11faaadaa5d621aeea8ca22b7be3ac3dc050da25b239eb5e2be4bd37fa40fc2b

Analysis

max time kernel
114s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

221fb124d99db121484db7e82e0fc410_NeikiAnalytics.exe
Size

344KB
MD5

221fb124d99db121484db7e82e0fc410
SHA1

c8b2587dd758f0f68c7e0ee02514befd290e9167
SHA256

11faaadaa5d621aeea8ca22b7be3ac3dc050da25b239eb5e2be4bd37fa40fc2b
SHA512

7288d74faaebb5bf9d3c34015e92f49015f7b27e5b396bd1446c6a44e156e7dbfdc03c6a5dac3fa6fa5f5009e10f398912bcb833f83a5fa4a0c3869304782fba
SSDEEP

6144:VyWhpdzBCpX2/mnbzvdLaD6OkPgl6bmIjlQFn:Vyopd9CpXImbzQD6OkPgl6bmIjKn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jafdcbge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	221fb124d99db121484db7e82e0fc410_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oonlfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nciopppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfqnbjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofckhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcaipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jemfhacc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomjicei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqoefand.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibcjqgnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfenglqf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Joqafgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omalpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hldiinke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhldbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jahqiaeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnamjhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllhpkfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipihpkkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lakfeodm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ommceclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcapicdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oblhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kamjda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhbqbae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pafkgphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhldbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjnnbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iondqhpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhenai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocgbend.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpnjah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocgbend.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbjddh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iialhaad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klggli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lakfeodm.exe

Executes dropped EXE 64 IoCs

pid	Process
3864	Hldiinke.exe
4188	Haaaaeim.exe
5100	Ipbaol32.exe
4508	Ibqnkh32.exe
3556	Iogopi32.exe
4492	Ibcjqgnm.exe
4880	Ieagmcmq.exe
4556	Ilkoim32.exe
4608	Iahgad32.exe
4648	Ipihpkkd.exe
1880	Iialhaad.exe
4120	Iondqhpl.exe
1704	Jidinqpb.exe
5072	Joqafgni.exe
2920	Jhifomdj.exe
4036	Jocnlg32.exe
1672	Jemfhacc.exe
3932	Joekag32.exe
3112	Jikoopij.exe
904	Jafdcbge.exe
4312	Jllhpkfk.exe
2524	Jahqiaeb.exe
3848	Klndfj32.exe
2512	Kakmna32.exe
3204	Kplmliko.exe
1504	Kamjda32.exe
3548	Kpnjah32.exe
3720	Kekbjo32.exe
2492	Kocgbend.exe
2036	Klggli32.exe
2464	Kcapicdj.exe
2720	Likhem32.exe
1948	Lindkm32.exe
1452	Lojmcdgl.exe
3964	Laiipofp.exe
4440	Llnnmhfe.exe
696	Lomjicei.exe
4964	Lakfeodm.exe
2504	Lhenai32.exe
5076	Lplfcf32.exe
984	Lfiokmkc.exe
1124	Llcghg32.exe
4184	Loacdc32.exe
3764	Mjggal32.exe
2148	Mledmg32.exe
4320	Modpib32.exe
1896	Mablfnne.exe
4876	Mhldbh32.exe
2540	Mofmobmo.exe
2072	Mcaipa32.exe
5080	Mjlalkmd.exe
3712	Mpeiie32.exe
2372	Mcdeeq32.exe
2324	Mbgeqmjp.exe
4916	Mjnnbk32.exe
464	Mlljnf32.exe
4104	Mokfja32.exe
824	Mfenglqf.exe
3164	Mhckcgpj.exe
1616	Mqjbddpl.exe
2260	Nciopppp.exe
4844	Nfgklkoc.exe
2416	Noppeaed.exe
5128	Nbnlaldg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kcapicdj.exe	Klggli32.exe
File created	C:\Windows\SysWOW64\Caecnh32.dll	Modpib32.exe
File created	C:\Windows\SysWOW64\Nmcpoedn.exe	Njedbjej.exe
File opened for modification	C:\Windows\SysWOW64\Kpnjah32.exe	Kamjda32.exe
File opened for modification	C:\Windows\SysWOW64\Lfiokmkc.exe	Lplfcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ofckhj32.exe	Ooibkpmi.exe
File opened for modification	C:\Windows\SysWOW64\Hldiinke.exe	221fb124d99db121484db7e82e0fc410_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lodabb32.dll	Omalpc32.exe
File created	C:\Windows\SysWOW64\Nhoped32.dll	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Ppgomnai.exe	Pmhbqbae.exe
File opened for modification	C:\Windows\SysWOW64\Pfccogfc.exe	Pcegclgp.exe
File opened for modification	C:\Windows\SysWOW64\Haaaaeim.exe	Hldiinke.exe
File opened for modification	C:\Windows\SysWOW64\Iondqhpl.exe	Iialhaad.exe
File created	C:\Windows\SysWOW64\Mjggal32.exe	Loacdc32.exe
File opened for modification	C:\Windows\SysWOW64\Nciopppp.exe	Mqjbddpl.exe
File created	C:\Windows\SysWOW64\Njedbjej.exe	Nbnlaldg.exe
File created	C:\Windows\SysWOW64\Hapfpelh.dll	Kekbjo32.exe
File created	C:\Windows\SysWOW64\Likhem32.exe	Kcapicdj.exe
File opened for modification	C:\Windows\SysWOW64\Mqjbddpl.exe	Mhckcgpj.exe
File opened for modification	C:\Windows\SysWOW64\Nqcejcha.exe	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Qidpon32.dll	Njgqhicg.exe
File created	C:\Windows\SysWOW64\Oqoefand.exe	Ofjqihnn.exe
File created	C:\Windows\SysWOW64\Pplhhm32.exe	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Picoja32.dll	Ieagmcmq.exe
File opened for modification	C:\Windows\SysWOW64\Iahgad32.exe	Ilkoim32.exe
File created	C:\Windows\SysWOW64\Jidinqpb.exe	Iondqhpl.exe
File opened for modification	C:\Windows\SysWOW64\Mhldbh32.exe	Mablfnne.exe
File created	C:\Windows\SysWOW64\Nbphglbe.exe	Nmcpoedn.exe
File created	C:\Windows\SysWOW64\Ieicjl32.dll	Jocnlg32.exe
File created	C:\Windows\SysWOW64\Nmjfodne.exe	Nfqnbjfi.exe
File created	C:\Windows\SysWOW64\Pjphcf32.dll	Ofckhj32.exe
File opened for modification	C:\Windows\SysWOW64\Jemfhacc.exe	Jocnlg32.exe
File opened for modification	C:\Windows\SysWOW64\Lojmcdgl.exe	Lindkm32.exe
File opened for modification	C:\Windows\SysWOW64\Pbcncibp.exe	Ppdbgncl.exe
File opened for modification	C:\Windows\SysWOW64\Mofmobmo.exe	Mhldbh32.exe
File created	C:\Windows\SysWOW64\Oblhcj32.exe	Oonlfo32.exe
File created	C:\Windows\SysWOW64\Gcilohid.dll	Pakdbp32.exe
File opened for modification	C:\Windows\SysWOW64\Joekag32.exe	Jemfhacc.exe
File opened for modification	C:\Windows\SysWOW64\Jllhpkfk.exe	Jafdcbge.exe
File opened for modification	C:\Windows\SysWOW64\Kocgbend.exe	Kekbjo32.exe
File created	C:\Windows\SysWOW64\Laiipofp.exe	Lojmcdgl.exe
File opened for modification	C:\Windows\SysWOW64\Lomjicei.exe	Llnnmhfe.exe
File created	C:\Windows\SysWOW64\Ihjoke32.dll	Iialhaad.exe
File created	C:\Windows\SysWOW64\Lomjicei.exe	Llnnmhfe.exe
File opened for modification	C:\Windows\SysWOW64\Mjnnbk32.exe	Mbgeqmjp.exe
File opened for modification	C:\Windows\SysWOW64\Njedbjej.exe	Nbnlaldg.exe
File opened for modification	C:\Windows\SysWOW64\Ojhiogdd.exe	Opbean32.exe
File opened for modification	C:\Windows\SysWOW64\Pjlcjf32.exe	Pbekii32.exe
File created	C:\Windows\SysWOW64\Chjjqebm.dll	Pcegclgp.exe
File opened for modification	C:\Windows\SysWOW64\Ipbaol32.exe	Haaaaeim.exe
File created	C:\Windows\SysWOW64\Jcoiaikp.dll	Jidinqpb.exe
File created	C:\Windows\SysWOW64\Bjmkmfbo.dll	Kplmliko.exe
File opened for modification	C:\Windows\SysWOW64\Laiipofp.exe	Lojmcdgl.exe
File created	C:\Windows\SysWOW64\Oophlo32.exe	Omalpc32.exe
File opened for modification	C:\Windows\SysWOW64\Ommceclc.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Hnekbm32.dll	Lomjicei.exe
File created	C:\Windows\SysWOW64\Glllagck.dll	Lakfeodm.exe
File created	C:\Windows\SysWOW64\Khlaie32.dll	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Lnpckhnk.dll	Nmcpoedn.exe
File created	C:\Windows\SysWOW64\Gipbmd32.dll	Ncpeaoih.exe
File opened for modification	C:\Windows\SysWOW64\Nmfmde32.exe	Njgqhicg.exe
File created	C:\Windows\SysWOW64\Pfigmnlg.dll	Nmfmde32.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Aglafhih.dll	Ipihpkkd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5804	5600	WerFault.exe	197

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgjnl32.dll"	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibcjqgnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jikoopij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlqeenhm.dll"	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnjmilq.dll"	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpenlneh.dll"	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjfaikb.dll"	Ocgkan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	221fb124d99db121484db7e82e0fc410_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lojmcdgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcaipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lodabb32.dll"	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfnamjhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipbaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npakijcp.dll"	Mhldbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjnnbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaadlo32.dll"	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmhbqbae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlmcm32.dll"	Lojmcdgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcejdp32.dll"	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqpnq32.dll"	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	221fb124d99db121484db7e82e0fc410_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjiffif.dll"	Iondqhpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klggli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Likhem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mledmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iondqhpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnele32.dll"	Kocgbend.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglafhih.dll"	Ipihpkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeeaodnk.dll"	Laiipofp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llcghg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiqkhgo.dll"	Iahgad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipihpkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhifomdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqjbddpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eapjpi32.dll"	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jemfhacc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Joekag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kamjda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnpn32.dll"	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbegn32.dll"	Lfiokmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfigmnlg.dll"	Nmfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Joqafgni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcndmiqg.dll"	Loacdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcpgp32.dll"	Mfenglqf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 3864	2308	221fb124d99db121484db7e82e0fc410_NeikiAnalytics.exe	90
PID 2308 wrote to memory of 3864	2308	221fb124d99db121484db7e82e0fc410_NeikiAnalytics.exe	90
PID 2308 wrote to memory of 3864	2308	221fb124d99db121484db7e82e0fc410_NeikiAnalytics.exe	90
PID 3864 wrote to memory of 4188	3864	Hldiinke.exe	91
PID 3864 wrote to memory of 4188	3864	Hldiinke.exe	91
PID 3864 wrote to memory of 4188	3864	Hldiinke.exe	91
PID 4188 wrote to memory of 5100	4188	Haaaaeim.exe	92
PID 4188 wrote to memory of 5100	4188	Haaaaeim.exe	92
PID 4188 wrote to memory of 5100	4188	Haaaaeim.exe	92
PID 5100 wrote to memory of 4508	5100	Ipbaol32.exe	93
PID 5100 wrote to memory of 4508	5100	Ipbaol32.exe	93
PID 5100 wrote to memory of 4508	5100	Ipbaol32.exe	93
PID 4508 wrote to memory of 3556	4508	Ibqnkh32.exe	94
PID 4508 wrote to memory of 3556	4508	Ibqnkh32.exe	94
PID 4508 wrote to memory of 3556	4508	Ibqnkh32.exe	94
PID 3556 wrote to memory of 4492	3556	Iogopi32.exe	95
PID 3556 wrote to memory of 4492	3556	Iogopi32.exe	95
PID 3556 wrote to memory of 4492	3556	Iogopi32.exe	95
PID 4492 wrote to memory of 4880	4492	Ibcjqgnm.exe	96
PID 4492 wrote to memory of 4880	4492	Ibcjqgnm.exe	96
PID 4492 wrote to memory of 4880	4492	Ibcjqgnm.exe	96
PID 4880 wrote to memory of 4556	4880	Ieagmcmq.exe	97
PID 4880 wrote to memory of 4556	4880	Ieagmcmq.exe	97
PID 4880 wrote to memory of 4556	4880	Ieagmcmq.exe	97
PID 4556 wrote to memory of 4608	4556	Ilkoim32.exe	99
PID 4556 wrote to memory of 4608	4556	Ilkoim32.exe	99
PID 4556 wrote to memory of 4608	4556	Ilkoim32.exe	99
PID 4608 wrote to memory of 4648	4608	Iahgad32.exe	100
PID 4608 wrote to memory of 4648	4608	Iahgad32.exe	100
PID 4608 wrote to memory of 4648	4608	Iahgad32.exe	100
PID 4648 wrote to memory of 1880	4648	Ipihpkkd.exe	101
PID 4648 wrote to memory of 1880	4648	Ipihpkkd.exe	101
PID 4648 wrote to memory of 1880	4648	Ipihpkkd.exe	101
PID 1880 wrote to memory of 4120	1880	Iialhaad.exe	103
PID 1880 wrote to memory of 4120	1880	Iialhaad.exe	103
PID 1880 wrote to memory of 4120	1880	Iialhaad.exe	103
PID 4120 wrote to memory of 1704	4120	Iondqhpl.exe	104
PID 4120 wrote to memory of 1704	4120	Iondqhpl.exe	104
PID 4120 wrote to memory of 1704	4120	Iondqhpl.exe	104
PID 1704 wrote to memory of 5072	1704	Jidinqpb.exe	105
PID 1704 wrote to memory of 5072	1704	Jidinqpb.exe	105
PID 1704 wrote to memory of 5072	1704	Jidinqpb.exe	105
PID 5072 wrote to memory of 2920	5072	Joqafgni.exe	106
PID 5072 wrote to memory of 2920	5072	Joqafgni.exe	106
PID 5072 wrote to memory of 2920	5072	Joqafgni.exe	106
PID 2920 wrote to memory of 4036	2920	Jhifomdj.exe	107
PID 2920 wrote to memory of 4036	2920	Jhifomdj.exe	107
PID 2920 wrote to memory of 4036	2920	Jhifomdj.exe	107
PID 4036 wrote to memory of 1672	4036	Jocnlg32.exe	109
PID 4036 wrote to memory of 1672	4036	Jocnlg32.exe	109
PID 4036 wrote to memory of 1672	4036	Jocnlg32.exe	109
PID 1672 wrote to memory of 3932	1672	Jemfhacc.exe	110
PID 1672 wrote to memory of 3932	1672	Jemfhacc.exe	110
PID 1672 wrote to memory of 3932	1672	Jemfhacc.exe	110
PID 3932 wrote to memory of 3112	3932	Joekag32.exe	111
PID 3932 wrote to memory of 3112	3932	Joekag32.exe	111
PID 3932 wrote to memory of 3112	3932	Joekag32.exe	111
PID 3112 wrote to memory of 904	3112	Jikoopij.exe	112
PID 3112 wrote to memory of 904	3112	Jikoopij.exe	112
PID 3112 wrote to memory of 904	3112	Jikoopij.exe	112
PID 904 wrote to memory of 4312	904	Jafdcbge.exe	113
PID 904 wrote to memory of 4312	904	Jafdcbge.exe	113
PID 904 wrote to memory of 4312	904	Jafdcbge.exe	113
PID 4312 wrote to memory of 2524	4312	Jllhpkfk.exe	114

C:\Users\Admin\AppData\Local\Temp\221fb124d99db121484db7e82e0fc410_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\221fb124d99db121484db7e82e0fc410_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\Hldiinke.exe
  C:\Windows\system32\Hldiinke.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Windows\SysWOW64\Haaaaeim.exe
    C:\Windows\system32\Haaaaeim.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Windows\SysWOW64\Ipbaol32.exe
      C:\Windows\system32\Ipbaol32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4508
      - C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3548
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:696
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        52⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        58⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        66⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        67⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        73⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        74⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        76⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        77⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        86⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        88⤵
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        89⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        91⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        92⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        101⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        106⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5600 -s 400
        107⤵
        Program crash
        
        PID:5804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5600 -ip 5600
1⤵
PID:5740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4056,i,8447163055677043976,7218082390179600880,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8
1⤵
PID:6024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haaaaeim.exe

Filesize
344KB

MD5
6507b4fb94d89fec56419054ec312adf

SHA1
fa6723cd54fe7968ad7a499bc93a5b1113865c0a

SHA256
acb1fcdd78e506dd9e876c24432b95b21ac06207d35f5c9922481f4dd79beb39

SHA512
55779154f50ae1422f4fb2d2a250e111657200539ce6aa02edda21e24da95a9f8dceaa509b28cf0368d79a2d59321edc2bb279d50db267e306221b6840beddeb

Download Submit
C:\Windows\SysWOW64\Hldiinke.exe

Filesize
344KB

MD5
494ddd72d2aba07a6c4f2fdc38f54882

SHA1
07ec3236a85cd513268fd013cda04ecc8f100a04

SHA256
6958b1f8e5b0d74d780f7ffc379f361f4db4e9bd2308c71d111d3b46b7add723

SHA512
c368850d0f3955305dc1a0ee1c8d6c285db1acd2b05f29c8035f00f85e3e09f47dcf49baac5bb9823a5120e20f13664c3b1ad3258ea011b0328f082d54b5a921

Download Submit
C:\Windows\SysWOW64\Iahgad32.exe

Filesize
344KB

MD5
7e92f6f3af556acd4c32802ebc432d8b

SHA1
1037dda2e8befd825d6bd88823ab308338c26215

SHA256
32e243ce993cd817627f5eb6fadbf8228c9e3da741062f75d7cd9f530fc51ac6

SHA512
f5e98ed0835c9df0de62385fac509dbd6f08e97986bdf8b06d6773a754fc6e822b122e37f5cf2e7a890227fd292ead90855704ddc8e46b28737f69c2218fec66

Download Submit
C:\Windows\SysWOW64\Ibcjqgnm.exe

Filesize
344KB

MD5
bd0f38672a981521268a969e182332b8

SHA1
e9582526ec75512cc476e0896ab5a3291ca190f9

SHA256
775aae5ccc85aec4599145684799152cba67fbbfa40623550236d98b18509f37

SHA512
259b77def8035b5e80cb6e5aca082892216c98299a85850fbf96c8c07332c5748f8258d54258910f4c47747e1f111562067f68d2d29793e83e25f0798d199847

Download Submit
C:\Windows\SysWOW64\Ibqnkh32.exe

Filesize
344KB

MD5
5c936217741ce7e13dbfd77b2b6b0109

SHA1
a14048879bc6ca3f377fe8082da4215801e8dce6

SHA256
925c35e7945afa7754dd4aa16d6f4a011de943fb60568ec6408b86dccd24586f

SHA512
8e0dae985680c55958e83556c4d355644fd9de1a83d0a1d42d7f717861d904029e022caf5b862e50ecb160d74b4e71ded48e7dd033283fc06a7fb6afbb180fd3

Download Submit
C:\Windows\SysWOW64\Ieagmcmq.exe

Filesize
344KB

MD5
36a382727b0630e8b67c5e144c1b058f

SHA1
126d6c22a103a9d2970f9d5ce0c5ed49c5b9514d

SHA256
a8cdb0d03595a17f72075eaac4a58f9ba204a5932e6b2d341a7fd07acc027e95

SHA512
7af9d2473734381355f1b3989eb2c5ce83cc2798401862f4b263973f1004eb5f51a607ec192d391a35e21cfbd30c6254808efdb4b31b6407952100f105563454

Download Submit
C:\Windows\SysWOW64\Iialhaad.exe

Filesize
344KB

MD5
da537a7a3f3d44b2d9f529923f613b7f

SHA1
cb5b2fde2e2a8e4ff79b684669ae9aec82fed88d

SHA256
c054f8c8409db14f2bf1467995a379f22cba74834644da2a5662b241ce8600c7

SHA512
68b302607661454146ed348641a2a74af399bcd9f4c3c68af5e29ea0592d21cdf8660eecd0846a7138ed814423471d8716228e85a0a4f41fbe8a6426a7c95513

Download Submit
C:\Windows\SysWOW64\Ilkoim32.exe

Filesize
344KB

MD5
a54fe17f70b253b9f63c48fe640c037c

SHA1
358136ff028262e4f0615c714b0dbfcace66b9e8

SHA256
f33c2fb95e1d137699fbda8a4def9e16c13a65001cdf93328a56466752376556

SHA512
a4ff9ae0c8f676820c5da8f75168231744a6c8ee99e389f4ca175e66c3dc51c81b3a75b5feddb5ca804fcf0222bb727e1a568700c9f92f703043bf1be2b231a5

Download Submit
C:\Windows\SysWOW64\Iogopi32.exe

Filesize
344KB

MD5
c218ae63f70cf539f150e9ccf1bf6042

SHA1
353da9cda03b4c83d405e99fbab9dc157611dee2

SHA256
e4bd2ec39cab3af15851c2846ad218d9147369836c19b60163ae7b55ebd93b79

SHA512
5a1725bc5409649360f5aca22b5a6eee80e36b26b9dd00b2371b8abe2c3b12c825917ba0850eddbe3e2200bf7445560350e05043f1bb38c0827b8b634751cc98

Download Submit
C:\Windows\SysWOW64\Iondqhpl.exe

Filesize
344KB

MD5
8dba4971d248f361100f19c8e4775189

SHA1
cec6a42707e8cd9520960e9f3c6cf31b09e938de

SHA256
fb382cfcfb82e287fdb07fd2c2334cda016b7e1a5f3ca01ef18d9c563b68877f

SHA512
536deee66fe26caa7cec7d3dd1c7d19864ba9b2c0184cedc3c6408bb667a7795fe1ce4e302adab4e28a9714eed1722e73c141313a6745ee1bc26cf2e5fefb712

Download Submit
C:\Windows\SysWOW64\Ipbaol32.exe

Filesize
344KB

MD5
673c4f8ea63fc7692d4892cf43c1ba3e

SHA1
add16aeeaf129a3c14771a6bd8e6c1dbe3ac8a0d

SHA256
14dcbb06d9c3dd0137b908ff1e9cecb7b493a36ff95fd21074d810b27a8ecc3c

SHA512
3fd9e2ba9309634444e347c971bf112f719feae95463386caf0c8a56f9f274b8368399f81bd218eb7451157605ac9c72246dc24c6c5c49dcc79ddc01c2f433c7

Download Submit
C:\Windows\SysWOW64\Ipihpkkd.exe

Filesize
344KB

MD5
19d8a09b3b59be92109a4c764ad1fbd2

SHA1
3baad2befc2ef992161bfdf05f8cbf845087c438

SHA256
e6876a4cf50804f34d7abf5c4f12020e09e4600ead3d1c901d9cc1db9e5582ec

SHA512
0981f78854500adb850296c1274ee067cd58347e882fef0aff82ee6c143699f488fc457913c0873107b84f586ba013e75af95b38880dcf9e5cbcf6fc168b2880

Download Submit
C:\Windows\SysWOW64\Jafdcbge.exe

Filesize
344KB

MD5
4c4606aa75082686bb085af97548d4aa

SHA1
055ad1ea3514afe7bf3b6db39232b515cef16d0d

SHA256
e33f9553a9dec9683d55772a839e67d56aa2f4ae45b034c7cffb671bbdc7101f

SHA512
6bd7fa253be09cd84fd0697b38e28101977d6e7eec7830771690f94e6d194f4dbe478c979417da8b378ed5436b4d04c0e12b56aa71996141ab1745a28aca28fe

Download Submit
C:\Windows\SysWOW64\Jahqiaeb.exe

Filesize
344KB

MD5
4e2041c9107b12fed12d2e5844ad93ec

SHA1
c80b097296e70faebec3f168d3bfd9563e423a9b

SHA256
d02d48c6e80c954efa3f2908a8db9c3f07fc7929d71631d676e5cdea1f85c9fd

SHA512
cf5419f24a6bdd6dcc0310bfd703db02b5e5e98e813bbfbc0c6827c738f3cafe69b9867772a0c12487a4d92560d8430a23ba85ddb6186f3c2eb8ceee71bb333a

Download Submit
C:\Windows\SysWOW64\Jemfhacc.exe

Filesize
344KB

MD5
986cc724e07c8373233bbdd030fe1042

SHA1
dd0b6df07cec92f83849ba4c0e4521d3d1abafb9

SHA256
8decd08ea9a727e5950e8af1eb31dbeabe42aa907158fbf0a2148555ca149586

SHA512
592cb52652eb6da33ae920a5a14c33cdef5f3714bb42262c6df5deb9f7bf9c6d5ebc87cc89ce6beff37e460c7f8b81fc9fbe4cdc53eef5cf9cebc2085eeb8674

Download Submit
C:\Windows\SysWOW64\Jhifomdj.exe

Filesize
344KB

MD5
ba9956e92a56eb9c13c7a38282347bff

SHA1
41dc6ded88cc85f393665d2e4bcbcc19527b43b8

SHA256
e4088ce95a0fb5aeddfa5b621242bc9d952a215c503031cc4a3b3785c8c13e05

SHA512
2b522ec120519a4c5dab9e262039a961eb51a23d2582ee5b737a010cf24f97bdde5376a6ec25e668cff84efc48cdccde2ee284b28a3701ed452b59855ffc3cc4

Download Submit
C:\Windows\SysWOW64\Jidinqpb.exe

Filesize
344KB

MD5
0d917e480bad19aa32d189c4a4adc103

SHA1
31ef176f3b672d4b6fdf5aad94ca495041c5b1ca

SHA256
22fceca300b3141d65de2048b9075e786f007a60bddd503a7e62c94166fbf433

SHA512
201dc9bd525058c2ff130721f6925ded1a1cd2a6ccea928690600be1eb873d42fe41d731b39f7fdcddb81b5ac382196680698f5f325199d4d01cd94cc6518026

Download Submit
C:\Windows\SysWOW64\Jikoopij.exe

Filesize
344KB

MD5
d9d5492b0de8a8b822de5e1b1a464c1b

SHA1
e20c95a1c07539981485b8c4d253889bf7af181a

SHA256
37b0860b1efec1277b59355dd4bced477ac8600c7e9f2e3f845615478f97674d

SHA512
b874faf48b70e197ee508cd8c2c0d7a6300f764ca58e31c46164064e1eed0686f20d4695dcd2bd5522c1452fe3759dca98a5d283aa3b9e16ea4a67ef68b69c8e

Download Submit
C:\Windows\SysWOW64\Jllhpkfk.exe

Filesize
344KB

MD5
b873c53fb44ba4c729db08e2a617ae67

SHA1
500d6160311c39b7383b288d4d6f1a6454173e66

SHA256
1ea0f632056d87b33e8bf4c10e946c3f72baf0c6211c23461db8c05397bfb7e6

SHA512
b684262dfe9c7e92b875409bc4eccf607f3f6166796a27e713ef9f1c4074ac32a39ef367d95fd93010f262bae854c2a7c94a355e725a9dfa6dd33a3f40a394bb

Download Submit
C:\Windows\SysWOW64\Jocnlg32.exe

Filesize
344KB

MD5
cb1ff09cf7b72e3991c2af925d814ecf

SHA1
55eb8e5c033e8f5761676460cbaed79fcc63db94

SHA256
0d97b40d6ac3fc419934cc3a00c23f954a32fd46900a97e39e192b5fedbac91c

SHA512
898c48fc8ee4f235ac5619aab90f052502c49f5ae47d2ac5fd9d3bba66256bdf0f45086186c489cbccba5e199e1d3221d3c85df1a0948977c9855c79be4cbb44

Download Submit
C:\Windows\SysWOW64\Joekag32.exe

Filesize
344KB

MD5
c4a52144d5a5fd50216971b0521078e6

SHA1
7e1a60cfc4c9fa493d89fca2cbcf9b4798d8b8d1

SHA256
8a19b290bb6b0ca729319a53e92eeaa79596666da4241859f90278e4c87cc305

SHA512
a5c02b9963e4ea2e659833e791a0df72be239ff1b8b9c122a080b853cfb5695d822598f30b5135eb7f0ed8640eec4b625a1a05bf95d95d707ee5c942af96d5c5

Download Submit
C:\Windows\SysWOW64\Joqafgni.exe

Filesize
344KB

MD5
2d255f216eae22a03bb38bf590f5665a

SHA1
f56393f7f2f5f77bd822eca6c51a3b1d8ae7f9a4

SHA256
7f940e252b1c026000bf6e73a3d8b510ce6a376c45a1cb87202d0f3895c97412

SHA512
441df75bc249f55f70ba4e8b2ac0aaba01b95b0a6fb2880290150f06f6e5bfd9ae74ceb6bc35328a9aa00d8dc633e189295293b28a6644df566ff538527c61f3

Download Submit
C:\Windows\SysWOW64\Kakmna32.exe

Filesize
344KB

MD5
eb802b7b1b239a0f8fcb7b4461f5d134

SHA1
50b7889b871a69ccd525583661d7d68de6f29260

SHA256
a8e91309caab8d3325b3252a0f2ebfb9dcd7946c81f89f3f769fc97c46ac7c66

SHA512
4be874cfb6a105851fbface7664e766f13ef88da5dc66e3c3bfd3181424cb777993f8b461482228469218212e66e95b250b906bf5cae0c0c15547b5d4555c245

Download Submit
C:\Windows\SysWOW64\Kamjda32.exe

Filesize
344KB

MD5
e183e4b703fa9497ce6d37a7632acd29

SHA1
35255535ca3a768c772add5ed5b4f167f9074b0d

SHA256
1c011c088a9c9bd9a2dc884f847d3788e7a490df3da7501df6a5bb4406da9835

SHA512
a1a14695312f858df3338f791ee61216c7b510d5453b2e8c3ddb4cce3c6feb131285775a277d22566b9a76e9b777cd6b5fef59c7a17343ee6d29874c3fcefb89

Download Submit
C:\Windows\SysWOW64\Kcapicdj.exe

Filesize
344KB

MD5
5115c578fc83b75b6dc1d862170a23c2

SHA1
4d55f4979705274497a5ce7c6d71c5e2ad0b62c3

SHA256
e486965fed407db7d3ce9b0183ff6aa5e81ec3abe428bad7d9594f2a5d07bbf9

SHA512
65603d01a02df4c40e1967220740c6037bfbb1b773012949e394af7c008b60553085bc444dca22877a088c97631b028988affbc2da95a02d166559887831c273

Download Submit
C:\Windows\SysWOW64\Kekbjo32.exe

Filesize
344KB

MD5
2fcbf302a9afd4f76624298827d26f00

SHA1
b5d9614a6eb9eb0cad5840ea9b0b30d6ef351dd2

SHA256
efd1350e0a99fe5d148fc30b78664b6426a68f4ef08fa38e6ff7afff14082a7b

SHA512
627c881f804bad2594da7b3d0d15e31f7c8e3ed061d9af702f3d32a654e9535d7c31318b6cfa44a282fb098f06f6112635772648dff6baca196a439a78b28309

Download Submit
C:\Windows\SysWOW64\Klggli32.exe

Filesize
344KB

MD5
53ac6e33de963355168dd8d923b91e14

SHA1
7b45c3ecd60ba2e32e4016b85d76e51542dfff45

SHA256
6558a0176c1fc04f051e70b5cde6632214339e0bc611e4f4e71fa65a11cb60c3

SHA512
4017699d814739aa0b9431488c637811fed50e0b6bd7ae547752ef89379adfc44af788da60cc9431f02102ce41ed1541fd5e2d07ec977e73fc8a6969f042b154

Download Submit
C:\Windows\SysWOW64\Klndfj32.exe

Filesize
344KB

MD5
df6f72bcabab5ad9a98a392a3ffa8c9f

SHA1
31a7c669d51655fbf99ea2985f32ec9225c37ecb

SHA256
1ead64869885308b157bc52972f6415a81bbe943cf82bb67c15bd3a8cda6d273

SHA512
044cc89ffc37729f2389ed9976105718bd485eea9f24c859bb0087ad2110ed00244c535c0d0e7a5600a0cbffe0526c2991cbc94d8f1da148674a68732a935f1f

Download Submit
C:\Windows\SysWOW64\Kocgbend.exe

Filesize
192KB

MD5
63549c176f8defdae84186a02574e030

SHA1
9c85bf4c95ed86447bb0ae5b499ad6353eaa602d

SHA256
d45d4e10c1ccd7caf79159603a38d70aa4a228a29a00ab3a21feb7ee3041eed5

SHA512
2cc2b6bbbafeb1a99c47b95641a8d5f214c3c247064d6851b311be3902e50b02d7861ae0ec8e82fca7a1ed1fb56c5d40b7c299ff9e37a56af6f0e0f16fb6f1d5

Download Submit
C:\Windows\SysWOW64\Kocgbend.exe

Filesize
344KB

MD5
87e5c883f9e40d6195d2d66a00181825

SHA1
b26a01354b2b2aaf4dbdd612c1ce93815c113c3d

SHA256
d5e920536564f6b3c486acdd0deb898fa90574201a65dc130d3783c573e51efb

SHA512
5d3da179a0c1fa1b447a008181f03b8204134f7df817a653703c989c39079e55228a9fcb5d87f9f5c3aaf81449c7f3ee7604e5db10303387353a82b296201c68

Download Submit
C:\Windows\SysWOW64\Kplmliko.exe

Filesize
344KB

MD5
a51cae5d5e207ff1e01e2726e230ad9a

SHA1
16669e3bc1493f2ec07868711850f1033f139542

SHA256
3d494def9bce476bd9c50f19828117eac5489d591af16ee54d0f8025fd09c8ac

SHA512
6451cf50e762ddee7ec99cc468774fba32a3d44e4dfd0006f303f474393d274e173b4e796608f094273f2fb5a0b747fa8e59a9fbf2a14dc8d901c8e2a585d163

Download Submit
C:\Windows\SysWOW64\Kpnjah32.exe

Filesize
344KB

MD5
bb99e0acacf9ce69371d020f51693825

SHA1
78975a6713d3f89211ab95a2e6d92c4f308851c2

SHA256
fda3fda0bfcfce5fad186d37f2cef73e1872f81e1ab7d0c8791c4c45d857ce73

SHA512
72adde05eb32f4cdcf2948f36d7ec6b3b479da5c5386e7eb60a348daa58a92e608be9b699a5f3c73c462caf7f61ca9d8b7eea8046c5f80753c69760e03e72cb0

Download Submit
C:\Windows\SysWOW64\Likhem32.exe

Filesize
344KB

MD5
6cd0e60f7ed7744361797110b89d0ba8

SHA1
e28ee9f313c661851e6ab714da0ec94906fdda09

SHA256
ea9487d4ead4f9aaa62d35bba5d2f64ad13395611c86d5d26755669963a93e46

SHA512
71c99762df41c8f96d8af789a8244b841f01ce09313b0501e3ec965100c4bf5113838b3a40693052885051faa825282cc1956e2949ddfd503557e8f36bd5e5ab

Download Submit
C:\Windows\SysWOW64\Lojmcdgl.exe

Filesize
344KB

MD5
3fb4281097f632e65144f73f91d5ecb0

SHA1
975b866994cb8d75fdcd19652217e0b5f8a39d9d

SHA256
a4d4f3541f2fe918e83d3394ebc48fb2d69b9e6964416080ac2142494d49b942

SHA512
29f9a1c574ad256f6f0464c7e8d76a1443caac1634e7681eb27b9a3b375080ced3549a405bd7056f9fdb685056914ec6e195d73eb72d7928818d5e4bdbd8bb47

Download Submit
C:\Windows\SysWOW64\Mokfja32.exe

Filesize
344KB

MD5
5c98fefdca03531965c21e4b9ff6d140

SHA1
5b437b9be03ce919370231c9c2d7e14c36e0cdca

SHA256
6c0c9bcd5aef959d8196e97a7e24e48ca99dafb433e62489277c11a0e61eabd2

SHA512
0124ac7c0cb344c28060b09b980f9242a41313eadb23ce22f4a840049fb3001b104a047fd20fc6de13dfc77801c31249e8ed744cd92d6ca32f14cb1191a4af1f

Download Submit
C:\Windows\SysWOW64\Ncpeaoih.exe

Filesize
344KB

MD5
12705108a7a3062122a36c3e050f4afb

SHA1
f9f5fbbca387aeb4a23d8456e9ce399a02339193

SHA256
fce6a84b6895405896d67c06e10808be83a50d16f94b9af642044881c7b91917

SHA512
3354e1a7a593391e46330727577b991cd931c9f8060b0526204001381587a9a6fb2f82daa675dee095fbc818ddcefcad417c9ad74bf8b9dbe80aa0f70c544602

Download Submit
C:\Windows\SysWOW64\Nimmifgo.exe

Filesize
344KB

MD5
972bd3441e979d1ea1ea71e027d5d0ba

SHA1
4cbfdbacdb39e89b3bfcf46bec9d331cecd335cd

SHA256
b46d68500b44cd0343a90e93b3704bc0d580a4b5410a42773e4bbc7f0cc218ff

SHA512
0f3ba78a13608bfdc744ee9cf084d163644f97d3382df5a9828557f6b696cd776074e184aa4f89f59a90aeca3fc3afb5e728bd4a3a855854c2119e591855ef2d

Download Submit
C:\Windows\SysWOW64\Njedbjej.exe

Filesize
344KB

MD5
2dfb71df5041ec2fb6f5d5bf97aa53d5

SHA1
028f072940ef5eee65c5477c96d792320369f90f

SHA256
3b7fe667d2d432ec4526767de7de891ac43a26a351125752b0c34ad2ea63a2c7

SHA512
47236b3ec91d0677a9cdf24c5d0c6c79dc0cdd318b410d2b160a4c09cfe72a28cdabaa6598d9102ef37624f8aa9bb7ea1f9bc2efeed9815c39d8fd63ed7fb426

Download Submit
C:\Windows\SysWOW64\Ocgkan32.exe

Filesize
344KB

MD5
09db75f732d359bc7e4a1ac973114e99

SHA1
79ef0a92118be2efc8b10ca7c94d15246c9135b6

SHA256
58cbd431c64b4fc346a279098dccc51243d055f98ec0767e2d11a17db04a69d2

SHA512
9bbd984524d06ad27548baf5896828e429c659418cbc43d43107ac8af7005ef479b119dc9051807046bb57f157dc98ceb990562bfd06b262d8bf09adaba98838

Download Submit
C:\Windows\SysWOW64\Ofckhj32.exe

Filesize
344KB

MD5
049fb12bb2ac352a358b041d4ca22bdf

SHA1
94f4e47bf8d96fb6388f469b29d1e52a995934b1

SHA256
d2d17dbf3ebabc2436c23afbfe16e25e8e19e79d5c685c750e70949e5e468acb

SHA512
667d5c0c22fa2355623a9cf4ebd937f7c99b0960aa1c5f635f227525ae0ed1b843affffc0aa1747ef23c48eb036d34f40a0ee83bc1ccdc23b3d9b09d88e0c24a

Download Submit
C:\Windows\SysWOW64\Pafkgphl.exe

Filesize
344KB

MD5
cf22d719146cecea3480da8f99888c7b

SHA1
e3020661098bbac23f2b7b455917b8716633e7ac

SHA256
8375376947499287c92d95f8df9d917ddfe6e39fff6212b4f0fb32deb896a364

SHA512
99bfae021476f6203f67aa207c21a81927d7bf070025e12c303a243a9003d8a86316bd25eed50003367861546996dba6375f4e3b81d90ea74efec5fa752c9bae

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
344KB

MD5
8e8de2eb84da7819a1e6aae5b255c774

SHA1
bdbcff054e4a01ee029391ceeaa6976f2f205242

SHA256
0faaa6963faad116cdb24aabd96aa3023aa7a6b2c4867dde76079064b374ea55

SHA512
dddc65ad8da82bb5c212324df34adfdc1c7702e128ee111c564311eff58f538733e5553a1cbf32c3be474fbb91be467a82e025084cac628c467416f2db5f7653

Download Submit
memory/464-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/824-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/904-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/984-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1452-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-427-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1880-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2072-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2148-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2260-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2464-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3164-420-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3204-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3556-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3712-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3720-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3764-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3848-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3864-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3864-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3932-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4036-133-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4104-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4184-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4188-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4188-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4320-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-589-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4508-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4508-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4556-599-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4556-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4648-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4916-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4964-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5072-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5076-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5128-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5172-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5216-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5260-469-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5300-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5332-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5380-488-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5408-721-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5412-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5468-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5512-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5548-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5592-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5632-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5672-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5712-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5752-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5792-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5836-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5880-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5924-570-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5964-575-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5964-753-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6012-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6052-590-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6096-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads