4a4528f8e4e420c768e7d723aba313312ccf64f3299108868aa976264ea15b1b

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

889f0cdfcb92f42dc5ec3ed33848eec0_NeikiAnalytics.exe
Size

64KB
MD5

889f0cdfcb92f42dc5ec3ed33848eec0
SHA1

3cf6d6a915e00998b624e65a5648279052bb989c
SHA256

4a4528f8e4e420c768e7d723aba313312ccf64f3299108868aa976264ea15b1b
SHA512

eed17e6b0a819f9ae62f10858bfb5380eafaf2fd56eefe796748540840794e4641c5a20861b38fcd54d4d144ae6ccd60c21c18ee32bfb0675194d43b5be448c2
SSDEEP

1536:19Fd/E9s57LjuqJEm5IlqBbt4+UXruCHcpzt/Idn:/FEs57LjuYEmWqBbtNpFwn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	889f0cdfcb92f42dc5ec3ed33848eec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe

Executes dropped EXE 64 IoCs

pid	Process
508	Gameonno.exe
512	Hboagf32.exe
2504	Hjfihc32.exe
2216	Hmdedo32.exe
2652	Hcnnaikp.exe
3624	Hfljmdjc.exe
1728	Habnjm32.exe
220	Hpenfjad.exe
3904	Hjjbcbqj.exe
2892	Hadkpm32.exe
2072	Hccglh32.exe
1852	Hjmoibog.exe
4444	Haggelfd.exe
5052	Hcedaheh.exe
4480	Hibljoco.exe
4024	Ibjqcd32.exe
1860	Iidipnal.exe
4720	Icjmmg32.exe
1912	Iiffen32.exe
732	Ipqnahgf.exe
2596	Icljbg32.exe
3336	Ijfboafl.exe
4980	Iiibkn32.exe
3352	Ipckgh32.exe
3760	Ibagcc32.exe
536	Ijhodq32.exe
968	Imgkql32.exe
1080	Idacmfkj.exe
2592	Ijkljp32.exe
4904	Jdcpcf32.exe
4788	Jbfpobpb.exe
4316	Jjmhppqd.exe
3664	Jpjqhgol.exe
3764	Jjpeepnb.exe
444	Jmnaakne.exe
3964	Jaimbj32.exe
4924	Jbkjjblm.exe
3012	Jjbako32.exe
4396	Jaljgidl.exe
1768	Jdjfcecp.exe
1280	Jmbklj32.exe
4220	Jdmcidam.exe
3540	Jfkoeppq.exe
3756	Jiikak32.exe
3140	Kaqcbi32.exe
1516	Kpccnefa.exe
4032	Kgmlkp32.exe
4124	Kilhgk32.exe
4920	Kacphh32.exe
460	Kgphpo32.exe
3832	Kinemkko.exe
4792	Kphmie32.exe
4804	Kdcijcke.exe
1748	Kknafn32.exe
1640	Kmlnbi32.exe
2076	Kpjjod32.exe
2124	Kgdbkohf.exe
1412	Kibnhjgj.exe
1916	Kdhbec32.exe
1828	Kkbkamnl.exe
4616	Lmqgnhmp.exe
716	Lalcng32.exe
4928	Ldkojb32.exe
3340	Lgikfn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gkillp32.dll	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Icljbg32.exe	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Honckk32.dll	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Mgblmpji.dll	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5952	5868	WerFault.exe	199

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Gameonno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haggelfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 508	2204	889f0cdfcb92f42dc5ec3ed33848eec0_NeikiAnalytics.exe	81
PID 2204 wrote to memory of 508	2204	889f0cdfcb92f42dc5ec3ed33848eec0_NeikiAnalytics.exe	81
PID 2204 wrote to memory of 508	2204	889f0cdfcb92f42dc5ec3ed33848eec0_NeikiAnalytics.exe	81
PID 508 wrote to memory of 512	508	Gameonno.exe	82
PID 508 wrote to memory of 512	508	Gameonno.exe	82
PID 508 wrote to memory of 512	508	Gameonno.exe	82
PID 512 wrote to memory of 2504	512	Hboagf32.exe	83
PID 512 wrote to memory of 2504	512	Hboagf32.exe	83
PID 512 wrote to memory of 2504	512	Hboagf32.exe	83
PID 2504 wrote to memory of 2216	2504	Hjfihc32.exe	84
PID 2504 wrote to memory of 2216	2504	Hjfihc32.exe	84
PID 2504 wrote to memory of 2216	2504	Hjfihc32.exe	84
PID 2216 wrote to memory of 2652	2216	Hmdedo32.exe	85
PID 2216 wrote to memory of 2652	2216	Hmdedo32.exe	85
PID 2216 wrote to memory of 2652	2216	Hmdedo32.exe	85
PID 2652 wrote to memory of 3624	2652	Hcnnaikp.exe	86
PID 2652 wrote to memory of 3624	2652	Hcnnaikp.exe	86
PID 2652 wrote to memory of 3624	2652	Hcnnaikp.exe	86
PID 3624 wrote to memory of 1728	3624	Hfljmdjc.exe	87
PID 3624 wrote to memory of 1728	3624	Hfljmdjc.exe	87
PID 3624 wrote to memory of 1728	3624	Hfljmdjc.exe	87
PID 1728 wrote to memory of 220	1728	Habnjm32.exe	88
PID 1728 wrote to memory of 220	1728	Habnjm32.exe	88
PID 1728 wrote to memory of 220	1728	Habnjm32.exe	88
PID 220 wrote to memory of 3904	220	Hpenfjad.exe	89
PID 220 wrote to memory of 3904	220	Hpenfjad.exe	89
PID 220 wrote to memory of 3904	220	Hpenfjad.exe	89
PID 3904 wrote to memory of 2892	3904	Hjjbcbqj.exe	91
PID 3904 wrote to memory of 2892	3904	Hjjbcbqj.exe	91
PID 3904 wrote to memory of 2892	3904	Hjjbcbqj.exe	91
PID 2892 wrote to memory of 2072	2892	Hadkpm32.exe	92
PID 2892 wrote to memory of 2072	2892	Hadkpm32.exe	92
PID 2892 wrote to memory of 2072	2892	Hadkpm32.exe	92
PID 2072 wrote to memory of 1852	2072	Hccglh32.exe	93
PID 2072 wrote to memory of 1852	2072	Hccglh32.exe	93
PID 2072 wrote to memory of 1852	2072	Hccglh32.exe	93
PID 1852 wrote to memory of 4444	1852	Hjmoibog.exe	94
PID 1852 wrote to memory of 4444	1852	Hjmoibog.exe	94
PID 1852 wrote to memory of 4444	1852	Hjmoibog.exe	94
PID 4444 wrote to memory of 5052	4444	Haggelfd.exe	95
PID 4444 wrote to memory of 5052	4444	Haggelfd.exe	95
PID 4444 wrote to memory of 5052	4444	Haggelfd.exe	95
PID 5052 wrote to memory of 4480	5052	Hcedaheh.exe	96
PID 5052 wrote to memory of 4480	5052	Hcedaheh.exe	96
PID 5052 wrote to memory of 4480	5052	Hcedaheh.exe	96
PID 4480 wrote to memory of 4024	4480	Hibljoco.exe	98
PID 4480 wrote to memory of 4024	4480	Hibljoco.exe	98
PID 4480 wrote to memory of 4024	4480	Hibljoco.exe	98
PID 4024 wrote to memory of 1860	4024	Ibjqcd32.exe	99
PID 4024 wrote to memory of 1860	4024	Ibjqcd32.exe	99
PID 4024 wrote to memory of 1860	4024	Ibjqcd32.exe	99
PID 1860 wrote to memory of 4720	1860	Iidipnal.exe	100
PID 1860 wrote to memory of 4720	1860	Iidipnal.exe	100
PID 1860 wrote to memory of 4720	1860	Iidipnal.exe	100
PID 4720 wrote to memory of 1912	4720	Icjmmg32.exe	101
PID 4720 wrote to memory of 1912	4720	Icjmmg32.exe	101
PID 4720 wrote to memory of 1912	4720	Icjmmg32.exe	101
PID 1912 wrote to memory of 732	1912	Iiffen32.exe	102
PID 1912 wrote to memory of 732	1912	Iiffen32.exe	102
PID 1912 wrote to memory of 732	1912	Iiffen32.exe	102
PID 732 wrote to memory of 2596	732	Ipqnahgf.exe	103
PID 732 wrote to memory of 2596	732	Ipqnahgf.exe	103
PID 732 wrote to memory of 2596	732	Ipqnahgf.exe	103
PID 2596 wrote to memory of 3336	2596	Icljbg32.exe	104

C:\Users\Admin\AppData\Local\Temp\889f0cdfcb92f42dc5ec3ed33848eec0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\889f0cdfcb92f42dc5ec3ed33848eec0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\Gameonno.exe
  C:\Windows\system32\Gameonno.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:508
- - C:\Windows\SysWOW64\Hboagf32.exe
    C:\Windows\system32\Hboagf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:512
  - - C:\Windows\SysWOW64\Hjfihc32.exe
      C:\Windows\system32\Hjfihc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4788
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:444
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        38⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3832
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        56⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        63⤵
        Executes dropped EXE
        
        PID:716
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        64⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        66⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        72⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        74⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        75⤵
        Drops file in System32 directory
        
        PID:888
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        76⤵
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        78⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        81⤵
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2580
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        83⤵
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        85⤵
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        88⤵
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        89⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        90⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        95⤵
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        99⤵
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        100⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        108⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        109⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        112⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        113⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 400
        114⤵
        Program crash
        
        PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5868 -ip 5868
1⤵
PID:5928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
64KB

MD5
20bd2a49a05c5eef07bc9eac4d368a47

SHA1
7843e9864f14622548bc6f328863b13afa32abc2

SHA256
e32acee148eb0561b7fffb1a22c10c97ece8bfbf6a859bcf8e55a3c5b5f74e06

SHA512
2cc20e7e40ab0c40dc1c52e4dd606a476a2999a328bb8d476b0b2aba7633dba18f9b3ba10c1e40e44e2d70b540e5910611d8ff50a828966f92316f4260b69f7d

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
64KB

MD5
c8faf69a75e539d92e70577edc0e2418

SHA1
23da9a56cf4c6dd268051be619325ef645276a56

SHA256
6d010e8c1a932863501c50dc938d9911e29cf5c9e079536ae00085ff75ab518d

SHA512
b2b6ee89943d9a26710f40a5c47c60a5a78c45cc033db4f96568ad7e0effeccfa9c860c13fc1087334a9b47d2759db16ccd3980e2161919b06a2bd139962e59f

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
64KB

MD5
43f1b05b284c126e73fc0a19968d83a2

SHA1
3bf7f1ecb84d2c92d35c13f7147aecc6b9efe598

SHA256
c1dff69e47e041d5443f216af7f6dd4bd317f7a3912541ab38da00b836ce82b4

SHA512
6b06b19cc896f97e77fba204bad422696400a1b27e374edc1966312904602885e8f60d2a8b2e242ef0371337b799c4c24459cc5d2f72e092b3d69fbd49c360b5

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
64KB

MD5
8912d12a9cff78c1b9fbab1919a114ef

SHA1
8e9bd6b07c24a18f5ae331c1903e18c6527e9e6c

SHA256
36248f5847fdad1cc1f12a15b46f301332b54a1bf3b44c569e3950b726430eb3

SHA512
fd3c2202ac2e3a52803f1679a8d9315b70c7627f3edb1d39d6391892c93b8b2fbf65a23928e38a05b1ad4350995c4416b7deed746b261942145cd6b6c8b1c169

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
64KB

MD5
c124816a0592f6fa2386c1e07f4aec33

SHA1
2244b9f395115b3d2ba34ba26928f96f1a70ae69

SHA256
9668a62f34df82658d33090caed3448e9d89b4d16f0800f16536555f8e9d9bda

SHA512
10a4422de360e9082cad2076c74b6da7c128fb587fdfda9d29f41b024e8848b5985159dee77ec3d7670dca42019b7bd266395418a6df85d3afd5ec1ba504739b

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
64KB

MD5
3e22836d7b0d9555bb0889597f45c111

SHA1
ab39c99bf422ef3044ea30acddbdd3ecae6fcfed

SHA256
4826e9dec83233f76ae93d8ce3e68e017bbd49880fe45b4d036a3423161d593c

SHA512
646e146ee25b6a1d17f203deee870e871a73ae86d4100b1ec69dc9dfc4042c2407d7390f1be1143a676dca426ce396269555b8446d7ed7ad9ef9ca1ef9a30fb6

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
64KB

MD5
c2cc07e7e92db6fd6244bf58b3295247

SHA1
952b9bbbe1a3c12213f63d8b8d9f2bf4cd4645fc

SHA256
a6214869f50d147d4914d5fa3a9f587447046da99dc24d46d6d5fc11e42c26c4

SHA512
a61a6cb7bf9eb733704a8aa54d9e80296658ad3ebe1dd096062ae38b68e0d72f5cf1416e90030fbde952e6390762751292a33eb888f89970ba3b00c70c8638d9

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
64KB

MD5
69c93331d6b674479f3269f379aea741

SHA1
8c6b5583776c25e91e217dc80634e320f348efb1

SHA256
6bdbaa5d02fbdbdc56c7fd44986a7db079c167cd6bd1b2dfe7922004b2ce7a93

SHA512
fd04db8729fb92840cefe05e6c23b437afe3e1153870f9e2606b9afc075c3324cd973353cc9543347a80f7adaf92b6aabad059e679cb51c80ca069339bc3451e

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
64KB

MD5
fcd99922f32efcaaa49457a7441aedcd

SHA1
0781272f1b07ec1d56d0e7b0067c997806475c82

SHA256
f37a7623fe49bf2fbb50f839396063bced377eda16266cf17afcdc75e72cef39

SHA512
37bc8bd635da195deeb756a88e231f1cf8aeba4a3b37ec0209d2cc6ed59be699d96d138c306e788f4e4d32ca9dcf3ba6f7e7342bda42dfca97e8a4d04ef86ba7

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
64KB

MD5
648b38571346832f6bc9e8226bd174ef

SHA1
939b0c51b1f3fce42f004f9eab08c8adf61860ec

SHA256
afc311463fd277dbed26784a6f16539820725b262298f197dacc456c5e8ddedc

SHA512
889ccf31341c1e3c35ec63a8b230223868eaac3f21da1f5b866f48f7e98eb589477e0ce9faf7a7e6dd6d2b8031a1f29c089ad5670cc22ea7c09a5048e5aa35b7

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
64KB

MD5
251805f73b0f40e8b81f608b169424db

SHA1
91ee5933e6d5dd3acc9f6f7f2f0bebbe3255ca0d

SHA256
95e836e4cda2d61cd2601624e6ac2e475876bb62fbb6363dadaec4a9be8a51ba

SHA512
dfbd9904dcfd8920afa54c7ab19bd8e3119c00547bb5cc9275a7d89564848b2dc8412f2ce9bcf07f8a23b2888ee4b232e79960aca6ee2d262b718d23db6f0316

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
64KB

MD5
4a5b96c6a5c09a57cc8034d7774d22bd

SHA1
3aec15c35ffb11aa0502f0a2d18640e00e8b61a2

SHA256
6fb352757125c657e0c0df6dc9d4578a37fa9d37135d19b8aebb0bbe9f043f90

SHA512
7d14a13848744ea6ec8bb95fc8d81b157ed86452515e350d69cccaab6f9e145d4e9a379c76fc903247b36c2492e4253d9fd273b1d907fdfa510394d8ed9ab89f

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
64KB

MD5
45a3fa88bf637748fcbfe6e3488558c5

SHA1
caac375e810c8c8fe1fbc72a44bdd50427e0fe75

SHA256
aeb4978b853def9f4330066f375b9478a98954b9dc46b3c76737d8ce8c314716

SHA512
47087ffc2a72eecde6611245486cbe7284a2d8995b01caafcc8e5ae248eeb2289346b7a54dd284383e0241311632c81c4ac58be94ecf8067b31ae415166cd34e

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
64KB

MD5
c15eb894976f3fcb42dc9c013c91a1d9

SHA1
b4847ae8496ab408e3dbf541da9619f3dc7f6451

SHA256
a8bf7d2bd798c74118d528bd39478dda2cc614685a848351634d161ffc1ccfbb

SHA512
f33c0290869f34aed2b671afafe97c036fe4fe8a5613b5526d5cf7bc1b160f2ed91f6f9776f01e8b7ad6cd9f4507a509e744e656c5ca50a58555c0ee013a3965

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
64KB

MD5
46bd0e73cdf300987f9b953aa8707d8b

SHA1
a4597c7dc8129a0da0b968fe3f2e87c0c304c200

SHA256
2e1b5a7df1e8f37e25b97ac9d5b43e2e07d2b5e5007209d96ee269068eb489a3

SHA512
50fa188827f5d0f7ff9e2f1e8c37b826565b2ad07f956511bfd093cc832b4d82f50e2e937c3d49221b32fe0455b26b65ebea856a14b3b9f5e2ba1119b2bbe676

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
64KB

MD5
6b9c38d78e07c78f592350cf8eb5a098

SHA1
73a66fab9af285ada32e28585f206c19a39cfd13

SHA256
b40c80cd27f70da0b037fee37244e4ba373a11824ddc8b3941cda7d4f6494a6f

SHA512
0db5d560201b30f27fad3fc65bafe6ffbf3062d5b2b16da5b9f3831732005d2b19e3f762fecc7dd380bf96a83e3ddb9785114a8640ca6d1bc4b976ad4a3a1975

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
64KB

MD5
fa16f2b5da45f09b821ee93dfa952b81

SHA1
87c79c15519991c7446da7178e97c5c7740aa533

SHA256
042d6074234636ac6071841ca94621c5dcbb49dbd79d536d9456486e476b1aae

SHA512
00135b8994ef2503146e0ff87547a10f4d42f1edad7f307f155340acd667db0833bf73ca327058a71e152e32961d8d629836f16e7fc9002625dfce758037180d

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
64KB

MD5
ffc4805ea27efc5c9ae133721be66033

SHA1
37e444dbfaf18224fec264b3aff0b389f95be15b

SHA256
8893a419a6a7d0dff97cec47532bb496d1919d97f1aaf58899fdaea0765204a8

SHA512
a9647d612f06d0e60cf0b8afbc57ebc800ae408368a896b7a23223714868de58caaf054cd2e12ebff43285ce20d0c424806db4aac35987c2b5c7159bcb1d5dbc

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
64KB

MD5
84e4205f1c71786194337636315e61d6

SHA1
0e4465eb5c3d723fbaaccdce4d2ef411356feb9a

SHA256
1c33a2121a2d9d3815fbabd1951d5b9e2317e323a64f69b07114a5bb60dcb191

SHA512
0978c8de6faa0cdd9ae7bca117d5f7d709afd22d531770c9850fa6ff7afb36521ac2fab2f69445127cf5739cb700ab45d647dd54d865a97c6b635d93bed72892

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
64KB

MD5
6f8acea9908f14c9745dd6e1c20a2f3e

SHA1
e19a4a9e27a662d20fdf47d876ba42bedd0ea10f

SHA256
596fd504fc623dc2fda4e7a4dd1526cb4b59d1f068e2fc09592a94a374ae4469

SHA512
6b95024d857aad75de1e6bee7c634e9ad98079119b8e0698009fc7d2819f22e796f73ce61e33e4c75b337df9e758ff0a3e15d55ebbf62d20827a377d07b3d58d

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
64KB

MD5
08dacfa3ba3af191552634358bf14dda

SHA1
00aa9a56919d739e571323f6aba08029a21b18b1

SHA256
93f7369105cbf2e4ec675ddcedadd708a438bd672b0d8a92cc7643dabbe570c6

SHA512
5396184f211ece32bb8aaddd430fdcc98a311e351d28f4906e78ab2786a4de00f673a20dd9424df77fdd73b02cf754e0e6519eb8ea3a8b05d280f51ac7c6cdf2

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
64KB

MD5
5ded0a74059ee888b4b17a2e0b6b0230

SHA1
7d17d5e053425986650ddffef1344de0305bd0be

SHA256
d0d93192c333393bdee7dedae113d815e8a88f6d4d540f49bc680d98ae6f97f9

SHA512
811a0dd143bbdc0cd4971f86e0b9fc6e24d567e1bcdd708a4e6a23f694130795ab23fbc4b912dbf17612235fa0aef5b5dee81ce86a4e5a2597527d60d267a03d

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
64KB

MD5
7ed27584e1bb8ff4fd6a64a29b383dbb

SHA1
926a9f4343bc8f7049d38bed5bf1db999a47c8ea

SHA256
e6a65a969bd7c8b23c7b30fbf554dc4b57b8fdd9fe7698a6461c9f1e63b68bae

SHA512
c16df6fa2dfc4028a75d0d93a277817b1b64861eb58142b63ec6cccad76825780484b0695fb97f480ada4ab576bb6a3a057df5b7de83637eaa3c69c0d81b177e

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
64KB

MD5
c0e9d3515922cf2833e8f405166c0b81

SHA1
0c20ba3958a5db0974d78cb862ffcf74449c772a

SHA256
c1df02d4ef2461555b820477a1f120828b88a9b47b9576e6bf0b5c2065441e70

SHA512
427aff1488d503b3934c12b3a11f763ec7c3f0458833f7bf9bb79a6ff538e93cdc4c54da6473fe3858f9d65b3bab77a0d8b3aca43a762b17badae589f58739f8

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
64KB

MD5
75e505d67b7b3640ea1a53bde4b8ad1f

SHA1
83bcf394eb83dc8bccb93127e262b25e7e00cfcd

SHA256
284ba8f9f1f94936bd1b4514b08c2a9e5fdf70bdba987894296e5d8b7fac3d15

SHA512
b63fcadc21e69aea3d4be7a54b0e5fb2a57602fa406f17d9c71cb7f7c1f32ebacd8c4a8e50b737d96536bf7402ceb556b7d246cffe8ebfd77785f125d6c64517

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
64KB

MD5
e52ffb5b394ae0d149e9cbbfc8f249f4

SHA1
d89fdbdfc5807e2a10f218fabca10d7d0146da90

SHA256
fa426277b8c08aaf5c521936234348c4fdd3de0810861307d0bb3aab07913aae

SHA512
37648fad241dbdd9f35cd6baa06bceb1967146b05f7cc6e5696d782b239bb1cc89c4021e9c0f08e3b16105e0391df25796c54c64d71013c5e75943682862078e

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
64KB

MD5
92299f9837794a9a8fd8525533c7a7ae

SHA1
df0fb4a0be3a6845576d306f34f1867cddd6ec59

SHA256
fdb0699c030b6f40445da214db6daf0a39bf2cb5892a679c9c4a7c1578592ce6

SHA512
f1e8e54b25f12b2c44beedbc2b87458c5f5f61275602f1dd7dff9cd768e736ecbfef0b96c4723c4a6020ccdbd2e75a35e5cb3f2e9da7f5beb99e572a14d2e2d4

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
64KB

MD5
1d219bc1d170f5a3802d973b73967e9c

SHA1
4585a92f24cf6562f3617168b351b0d0a41fb491

SHA256
26bb22e8b3dc973e50343351139b043df54d802fff149e0d86fca7917d144c06

SHA512
b7acdb1d7c7284b96858d328153615c528a00d154c67e01b3196986ce9329956b605a0f2b71a1e809f852cbac79161e8e8b914486f00db212a0643bd11a0c46a

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
64KB

MD5
d87dbed4fddcd19fd0327aff9c8d0602

SHA1
44da80e99cb78b2f9809cd19b72970f3e76c090b

SHA256
3b62c9741ea85a24bf71477114162b22696fd76703950abba5e18ce528a79453

SHA512
50d97babe58951d2cd4e47721fb5531ad95407c10665a54f20b0816637a11b81ccf68e35dc235d823f4450a15be8a192a1412e044b44f6ac021591c7465f3cbc

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
64KB

MD5
81f6a2837622aa81ba13b0882270006b

SHA1
2ba0bd174ebf3e223fd5abdbfa7eb9f38b5f7c17

SHA256
7f917c571aa286049ae46e913657798bf46a836ed26dd9878f6fa9b2de8ea03c

SHA512
12b97899a51750c49342153e7d8df7919df111370dc5c6f34afcf166716925f469fb2dcf601ac30ec8886022657dfbd7688165d2abe2febb1072d6a6b1d9c484

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
64KB

MD5
a96bfa3fa843ec6bffb6da30d8168cb4

SHA1
80845a89c0a58840e963256eb648c89c2a901fa9

SHA256
14a46552f70fd6d24f9d2a51d7d100afdb943f532f0769cb62ae9345f8767392

SHA512
815fb595fd9bed9e2a5c5e1be2fa55fa55fcf9ea601436deaed8e593f008d1386bc31da7b1ddeb9057c67fc117bf34f4b60e52efe2dfa15f307b6ff3ae1f0b0b

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
64KB

MD5
fbfb5fe31f4687b5eea355e2487c0001

SHA1
9d2f45ffcaedc063db2ebfeab08d62aaa2298159

SHA256
738ee8d13e94038989374ec90b0981a8c65a4d40ebc08d9af2b91413a7b5d9b8

SHA512
f95b4acc1e3a6587d56880bc01ca93fd1be21d12fabe8f1d54c28425f8369677716b3fe6505f33661b5dac6ab5aa900a46f54570554adeee6eddd6f01b855be1

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
64KB

MD5
a1a697cc9489ff3312e53ed97b0055b3

SHA1
92438ce02b60a0b1d9008ced0d19bfedff6d842d

SHA256
4e04d726f11824eca1313c4973ec3ac27fb8922bbfa93884a6366ba46b959a37

SHA512
4420261a7cfa9a358cc60d5d41e5a81def253ecca0b0f5dc0ac5cc806688605558bd771185e938a3fcedd730954c2298d02ec3354d8c0284036ed73836b530f5

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
64KB

MD5
31278b3d07645e8900780bed3a04977a

SHA1
2260cfd1cee7e7df36e8733fa97732f09778ec05

SHA256
a5bcd3158802645985beaa1e7d524c4acd9e712525a6c963e57742fd3cc1d41f

SHA512
e8361e538309df23bfd2b8468c6fcf07418cb331c75ef07e66498e66a5843130d40befc49aaa04f1e9e312282231a7132ff4a400acaf38560694636ae36c4418

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
64KB

MD5
fab8cff8aff08dce5b1f646a924ba0e9

SHA1
2524a720325a6ec4bbefc1aa8d3dbaaf24d2b197

SHA256
ade34e80a0ff35bef20453bf1d4dcc2f259c61070eaa43cf7ffc07defd95dd36

SHA512
c5972b34ee3f616803dbd6995898ec6fbf450919f8ec72c117cc9e25e49059a279be284dbc37d90861c8bc1eb7b5650223cfbb6a839a08a6230f16bb8336a2e1

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
64KB

MD5
d9080ec6c84229014b42079b8e8fbfe2

SHA1
9a95c95b64d7ed00e76f2c96d21180698d34fbef

SHA256
f61fc91e0aafaafbba634f3ba741420bfb4ff3e18436a467800cb9d0356491ed

SHA512
727301360207c6566d0547ec771e81a64d6961b9d90d8c0dbcc65720848660d0e9d5baf4e7928e50d9d4399ca14cfdba709e79ad00af90547a303f05f4912095

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
64KB

MD5
b06c5531cc2e145454abbc88538bddf8

SHA1
2fdfbeb8a470fbe83d65f59e8a5318d59aae5b7f

SHA256
f41234bde8b8a840ea2bc763adb6868d1b724fd819c06c06c08e0295e976c782

SHA512
3d154f93a98bce644ae0246b718762342c5c20d7f1c228d2c40e1c5656fb524a64d82e231629cd0ef965ded2ed39150d7ffcdb8a86f6c6c2f6d0575e93a87e7f

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
64KB

MD5
4875733f9aecce45a8f800bb9ab8321e

SHA1
0110853a12908a3d416fa46e20ff82c9c4d86156

SHA256
ee3fdfbe4399c323d86170975240d88c5ca5bd363b3bd6b85eb633db7c3a321b

SHA512
228268666285818caa6c3059f97cd072b3a5b5b479b874c15e1dac96ebdb41e61f7bd5ebea247ec60cb47e1a5d9610a2bc469c5539fb723f3beccca412e0b520

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
64KB

MD5
45603cc722e8ee3d6f76fb454bc3b843

SHA1
a914654230437e9c436daf7cea364ac916532a7c

SHA256
d568db9538698409c564220c0bc8eac60cc00eb8e2ffe835d4457eb122dba9a0

SHA512
c23168475ff757efa1d960ba9b8a593fa85405c6218b9acc47cff4ce7718324596c85603f9cafe8828bdc72b31a4cfe6b64d7f94154e81a825124d4ccb5558d9

Download Submit
memory/220-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/220-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/444-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/460-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/508-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/508-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/732-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/968-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3764-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3832-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4124-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads