e5d93e2cbb4dfc43d3d3a1bdcaa449c5200fd7d5cb47a1cd3421da1e23b35b45

Analysis

max time kernel
132s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

add72205ac9e98bce530258fe9dd3f40_NeikiAnalytics.exe
Size

128KB
MD5

add72205ac9e98bce530258fe9dd3f40
SHA1

d0d7425b3907cb9700e08dcc796119e49c079178
SHA256

e5d93e2cbb4dfc43d3d3a1bdcaa449c5200fd7d5cb47a1cd3421da1e23b35b45
SHA512

4f30939b224d66810a97d576bf02fa8b2fee6752ad88b51680021256330a20fb03ac0eb9c95ccdc7abe7ae44742e5c9b330034f0dad83ed6cace1301c60099ee
SSDEEP

3072:xi6Nuh6SiVz4PodHyUGExoGRPxMeEvPOdgujv6NLPfFFrKP9:xizhF0z4gF7xPRJML3OdgawrFZKP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	add72205ac9e98bce530258fe9dd3f40_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibagcc32.exe

Executes dropped EXE 64 IoCs

pid	Process
3576	Gfhqbe32.exe
3512	Gifmnpnl.exe
2068	Gppekj32.exe
4236	Hboagf32.exe
4916	Hjfihc32.exe
3248	Hmdedo32.exe
4576	Hpbaqj32.exe
3792	Hjhfnccl.exe
4788	Hmfbjnbp.exe
5032	Hcqjfh32.exe
4016	Hfofbd32.exe
1920	Himcoo32.exe
1052	Hccglh32.exe
4848	Hfachc32.exe
4528	Hippdo32.exe
4024	Hcedaheh.exe
752	Hibljoco.exe
724	Haidklda.exe
4968	Ijaida32.exe
4268	Impepm32.exe
3840	Icjmmg32.exe
3196	Iiffen32.exe
2252	Ipqnahgf.exe
1232	Iiibkn32.exe
1772	Iapjlk32.exe
2012	Ibagcc32.exe
2848	Ifmcdblq.exe
4596	Ijhodq32.exe
4812	Iabgaklg.exe
2600	Ifopiajn.exe
3328	Jaedgjjd.exe
3152	Jbfpobpb.exe
2024	Jmkdlkph.exe
4600	Jjpeepnb.exe
5080	Jmnaakne.exe
4824	Jdhine32.exe
1072	Jfffjqdf.exe
1832	Jidbflcj.exe
1864	Jdjfcecp.exe
4844	Jbmfoa32.exe
4264	Jmbklj32.exe
1428	Jangmibi.exe
4272	Jfkoeppq.exe
3584	Jiikak32.exe
672	Kaqcbi32.exe
1268	Kdopod32.exe
3940	Kilhgk32.exe
4480	Kpepcedo.exe
2528	Kgphpo32.exe
4556	Kmjqmi32.exe
4340	Kbfiep32.exe
5044	Kipabjil.exe
2144	Kagichjo.exe
3136	Kdffocib.exe
4920	Kkpnlm32.exe
1336	Kmnjhioc.exe
4328	Kdhbec32.exe
2148	Kkbkamnl.exe
1436	Lmqgnhmp.exe
3184	Ldkojb32.exe
1084	Lgikfn32.exe
1440	Liggbi32.exe
4884	Lpappc32.exe
4332	Lcpllo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	add72205ac9e98bce530258fe9dd3f40_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hboagf32.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	add72205ac9e98bce530258fe9dd3f40_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6016	5832	WerFault.exe	203

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbbnj32.dll"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	add72205ac9e98bce530258fe9dd3f40_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpdme32.dll"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Impepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchnlc32.dll"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inccjgbc.dll"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hboagf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 3576	4200	add72205ac9e98bce530258fe9dd3f40_NeikiAnalytics.exe	84
PID 4200 wrote to memory of 3576	4200	add72205ac9e98bce530258fe9dd3f40_NeikiAnalytics.exe	84
PID 4200 wrote to memory of 3576	4200	add72205ac9e98bce530258fe9dd3f40_NeikiAnalytics.exe	84
PID 3576 wrote to memory of 3512	3576	Gfhqbe32.exe	85
PID 3576 wrote to memory of 3512	3576	Gfhqbe32.exe	85
PID 3576 wrote to memory of 3512	3576	Gfhqbe32.exe	85
PID 3512 wrote to memory of 2068	3512	Gifmnpnl.exe	86
PID 3512 wrote to memory of 2068	3512	Gifmnpnl.exe	86
PID 3512 wrote to memory of 2068	3512	Gifmnpnl.exe	86
PID 2068 wrote to memory of 4236	2068	Gppekj32.exe	87
PID 2068 wrote to memory of 4236	2068	Gppekj32.exe	87
PID 2068 wrote to memory of 4236	2068	Gppekj32.exe	87
PID 4236 wrote to memory of 4916	4236	Hboagf32.exe	88
PID 4236 wrote to memory of 4916	4236	Hboagf32.exe	88
PID 4236 wrote to memory of 4916	4236	Hboagf32.exe	88
PID 4916 wrote to memory of 3248	4916	Hjfihc32.exe	89
PID 4916 wrote to memory of 3248	4916	Hjfihc32.exe	89
PID 4916 wrote to memory of 3248	4916	Hjfihc32.exe	89
PID 3248 wrote to memory of 4576	3248	Hmdedo32.exe	90
PID 3248 wrote to memory of 4576	3248	Hmdedo32.exe	90
PID 3248 wrote to memory of 4576	3248	Hmdedo32.exe	90
PID 4576 wrote to memory of 3792	4576	Hpbaqj32.exe	91
PID 4576 wrote to memory of 3792	4576	Hpbaqj32.exe	91
PID 4576 wrote to memory of 3792	4576	Hpbaqj32.exe	91
PID 3792 wrote to memory of 4788	3792	Hjhfnccl.exe	92
PID 3792 wrote to memory of 4788	3792	Hjhfnccl.exe	92
PID 3792 wrote to memory of 4788	3792	Hjhfnccl.exe	92
PID 4788 wrote to memory of 5032	4788	Hmfbjnbp.exe	93
PID 4788 wrote to memory of 5032	4788	Hmfbjnbp.exe	93
PID 4788 wrote to memory of 5032	4788	Hmfbjnbp.exe	93
PID 5032 wrote to memory of 4016	5032	Hcqjfh32.exe	94
PID 5032 wrote to memory of 4016	5032	Hcqjfh32.exe	94
PID 5032 wrote to memory of 4016	5032	Hcqjfh32.exe	94
PID 4016 wrote to memory of 1920	4016	Hfofbd32.exe	95
PID 4016 wrote to memory of 1920	4016	Hfofbd32.exe	95
PID 4016 wrote to memory of 1920	4016	Hfofbd32.exe	95
PID 1920 wrote to memory of 1052	1920	Himcoo32.exe	96
PID 1920 wrote to memory of 1052	1920	Himcoo32.exe	96
PID 1920 wrote to memory of 1052	1920	Himcoo32.exe	96
PID 1052 wrote to memory of 4848	1052	Hccglh32.exe	97
PID 1052 wrote to memory of 4848	1052	Hccglh32.exe	97
PID 1052 wrote to memory of 4848	1052	Hccglh32.exe	97
PID 4848 wrote to memory of 4528	4848	Hfachc32.exe	98
PID 4848 wrote to memory of 4528	4848	Hfachc32.exe	98
PID 4848 wrote to memory of 4528	4848	Hfachc32.exe	98
PID 4528 wrote to memory of 4024	4528	Hippdo32.exe	99
PID 4528 wrote to memory of 4024	4528	Hippdo32.exe	99
PID 4528 wrote to memory of 4024	4528	Hippdo32.exe	99
PID 4024 wrote to memory of 752	4024	Hcedaheh.exe	100
PID 4024 wrote to memory of 752	4024	Hcedaheh.exe	100
PID 4024 wrote to memory of 752	4024	Hcedaheh.exe	100
PID 752 wrote to memory of 724	752	Hibljoco.exe	101
PID 752 wrote to memory of 724	752	Hibljoco.exe	101
PID 752 wrote to memory of 724	752	Hibljoco.exe	101
PID 724 wrote to memory of 4968	724	Haidklda.exe	102
PID 724 wrote to memory of 4968	724	Haidklda.exe	102
PID 724 wrote to memory of 4968	724	Haidklda.exe	102
PID 4968 wrote to memory of 4268	4968	Ijaida32.exe	103
PID 4968 wrote to memory of 4268	4968	Ijaida32.exe	103
PID 4968 wrote to memory of 4268	4968	Ijaida32.exe	103
PID 4268 wrote to memory of 3840	4268	Impepm32.exe	104
PID 4268 wrote to memory of 3840	4268	Impepm32.exe	104
PID 4268 wrote to memory of 3840	4268	Impepm32.exe	104
PID 3840 wrote to memory of 3196	3840	Icjmmg32.exe	105

C:\Users\Admin\AppData\Local\Temp\add72205ac9e98bce530258fe9dd3f40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\add72205ac9e98bce530258fe9dd3f40_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\SysWOW64\Gfhqbe32.exe
  C:\Windows\system32\Gfhqbe32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\SysWOW64\Gifmnpnl.exe
    C:\Windows\system32\Gifmnpnl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\SysWOW64\Gppekj32.exe
      C:\Windows\system32\Gppekj32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        23⤵
        Executes dropped EXE
        
        PID:3196
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        25⤵
        Executes dropped EXE
        
        PID:1232
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        26⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        43⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        45⤵
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        46⤵
        Executes dropped EXE
        
        PID:672
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        50⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        54⤵
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        55⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3184
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        63⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4412
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        74⤵
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        76⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        79⤵
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        80⤵
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        84⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        85⤵
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3956
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        91⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        93⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        94⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        96⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        97⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5812
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        104⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        107⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        115⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 412
        116⤵
        Program crash
        
        PID:6016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5832 -ip 5832
1⤵
PID:6000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
128KB

MD5
3302d4415f2ad3d3642026b302615f26

SHA1
9b67595477906a51ff3f545424ad686290648565

SHA256
e20d91db8d801a1e3c5e111bde3019ceb1ce8cddf8d60b90af1d9dafb714c55b

SHA512
a49a2160f636fe82fd4ff5fdf2a5a1eee731a9aae3a635c380cc2c4affe894f6e31fa8288d45fea32a64bc3f2bf74d7de323b9f2f14d5694b6fb9cf4d8929bf0

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
128KB

MD5
ab117f2d8b09fc1c0de0bc21576bf7d1

SHA1
e12c581035368a2ebf6c70f537010b7789c16099

SHA256
44fff91f0401a5ec469bcdeba04debd0a8a11f0ff22f956e2ba30d1525c073a2

SHA512
1e6e070952329359e64837bf9b3afdf450dcd59cd0088e97c2a58416e1fc4c10ce03a8dc3a26fee2783571e5ab4adbfc55ebd5fbe6f016e8172974d45f448eb8

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
128KB

MD5
689675734907dde8f4d4bef2230fe588

SHA1
3070e48e16f05ad7bc3761a8804b8d15c723ca56

SHA256
df105f3c4a608e71bca64262ea7d120bff00098ae32d7ce0c513c3573cce8036

SHA512
2ccf6015f88fbb5e0a3c673b9f4b7fcf84bb22bc6adbec196fb10578c3ac5fce46758d1de0ef0a61321f9c5fd59f122b5736e7913a379443e0248156422d8909

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
128KB

MD5
64419b9a4764a6819c314aa7fffc1973

SHA1
efe4cd4e1e0f95a7824f36818be39ef8f4daa185

SHA256
fe34bd931986af95e4b9e33229e46f938a4cb9f7f3cd60b991eb45308a0d02af

SHA512
8e9d7b3b3c66bcde7bb0e1c91616dc0478b9f629be23f3dd53d36e6d17afbf8d34a7b2a4ffba17cc1053970d2cf0a4a76516573189c3938c0d825fe78750133b

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
128KB

MD5
40e11b46f476b475b213cb58e139dc3d

SHA1
ca8580f65bb2d0fdd18530ec25da1bb2ce468ad1

SHA256
7b1e2346ceb5187d1b3da08a068c8c83c5f150e8c72375c6719a50bb1140991e

SHA512
e9a70cadae658d661751c93237af6ec55ae951848c66bc19999d9e9e240db778ad4123ee2f2ba98b0cba0bab81ea840f9eead14eafa85b12f07397ee46de4b9a

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
128KB

MD5
13cafbc410edc0ccb287dea99c98b1e3

SHA1
54c978fbf8a63cb12c922991be5b7cfcd11670bb

SHA256
d050ecc88aae85709d29817f137af3a37fada86306d8e03d02928cc92f461dbd

SHA512
68716debe9973e2e9228ebe498f792a4359ba402cfc862262d9168bae7d7d9e7da2994d5a624674c7467bae9fd11d246eadd3fedc7217dbb55ddc6b0516cda73

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
128KB

MD5
e5409dcea827898fbbe676897474b165

SHA1
dbd55cf209d1f82e31b8b975c2a7305a894edb82

SHA256
59c94860d9cdb8694264753f0d3c367a5ae54cde96a4d320b88fd65aa65210c6

SHA512
19ef14493e2bb0bdee92cb46c6722648a907d98ecfa173158c60faffb6bf72e8b2a8bf791cfd000280763fcdc444019d85abc92d5c00bf23108e9227ef2ea573

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
128KB

MD5
3bb23f7777f41a7364dcbfab978e2cd4

SHA1
f22bb23f0fe1faf8b0245b2c5ddf1502c3b34475

SHA256
ca1efd8fb3e908754a361864413e30b73b44409a31f49c3196805ca27f490dec

SHA512
e0b67df4c69eeeec3c9538e98d3018fc497aaadd42e6f0df057428ff06c3ea83e09675445e14078f5d846c040157baa36df4d92408fc9b3765043b912e66928f

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
128KB

MD5
7ec66b20c3c8bfcfd65c46c7e71b3430

SHA1
efa886a1802eaa98a701ba26b62c5b736fc87c24

SHA256
233a10320efec4aa451f8ffc2c77997ff4f32e70a2c7a05e834e1be9e2145be4

SHA512
3e7885393235693e24666b2e05454c242a9b44c4053997a5d89f1aabdada72ba3343964d8c7a0ef8b15c96d4b1cf5a8bc3dfabdfe7d1a5993421bc7413fe278d

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
128KB

MD5
c7d0380b0cb4377a31c6b734b7536759

SHA1
ec5d808b3b0e8c47c7dfab7575b4529ea8d1c7df

SHA256
5702c6a1fd8e196b91442d8845d8bec1415f0d7757172dc923d5bc2379150fae

SHA512
a29596821954edc984c16a8ec94b093e6e67dae5e988d1ceb11fdf6443ec82fe319c59c7d451acb278177c881cba71b7758abc052b209614717319d53164da7a

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
128KB

MD5
4811b3ea538ff00294882617b99b7a51

SHA1
0d44c7282972dc21c31fccf3a66e4936cebf2b8e

SHA256
802d0481630f48fe72c1d81085fef779078c0390896bc35221442df2b65d4647

SHA512
338c0d6691166095b36e10c66a35c874f2513fdb0d04b449fa6562ee81882cccdde6a88418b22baec3bf0428363efd555482ae26757e8787ecb9c2bd2a3ce5d8

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
128KB

MD5
3cccd17047b5cf239ea7d2f0d4b2066e

SHA1
0835a835b3dc461552104f22459cfb4e0a91be94

SHA256
301db08fe6d9ec8c84755605a9f66709251656d4b6763cfe417d1ed61b6223d2

SHA512
fba63bf2c95d974f2dc56f400329d47343e418046ff1e5254b4c895774c6f5f09fa35a9aafb6324473ea0e887616d300d7bee959dca9ef17c1784749b6424e83

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
128KB

MD5
496fe863e899c92a26399b981b09a047

SHA1
cc9c5c7e2f83e14c61a2054291d00d89359972f5

SHA256
43870ae537f93ada703049f29dbb626b572b6ec7cd307de3383f351589fdb8f4

SHA512
3fa36af1363a9da80af8a0949ab761c5620ea2933218143688a606d7a9c52a82097a379c547dc9c45448cc72e197a9a780dd0ccc60ea36d4e64a1e79bcc93c5f

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
128KB

MD5
c68c476b311192fbf0ce4ef23c7fa8d1

SHA1
84720300dacf318a01ce4d70f39d2e8f6e02878e

SHA256
e44293b6cf2c2baf40dfc5a3739499470f7e973066fd4214b4e1c2b0abb0e5cf

SHA512
174f62209bd62a533d68b4d262e2f652a580e5f1a0ed61c661aea57972e8bbf4ae65503fd584688e284e3cd28fb25d9b010a77c988a0ddc313aa675514d52af7

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
128KB

MD5
bbbc927bbfe28eca18733bddfc76bfd9

SHA1
92a1f6fdba620a68902cb601ea61a72c2377db8e

SHA256
5bded4e334b3a07673031c42eff00116b3c2d0e140a78c74bc0d31ab77b06e65

SHA512
9e98185edcdf3caa39a8d21bc74f0038607e84eefd418d27abda290ae06967e33f4a32035921fa42688ba8218f2082c674e59203726a8203e0469dcf3526b23c

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
128KB

MD5
3f3b727ddde69b8c89fd51996549fa68

SHA1
5ecd2453fcb297bf30599c4460200f9052fe1d2e

SHA256
8ea5b7038a1d671ceb46d0145a894475d453cb07548ee538c1910acf08643fcf

SHA512
37ef7b9ad07610c6320156fc98b5df160118219a7324cb731396f9c98d63e5d9778d1388744e7e000526fbcd3d44c60c2a13f49b35d10525b8dbd025f0e6c784

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
128KB

MD5
92da977a52a484c13f6295716e2dfb02

SHA1
8e31e9d1ee0e267560fc692da1cae1dc027b435a

SHA256
f17d43b40e41219219dbbb11c382f31567f7b8683d65a5fd696d8763185f2e08

SHA512
976d75bc19a6f0f82194a60e55757a409c131454a7b1699afb236ab221417c6390f3a4cbb71457cc157635e3c168a34b89317c1c804fa8cdd36eaf2adc654953

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
128KB

MD5
2f0794829bcae37aec9131f708784c25

SHA1
f5b94995ef4569a7375d1303b1371f5d70f5f619

SHA256
3235656bfde68b017384daac6e9adb2141ac72e170d5aba8521030c7e0abd040

SHA512
e4011a8a3018fdd24478c65e4f2dd278d749108ebf88e70a891db9629f7c2203ada5f7a786b9fd244e1521aaad50399c980bb419c4db9a30e61a72a80b5c3517

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
128KB

MD5
3590b0472289b88f767b8d1551c8e063

SHA1
aa6ef6db8757bb01998f10eb6dbf28492328e685

SHA256
90b06527cce5a0849b7472ab49d818ccc7b8ae82dc5f9d67de208068cd06323b

SHA512
1a2f3ce58fad1c2ffab9e931ef4c35f845f57464c64d5b1bb12a225895eabdc362f4f919e720cdb607d3c52becca371edd648827ef2b5fb9da0ed7e7d65102b7

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
128KB

MD5
5090e3a58f3975f6465d24d9637b4b78

SHA1
90409b1a0b2dc6edc4c6162368622dd481b278f2

SHA256
be1fc962d775b94e159dc8e973dbe28a5000fc89622e674f43e2f5be9880b874

SHA512
0b9ead445df6270efa6a8ad05aab833252e8ab98b8d8b2ffa78374427244d2a1841a39aa45c8925422c353465b23d52c4836d4adf2a1cd809c3017c5ae4ba91b

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
128KB

MD5
d5e6b4fc22d3c3735b7004d424ee34a6

SHA1
4cebc372334472f7f97771d21bcc69c0b260048a

SHA256
a2e3d840f82a61ea9958bdfdb62f98c67b76a23c33a6b8bf7c14bd3e38bdd622

SHA512
d81de10fe9a772bf2d1fe06cbd685485f13fcf9c522b666b8decce1e5e36e3786a19c10c16db93043e1d8e4e2ebad63af53b4caa3d308aa405f44c8c013c5e14

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
128KB

MD5
9ad0d9fc8820ebddee8a54c153979f70

SHA1
9859863f25a4c02ee52d1dd31d4206ea2e09e0f4

SHA256
6b99abc3f97b6947913634bfa3d4b73b8a18d27c3c23827cb9459c122cf1bc5e

SHA512
64033774a6593d338843f484b040ea5a63ec56c2167fc2b1750d9188e1b3d406fa17b8cdb2ae17901aea399c1e001b9ee8768a12b29262a500f009d8f05510f9

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
128KB

MD5
8ebe6e7ff7cc5670ebe90bb11bd3c55e

SHA1
2b2181058ffb4197d232d0b1beb0803c81a3eed6

SHA256
f37f592e7920b960028490ba791880e2e1824c4c691114e3f97fb08dc0b0d77f

SHA512
3b6a254c58fe01afa9329b02ea202a21c22d3e92236c3b39b051a4ba182d6824971bae86e4eedea409a91b21b08232436e05dea1ae1be405167c6d7582fc0da1

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
128KB

MD5
9e63b8ed171f5e4425047fcb2aa5d3a8

SHA1
4184ab235a916efddcaad9a9eaa23b9e2886cab3

SHA256
f7e3a90df3dde7a60d0dd91288c3db8b8e8593ee5efc4ab34ead88dc6ff732a8

SHA512
8f39493f51100db57cc3b14b4b2807abe080365391e54b56422e0a1c8215da0d875809c6c565f6b22520c9e3801c277e0bf1ff7d4f8995d9ced93784a99cc941

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
128KB

MD5
1a9a35ca83d770ec708f3eeb83f63f79

SHA1
492728dfb30f1225ab9aa00e9bf2747ccc7d7866

SHA256
0a0ef569bfe21ec0ec888b3b7a2ec495f2b582abb831fbe57935bec4b0ac1d86

SHA512
d9e2ecd5fad5f6bbb73740d408b310abe956d126aceaab0fcc91ed1aa973f7f91dfa954605ccca9d3009dba8e176b4a6c608b857a78c9074dae541abf9a9d0d1

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
128KB

MD5
154e58e6fc2fa06243b018b658d72d69

SHA1
67f1e4a48eca5b17d94de236c77c872b84ef01a9

SHA256
0b2e5698f7fabb6f9d4f0082596cf8f4f7684bb1779bd96a9b940db5cdf379a2

SHA512
b6baa066036b1ad2757e3a400e8e52d54b63a3d835f3b04a58f86c4812740ac0f5280a4e20c31df367d2f2f0cde84de6d8da08f4b402bac7bc52dd4fcb39d176

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
128KB

MD5
c2b23792e10cc55eda7662cfe8c8622a

SHA1
1e747b304a398615add292bde14989b3c6d66f27

SHA256
167252c0b4110efca523da79246b9aa5f77777ab6d78eee745b6702561f45b10

SHA512
5fda6897d990d12e92bba3ff87e98802fa1a3bd0827f5ac42be654a4e9d02fb9610d0fcc777b37ae175aac9ce53927581b9255e9acbfadb63db415e31495675e

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
128KB

MD5
3758e7ef4fa808c0f6b557fb80eb4a4d

SHA1
26b67b7b6a667f1c772a318b6baceb5e2360e860

SHA256
e001b6fb73d2e56c05fcf2bcd1ef70bccb03543fec6ce9e0558a8ccde1330032

SHA512
64cf48b670cb626054f2acb47323c35155c73899084faf04f4347a7365581c2cb65a446075b42b1eb592ce797ca3e2553d7a6157b5ff1630fefe97f6a6ea4bad

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
128KB

MD5
555e96c25d55675b9cbd2f9eabaaa7fa

SHA1
e60153ef595dbab1ba5ec8874b23f5dd2af3b376

SHA256
05523104d9692d73104c09142aead2ecefae236e0958896a8c0ef578a5b84cf0

SHA512
f127fa8c567f0ea7908bae4912b8f3bd0e550b84009b0133ece1528877b4811f3679e4d81148c89c719f3dc24e91327c83fe7d548453eba529b8b237b17a50b6

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
128KB

MD5
39ce891f35f4d3578a285823d4189fbd

SHA1
6fcfc03dc64e2829cb9ecb267e39837de053cfeb

SHA256
53203212b8c92759d0c6dd016a651c68d84b72e390ac5cb8a5a98e3b263292f4

SHA512
215a33505022e38e85a274fe6dbebe9b3b4f78af55a92b88125632b026234d53e82c854b944aae6bde33d4999c35ad3174d5466a4ae6f78bf75a5dcf0573e114

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
128KB

MD5
f293700866d6321f4dfd1064c85aee44

SHA1
0d9b307f8f2ae4d44688c3a3d60646dadaf9bcd5

SHA256
17fc0bb61a4f768ebcb2024c863fa2e592a0fa86d16f882edcefe1ea4a6efc4b

SHA512
b5d1951642eadb30e2fef6ab0a6aa15131318072eaae8fdb9f43cdd1275ece234035f33ea954778851be2e6dcb514067954b4f585c541f2e63e603347c50cfe4

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
128KB

MD5
402478498102b83296c27117758da101

SHA1
cac32759b5ab1fc94c361fe2a47f2bccf90a0be1

SHA256
7fc875c00ac2d6f4688074e6e9cad3112d519643ea3114b4d8f5cdd7434c7a5e

SHA512
348e15b774836c0c522b05e6e06d37d74e3f9cb4bd06b0eca507ada395dbbcfb580f29a522177d5fd8e514327d0b02adf4c9691193273878462594d85b289c7f

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
128KB

MD5
efffff5a451729d05c6c36cfc6eb3415

SHA1
909b22fc1850a5347eb47b665251e6f9a0aa3520

SHA256
8015f7a24a40155f74886671814fca0fe0384591521309319e4400c4b732d0e5

SHA512
8a2d3c85c18a9d7b8730c23ece694cf38cc64c570eaee32d5a76b605ff3858803dc097c093b9c66da67b7750a6f3343f00a9e2a0d357d1b8e9b98da82e07cad9

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
128KB

MD5
33f261543b6d488a4c34f3f62a8d5937

SHA1
b4d95b32cf70dfa20bf8f9001d7ec6cc0fc5e1d8

SHA256
6ab631a2af566333f226cc40376c7e868bf79e3ab29734def8cb953e3f5e9d1f

SHA512
8c30016429b4e269e8d03396f438ca73e87391461d9eddc0ed5ca988bac04ed1889f326b58c76918a835d61869bfd9b5b2d5defc43ff8ca870bea7593f5e28dc

Download Submit
C:\Windows\SysWOW64\Lgabcngj.dll

Filesize
7KB

MD5
174105eebeb9efdce4ce010a075c753d

SHA1
80964c702662a56d87560ec9fc157eefe2ea00d7

SHA256
8c8434516143e606b2d2c3bb1b370d469c0512f5b68041b8719b30783fa7f8f3

SHA512
47236386b13c5ee9ec4709559f387da88800102e88143e14aba93543d5a1e123b624dd7cc1c59cf8a295c02048966836b06a9f46d135f176d67ab7f2cb77fc4f

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
128KB

MD5
ba3cb9500f78fefe5d8ba3d8776f4ec2

SHA1
aaa41d2c0bb75c28c25a5cb9e4e9e5ca9cd826b4

SHA256
c509c2689f153c05758a654c8a8621018e84b905e3c0b4697bf92ac2411068a1

SHA512
b7dd3904805a0de3a8863587fd0fb814aea2f853e219bd935a232c121c06d3fccab92a042a8a2643fecbdfe02b331358cb397d461301a896f88d16736d794fec

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
128KB

MD5
babbaac81614411284e6a96f2a1d6cf7

SHA1
1a592e3b2673f6ef7d757495a9a8907611f0a9f3

SHA256
2322a99cda2dbab6eee014bfb66999da5d4be8747a7c78e4ceca9f4f966817d5

SHA512
2fcd54df2832b9bffc65678fd7d583f14c8d080da1274ed5b0beb7c905d79901f4e66aa1b448acaf85d2aa2d725deb99c9ea0d1bd2ecc61648ccb0f9a272ba27

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
128KB

MD5
939925e6242a8d1a8b5f83e3d39244d4

SHA1
1b57d72e750fa9602c70b68fca5bd438e4f4c0fb

SHA256
ed2b3c0910911fb6864c2a91cf456bb1c782398a01391cdecbf9f0d07f64517b

SHA512
f49ae33e610ff02e90524d8b22cc791687bdbba3cad7c4316ca3999f18447cba775ae213b2850d27f1221c499cada904c7b4f6b08a185fdcc81b86e85c427e3d

Download Submit
memory/672-427-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/672-361-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/724-151-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/724-245-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/752-146-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1052-115-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1072-374-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1072-310-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1232-207-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1268-368-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1268-434-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1336-435-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1428-341-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1428-407-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1772-212-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1772-298-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1832-381-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1832-313-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1864-324-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1920-103-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2012-228-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2024-279-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2024-347-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2068-114-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2068-28-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2144-419-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2148-449-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2252-194-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2252-289-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2528-388-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2600-255-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2600-326-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2848-229-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2848-305-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3136-421-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3152-272-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3152-340-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3196-190-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3248-145-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3248-48-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3328-264-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3328-337-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3512-101-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3512-16-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3576-89-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3576-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3584-358-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3792-68-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3840-176-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3840-271-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3940-441-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3940-375-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4016-90-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4016-189-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4024-227-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4024-132-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4200-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4200-80-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4236-36-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4264-338-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4268-168-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4268-263-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4272-414-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4272-348-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4328-442-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4340-401-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4480-382-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4480-448-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4528-211-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4528-124-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4556-395-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4576-56-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4576-150-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4596-312-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4596-239-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4600-290-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4788-166-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4788-72-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4812-246-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4812-323-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4824-299-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4824-367-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4844-327-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4844-394-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4848-206-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4848-116-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4916-131-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4916-40-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4920-428-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4968-254-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4968-163-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5032-175-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5032-85-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5044-408-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5080-292-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5080-360-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads