eb759109e926473c3147d0fe7e30c479a2e13c7bc88b7f51a55788bfaf85f1b8

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

977068b9dab090982797f879762dde90_NeikiAnalytics.exe
Size

128KB
MD5

977068b9dab090982797f879762dde90
SHA1

cf7095e1d0bf439a3487d1bf9975f08148ae99ea
SHA256

eb759109e926473c3147d0fe7e30c479a2e13c7bc88b7f51a55788bfaf85f1b8
SHA512

9731d14c027dd602bb8fb5179ff2e63bb619876388da6b4fc749fa5eb148f22912f2dba537952f22ad22c2cca1412584aaab107129b63c0247a640035a8412a4
SSDEEP

3072:2dCtFiNoTdiDmx/Sb2ZdgIJXHmW2wS7IrHrYj:/uNMXd7J3mHwMOHm

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	977068b9dab090982797f879762dde90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	977068b9dab090982797f879762dde90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe

Malware Dropper & Backdoor - Berbew 32 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0008000000022f51-6.dat	family_berbew
behavioral2/files/0x0007000000023410-14.dat	family_berbew
behavioral2/files/0x0007000000023412-23.dat	family_berbew
behavioral2/files/0x0007000000023414-30.dat	family_berbew
behavioral2/files/0x0007000000023416-39.dat	family_berbew
behavioral2/files/0x0007000000023418-46.dat	family_berbew
behavioral2/files/0x000700000002341a-54.dat	family_berbew
behavioral2/files/0x000700000002341c-62.dat	family_berbew
behavioral2/files/0x000700000002341e-70.dat	family_berbew
behavioral2/files/0x0007000000023420-78.dat	family_berbew
behavioral2/files/0x0007000000023422-86.dat	family_berbew
behavioral2/files/0x0007000000023424-94.dat	family_berbew
behavioral2/files/0x0007000000023426-103.dat	family_berbew
behavioral2/files/0x0007000000023428-110.dat	family_berbew
behavioral2/files/0x000700000002342a-118.dat	family_berbew
behavioral2/files/0x000700000002342c-126.dat	family_berbew
behavioral2/files/0x000700000002342e-134.dat	family_berbew
behavioral2/files/0x0007000000023430-143.dat	family_berbew
behavioral2/files/0x0007000000023432-150.dat	family_berbew
behavioral2/files/0x0007000000023434-158.dat	family_berbew
behavioral2/files/0x000800000002340d-166.dat	family_berbew
behavioral2/files/0x0007000000023437-174.dat	family_berbew
behavioral2/files/0x0007000000023439-182.dat	family_berbew
behavioral2/files/0x000700000002343b-190.dat	family_berbew
behavioral2/files/0x000700000002343d-198.dat	family_berbew
behavioral2/files/0x000700000002343f-206.dat	family_berbew
behavioral2/files/0x0007000000023441-214.dat	family_berbew
behavioral2/files/0x0007000000023443-222.dat	family_berbew
behavioral2/files/0x0007000000023445-230.dat	family_berbew
behavioral2/files/0x0007000000023447-238.dat	family_berbew
behavioral2/files/0x0007000000023449-246.dat	family_berbew
behavioral2/files/0x000700000002344b-255.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
1968	Hihicplj.exe
4804	Hpbaqj32.exe
1992	Hbanme32.exe
2384	Habnjm32.exe
3732	Hcqjfh32.exe
3340	Hfofbd32.exe
2388	Hccglh32.exe
3240	Hjmoibog.exe
5104	Hmklen32.exe
2248	Hcedaheh.exe
2052	Hibljoco.exe
2004	Ipldfi32.exe
8	Ibjqcd32.exe
2608	Impepm32.exe
1028	Icjmmg32.exe
1444	Ifhiib32.exe
2108	Imbaemhc.exe
860	Ibojncfj.exe
4704	Ijfboafl.exe
3060	Iapjlk32.exe
448	Ijhodq32.exe
4348	Ipegmg32.exe
2696	Ifopiajn.exe
696	Jaedgjjd.exe
920	Jbfpobpb.exe
2380	Jmkdlkph.exe
1252	Jpjqhgol.exe
4864	Jfdida32.exe
3272	Jmnaakne.exe
1132	Jdhine32.exe
4484	Jjbako32.exe
5048	Jmpngk32.exe
1220	Jdjfcecp.exe
2988	Jfhbppbc.exe
740	Jmbklj32.exe
4800	Jdmcidam.exe
5052	Jiikak32.exe
4560	Kpccnefa.exe
2876	Kkihknfg.exe
964	Kilhgk32.exe
4296	Kpepcedo.exe
4816	Kgphpo32.exe
2928	Kinemkko.exe
4576	Kphmie32.exe
2032	Kgbefoji.exe
4512	Kipabjil.exe
396	Kagichjo.exe
2120	Kcifkp32.exe
4404	Kibnhjgj.exe
4796	Kajfig32.exe
1540	Kgfoan32.exe
1060	Lalcng32.exe
2116	Lgikfn32.exe
1264	Liggbi32.exe
556	Lpappc32.exe
2532	Lgkhlnbn.exe
3944	Laalifad.exe
1300	Lilanioo.exe
4064	Laciofpa.exe
1836	Ldaeka32.exe
2644	Lgpagm32.exe
5092	Lnjjdgee.exe
3992	Lphfpbdi.exe
624	Lcgblncm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	977068b9dab090982797f879762dde90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hccglh32.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Habnjm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5300	5180	WerFault.exe	178

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	977068b9dab090982797f879762dde90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	977068b9dab090982797f879762dde90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1968	1664	977068b9dab090982797f879762dde90_NeikiAnalytics.exe	81
PID 1664 wrote to memory of 1968	1664	977068b9dab090982797f879762dde90_NeikiAnalytics.exe	81
PID 1664 wrote to memory of 1968	1664	977068b9dab090982797f879762dde90_NeikiAnalytics.exe	81
PID 1968 wrote to memory of 4804	1968	Hihicplj.exe	82
PID 1968 wrote to memory of 4804	1968	Hihicplj.exe	82
PID 1968 wrote to memory of 4804	1968	Hihicplj.exe	82
PID 4804 wrote to memory of 1992	4804	Hpbaqj32.exe	83
PID 4804 wrote to memory of 1992	4804	Hpbaqj32.exe	83
PID 4804 wrote to memory of 1992	4804	Hpbaqj32.exe	83
PID 1992 wrote to memory of 2384	1992	Hbanme32.exe	84
PID 1992 wrote to memory of 2384	1992	Hbanme32.exe	84
PID 1992 wrote to memory of 2384	1992	Hbanme32.exe	84
PID 2384 wrote to memory of 3732	2384	Habnjm32.exe	85
PID 2384 wrote to memory of 3732	2384	Habnjm32.exe	85
PID 2384 wrote to memory of 3732	2384	Habnjm32.exe	85
PID 3732 wrote to memory of 3340	3732	Hcqjfh32.exe	86
PID 3732 wrote to memory of 3340	3732	Hcqjfh32.exe	86
PID 3732 wrote to memory of 3340	3732	Hcqjfh32.exe	86
PID 3340 wrote to memory of 2388	3340	Hfofbd32.exe	87
PID 3340 wrote to memory of 2388	3340	Hfofbd32.exe	87
PID 3340 wrote to memory of 2388	3340	Hfofbd32.exe	87
PID 2388 wrote to memory of 3240	2388	Hccglh32.exe	88
PID 2388 wrote to memory of 3240	2388	Hccglh32.exe	88
PID 2388 wrote to memory of 3240	2388	Hccglh32.exe	88
PID 3240 wrote to memory of 5104	3240	Hjmoibog.exe	89
PID 3240 wrote to memory of 5104	3240	Hjmoibog.exe	89
PID 3240 wrote to memory of 5104	3240	Hjmoibog.exe	89
PID 5104 wrote to memory of 2248	5104	Hmklen32.exe	91
PID 5104 wrote to memory of 2248	5104	Hmklen32.exe	91
PID 5104 wrote to memory of 2248	5104	Hmklen32.exe	91
PID 2248 wrote to memory of 2052	2248	Hcedaheh.exe	92
PID 2248 wrote to memory of 2052	2248	Hcedaheh.exe	92
PID 2248 wrote to memory of 2052	2248	Hcedaheh.exe	92
PID 2052 wrote to memory of 2004	2052	Hibljoco.exe	93
PID 2052 wrote to memory of 2004	2052	Hibljoco.exe	93
PID 2052 wrote to memory of 2004	2052	Hibljoco.exe	93
PID 2004 wrote to memory of 8	2004	Ipldfi32.exe	94
PID 2004 wrote to memory of 8	2004	Ipldfi32.exe	94
PID 2004 wrote to memory of 8	2004	Ipldfi32.exe	94
PID 8 wrote to memory of 2608	8	Ibjqcd32.exe	95
PID 8 wrote to memory of 2608	8	Ibjqcd32.exe	95
PID 8 wrote to memory of 2608	8	Ibjqcd32.exe	95
PID 2608 wrote to memory of 1028	2608	Impepm32.exe	97
PID 2608 wrote to memory of 1028	2608	Impepm32.exe	97
PID 2608 wrote to memory of 1028	2608	Impepm32.exe	97
PID 1028 wrote to memory of 1444	1028	Icjmmg32.exe	98
PID 1028 wrote to memory of 1444	1028	Icjmmg32.exe	98
PID 1028 wrote to memory of 1444	1028	Icjmmg32.exe	98
PID 1444 wrote to memory of 2108	1444	Ifhiib32.exe	99
PID 1444 wrote to memory of 2108	1444	Ifhiib32.exe	99
PID 1444 wrote to memory of 2108	1444	Ifhiib32.exe	99
PID 2108 wrote to memory of 860	2108	Imbaemhc.exe	100
PID 2108 wrote to memory of 860	2108	Imbaemhc.exe	100
PID 2108 wrote to memory of 860	2108	Imbaemhc.exe	100
PID 860 wrote to memory of 4704	860	Ibojncfj.exe	101
PID 860 wrote to memory of 4704	860	Ibojncfj.exe	101
PID 860 wrote to memory of 4704	860	Ibojncfj.exe	101
PID 4704 wrote to memory of 3060	4704	Ijfboafl.exe	103
PID 4704 wrote to memory of 3060	4704	Ijfboafl.exe	103
PID 4704 wrote to memory of 3060	4704	Ijfboafl.exe	103
PID 3060 wrote to memory of 448	3060	Iapjlk32.exe	104
PID 3060 wrote to memory of 448	3060	Iapjlk32.exe	104
PID 3060 wrote to memory of 448	3060	Iapjlk32.exe	104
PID 448 wrote to memory of 4348	448	Ijhodq32.exe	105

C:\Users\Admin\AppData\Local\Temp\977068b9dab090982797f879762dde90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\977068b9dab090982797f879762dde90_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\Hihicplj.exe
  C:\Windows\system32\Hihicplj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\Hpbaqj32.exe
    C:\Windows\system32\Hpbaqj32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\SysWOW64\Hbanme32.exe
      C:\Windows\system32\Hbanme32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1252
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3272
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1220
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        46⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        52⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        54⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3944
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        59⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        63⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        67⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        71⤵
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4176
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        74⤵
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        77⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        78⤵
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        80⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        87⤵
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5036
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4472
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        95⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 420
        96⤵
        Program crash
        
        PID:5300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5180 -ip 5180
1⤵
PID:5256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Habnjm32.exe

Filesize
128KB

MD5
e02a87aa2ef0bd0ea401a735330e0ee0

SHA1
96c12efaad933cc0b570fce7acb3a1a59f905b09

SHA256
ad226a7e8053b1520f2982dd4f58a31495f24b9b54219ddc16f2b6a35c42afe3

SHA512
494009acbc85c6b2a19eeafe567ce4fbfd78af2972d3382fc11144dd777a0845ccf34264b369b8dc12ae7a76ae6055c032d9cf31cf3f1ffeb0e1939e2e57573e

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
128KB

MD5
28e61e4a61d6b04d52f1496740e9b340

SHA1
5e03dbf9e5db3784c50ea2722c98968c09690f5e

SHA256
f7bd8d8083fbe54196836f0228486781ea6d6ee1b5f408ee3889dfdd95309ec2

SHA512
3560c3b96155a65175f74df5691222da09d35963e16bed3ed1369e70d732f6c9ad2997e531ca6f4ad3d9a58c5a0da6497da700aa48e31fd6b16eb891d95eaaf6

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
128KB

MD5
efcd7244d2124753d713139d4442eaea

SHA1
6ea4a7c4795d10bbd5d7cc75c9a2b384c765319b

SHA256
dbf7b14583963b47c5feb05873bc2aa6c6e94e8a1de3fbc1affa2451026b1551

SHA512
52d0281798b193d6784c6ac22ba4d2234cf64b4cab26ebab92becac5c7a9ba56dcf14b39ee19370f89a9cf899460e56dc22dfb4bb29e7f739510d4a4648cfeeb

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
128KB

MD5
3d14ad64938851b79ac5227cf2df3985

SHA1
6219ce43db5ada565bbe2196bac4c4c9c2424fc4

SHA256
7eca458b93f5d65c9f4042823208fe5e023d8278448f221ec68b813f32df87c5

SHA512
c4eb7ce4653ee185daa4a1e6f33766d5bf08bc07d4068bd1d9217803528d47799bda6b6e80a4e63e9a68312cefb396fb14812ad8878df7a319dd451f8ec1a720

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
128KB

MD5
89cdc7a9e6b4043ec53bba9c331f0914

SHA1
2eec2f8d029e4df32cb821b39041215168a54476

SHA256
364a3a63dd6eca34cfc44f2dcb844cd704f500f7054a7dc063d381ef14b5ee9b

SHA512
fc23836c7bd5f2fe4aebbbc201a5205eadfc37a2ae14629364a43bce820933c880bcbddd0a7cb44d9c67748caf2857a51f751364f5c2d875e0396ee79422515b

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
128KB

MD5
bb559511002b01f6e7001a26a7630c20

SHA1
ac159ae9d10386b3f236ec287ea7bdb1c91361c9

SHA256
235a2f8c7991b1381b943f05764d7b884bb0d5c1c68bced3126b067f640f2d6e

SHA512
1e4db33d74eaaad5bfae659da21899ac9050797a2442a7a1bdb15301a2ee33626b3f0ae302e06dce01a05bb4e1034fff3e2037383b0bf4c3b358927cb45962a2

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
128KB

MD5
b0bd0a4ed0f069e2a65747793c70037d

SHA1
1e29bddf7ef448f479a8b4bf2c7d10d35f9ed68a

SHA256
1af8ebfe3487195b3bef3fd2987198804862fa08a166fb42520246c191ee5185

SHA512
3202a388e630912384768041417c18073bb4d0b8c89671f8ecf6ce0b5d5e98d974ec2b41af56434fe8b9abfa4567ae9f199a94186fffb968697b00f0f72d19f1

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
128KB

MD5
198a4bb2a61b08c62999fd505e58c86a

SHA1
c4fd476bf2538735a129cad2418cbf3891420563

SHA256
6ec7ba8f3ead28729998062171b9970682d3222d3c113f1f0be818b55eafa951

SHA512
9a047e7dac2e0a21ffa817f118305eb01e80b301a90052edd2689d21e07e560699e4360be4cb46fa17f899c5b6db2749b6a75c10cdcb068ede8dd8579e4b2981

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
128KB

MD5
6b4c546a33468137285a7295bc87b4cc

SHA1
bd7367bfcc2cf943baff737b05977965b1809aed

SHA256
d011a713f4adb6328b1a49d218b66e8f8c9f6548107e336fcba44c04836cd91c

SHA512
fa6655e438d170b729de05446482d93d64eadaa56d1684dc5a70afa591a9ffea70d1fe54394724ba30d1c5aee0ec2b748636c3e28a20a3f7959cf89b9149df3a

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
128KB

MD5
281780fe56051e54b8316bc5e17c97b0

SHA1
e90691b1bae7868abb1d94b22a60853d654f0780

SHA256
d0f28ac387b42e9bff2042fda124c61d6d4cc8ee287f85d1162462fc9b2232f5

SHA512
1ffe3ea420bdb259e8237cc95092cc8380dc20172638a4050fe9ad6c732d04cfda4ad88beb797a70028c9284165f7d0756e9fa49b2601ef0e966c4aa0be719af

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
128KB

MD5
8bc168ba9b72bb69581e0896cbada935

SHA1
118970b5a9530c288e5ff5e27d00c941a5a843de

SHA256
609a48cdfc2f333f64fe256485bec4c3f701a82c682c3f7773ec2606cc60546e

SHA512
30dacaa66bd043456b577d3a5c6274b2a7259a3a0f5ee74514f3429cf89ace937421e0b6a52a47a60dd202c972959601058bb3faf537c97f63797ac0d4b09282

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
128KB

MD5
219169de0035a8455d5f6be504d47bbe

SHA1
6828de7b0252667d8380c2302d2a0502af74b3aa

SHA256
ce6ec8698f2fee7468a4e3a40c1f2f16e3485c2b9bfea5708f137f555255abd9

SHA512
61f8b895385b4d21d4fbde8ae74bc469b27deef93f741a5a83c6e177f92c39a8950bb735603e71b7e1179b07c0b4c576fd79be363969264c72eaea58d67ffc66

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
128KB

MD5
afa8dec965ce4510d1edbe4fb053be54

SHA1
8adc337d0ca09d03b0e3e2e3458ec60eb6b236c1

SHA256
ef0e28ec1a46c58ebc043193056a6b9c6d30ecc1a98552790d9dda072fc458af

SHA512
9567d2adf05697d523de6e9786071ec079e5cfbf4cc829ec4376582340c082df8f954995e2737c130032e2a6a9d8cd7e14f7610c25559bfdf7eb2f7bf8361327

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
128KB

MD5
f835b38c4e2189bff35ee38bc4d690ad

SHA1
583531822344cf0140a43b74c6860fb0986e18f5

SHA256
619f168ebd4b9c0882dfc5e84a4f94a47b61c5944eb208314aa2c1f72211c324

SHA512
7c0ec5be603b7138854ddb89e055fe183e611170096e4802b43b7c01f15a9ccc8a38a5a3cc53d04ed33e5bba1d6f062e366d3f2bdc63a5d0b615126a13418a37

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
128KB

MD5
45cc8102fff7bad5ddfa9cbe58ac47c2

SHA1
e1340e380c2d503ff866846855499431c46abac6

SHA256
1bb3ca5e38c700210c7a2300a851f4c4273dc58890cd8d6e2215317a36c91169

SHA512
fd6a682ada3df51fb1332d375800e125de67ecc6aa2373d31b4e26a720a3ff182fd87edda3e401cf7ac3d6f49eee9fe021a605f9b5ffbcb4e0e270e34b015249

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
128KB

MD5
dcb1a50a609fb1c3c26ad181cda7dad6

SHA1
dbf03134df0aee90c267d723c28af2977b495e9f

SHA256
1e3e4593e0e132eb9876765e8ad8bce193a25ebbd3ad4e180c9d52bd4317f5c4

SHA512
c6c3f98824d8e5870df3264a01c286cc4453cff8b5d35432908d2e7ae12c43ab39dcd9650e6dccd48cacb25392cfc33ed677ddc17e9b515351182f6ad3ae7a3b

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
128KB

MD5
8f7086d12845eae879499ee5eab67d0f

SHA1
aff38d72cf101ad2cf2cbd3af03e2bd8bdf7e87e

SHA256
68fee593e082d316532d100d41a740c586b23aa13250f49a768f26353863ad7f

SHA512
aad0b5cd87efe2b37e7711c78401f2fb613bf6a24afc82c6d1079e7da345ba0dc597ec75d0129f2e7eae4cd43b6080cd22a86f195d85bb52dce1e112526e2b42

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
128KB

MD5
b6bf6b346bef227b692ee903b29485dc

SHA1
e5e4a0538015b7f2dc72f04fc05d73b0e8610d9b

SHA256
13a6aa9b8561ae72c84aed71d96e23607108f8d6d3f141ac68bcb2125df9f327

SHA512
c0ed18dedca5dbd298650d0a00be6084c191eb7b60a59a78e02d55c99f0e64f1d56cb6d9d06c59e56dce9ba9f1bc2a4d7a9f2baaa613314d987cadb1cb0b5ae8

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
128KB

MD5
ea4b0087bdedc343c11fb01e912ce039

SHA1
d63e82c1ccd6fa051ace16a691639a2b80688009

SHA256
0b41ed6efc1eeb802462a5d8fb1fa3e0cadb0863f241068cb4974981f0182044

SHA512
54b8e28b14d78a3bfa5474efebe46a015c6e3d1a2fa4390bd43f19685d7e089f231ad79a143bbdf5928fcf9e2c946890e500eff4a8f3948053d31364dcd08750

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
128KB

MD5
46b87ac364d334b6a1c01b7bf88af989

SHA1
a247a02ec0da21eabf27aa45e8fa4f31af78a3ec

SHA256
49db094562ae19ce34ee574be764df3c11f8b1b922fdc4c811d16182e773c06f

SHA512
482d9f24574d5eb5feb370143bb27fc4faba05cb82d5f07e857e210e62a53ec3019eeabfb66981eb78a03b29ea8dfc51bb2e34cc54976ed5308b32fe6695522d

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
128KB

MD5
6076376d46d434f9dd61863694817585

SHA1
c413ec45c12d468ccd3fd7bcda7e973e6b6de9b9

SHA256
d7de338ff39588cfc443c91d3c64bb7f5d7e98ee7d5a586740f32214daec8c58

SHA512
b2abdd4e9c44628a24eed01c088ed52484918d91d6ca80b607e582888a673a40fcf2da709aa4e1f3de707f5c8607305bf1bf1879b25666f34930d7d2d3695201

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
128KB

MD5
966cf7a72b33b1f5b0379b4b8881a5be

SHA1
ad18c86101011a4e75a9d3e19a415bb2b8585673

SHA256
735fdebe3089f1233ab71db8d3eef8eb746a498f99b540efbe50ae745ace3afb

SHA512
af4ca7f4e67e94af1c5ee402dbe64d77fe6cea11798ea9d91e1d502ead70411cee007c1622981be1a5307f8015d06c9be84987a971da0c43ad999c3ff1ce8b13

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
128KB

MD5
32ae399001dbd3be88844a77bd338f4b

SHA1
4bbe1cbe47ff6223a42bf0b3f668084fdb07ec47

SHA256
aeb4dad997e4f6fc7627a3ddea175b3dee728a34f8114d6ec31b28ea1a0fdf88

SHA512
c19b4cbe47862fdb735e9e3a01a93999a4921122cfc5bae3211e59ce32fdada479b744bf418b4de8d3c4d06e6d643a71dee1cff9d830554a518e63f25165bc6c

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
128KB

MD5
cc42554c1ad11dbc831d3504d6ab6e72

SHA1
3ae3d8ec084094df10c6ba7071e0ad5d25f90669

SHA256
a360e34c214236caafd33e54b1401159536cb41d7f025bbbc3bb2a2e9650dc81

SHA512
28334e9eb4aae110205b306795712f2e5f7f9c3ddbbb7199d7a79fd1bf0f5ce23e393619e895ea26068223f81fa830aaf323513139a74122165dc105aec16269

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
128KB

MD5
98d15bd4d7eb1de1a04868fd29abff5e

SHA1
83c61d6de23fcc04c137e98166c4b84822a6d543

SHA256
6e33d5bd8555ed2c1b688a4d9de2236d0517157319db942be9175a1bc1078fc6

SHA512
725306a051dd82d09c0ac2c01087b16357e039421612629e5676ea889dd59306b688a444ca76f4a6232943766b314657e31d936e90889982809cfb698c61fa37

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
128KB

MD5
7389cb79228d220f46232d3169b0999d

SHA1
deadac63318006c2ac6939d05c743b45b41b19f8

SHA256
dc27762be27f0119417de41c834355b4f0ed7ca0e1bfa9d1e02a1ce1bbb84244

SHA512
294e524093178560d282138f9bf94370b29afcc8738c83318f03886c0a523035095e452b4e252d4be557ec7ab002eac411f33c0ce97b8e699163e9f341409c29

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
128KB

MD5
a6623b0f1b51e272461c032cd392e306

SHA1
97b9fb53ff2c5b559222a4b3d8a4d73bf9585708

SHA256
5501d3ece762bdbee6d79b2d9ae5559ee6282527cde25a045b5ac9a3ce959d6a

SHA512
a78ec34dfc1c52162e0bb338757a6e66eea0771c25f9cd50cc5c5710662e5003f640c606ddee82f72a8bf1ddc3703d5da04f82cfd830ae2b0b0a77a20846ae65

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
128KB

MD5
f6b8cc8d80f930d512703fcad8674bd9

SHA1
c98eafb7b73a1eca4610b38661cdb68d1866939c

SHA256
3d92a0fa40b642e03855fde4c0309da8c110dec39f532ee7a393f1a92587cc20

SHA512
ed16de3cfefa171299af374629449f1b81a4b17aeeaff606815ed22da31391a779d71ef2545d27f444191cca6251be06ed7cec4096124c7779219c500df05996

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
128KB

MD5
b93bef528669b1c072ce2d88d9c141de

SHA1
80adb5acbe10c6fc98705c6ba1170d3706a9b353

SHA256
7d94a9283d3ef5b5028f951d5dbb1dfae858d7829d342a177c8b16895c5743e6

SHA512
bf48716923bbbad4c4aac6ffe3788e7497accb90abc8f89ba1b48a8a4b183014352b5aeb952b014aaf5c9c623ad167261e08fe9f8b215f53779136759f14528a

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
128KB

MD5
894e26e3117b01dc4099d25002e6892a

SHA1
37e7fd41ff424bcc6dd3699a6f7198a4fd86afe2

SHA256
9bbee166005528a3abbfeec60190a9519b0a9b144be7fb7e30fe1d9b406a8838

SHA512
0d23b51e65aacc6de45d3c40505c7a4f5de225d8b04ce3b5e871774c5315e41cbd581d980a9b1812c9a3a881c42f1d3ca2835a4448f4e787e3ffc0ce85b755bb

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
128KB

MD5
00e3e1d02867af95a8c91f523877bd74

SHA1
c6431e04dec6a580678d74dfc0f6e596cf6bdb13

SHA256
df52ad39fc12983438f853d33943fba4356da569d9f7f48d93a31537996616ec

SHA512
5bc9ee5056c59c0ae9859c6d90dfeccbfdec5946348c565776f4c471dc66ef0fdafe86eda6e85bb3e2c3aad8e49757ea88b464c6005f852e76e4d3605621aca1

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
128KB

MD5
2aa7ccefcbe610911bb51b4a683c334f

SHA1
5ea37b786bbc57eaf96792e84fcdc1a0a8bde2ac

SHA256
43a6055abf82d7da428c1a11433856b59e2ed95209758af6e68f5c3c901a5dd8

SHA512
03f76a2c1c8b0c878729f08f4ce7be4c0970a3ffcc77b4b7abba764876d2e25c482ac4da133b0519cb95cdddffcd32fa7adb70ac0f0569f78ad62d5c567b8750

Download Submit
C:\Windows\SysWOW64\Pkbjnl32.dll

Filesize
7KB

MD5
cd77b228f8f0ce9df53e56f22b81caef

SHA1
8a5fbeaa3569307ec13fae8009f9db0fe235d37f

SHA256
4c66ceac942a361f77654a6c42e8ad8eae4ee37bd07251e8fd58e5ec67957378

SHA512
20e4a07e68686e097148feaff4346e885e8d7321757f48780111d81fd0d14c03f3eac4ead49c03b6645117b5d11d0d2a89e283b7114b83bc0fce91058a2e259e

Download Submit
memory/8-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/448-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/528-550-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/556-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/624-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/696-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/740-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/860-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/920-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/964-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1028-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1220-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1252-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1300-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1444-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1456-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1540-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1664-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1664-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1964-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2004-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2032-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2108-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-386-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-531-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2380-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-58-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-501-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2532-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2928-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3252-568-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3272-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-483-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3660-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3732-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3732-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3744-511-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3784-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-561-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3944-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4176-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4348-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4380-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-505-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-575-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-557-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-589-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5092-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5112-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads