2798329be06c67369f266a252ce738778d6efbbe1124b589bdec3d37ec003ae1

Analysis

max time kernel
143s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36f93d568b042469ede03d4e7f3d7de0_NeikiAnalytics.exe
Size

128KB
MD5

36f93d568b042469ede03d4e7f3d7de0
SHA1

0c171a248148bd333deb906c443f3a12844894fb
SHA256

2798329be06c67369f266a252ce738778d6efbbe1124b589bdec3d37ec003ae1
SHA512

d97a2ef5e12ab94aa96af58062de599e142f1b4d313cbcef0b40a74523521661e5ebcc2159ba7f6f682abb81502f8a2f8ae5330ce6443d041a5b706dbca75fd7
SSDEEP

3072:bVykq1oh/gon+4DrFDHZtOgxBOXXwwfBoD6N3h8N5Gg:bckquh/g4+w5tTDUZNSN57

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	36f93d568b042469ede03d4e7f3d7de0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe

Executes dropped EXE 64 IoCs

pid	Process
448	Hboagf32.exe
3140	Hmdedo32.exe
3368	Hpbaqj32.exe
3596	Hjhfnccl.exe
4616	Hmfbjnbp.exe
464	Hcqjfh32.exe
3116	Hbckbepg.exe
3100	Hpgkkioa.exe
1028	Hjmoibog.exe
892	Haggelfd.exe
3576	Hbhdmd32.exe
2368	Hjolnb32.exe
3676	Ipldfi32.exe
4180	Iffmccbi.exe
2540	Iidipnal.exe
2360	Icjmmg32.exe
4456	Ifhiib32.exe
876	Imbaemhc.exe
3220	Ipqnahgf.exe
2460	Ifjfnb32.exe
2116	Iiibkn32.exe
3084	Idofhfmm.exe
1320	Ibagcc32.exe
1912	Iikopmkd.exe
3520	Imihfl32.exe
1504	Jaedgjjd.exe
2164	Jbfpobpb.exe
1716	Jjmhppqd.exe
3032	Jagqlj32.exe
2412	Jfdida32.exe
2124	Jaimbj32.exe
5108	Jbkjjblm.exe
3980	Jfffjqdf.exe
2324	Jpojcf32.exe
4732	Jbmfoa32.exe
5040	Jigollag.exe
2968	Jangmibi.exe
2296	Jdmcidam.exe
1044	Jfkoeppq.exe
4544	Jkfkfohj.exe
2952	Kmegbjgn.exe
2956	Kpccnefa.exe
5000	Kgmlkp32.exe
3056	Kilhgk32.exe
4832	Kdaldd32.exe
1644	Kgphpo32.exe
2352	Kaemnhla.exe
3192	Kbfiep32.exe
4036	Kknafn32.exe
5092	Kmlnbi32.exe
228	Kpjjod32.exe
4904	Kgdbkohf.exe
3188	Kibnhjgj.exe
1728	Kpmfddnf.exe
3380	Kckbqpnj.exe
4404	Kkbkamnl.exe
756	Lalcng32.exe
4820	Lpocjdld.exe
1928	Lcmofolg.exe
4988	Lkdggmlj.exe
692	Lmccchkn.exe
3868	Lpappc32.exe
2908	Lkgdml32.exe
704	Lnepih32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	36f93d568b042469ede03d4e7f3d7de0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5520	5316	WerFault.exe	199

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	36f93d568b042469ede03d4e7f3d7de0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbccoaj.dll"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	36f93d568b042469ede03d4e7f3d7de0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 448	3588	36f93d568b042469ede03d4e7f3d7de0_NeikiAnalytics.exe	82
PID 3588 wrote to memory of 448	3588	36f93d568b042469ede03d4e7f3d7de0_NeikiAnalytics.exe	82
PID 3588 wrote to memory of 448	3588	36f93d568b042469ede03d4e7f3d7de0_NeikiAnalytics.exe	82
PID 448 wrote to memory of 3140	448	Hboagf32.exe	83
PID 448 wrote to memory of 3140	448	Hboagf32.exe	83
PID 448 wrote to memory of 3140	448	Hboagf32.exe	83
PID 3140 wrote to memory of 3368	3140	Hmdedo32.exe	84
PID 3140 wrote to memory of 3368	3140	Hmdedo32.exe	84
PID 3140 wrote to memory of 3368	3140	Hmdedo32.exe	84
PID 3368 wrote to memory of 3596	3368	Hpbaqj32.exe	85
PID 3368 wrote to memory of 3596	3368	Hpbaqj32.exe	85
PID 3368 wrote to memory of 3596	3368	Hpbaqj32.exe	85
PID 3596 wrote to memory of 4616	3596	Hjhfnccl.exe	86
PID 3596 wrote to memory of 4616	3596	Hjhfnccl.exe	86
PID 3596 wrote to memory of 4616	3596	Hjhfnccl.exe	86
PID 4616 wrote to memory of 464	4616	Hmfbjnbp.exe	87
PID 4616 wrote to memory of 464	4616	Hmfbjnbp.exe	87
PID 4616 wrote to memory of 464	4616	Hmfbjnbp.exe	87
PID 464 wrote to memory of 3116	464	Hcqjfh32.exe	88
PID 464 wrote to memory of 3116	464	Hcqjfh32.exe	88
PID 464 wrote to memory of 3116	464	Hcqjfh32.exe	88
PID 3116 wrote to memory of 3100	3116	Hbckbepg.exe	89
PID 3116 wrote to memory of 3100	3116	Hbckbepg.exe	89
PID 3116 wrote to memory of 3100	3116	Hbckbepg.exe	89
PID 3100 wrote to memory of 1028	3100	Hpgkkioa.exe	90
PID 3100 wrote to memory of 1028	3100	Hpgkkioa.exe	90
PID 3100 wrote to memory of 1028	3100	Hpgkkioa.exe	90
PID 1028 wrote to memory of 892	1028	Hjmoibog.exe	92
PID 1028 wrote to memory of 892	1028	Hjmoibog.exe	92
PID 1028 wrote to memory of 892	1028	Hjmoibog.exe	92
PID 892 wrote to memory of 3576	892	Haggelfd.exe	93
PID 892 wrote to memory of 3576	892	Haggelfd.exe	93
PID 892 wrote to memory of 3576	892	Haggelfd.exe	93
PID 3576 wrote to memory of 2368	3576	Hbhdmd32.exe	94
PID 3576 wrote to memory of 2368	3576	Hbhdmd32.exe	94
PID 3576 wrote to memory of 2368	3576	Hbhdmd32.exe	94
PID 2368 wrote to memory of 3676	2368	Hjolnb32.exe	95
PID 2368 wrote to memory of 3676	2368	Hjolnb32.exe	95
PID 2368 wrote to memory of 3676	2368	Hjolnb32.exe	95
PID 3676 wrote to memory of 4180	3676	Ipldfi32.exe	96
PID 3676 wrote to memory of 4180	3676	Ipldfi32.exe	96
PID 3676 wrote to memory of 4180	3676	Ipldfi32.exe	96
PID 4180 wrote to memory of 2540	4180	Iffmccbi.exe	97
PID 4180 wrote to memory of 2540	4180	Iffmccbi.exe	97
PID 4180 wrote to memory of 2540	4180	Iffmccbi.exe	97
PID 2540 wrote to memory of 2360	2540	Iidipnal.exe	98
PID 2540 wrote to memory of 2360	2540	Iidipnal.exe	98
PID 2540 wrote to memory of 2360	2540	Iidipnal.exe	98
PID 2360 wrote to memory of 4456	2360	Icjmmg32.exe	100
PID 2360 wrote to memory of 4456	2360	Icjmmg32.exe	100
PID 2360 wrote to memory of 4456	2360	Icjmmg32.exe	100
PID 4456 wrote to memory of 876	4456	Ifhiib32.exe	101
PID 4456 wrote to memory of 876	4456	Ifhiib32.exe	101
PID 4456 wrote to memory of 876	4456	Ifhiib32.exe	101
PID 876 wrote to memory of 3220	876	Imbaemhc.exe	102
PID 876 wrote to memory of 3220	876	Imbaemhc.exe	102
PID 876 wrote to memory of 3220	876	Imbaemhc.exe	102
PID 3220 wrote to memory of 2460	3220	Ipqnahgf.exe	103
PID 3220 wrote to memory of 2460	3220	Ipqnahgf.exe	103
PID 3220 wrote to memory of 2460	3220	Ipqnahgf.exe	103
PID 2460 wrote to memory of 2116	2460	Ifjfnb32.exe	104
PID 2460 wrote to memory of 2116	2460	Ifjfnb32.exe	104
PID 2460 wrote to memory of 2116	2460	Ifjfnb32.exe	104
PID 2116 wrote to memory of 3084	2116	Iiibkn32.exe	105

C:\Users\Admin\AppData\Local\Temp\36f93d568b042469ede03d4e7f3d7de0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\36f93d568b042469ede03d4e7f3d7de0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\SysWOW64\Hboagf32.exe
  C:\Windows\system32\Hboagf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\SysWOW64\Hmdedo32.exe
    C:\Windows\system32\Hmdedo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\SysWOW64\Hpbaqj32.exe
      C:\Windows\system32\Hpbaqj32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3368
    - - C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3596
      - C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        25⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        26⤵
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        38⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        50⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        56⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3868
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1800
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        69⤵
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        70⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        73⤵
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4992
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3732
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        79⤵
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        80⤵
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        82⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        84⤵
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2140
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        95⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5460
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        102⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        103⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        105⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        110⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        111⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 400
        112⤵
        Program crash
        
        PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5316 -ip 5316
1⤵
PID:5452

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haggelfd.exe

Filesize
128KB

MD5
19a7dfb43d140686d134101fc8161ada

SHA1
6fde375a1c3319a51a5a71571174734781b998d4

SHA256
cb95be288318c6ac25150cc4823862bd3d63134dbb47bfbd7ca19eba1c384ff6

SHA512
db12c124b1e8d2cd762e5b04b19fc935b01952ac5263a7bb6deff413212bcc150889cd690cbec6842713af100fe4b6b692800f60f0e863299f9cb814407b0898

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
128KB

MD5
3a8fc4ff5676958fb0da7fe5ae4775bf

SHA1
d963db82d07410d916bfa456621ceb917ccd4923

SHA256
836ce5900e03e398f45180bb8ab8b9d5f00eb9b630dd9d7cfd7e08879a6a3071

SHA512
0a78237c16d175d7716c83f23ee876f01030cf232dbf4d3eeacc6bbaacde39ad6e3c1554ffa83452713205ea023c2d487bb2acb3b076b97e7d54b346f7951e1b

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
128KB

MD5
e6678923dbc405b1149997b67bd98aad

SHA1
07971df8ab675342855417cb327264044c924d5d

SHA256
0612c80a6e60a2b7058ed269475154a3db2c9be55852b6c2cfe584510d23df98

SHA512
16f17ba9b8db74cb0fd38cd54b5ec74c023ac304dedda72e6666c9052fa8f5ec862d4d08c987bfe2628355d2f26521ba5e80c447b2b8c15d9393b18466b4253e

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
128KB

MD5
b2491e2092fbf1c774eb207f94931112

SHA1
9f9c14af5e8901c87bc507a30d7d972934bae2e6

SHA256
172842624e5db8cf54a149a46ef12231e9c1ffe17b126b3dfb4aec3d737d6f7a

SHA512
da7427d032f835373a2a9dcc0be7cb5933d0cb96a8e43dc99e4dcc26768701d20e6fd5a1187292f68827936d921d1c6ea4a13ad6ae4569205fa1ee7f75518f3d

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
128KB

MD5
913bbffde65f64e1abea7073c6994cd2

SHA1
3b70a1e71db3a7d4468cf2b786230a2ce6957e24

SHA256
95941617acf9c18a9142ca66f02aeab1f678bd945b67d6bd781d0968b331a61a

SHA512
873b230f4471112eed942d54bde5dfd2361fd031b5d0ce654d06700cad89fdd181d53fbe0fd67ac3ed85f4dbe65b73a355eeed46d36042bf1ca2dd718bcbc6d4

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
128KB

MD5
7903550e9dfded506e5b004f6e297602

SHA1
daf2de69a57446a7c0c7ac2982eec0fc39dbf75c

SHA256
bc7626a4fbc8c8ced08dc0da301a5ab8642700434b0a6c5b86251bf737f73d6a

SHA512
327d08a21728bb9c6ee2023e961deb87a214fdcb1d927fa1490a213cfadb5c6032f4e8f20444c7de5f7686bf4329ed066e8cf730bb81069b71289b137bee1592

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
128KB

MD5
0cb62b82b8ec6f384f683c2966f9ddeb

SHA1
1fe9dd40ae0b030537897d5a8dc27124a6897c5c

SHA256
562e2d9b3b9d572593a3aac89681b4aba2b0105329124d3f2edce5be388fe9c9

SHA512
ece244d9bee445bc5215b3786208645a7a0b2f1acff615bcc43ca43ddc83c032ec1f9da39d3d48b0ccc4d39ea653eab185e152d971fcd871ef8ce92525f28056

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
128KB

MD5
401825eb4718cfa8c36da477661973d9

SHA1
c50e04a94ebfe8a62c5bc94c631fcf97550ba898

SHA256
67eb28dcb7a1b74fbb728d46317166b59c901ebb7a8a4e6a94a0237cc4e817be

SHA512
483daf936e80b343cc999d74ccabc42c020a6819686d788ee8cbf252acc8aeda88c23e126d70054db4dd4622a06ab1d64e85431237c08b5363b77f4f7c5d3fd3

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
128KB

MD5
679024b6274c5c3ae78fea257eaef296

SHA1
4fedc59e431890ae28a3a3ffac0e0b5cdb80d19c

SHA256
c34c08b6eb5817b0756e31a0712994c9753f5ae2ccd9f51fb2c438190d2d977f

SHA512
cec5e2efad4b050761650d9ef84776acf20876e60d25e747e17345e3f60876ffbdd089907820b7f40ae2d0b143d615d268c46a2101bed5058dc668f2cec9ba09

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
128KB

MD5
fd6ca66e9d906021d8be881099571d27

SHA1
c19a5edfcbf34a8ccc469e3c1b6ce68d7653e9de

SHA256
8cab8a6c0ce73032cf21543562a89242590f4b1c2f10b233e6a3a01f7d82483a

SHA512
20e42512ef4057eb18edfa4e349d22d278a28d4c8a8b773b82ce1b5f0c7a817ea8e00a51eb1c79f82fee2a1ac8dfa55d68c9e0ba7e78d84ef176a85f902c45bd

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
128KB

MD5
eb44813ffbc999e6cbb53381b067e9d8

SHA1
d1294807b2f045aea3b195d4b0078e5474b1f296

SHA256
f8b9c6b51d47dc84d9ee8ffc5c62e91d48b0595beeddbc62ad4292b8d4d49949

SHA512
c2be25a266b480b8dc3436c4b9ef49107fe2b0db6f50bf736df910d8eafac5fc9ad640a5f3bfdabdb42079466ded58addcbfef9e482260f10bfc41dda44306d0

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
128KB

MD5
2414d35dbfffa8ba602d331958226c40

SHA1
69d8dd474a327f58d5d86c5e50ad08a0274d3fa3

SHA256
940eae0179607a09026af2107378ba681fffbc024444f5e3658e2fc3478cea56

SHA512
f44cb333389c410bd78e1c06192ebdbb463928d5f403a2b914b1634920b355697fe7a738a9bb35841c9ca901f82c970953337acc1cb985f85923d89c59cf08a2

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
128KB

MD5
3ef0666354574c2f0182e315a1dabbc6

SHA1
93f5d37124dff4d4d87b96beedb97b8bf026f0b0

SHA256
9fdc9629230577617a570475dee083f4a654a43e192da4d60fd98b207a482f12

SHA512
0dcc16b4c72ae2427f180025064eec55f710d264c61f367f15baeaba0edd2ed11136abc2180be100bacb5bf3682100129523d74e34f3c62ee64b585a0482ec20

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
128KB

MD5
d03e70deb41bdf6f332342b65788c23d

SHA1
e72308414b336fde240b3cdd0c685924a1d91482

SHA256
f813f1261e32937213b741447754b47aebab3a4800a671541ef875086c7dc743

SHA512
0c9646742557b2eaa407334eb0a06411d54a944a81a8b37d14e67faa02c33f8583e01353b21728d6d1c9ce5365d036639566e38745cd134183b975c11db0b57d

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
128KB

MD5
692398e18bff7c74fd7593caccffed48

SHA1
f8aae58efd790d81f3e325c2b2aaaf9682fb3913

SHA256
ec6a66f21ff5f7165ed08a4406cecbd4168b2fe74c22127bf7f6765a27d35479

SHA512
c900f4e37f7da3839021aef1af7242f805030730fe6f3bd0f91793628bb36488b58a57ae2f76ff84ae18d22a57df2dac7956243038817b272597fce7b7ba1db0

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
128KB

MD5
875866927988d98b8fd02f07dfaab137

SHA1
0aa02a55b26846b46e4af29ce5fe9dd4e099ef73

SHA256
4ba6666ee2876d273b6b4ed05fea38780d02eb49848a5cdc7ed5822a0c571878

SHA512
8c420ad100ba384029f04dd5ea9065873a705ed0b3c9630a3cb3a6e434486f5f11fd5c0551f2912073503ac9730ab3cb519f7d1a890bdb7fbc38d919dddddf17

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
128KB

MD5
6df628f4be5b6617ad4eb747e5e107ad

SHA1
d75dfa4b0a0f88630dad4c9859d10622948cff05

SHA256
4c45858e634204a18f11696cf7500d30126991ae127567f2b18be799bbee540a

SHA512
7e698c570049933ecfcd1a97be62d84b706ff7b838ef8baf6c35e3abadfa6062f58b3a500705207e716365a917fe2964548e27398155803c81103a7831ccfe05

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
128KB

MD5
d00a9246f38234511f776f194a03395b

SHA1
d2bb094389950182573a50ed3b6ac0aa43b7afaa

SHA256
0ffc83d9b5fca58271923ad61c29cef867757c394ee55d512633cf14f53442a1

SHA512
6fce1fe4a43460522b7072876f76c5ba25522acdc06ae4aebebeb15713ee430c0777cda1efe326ec1998e3f08c30f1d06bd66c2686416e02610c8d4f68d39b99

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
128KB

MD5
5743ecad0faa8cede89fba2a768f6ad0

SHA1
2133cc07d0651ea676ada607b30834fbcb07c9ce

SHA256
f209cd8ae888262b76c0c41c8cbc22bf48e5e96ce8bf4eebda104b307c30ebbd

SHA512
0a4f46713419be10622ba91252b0a052222cfaaed3adee872152749a7461c80ee6f60f3215a55a686c79324cc041844e1fbcdfa02317953cdd1654a4ba2cea3c

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
128KB

MD5
226b8b23a43f0af928c6511f8ee8c0df

SHA1
4eb08bdc990d3c764ef7eb2ebe343431232c44fa

SHA256
0afa8923e24a8030fce33893abfd76d863504f2a55a82313848a0fe68e204254

SHA512
c04922bca434e9093787c5b538efc9b0332e2101668212cb3a6ba3eefeca9957215c32c96cce40069fd0694a31395b46ce64c768812659827e9c8187281586cb

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
128KB

MD5
f1b5c7a74b5aa6810271474aacd50d09

SHA1
83c343fa3383fe9e19331c47181c2796a1f90195

SHA256
936fef43b0b8e078fb3668e5964d7108fd6cf54f4d6154b8196c604bb2824a2d

SHA512
055036139ded6692941860d35fd01b8a17fc1b29ecba328a26767fe93a40d372ca65dc3e874f13e2fe46375a2b7e0ea43f69e14919175716c48917847e42d394

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
128KB

MD5
4ac0dc4f2e389f30a17af256955dc26b

SHA1
da1dc0f8670747604a8f92c768f063fa0a1e89c1

SHA256
5a0fc2be8d00266197e58cdb4064eb0a1e08dcda095369d6a155754653cdd9a5

SHA512
096f7f503b5fc6e4d5f152835cda6ea53ec28e4d0277e3eca43af2a4188f3a626cefa36a4e1994cf54e4bb0a35755bca13f03145d4b81b0c99a93d891d0df256

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
128KB

MD5
5934fbb4bc0e83e16baa3f4bfd8c4a5c

SHA1
6988a506f32c5048c2e9714c3edcdb967e7e5ede

SHA256
007643aeede3c6d7b7510c6ed24ba7f98427b25f87a4327be1b4205b1f001021

SHA512
617936bee22e0031d453136ee226dc49b03ca92c9e6685217356cc91446d9903157317478d720e85d10ffee6f7ff2f2338fbba0c7018aeff090ddb1fdd993010

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
128KB

MD5
8fadeaafeeb4e515abc866af9632f266

SHA1
cd637659e026a71e46ad234612e7d12e1376d5cb

SHA256
f5167dcb7c9484bff97fa7a1c72765cab549cea4ddec973741ef657106a28187

SHA512
0301724d0d1571eb56f8a44bb767b060dfde790c25387c735607a642615d65b21deb0626bd5284cb327cc046d88669d0a36b210537303c0037110c24027ad6ec

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
128KB

MD5
650f8ca23ba2ee446b7e89395a6eb395

SHA1
81850a0d0266624cde6bdeed2edacec33dec9a97

SHA256
1f8903ce9e5102a6a37945712afb13730a211df101e8463f5d45d564619cf3ae

SHA512
bdb2f612db953e7debbe89bdb522770d6ac97c954226641c49a4f2d596e435e96b4c4b92084d759c8d1dc36b232ee4828c823348c0631ed98bb872500ce59f02

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
128KB

MD5
a04c69627f315febb7f565c8148f68ac

SHA1
ac7c28288c3f507dca2abab39a32a51eec3b0479

SHA256
249d91bb7f8bdaa94e0cfac0c0602fccb29c939d07fec0556d8e1b72411bf04f

SHA512
44c2ecd74131f7638719be9cf5acd15a9f2f8fe55898d2e0c301f6ced1ca8dd982a1143cb9cf2106f5b08f8ef0032d89b21428d280c6fa56659a14117586ad35

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
128KB

MD5
31152cde5ed4e26e4f5404673f4f98da

SHA1
7a0982364d8b86d807d63e21e3bf9a08b4c39502

SHA256
da6b82940137cbded372d5d9c48ea9e2409bfa05568df7e9cca133320400b020

SHA512
fb75739992ac41070f3634545542ac8b59094bd7759ab09c36aceca6af6d552b0a81d14a35d425da391013715c7ec7027ec28014c6f3db86a0a566148e0e9d96

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
128KB

MD5
ae462e7cd60cc8da9b4f4931c091f821

SHA1
05b444e4e5996b961544a9103650bc7773676cf9

SHA256
9179bf09faba4ff4bdaf556c491689548367b01b7fa1055346b1eea8a547ca26

SHA512
85d820e5cda74269db27cf04eb62a6e5c8f9ef2d66ab923368c0f5fd3d20a3545a94de563a98d84e928ccfd8c7af0c9ced1e9f2a5f855efaa695ecff38ae4735

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
128KB

MD5
ae0bbd5ab0cc8934d092060590da89e1

SHA1
833ef53c4849c8e75a4ddf1d2a76fa0b658aff1c

SHA256
29cbea9407b13b2bd47ea81d81e5a432fdebafd012115de722b5379237642cdf

SHA512
3be2bd9694556c0233d49dac47c58e41dce2f1b28040f74e1fa91c0fe61e6792b7d1ac1618d6d3d38570c6fcda35d3ed40f486b5d041d23e1c6fd2bcf7c02cf2

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
128KB

MD5
215cca355a72ab85cc07f9091c2e9428

SHA1
9bc73591b36e4974117e754018dad8088a6f7ccb

SHA256
79edd475c8f521db38832ae22e45f002670690081e48058d1e53f3f966c8bccd

SHA512
c654b944cb44d7d48ba5791715b4858aea4b789f202f841b666f708369a1d42233752ddd07800d518a584de1c0058148399ca9fa97547529f329b491616b48e0

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
128KB

MD5
f70ea9ba491df981acb772b697e07ffa

SHA1
921ed4c6ae7ff675878bdd67bc7ee73186d3f9f7

SHA256
a06e081b2adbb2f1b95c3e2eddd1193a5d1534611dafef283561bc4c5aa28796

SHA512
16c470f58ffbf0d3af3d432553e8704a74e43792d9aec8d7bded4685a2d8ce57f82ad15f5bf9b1bf3d030afd609efdc7a2923b690c8bd8f64846f01e3f28d793

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
128KB

MD5
9c1726d2d4035c99dc0d3de31dc75863

SHA1
49e9dbc27cb86ecd4e4a9ea0d40295672343fe41

SHA256
2580a3dc3e4cf7751989845954b8c7099e6a269cd3dded74c4176ae2eac15dba

SHA512
52a258cc6aa44294235f1d1dc85ee9c05511846a7787c1758a1b4a7067a0f917372855ba5f1051324194762b09b3310b271608882f424604355a3368a5c05ae8

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
128KB

MD5
e59a0e80e61457ceb7a7fd81ffbe2c19

SHA1
3e7f3b5d38cd4c7c917952991da1cba9078b4475

SHA256
ac2bb8727be9d2586b370b24a89a9d7e5e89aad011b10d0e21d4af1db8b9be6d

SHA512
05e8a4467bf75e7cc6618a2cf823083cfec2431a648d2a3f33d2c9702fed2ae3da2094f70590022e3d42adf399898ffbf28ac7ca8e3dc8ee5e0b5e3a56128e61

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
128KB

MD5
b23243f4cd9d4d79d242be7f28d31dc5

SHA1
d01851f4b2c46a96d982e827ff0cc22757961c4d

SHA256
68800ed950be68b5f2ca2b7ef7bd10f6c77ce43d3508ef8f063a5a3056dc2882

SHA512
5b8ffb13de0005b0dac2eb771ae6e36ad61a0f5635e0308b0a15e173a0d405a2d766bc50fdf2424af6093267b7fbd00485fbbd158b0240399e7457dbd11437e5

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
128KB

MD5
d8e8778032a2b5c7546783980922db5a

SHA1
6bf8255e474d61a6a26b2e24c0d3ad78d0ea9408

SHA256
e8c4cfc5d9b29e1e6ce0f19245b3f3aee242c312adaf7f24f26599dbfd6b5fe8

SHA512
fb69a0dd1dcdf9e1a958219f16b687cfc5a556f7155f31b1eaf2b9a5d520a57962a1def1907f097bd589da71e0a10aa67fba1ae4b214b7d9b749063596cf9352

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
128KB

MD5
4d8549bf2051d7b9be703703e6eaf89b

SHA1
67d52416ff344bd52e76eb100fa7454bb63ec849

SHA256
d18cff53e716f20be1c3c06510ca03fbd7c15ea355daef0b46299cc7117b0451

SHA512
cc5d1ffedebcd2863815b217b0bb842c2fcbc82e43af798d54735bdc94b9e85841bd7c75269d4b8d3441e78a1f093de7e9c841691b941cc3685d3d15714d2f03

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
128KB

MD5
c48378f6e5aef8669e5705829216237e

SHA1
433d305488cb0ba273c0343f800a1ba3343d9f47

SHA256
66dec7045cc2a3a083990b4c491407f412e5df6d5657fd046cb35440745d63c8

SHA512
1dcf7958d5c90403d2fba817a3201a18de908935b7a5469a3f03f1535e892d0c25fdd55ef34a2248b3a208743311344aea8a839852eea6519abf2b2d9f8e3079

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
128KB

MD5
fe13943a4a63057fad35afb23121045c

SHA1
ea83e0a23dc2c02e44d5141a4628049f0dc5b3aa

SHA256
a7d7c7e3158074fde3e08caff31f9962de382eee8a2b0f204c9d82f217ac6d1c

SHA512
2ab4335dd13be137f664c604b250ea17b085e2004b7af3db2f51c6a59876db281f5d82cb187587a3cc13693c5326012d9d64716069d44b031bd9389fdfd7d40c

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
128KB

MD5
d51bad9034d8fdb1edf33feeb9f167b3

SHA1
a3b4807b63c68142daa2f0582316d2fbae9287bf

SHA256
2690e38c7a46239b2e5c75a83b8e05fa6c8c26063ed5fd270d19e656dfcc9f6a

SHA512
7bb1488f63efd3c8bdca5ad0e5fa4e60e048c11bdafcf236597bd3e3010a019846ea9aaa13a0ce4af97207ea91f3032cb728ff5ae48a2f3a9df862c1ba9cfb70

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
128KB

MD5
4e54d67bff2548bcdbfdc9784160eb1c

SHA1
3bbedb5e8962e61e0c120e6ca54ae5d4f2b1aa15

SHA256
e1e2f73a42ff3a174bfae52e0f32ea637b38dc0cbc234f5a8d25f9dd15e39b5f

SHA512
81b323f8153dffe3885787de8e07575a8c8d78ee6fed85baea769c6a9237e86fcf0e49d4fbd67e960edcb23f025c112ef0e645547ebd6af9f13c7181fb1edbec

Download Submit
memory/228-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-546-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-50-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-584-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/528-574-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/692-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/700-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/704-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/756-411-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/872-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/876-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/892-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/920-519-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1320-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1716-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1912-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2116-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-588-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-513-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2368-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2476-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-561-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-585-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3084-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3100-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3100-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3140-550-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3140-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3188-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3192-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3220-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3308-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3368-560-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3368-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3380-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3520-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3576-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3588-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3588-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3676-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3868-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3972-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4036-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4116-554-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4180-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4452-533-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4616-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4656-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4660-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4728-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4732-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4820-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5092-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5108-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-531-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5268-774-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5324-773-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads