942121877dd3aa4035816631d5e6789a67ff17529570d9c9b56201f95c7a7cd8

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a165b333ab75ffde2e2c127db88a150_NeikiAnalytics.exe
Size

64KB
MD5

5a165b333ab75ffde2e2c127db88a150
SHA1

706876ea316be38531e7f23c78bd364393336339
SHA256

942121877dd3aa4035816631d5e6789a67ff17529570d9c9b56201f95c7a7cd8
SHA512

0c3efbb991a76e2199e9a9e7376abf726095c6a13afe98b683735cedc0a8c9ecf45fc85b70762e0a27c412572c02e48718cd39798703ec72147cd57a701bf0da
SSDEEP

1536:Ps0U3cMwBXAfyU6wWt2e+7TUNV1iL+iALMH6:jUsMw5IWwOcyV1iL+9Ma

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe

Executes dropped EXE 64 IoCs

pid	Process
4352	Hclakimb.exe
3376	Hfjmgdlf.exe
5004	Hmdedo32.exe
372	Hcnnaikp.exe
612	Hikfip32.exe
4896	Hpenfjad.exe
456	Hfofbd32.exe
224	Hmioonpn.exe
2884	Hpgkkioa.exe
3760	Hbeghene.exe
3684	Hippdo32.exe
4524	Haggelfd.exe
1580	Hbhdmd32.exe
824	Hibljoco.exe
1532	Haidklda.exe
4620	Icgqggce.exe
4576	Iffmccbi.exe
3596	Impepm32.exe
1152	Ipnalhii.exe
668	Ibmmhdhm.exe
2160	Ijdeiaio.exe
2824	Iannfk32.exe
3280	Ibojncfj.exe
1012	Ijfboafl.exe
908	Iapjlk32.exe
1948	Ipckgh32.exe
3276	Ijhodq32.exe
1724	Ipegmg32.exe
4420	Ifopiajn.exe
3236	Iinlemia.exe
3696	Jpgdbg32.exe
2480	Jdcpcf32.exe
4384	Jjmhppqd.exe
2948	Jagqlj32.exe
1000	Jdemhe32.exe
3576	Jfdida32.exe
2300	Jibeql32.exe
4608	Jaimbj32.exe
2088	Jdhine32.exe
1592	Jbkjjblm.exe
2460	Jidbflcj.exe
1272	Jmpngk32.exe
5092	Jdjfcecp.exe
5036	Jfhbppbc.exe
1268	Jigollag.exe
2404	Jangmibi.exe
4600	Jkfkfohj.exe
1140	Kaqcbi32.exe
3468	Kdopod32.exe
5056	Kkihknfg.exe
4820	Kilhgk32.exe
2332	Kpepcedo.exe
468	Kgphpo32.exe
4704	Kmjqmi32.exe
3156	Kdcijcke.exe
4400	Kgbefoji.exe
4916	Kipabjil.exe
3656	Kmlnbi32.exe
4372	Kpjjod32.exe
3516	Kcifkp32.exe
4028	Kkpnlm32.exe
4964	Kajfig32.exe
3724	Kdhbec32.exe
2792	Kgfoan32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Hikfip32.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Haggelfd.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Jjcfkp32.dll	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Hfofbd32.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Iannfk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5308	5268	WerFault.exe	203

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpdme32.dll"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 4352	1936	5a165b333ab75ffde2e2c127db88a150_NeikiAnalytics.exe	81
PID 1936 wrote to memory of 4352	1936	5a165b333ab75ffde2e2c127db88a150_NeikiAnalytics.exe	81
PID 1936 wrote to memory of 4352	1936	5a165b333ab75ffde2e2c127db88a150_NeikiAnalytics.exe	81
PID 4352 wrote to memory of 3376	4352	Hclakimb.exe	82
PID 4352 wrote to memory of 3376	4352	Hclakimb.exe	82
PID 4352 wrote to memory of 3376	4352	Hclakimb.exe	82
PID 3376 wrote to memory of 5004	3376	Hfjmgdlf.exe	83
PID 3376 wrote to memory of 5004	3376	Hfjmgdlf.exe	83
PID 3376 wrote to memory of 5004	3376	Hfjmgdlf.exe	83
PID 5004 wrote to memory of 372	5004	Hmdedo32.exe	84
PID 5004 wrote to memory of 372	5004	Hmdedo32.exe	84
PID 5004 wrote to memory of 372	5004	Hmdedo32.exe	84
PID 372 wrote to memory of 612	372	Hcnnaikp.exe	85
PID 372 wrote to memory of 612	372	Hcnnaikp.exe	85
PID 372 wrote to memory of 612	372	Hcnnaikp.exe	85
PID 612 wrote to memory of 4896	612	Hikfip32.exe	86
PID 612 wrote to memory of 4896	612	Hikfip32.exe	86
PID 612 wrote to memory of 4896	612	Hikfip32.exe	86
PID 4896 wrote to memory of 456	4896	Hpenfjad.exe	87
PID 4896 wrote to memory of 456	4896	Hpenfjad.exe	87
PID 4896 wrote to memory of 456	4896	Hpenfjad.exe	87
PID 456 wrote to memory of 224	456	Hfofbd32.exe	88
PID 456 wrote to memory of 224	456	Hfofbd32.exe	88
PID 456 wrote to memory of 224	456	Hfofbd32.exe	88
PID 224 wrote to memory of 2884	224	Hmioonpn.exe	89
PID 224 wrote to memory of 2884	224	Hmioonpn.exe	89
PID 224 wrote to memory of 2884	224	Hmioonpn.exe	89
PID 2884 wrote to memory of 3760	2884	Hpgkkioa.exe	90
PID 2884 wrote to memory of 3760	2884	Hpgkkioa.exe	90
PID 2884 wrote to memory of 3760	2884	Hpgkkioa.exe	90
PID 3760 wrote to memory of 3684	3760	Hbeghene.exe	91
PID 3760 wrote to memory of 3684	3760	Hbeghene.exe	91
PID 3760 wrote to memory of 3684	3760	Hbeghene.exe	91
PID 3684 wrote to memory of 4524	3684	Hippdo32.exe	92
PID 3684 wrote to memory of 4524	3684	Hippdo32.exe	92
PID 3684 wrote to memory of 4524	3684	Hippdo32.exe	92
PID 4524 wrote to memory of 1580	4524	Haggelfd.exe	93
PID 4524 wrote to memory of 1580	4524	Haggelfd.exe	93
PID 4524 wrote to memory of 1580	4524	Haggelfd.exe	93
PID 1580 wrote to memory of 824	1580	Hbhdmd32.exe	94
PID 1580 wrote to memory of 824	1580	Hbhdmd32.exe	94
PID 1580 wrote to memory of 824	1580	Hbhdmd32.exe	94
PID 824 wrote to memory of 1532	824	Hibljoco.exe	95
PID 824 wrote to memory of 1532	824	Hibljoco.exe	95
PID 824 wrote to memory of 1532	824	Hibljoco.exe	95
PID 1532 wrote to memory of 4620	1532	Haidklda.exe	96
PID 1532 wrote to memory of 4620	1532	Haidklda.exe	96
PID 1532 wrote to memory of 4620	1532	Haidklda.exe	96
PID 4620 wrote to memory of 4576	4620	Icgqggce.exe	97
PID 4620 wrote to memory of 4576	4620	Icgqggce.exe	97
PID 4620 wrote to memory of 4576	4620	Icgqggce.exe	97
PID 4576 wrote to memory of 3596	4576	Iffmccbi.exe	98
PID 4576 wrote to memory of 3596	4576	Iffmccbi.exe	98
PID 4576 wrote to memory of 3596	4576	Iffmccbi.exe	98
PID 3596 wrote to memory of 1152	3596	Impepm32.exe	99
PID 3596 wrote to memory of 1152	3596	Impepm32.exe	99
PID 3596 wrote to memory of 1152	3596	Impepm32.exe	99
PID 1152 wrote to memory of 668	1152	Ipnalhii.exe	100
PID 1152 wrote to memory of 668	1152	Ipnalhii.exe	100
PID 1152 wrote to memory of 668	1152	Ipnalhii.exe	100
PID 668 wrote to memory of 2160	668	Ibmmhdhm.exe	102
PID 668 wrote to memory of 2160	668	Ibmmhdhm.exe	102
PID 668 wrote to memory of 2160	668	Ibmmhdhm.exe	102
PID 2160 wrote to memory of 2824	2160	Ijdeiaio.exe	103

C:\Users\Admin\AppData\Local\Temp\5a165b333ab75ffde2e2c127db88a150_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a165b333ab75ffde2e2c127db88a150_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\Hclakimb.exe
  C:\Windows\system32\Hclakimb.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\SysWOW64\Hfjmgdlf.exe
    C:\Windows\system32\Hfjmgdlf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\SysWOW64\Hmdedo32.exe
      C:\Windows\system32\Hmdedo32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:372
      - C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        24⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3276
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        35⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        36⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1272
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        46⤵
        Executes dropped EXE
        
        PID:1268
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        58⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        62⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        69⤵
        Drops file in System32 directory
        
        PID:3820
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        70⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        71⤵
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        72⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        76⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4956
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        78⤵
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        80⤵
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        81⤵
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        82⤵
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        83⤵
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4844
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5112
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        88⤵
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4392
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        93⤵
        
        PID:940
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3672
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        95⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        97⤵
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        98⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        99⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        105⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        108⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        110⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        112⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        113⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        115⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        119⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 400
        120⤵
        Program crash
        
        PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5268 -ip 5268
1⤵
PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haggelfd.exe

Filesize
64KB

MD5
63a9a1e3fe9245206b2bfbae46f1a00d

SHA1
96882bd80ebfa6cae8284d3618e4740036908b76

SHA256
e86b9c52e9424ce26d62423f807113381ed6ee6332cc35991338c7d932cf7aa5

SHA512
0edf837c578ebe0e605b116199d47964bcd9815f07c1f40328804f27862833f7332291af7365ac3b5c872dd2a41201cd852e83b9ab5a995caa12ded93c0481de

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
64KB

MD5
fcb3dabd7ee7b77b238a9df63b772967

SHA1
29e08ed363e019786276758d3c8819b496c603b5

SHA256
12bf782512f3e4ba14a314df1100b7487b2401b27b69ba4349b75cc8022a22eb

SHA512
f44d3d788726e13439a9002a843735f3320b782a3a5513575caba1e432f04f4628fac56036d249dab3d643b1c3cd631b09f3a2546513fca4b718aed7fde6b4a6

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
64KB

MD5
a862f17d048a450555a62278a59b8f33

SHA1
0ce55c7976f081b5ac377cab69091387a64f18d5

SHA256
93bedba9d01c2c34160a95376be6d28a5c7eeeaf3727027ab6102c858c3ef76a

SHA512
affcabcf09c071f61c2fad2cbdef02c0e4aee89ee84d03570cbb210d9cdf80ad2be756581fd4f5e433b985f748ec5e2f14be6cdc22849f4cf3be35ebe620d875

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
64KB

MD5
4d56dd7a5384ce199443b25ab9e5755d

SHA1
c99577f752ce5e6c4399fbdb5066c42735b51465

SHA256
6a99e879c41a582965280eacd6ed83a5a6ecd3888fe2143a43af116b3c336381

SHA512
c6edac69c8086f9856936ab45ff9c8f84f5acf692377b644d0fffff0c116e76de5194c42a124aa30f4d3833f70643a8a0341c254d8cfe57bbc71970240c5318d

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
64KB

MD5
216958d3cdbbfe8776662ad140ff5f41

SHA1
32da63c100adafefa21df1a0fb14b704e1187859

SHA256
bba223011bda0f3c9a7cc31ef7e2477b81cde13f4ba0b80d2014a51313d14ed6

SHA512
c886c06cc44ae212c26bee6e53770d2e723d0133c514d75bf91650199da9d927597ae7ab036fdc79cd31f9cebfe05d8d3cc2aab93e98a0060fa575fe4c9e6063

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
64KB

MD5
02adb395e2c2405dac25411545622023

SHA1
025e0c5afb550a33db1bcd6c3837cc7628518164

SHA256
26cf476d7c61e26d9643a65ddbb291817d69a2d841ba0c5417fcd69440c5e251

SHA512
f1aac96a3146414b66c7a745c229722ca28dc283ddf3966853d9ae848578ede20f9a9aaf69228c5a647b9263ebf508e48bce4a66e2f50f2859b5af2dc46b8106

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
64KB

MD5
92590929347d44eeb289298ef8447f72

SHA1
9b57f6efa2817351ea47b1a6349ddc4b86db9c7f

SHA256
9d1687cb33797efd7dcb2eac02f1ef5faf956881ce31fb736beae14cf65aa6f8

SHA512
b22028dd815fa81c965d050c61562307832c1a815d933352758b9db6c3a288e30a83acaa444d2735f158fb421be7f91dbb68445f2987f79e300adc3f7b877ae2

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
64KB

MD5
935b008191f07f390f04a6b959a2fe76

SHA1
6c92b2e8ae17edf5f11798180661dcd698fa87d6

SHA256
f2ac2d47337a711dd62beff2b6ef5b72397fea283d2f7de90fd375bffee1598e

SHA512
3b8f80603afac88f70760f9e6fb83c9743882a22d0f3ce98daa0ec2d03f7142007089ce3141832db58854a8692c59b4c21caa266c62fdc98ce49c49d4dcfd8eb

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
64KB

MD5
05329e45f2543ae0392c9331d89aaa1a

SHA1
c5c7a5967dab6d93ee6a77618ef468e18e30a5e7

SHA256
f911bc348d5e1898a8dd026abc53ea619c6d75c331790ebfe07c2921ca5fc294

SHA512
14a3f901bd684c8304505f25b9247cfea7b6e5b846de74673fc0e2e6052e27e49e0d683b2eb8aa6cda4c35d4f12cb830a193bae71e5d3c6f39af42d069a76a6b

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
64KB

MD5
ce3332073ba5d34b11479e28ce35d850

SHA1
e3c2cc6d96047f13c9bff00fd82da0e2a593fcbb

SHA256
943c563178a44ace601d27c5d747438494b174e680cd975e5b83f4d598751c3a

SHA512
a3303d4ccf90090b8d3e4b9de3a2ea1e60cc46d36b6524ca1da31d26d57b8f24d7eb5a7bdb2d639400cf838116b200d534aacf054a0857e22e097db8ca43dade

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
64KB

MD5
f0d342dfae81840d1b2d389831b32d01

SHA1
b71cc7be52ba1ea832b60d51d03909073807bd82

SHA256
89919cb1842684c06f044d0b1c689b86202b612ff721d770f2bd2f6642974675

SHA512
850e207b1320c21bfdf81aeba07d04a31841a4a3231e0856b51fc647563a939d1ca42eec1b4be8a112f23dee832938215f8cf5865286a4ff49d14602d54c48c4

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
64KB

MD5
78583390f56f08a7d3a42a942b1756fb

SHA1
271848ad9c3936a0692964b0586975c144f03ea4

SHA256
fe3536b492fff11c3ee06a6b7f42ce07c4efc1603d18c87f40fbc6774de3ef83

SHA512
ef6b4ec2059d022d6df06e4d27cfab810147beeba36cedb2a899990d9cc8482d858b6173f3bd3d32107b6cbaf7824b81b8e6c8141044620f302b7323aa77076c

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
64KB

MD5
fd92929adfd892a1eb64f720067a9b3c

SHA1
c87e2b684167622c3c8c260bbe36b2344c9f3ac6

SHA256
53faa5620009e0fb3c17dc59dda6abb443ada5ad6b3597343f5aa8b0c23f0dde

SHA512
88aa16534c9867fad2efe3e445ff08ceaaf69b0034754e6540c8c4590b6d14127a99f3b28798bb663a09ad4756f444f181589ff4db1c00058e556f613ad2884f

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
64KB

MD5
311499932cfec182d110894633c9d9b4

SHA1
722cc5e898f4ffd1011f1391ccb9fd82d31b4183

SHA256
e77deadcd33fc359954b0898621ef1052c0ff852cf4647b38d8d91dba3ec0330

SHA512
0ee4c141544120ceb04b72c73ecc5776fe82e109f6e72608adca60cbee4308b4ba868ac7c66165e09e5cccfaa5fd7ada4e797e16e9cab8bbdf07a083db1c642a

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
64KB

MD5
fe498dce746c54d1d179a9b5ff532808

SHA1
f4831f89580ea21529f92bca53eca269fbbe3482

SHA256
ecd5d7a38bc89264ba6e700fa00e8561b057f015cb1d3b7d56811329bd6f0c6b

SHA512
3823bab0d2108de044b3eb4e01a379195f704c21112e4c5eae977e4632d4f3c999ad924ee9301f70149df0b361fe86abbce4b886afeb5dcca5e712027b6674c7

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
64KB

MD5
a388541e5b57783b5fd510df8ae7999f

SHA1
689d8f5a07389ea67e6f2d42f36b793d77b6c12e

SHA256
1fe991efadd8792667e4ff6612db7ce26866703731a1db06394c5be7fc4f4007

SHA512
9c0a8e8077b27fad942faeda6c19b7e0d5200be74ed496182ca7b29a3e239c184e3e24e05d5fd7888c379e0111a89d22d703cf31c6b6e45e55cb10f7853f4686

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
64KB

MD5
02971243049887268e7b53caa1d5714e

SHA1
0b72de2fd2417e042b7e6eb769f0cde5b41d888e

SHA256
d4b2166ab24f45286fbdf2d1ab0edc74fd76c8f17cec3ab2daf0f6f3841bf9dc

SHA512
128b5d460b9666fac224b41e3d38653436828bd7ad135eb24da256d46048f8bd234f42a558eb7dcea1db98b3d4697a41c8ad7640843732fbc65822c3d10ec73e

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
64KB

MD5
d2c2786feabbd8f7eac391dff3b7d8c9

SHA1
18289f86b0752cecf241808317698217cf7ac857

SHA256
2390b4760f6fb4f4e0516054915b584407e42b645159d63c27e473db9584e5cf

SHA512
793fa0e524d33e0b089b4d4c6218220f3c857c8f0b99183f471ba0161fc7d2f7c1ff6a0b7b82f44692b09a688d3c3493c0cabceb0e1b7f55d93b7b757bfd2734

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
64KB

MD5
b121b5392cbdbb1b343d1ec24425f2b5

SHA1
a45e7743e6fab3480b8b70cd0b2987e13426506e

SHA256
0c89304aea15ca4fc2a0dc68bff7e11dc05f4f9850f0388399e2247d20a4f104

SHA512
a0f9469311b5b9b99516b9c7e93aee490f3d340cdbf00748534bfa2565e901ab6aa0d737219485fd20ed9947efcfad1a595768d59926325660fe9b131324bdab

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
64KB

MD5
c223f2e36546e09f553500448b6fd7bd

SHA1
ba469649f0cbb6263df5b691e5780e4fff6af205

SHA256
643c6ef4afd8de22c85eb7e82172c8500a1aae297d7d3af51dcf6d9b487ca8fc

SHA512
2d42001c748731da239636155670a66c78865ab839754b12445071236261856e1d713f8d029adf72208d1a9ba4c5874aef2102b13462fc7a2fb76607dc612fd5

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
64KB

MD5
f17ac18074c0097bf98321de7fc9710c

SHA1
5ef1e4a5b2a6612b677ec658c088370651271472

SHA256
f297f887714792cc1a3c41601581ef07400b89efa86c6e7d2877bf13094cf53f

SHA512
17ead3262525cb6c07edf2a20715d4f9a18d3a1fe5007021ac2a3b9496b3f19d397bd0b6c8dcd6196ff975876e17bf2f5f60683c81e7aa09b24b49aaeff08c88

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
64KB

MD5
98c10ed82bbc8c697aef30b724f7a4af

SHA1
74760f59ac07810c89ef2e0b37a937a25b92be31

SHA256
13ed73ff2a1f29ba68597f5f7ba17a8984c434b41cf4e971b35679a94449c240

SHA512
050de6449b27b9f0242cb97aa220574a52aa35e3f2f9a09ae727c308419e019c234a3a291a4349d31b95dcdb92269596e7fb10fd0602285674ab576ee9c0203e

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
64KB

MD5
91c346ff60a428a214d8159ada70e5a8

SHA1
b5047a1ebb464d7273c7d970876e50eea6f0a45c

SHA256
dcd8a95ca2d7fb1cf113545349293942b9b9fdbef9e6d054e0e8988896f9d75b

SHA512
4a2649d00e659c7b79ea71eac076c7e877f32eca3c3b136622a032a69341bd2af1536c969e8153b5814288dcbd5926ae96d40f2f7bfd59c2e9e1ae9e69ad94c9

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
64KB

MD5
672028c1365d4521b01ad7d739f68d89

SHA1
e3242a47d27850722c57fb401975368bde480898

SHA256
f4da559fcb1e6d5050d60659cd8f51eb6c6126ee319cd38a7cd4d8252256f971

SHA512
dc85028c05d3aa9fb73ea23716a21fd503e495a8d41d83cb4350c47e7c7ee6c34f941d85e9ab81c2080f3f64788b9d1ccf926f89a10574dd03ff303e98e00618

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
64KB

MD5
0d34a62f5c203be4507498a915b4878b

SHA1
a71bf816793c22586d5dd3c612170329a07f7211

SHA256
bf42e36aaecdcc42b393f6b178fd91c833e20c9ccbba3e6d871acd31d1915aa3

SHA512
b9a72f4814dd13b1e8464ad49d74b52b8c08be2583e1250d6b6e89efad69ecd2329c7787bcbb43415f4a2fd38c5155a1932ba4950f389ffc55c3f5c1883b98b9

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
64KB

MD5
5bdf3ee526a3d79581b348bdf989664f

SHA1
ab3d2c59cf2352ccd255104b1a66d5579c32d723

SHA256
bbed0eae668db996d92c409ad39c7251f248121218b03fe9984e1c544907e6f5

SHA512
7abfa5d609585c28db32409c6132a0363e4093322247651a4a4826c14183bad41b1dfc22beeab8698aaf4f1b8840ada9a954fba1d4949228096ff56df217cbef

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
64KB

MD5
8ccec397a20e64f4e8ca5b83c8932f85

SHA1
465f7c438e66922ede4dc81fa94217537a136460

SHA256
9b06ab178f5396477f7a11a369e86f6a23469a4ae5fa64b97bd2a40b8df425e6

SHA512
b8dd0cd5a6f1c4a6ff368d9898caea7c09b353483d529c7e0268e9eff340d9d8b7054016cac7aae95a9cb65a6e563b1128d64c5f43e80661f900df6faec35f1e

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
64KB

MD5
106ed2c23099dfae8ad1f45b26ec86d3

SHA1
2e56ac12c380b07dd70b568731caa74ca9010071

SHA256
480eaf7f8c52372625cba7b6ed7c1e6a79e822c8d868ab7de2ad25d15e74ece9

SHA512
96c23bac7154d2c39f40d35748ee3c851e444e8f81b9268c597eae7ccfcde97c3015ac8934d4c0741ddeb7ad515d6035b19ca04cfe0a94817592e557ef280d10

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
64KB

MD5
81b901fb2b9e5c4e3832ce9998815ad9

SHA1
03d7ff9a0d1c30155c5f993706bbae7fbd361eb9

SHA256
de204286e8338d4af7fb750b16738b71d86397d1bf616b04701dc1d0ba835f30

SHA512
7c01b8cf9a9ec52f858da8dbbad92070a7874c7aa203016bfc4b48bf2bbb78b2ed7a6c1ee7e4a15188a9adf4dc2049295e3b269cbcbf87a2f8ff954fbcdda60a

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
64KB

MD5
963b442ef703c818b92edf1661ca2c93

SHA1
0cabb9d853dcc8245248bd093652165ff7a5a4d4

SHA256
739b020cd1b96832c757e8080a02b2df7e56f1e1b3159ea3d31b9e5f730e27bb

SHA512
5daffa7636b2e019a46ccfce380e8f204d2187f43f029e2320f5072e2aaaf7e9eec397b2454ade846c16b2af5c3768cc755a4b6b0d7775d3ca1f326176f3a9e3

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
64KB

MD5
0a2b36be3f95e51c2e4f62dfc499f376

SHA1
40553c992170ea20ed5a71e5b757a8add1afcc3e

SHA256
d2b848c94a7e5d5057840659a917e36bca7bd79d793f02e4724dadb4897787ae

SHA512
14cfa48d272d9b5b14161d584c39325f066455f8fe930206fcd66903c428cff86d44519502b2834440c582eb65922f2f57cc3dc46a9bb3e0740277f882cd7e0d

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
64KB

MD5
69cc8515dc87792e8a9586b12ec5983a

SHA1
b64498e9622d121b6ad084fd5854591a94c74102

SHA256
6b28cecc63aabd2363fcfe5399ababccc3354de15d7ad1bc6638ab6cd45969db

SHA512
c3a4c5d46a4e8b97c7f0d609a63c68ca1373231f92457476337ee254c56aeef6d9ad320e2482c5c1b0b7bf496c1a8f8982b7b7d63a4c85c0a251fe9a9af2e7dd

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
64KB

MD5
4912c0f422d58103505e38ac20cd93e4

SHA1
232547de3d289b2badf2b1883b515ac9c40f250b

SHA256
a9c65d0cc098bfe41d4ab21495f9739c94d3db72e32c493ee83915505667e555

SHA512
1d5f5bd51e55ff7ff8bd19621e431e8d3af8cd3ed9b0c7e43a9df07a7bf7a0fb1c5f9ac93d9c521f660b7892ba06a6c5c4ddc7de67cb420fd8bbbe90d0e360e8

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
64KB

MD5
edafbd2fed85daead4ef5fac71485a9a

SHA1
d7d04ab9bf20506acfcf650d679272f9d33a9532

SHA256
92ef2c230286050ec50d60eb964e2769c1387054db85fd230faa03a45a155a8b

SHA512
e9b6cf9b4d0a4191247982fddd0fcf5fa8d506a5358324c181f4b0b384adeb7fa81d0f04bf0e9e375023b11cf85c91dfc5bfcedf86775664127d25075cefabbc

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
64KB

MD5
3845bd6668b54e3b3ae64fe587d3de7a

SHA1
d8b95a4dc54f0fda940494554d61ebf62bf6dba2

SHA256
0415bef6763107773b16d9d0c0d0ffa0bd75df19f06cc8c6e1c9442197380d56

SHA512
6443911a2f1bcedd3701d3407b76a7a54af4442b5dd527f97840b08cb17d5aa83cc3f6ba7d5d994eff5b2e0533e5f4f753771574d13077abbf65dc46e9a903c0

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
64KB

MD5
bb56c38cf9d3962a98f3e1425f7789e4

SHA1
edafe378fc43e5f0910b779d52c31c17ad81c310

SHA256
ee8a6d49b222eb20fd2d7aaf490cafacacc267c74e388655475a77c071665ebd

SHA512
5e21cb665555130b1f22367c8bada8b40f6286fd33c64393d582c73670777c120eba718775dc3eb50120d9f6a3b997924eb726521dcb0341fbb62428890ddf11

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
64KB

MD5
44551a3937543088c2a536e01c6abf8b

SHA1
c2266d667056caecf5341f637182fc40b9bd36c1

SHA256
475650e48e5cb763b5dda6020e4ca50fd0d82ac7071da38ce4432fd5c43a6733

SHA512
d50a3aaa238ae44e0f119c6835c5c66cf44616188ebec619f934111566e415ece38eb69b3ce5102d53e5e4c3c9f23f2e445572e5c74b26f2e860186195e981e9

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
64KB

MD5
6b934b7e77d6dca8992cf4dfcece0501

SHA1
c4af55e1ab457a5b627cc2e4cd63d07a6aa04784

SHA256
6366fb0440fd49b47430dc3883f78e29d21343951da86b23ad8778108b4114dc

SHA512
e0021833fe07e3f2bd02fbeb52f700bd022d3e019bf3e152bf8f7db1b14ec36ec55575f178b6a64e99beb23b3aed9971d76b0b1da91b1e1ca54be888a858fff9

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
64KB

MD5
2ebbda336c443468d9a0102d697b00c3

SHA1
96e3f85c2f92b602c5fac40df30a28e7fa7559c4

SHA256
7ed54df586c8accb1e60588a8d6ead49ce4bc41c7fca964b7e4e038b04af869a

SHA512
92cfcf778609de6649022ef4f68a06ada08be1e6e88b26e8c8624a4eaacaf27e72274ec71d8e78d4788b237f4bfa64b1dd8d5859ce2d65016af053b00a1ba99c

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
64KB

MD5
44762895773615f70c3e6988cc6df8b4

SHA1
bf7a2ba1c35b54d905dc7c62889d0cea96c5b98a

SHA256
cfab649b73d13e531bf790dd60717a098bc033de7b55813cd12212641743d13f

SHA512
d2b3085ea35276577b114d7b97845f99d5541371e38e20ef0fbcbdf44fafcd0eb11a474d048e8bed070c61b810892889b9e7d80e21c8a48df4618bba32390648

Download Submit
memory/224-603-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/224-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/372-572-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/372-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/452-479-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/456-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/456-592-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/468-383-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/612-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/612-579-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/640-501-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/668-161-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/824-112-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/908-201-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1000-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1012-192-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1108-559-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1140-357-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1152-153-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1268-335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1272-317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1304-580-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-471-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1532-121-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1580-105-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1592-305-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1724-225-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1840-485-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1936-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1936-539-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1936-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1948-208-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2036-573-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2088-299-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2160-169-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2300-291-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2332-377-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2404-345-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2424-546-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2460-315-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2480-257-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2792-453-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2824-177-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2948-269-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3020-540-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-531-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3156-395-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3228-507-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3236-241-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3272-553-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3276-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3280-189-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3376-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3468-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3516-425-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3576-281-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3596-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3656-413-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3684-89-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3696-249-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3724-443-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3756-537-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3760-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3820-477-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3868-464-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4020-593-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4028-431-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4064-514-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4352-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4352-552-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4372-423-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4384-263-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4396-455-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4400-405-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4420-237-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4456-520-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4524-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4576-137-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4600-347-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4608-293-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4620-129-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4704-389-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4820-371-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4844-566-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4864-496-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4896-53-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4916-407-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4956-521-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4964-441-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5004-565-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5004-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5036-329-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5056-365-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5092-323-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5112-586-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads