94KB

MD5
9f6add302f7e8ac95b2dcd236662f70d

SHA1
33b5956698e412f473f37a099241357f5f5db95e

SHA256
7d0613c6babe0ea8eb20adbad8df390c57ee21c894bacfaa57c0b78c5c8597f4

SHA512
d0d5dde73471d8e96b50139bdb1c235635aee16fb6a6def7dad54c53eb047a1265e84bd48a77f7303fb47ec8575ca990be2124de8cf252a743850d35199d19d6

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
94KB

MD5
3a40dc8470c1814b721193eea7b751d9

SHA1
ca2b23bc80ba23fa3961d222c1eeac43652d7c3f

SHA256
2edecb652f84654f07a90ff0dd26e903f77fd2d71b57377d9a92ad2ba695bd16

SHA512
00949bb701850276eb69c0b1a8496523d218fd6cc4b6d1c13de1714daa6e6dbf526f9e4204a413f2479d4002118227a539aad2a46f4c9a402eb182103cee473b

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
94KB

MD5
3e5cc5eaf091a4ed47bd289992cde0a0

SHA1
7e73f67c5f8996aad793ba2f818d659eddbcaa66

SHA256
4eb77cb36241d6e11c08e4c4d53d59fad5eeee5aed082e12e7a140e85351960e

SHA512
a61fdea3b291612941fdccca7ba378edf2094ea7a1d4b8f7550b4a7bef9313d3f1ea823a75871627fe4a2950424c414f82cd202872d5f4490ace6b0a37a8d8aa

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
94KB

MD5
69bfafd6cb7da58df6a89c98d8ca9891

SHA1
fe20f85ff13057299d26c4d37c361b6dc3720773

SHA256
a488de3eadbe8b79eda85dbae4b01028f76ce76da3e37345c30715b245dc9856

SHA512
1151c43415630f4ca0fcb05eb698eda36864fc4c390d313a49ce031edf448670894904ab9bdee09f75e2e251ef0e791fb9c35253228a1db5755dad5f252eed50

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
94KB

MD5
429d6b0e2cf17195eefe8f08db4b5c04

SHA1
c0296bc2bc4e414861e23efcb62f6fe24ad9db7b

SHA256
bc89fb1cfc9b5e97893f57f61bba283a88c864e722be3bf52efbfeaabc3b0944

SHA512
3c62aa29e3b7ae54fbe972552ae434e7f6f7cc3f76fb863e69f4b8388e03f6fcb28b2b22f85009f4c938f874c9ce2c1b0100a2c3f6ec7caecf44a94a83ee5075

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
94KB

MD5
cc1f038d461c47d9703e2745a3a3e8a4

SHA1
03a297fc2d0369c58820ddfecc49393518c6a138

SHA256
f41b0b05b337d6110fc727286d49b4aabed6620a1970ffa92ea3d5386509c67d

SHA512
4fb79e0e0f5705e43f71cfa45a29ea0b64547ccb27212a32460e2a161bb66ea1c83a43564d196c733e6fa30fb2ab6eadc9a4820e7443fd39f03375f643881e25

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
94KB

MD5
2bde126b8b170ae7945c58442f7056bf

SHA1
b324682c472dca8657a8d062e77c6cda260e38dd

SHA256
e2c0c978cec72ebc927908e6a6d1e472275ad0607273c717bde78d8c1af23336

SHA512
55a1fc37942eec52116cc12fa20f6c356ce9919ac3e5891a915e4681d9577bc53ca50b36b0d38ef9532e2bf2889d51dc09829391dd67fbee4462756d684e3bc2

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
94KB

MD5
4fb3c724301bb7efb6d72420b7bcef80

SHA1
c5a3ffe5542ebe46e76a6bb328290f14a36fa8c6

SHA256
4aa5c87a0c8cc7d7d02cc5bed5b0faf22ba80d9fa723254dd656b66857f833a5

SHA512
ce33f44cfcc623f7f132b95298a281fa44a0a6397501d8f9dc2e251d7254a0e2e6e7ceabe01c578b8acbd5e3cca24b51d1b145d86eafba2234837b49b210b885

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
94KB

MD5
9209cdba96e506096bb0d9f8b9b64060

SHA1
1b3b7f814a9b6cb0b26a3c767a487f4de838d45b

SHA256
23e39d110a160d0ce0960c2a370c1d7ee67d51ad73ee572b2b24513b350fb0dc

SHA512
31c492a69187744924871ef67967b8dc3f47d06a5380b373411abfb831a58c919cfbd2f6cd72660de080aa44759c24e86659175da79d20e0f71e6b1852f31b2e

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
94KB

MD5
a30832ecb0b688c3b54a4590508b8ffd

SHA1
b92cb913d2ac4247b618c9a9d33f62dd718e58ae

SHA256
919358328673e87100936dc53ebd0be82560d1d753edf0fcbd9c50b7fc0bda34

SHA512
5a855e1ddbb8d72ec76f2a4b5d1d956172aaf71328b4c44c93a8e5ebaf1ee39b1f7a56b1df1db1ad5a3ad37ca90fceea5bfd4e44282b780d2e94575ef91d73f1

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
94KB

MD5
dc04723831921118137e0767fe575b77

SHA1
8ee7cdc82c6538b0f0a5a3894bf4744761f66006

SHA256
df7fba3ebe2aa636406c34a57c2395ab11b9a6c8222b8b82b9dbcbaa3e65e71d

SHA512
f40bfbe1e5b63ab71d6124e4a41aaaabbdeb0e41bf31359a9acdbd6c3c6d2c38d8a40d412744ec34675aa0211fe6a8536d17f4074cfd29a3bd9a3532f0b21261

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
94KB

MD5
11f0acaac33f7125136f7a5df3c23caa

SHA1
72b5f0aa484490e3e3eaaaee0775763cc5100951

SHA256
3bcb83651fa90873ee22a835cf1f2b42f8a610b08b64740e8acfdaf4af8533ee

SHA512
5bab9c62788b8dce852df5d09d5714bb1f5b1ac712ce096b2d4d344fb1268451b9a6e359cbee3f1d4c7950178d442f06bb4f7121c4e9e78027de9d59a7553cb3

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
94KB

MD5
d738a4e8b41fb2f87d280bcd05550a6f

SHA1
ff019426a241b8fbe04d03fca65e89c588346def

SHA256
fe183de4d2afba891c8baec4380eb6110cc7334688ab31fece97748cf86e39b7

SHA512
fa8c6583311a4028abc8f5c1af79208daeaa71a79b5f8f666938f96d01bc51da40ddd347fc03a6331bf1949876f02f4c55971f326a57137d7a4c4ee69cfaffae

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
94KB

MD5
198972ef20bb768d7ad25c1a7c30b274

SHA1
3fb68854b86b00d3ed1b33d378a4c7dbcde6b534

SHA256
0ec69a310c1bfa7a240637cf47ab82d7f42346352acc92bd46aa9b31d8409d52

SHA512
5872ce8088acb85176ca16293e008f096b8482effffbf9b2d8a54d8733c9cd870712b02989139afe126b1373f0a47f8b14668ed65d13971b7e32503f79bf43ee

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
94KB

MD5
f87786fddb2b834d5f72e9cfec18bd47

SHA1
30d77c17495e1c4a35b9bcfaeab9d0771df6169a

SHA256
e958dc060f912b7cfac588c50d3d0c9af142e57dd67677dd9184f18ed07087e2

SHA512
cb3b929829a46e3bdb38932a2ef362486a5869254729522cd662b367ff333a02416b31121275f4ef19ac8f1e2955e5f837058587502cbe23abe31b36449eb70e

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
94KB

MD5
0311beccd7b7266366da28274d87714b

SHA1
ce9855e0304db2b8ffb12492c98254ab91dc600d

SHA256
fc1efdb57e9e411835cb4d98328723848fd07c86f8649dad1d7620dd6727bcb7

SHA512
77d6957ff262af1a17369a580f5d78ed434448a4a77e41a655922724d6f9b32f557cff26638e9d3d005db7ef4084eb18dcc4c6453cfd973d59b66b466b53267e

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
94KB

MD5
9595ab854deb85bf80fecfafaed903d6

SHA1
f5546ed93a16a9410635af534f811cfdad973621

SHA256
c26526d6b1bebb664cc7e04564f65aeb8efc38636988e251141223167fe00ddb

SHA512
0f8758c80629b3877e0da64cd5f29176fcec3f938f18ab403d3f6c9fcc255f575243f63da08e3216f89518371ed3c52cd715e9562403bfc2a194236a10a3dbf4

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
94KB

MD5
f22d051b381b8e183a176c77670263cf

SHA1
1bf8f2f2eb3681f0a5d58dd70705bb411fa61900

SHA256
1d61a573167806982f843d48b7b99f0c54a31f8fb7abab78cf5f91679fc7f135

SHA512
a288728c95488fbe2b366dded8fd2161008cc0a5ff61f78bcec0cedeee6b551834760cfa3175843801f2f66c54b0b807c60518519c6c43d1a49e5a92916386f7

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
94KB

MD5
da8c652804d110649a9231f33636d162

SHA1
456669739162335f8dd07b73be850ea8a38383e4

SHA256
31e424e2bfffee60b1160681877fa3cd795805eadd68b9690af1a493f17e98a0

SHA512
a5cfe9cb4874a7049829a0c4c673008ba19e91bc40ce9913ddfe51d80764f7b68cd7387bb426c898a41324d62fa200ad90ec6852eb1373fddb18ce337263c177

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
94KB

MD5
c3d7b5980fbdc5a977a35b12d8cc2878

SHA1
e9493b65c3c1f6e9db615dcf901687eecabe97c9

SHA256
4d04cbdb70c814de52d9fc5182b2cca58f017958e2d111864bb164cd34a4ec30

SHA512
ed55d31c1a4c940def21fecf1696c06d74afa770fb48264b066cbbfe435bdd6e2fad0c540c272f2b77ed2d0a6e2e10113d373589fce50e6b024d432aa086cc20

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
94KB

MD5
29305fdfab7d78ec2d1953bd1cc54669

SHA1
395b47d77562261a24c0b49d79d5becb440a41c8

SHA256
42b0b3f7df49fff1789da32bd7936eeb401107780c855a1787cad6cef76c0179

SHA512
fcc3aca3f115ba6d73adc720c07494894406344fd1b1b2aa390a7f751e541c46fffb8d69f6e4ba44439c408e31431d3c30f0d71b6620859f9f0ee894aba2ecb1

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
94KB

MD5
5e5326a26807cd4fdeb2b1d473bdad65

SHA1
cae46455f349dfa46b717f5b89ce1e3c192b5de5

SHA256
6a3a938bd9ea6eccad24009634450a93b1ed74c77807639828bc8310dfddf0c1

SHA512
9d65dade06997f947e3045bd449802b826307a0e33e25df28953ddbf76ec93a13c0a8e3acc7e36a47c84558c087fcdc5013ccb39993d2933b03ea039bd54485e

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
94KB

MD5
ff2d1cc1cd07711e3c051942f5016a3e

SHA1
6d72bb5ff00d1444ecf40754f7c2beda9601991d

SHA256
545ff51ce69c5c58a8a0444e3b5cdbaec559b36d83c50741a7e4c73fab2f3b8e

SHA512
2efa4235d8f0ca61b074e1ab0788deb1dd78ddcede411df1923c48a1ead88d6d1d3c700ee4305dc8e3a14230e012fed342768aca384b1a17a207fc787f85bbb3

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
94KB

MD5
1a1084a5280891f9460879c7b4a881c8

SHA1
4eaae76d451294b534bafd71deb0a194e8f80459

SHA256
95387909093b366ae3dc6aff27994e19176534b40183269296043a9841ebd7cc

SHA512
1154c69de5661bd5059a0ebea2c434e3529179952efbac18949e2324c81e9de40ba14aa8f682ac184fb1301a8aa2b00158cad197b303e26fdedc71dffc754577

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
94KB

MD5
e5ec7b4f8bbf548f0869c1de9f2681c2

SHA1
a48c5bd95625e41250accfbfe26bf08f061cb053

SHA256
6d4e7fc77cd681bbbd5eb5f0cda157ab7cd87e0cfda11529cbdd8831f40526a4

SHA512
895abe9ab43dc767ded52128ff93b4332bca034c7947a2acd7ad1088c1f8d6571527af91ab6fef9d0fd8474ff3503a12625e26167d70df5f3e0ccd3f98d936da

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
94KB

MD5
eaaab7e61909f38c60e6aea71c965b97

SHA1
20717f130dc21e138e432e050d940d0bd2828c61

SHA256
117eeb9e37f88228d4468ba8c385bac94a9438c0102de510698a6d97e7f07c86

SHA512
077ccfb2e6cc675cf2bc9af2f69a8ee17f6313239d05a6b3209f42d332762ffe387968f58278421524ee2c5e093e5b93db2622f7709a881c91630b0c30b6114d

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
94KB

MD5
7312ea3753e15189d2abf3d267f1ea8f

SHA1
b2acdf6d7a1fb1576bc421d6f4683feff8210514

SHA256
be31336641f5786a9387295896b2a3c2ae3ca704d9312777773f9248dfae3465

SHA512
531c156d44cc1c0dad6f53a32500096642f7cf5e5f8f6c4e80fc1e600417bbb2fb4d5175a3a51b48cb13c4fa26a2ae0a1f40357de0dd6531212f8c8c358ceb26

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
94KB

MD5
3a7b514c52bba1307e0729e5e164044d

SHA1
d8c4cb22a42aac0d4df90142b6b974a8973ef64f

SHA256
ed51c9244ac62b9a5a688f4615919dedf20079af728803d5305352a440926472

SHA512
1cf0efae154a5c32110d500b69ae1e8bf25be014836d6dec233b143c0d2e161206f390821e1fa7b0848766588c14dbcfad6fa28082ece13cadd62f6247c17396

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
94KB

MD5
a611f414a9257b31ca614faa17214d56

SHA1
9ccaac4469541ec9d172d8f4f0274f698406f4b9

SHA256
6164a4ca6c8a277308a75c7e55f100e088f0831f4201d9aeb6d989f5c070b67b

SHA512
bfdd26ec7ec0c707c14d09e363f292469a74dd5b7461c5c8d2fa6a6684d470dae0ea7f7dc66cc464482553372e9a1a0bd8cddc7bd59339eff92794bfbae20b61

Download Submit
memory/232-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/320-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/384-568-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/384-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/388-583-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/396-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/892-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/908-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/984-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1084-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1132-592-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1132-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1144-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1144-571-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1164-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1164-585-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1204-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1212-108-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1352-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1384-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1404-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1464-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1536-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1624-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1664-557-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1740-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1748-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-556-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2148-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2152-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-483-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2284-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2308-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2360-495-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2380-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2424-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2724-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2744-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2772-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2980-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-599-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3172-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3256-519-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3276-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3292-470-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3300-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3368-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3456-375-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3512-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3592-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3616-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3640-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3648-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3688-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3704-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3836-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3852-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3860-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3872-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3896-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4016-542-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4020-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4296-458-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-530-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4368-302-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-549-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-512-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4508-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4560-590-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4608-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4704-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4712-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4712-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4720-578-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4720-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4748-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4796-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4984-296-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5016-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5024-570-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads