5f446baa2e4f54c9b038964822977363e6c18ffa3008458767f68ad94b04409e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 09:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5f446baa2e4f54c9b038964822977363e6c18ffa3008458767f68ad94b04409e_NeikiAnalytics.exe
Size

250KB
MD5

d47f19d3b896ab35ce3649bab0ed99f0
SHA1

d4cf211b4aad06cdf0863485a2bd6853b98eeb81
SHA256

5f446baa2e4f54c9b038964822977363e6c18ffa3008458767f68ad94b04409e
SHA512

67caeabbc77ff180e5c3391e378ef7823246bdde415c2657872adfe992a2bc9aad62544451bccce45df8b123c7a660e071bf2b3535f3c14d2d08b49399b9c6c9
SSDEEP

6144:HZWylvCvfmZ7KRRRGBCvfmZ7KFpNlJTBCvfmZ7d:5k

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5f446baa2e4f54c9b038964822977363e6c18ffa3008458767f68ad94b04409e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe

Executes dropped EXE 64 IoCs

pid	Process
3220	Haidklda.exe
2964	Iffmccbi.exe
3260	Iidipnal.exe
1908	Ibmmhdhm.exe
2712	Imbaemhc.exe
2348	Ipqnahgf.exe
2876	Icljbg32.exe
3160	Ifjfnb32.exe
4940	Iiibkn32.exe
4700	Iapjlk32.exe
1204	Ipckgh32.exe
4992	Ibagcc32.exe
2728	Ijhodq32.exe
2172	Imgkql32.exe
2844	Iabgaklg.exe
4148	Ipegmg32.exe
1592	Idacmfkj.exe
3908	Ifopiajn.exe
4128	Ijkljp32.exe
784	Iinlemia.exe
2700	Imihfl32.exe
1304	Jaedgjjd.exe
1508	Jpgdbg32.exe
2064	Jdcpcf32.exe
3212	Jfaloa32.exe
4484	Jjmhppqd.exe
1400	Jiphkm32.exe
3076	Jmkdlkph.exe
4444	Jpjqhgol.exe
5000	Jdemhe32.exe
2900	Jbhmdbnp.exe
2356	Jfdida32.exe
3004	Jjpeepnb.exe
3544	Jibeql32.exe
4328	Jaimbj32.exe
620	Jplmmfmi.exe
1356	Jdhine32.exe
860	Jbkjjblm.exe
2272	Jfffjqdf.exe
2768	Jidbflcj.exe
2536	Jmpngk32.exe
4856	Jaljgidl.exe
3832	Jdjfcecp.exe
2260	Jbmfoa32.exe
5036	Jfhbppbc.exe
3368	Jkdnpo32.exe
316	Jigollag.exe
1372	Jangmibi.exe
2012	Jdmcidam.exe
3472	Jbocea32.exe
4816	Kacphh32.exe
632	Kdcijcke.exe
1320	Kagichjo.exe
4140	Kcifkp32.exe
3240	Kkpnlm32.exe
1168	Kckbqpnj.exe
1076	Liekmj32.exe
5032	Lpocjdld.exe
2740	Ldkojb32.exe
2784	Liggbi32.exe
5016	Lpappc32.exe
1568	Ldmlpbbj.exe
4204	Lgkhlnbn.exe
4744	Lnepih32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	5f446baa2e4f54c9b038964822977363e6c18ffa3008458767f68ad94b04409e_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Iidipnal.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5868	5740	WerFault.exe	194

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5f446baa2e4f54c9b038964822977363e6c18ffa3008458767f68ad94b04409e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5f446baa2e4f54c9b038964822977363e6c18ffa3008458767f68ad94b04409e_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jdhine32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 3220	928	5f446baa2e4f54c9b038964822977363e6c18ffa3008458767f68ad94b04409e_NeikiAnalytics.exe	82
PID 928 wrote to memory of 3220	928	5f446baa2e4f54c9b038964822977363e6c18ffa3008458767f68ad94b04409e_NeikiAnalytics.exe	82
PID 928 wrote to memory of 3220	928	5f446baa2e4f54c9b038964822977363e6c18ffa3008458767f68ad94b04409e_NeikiAnalytics.exe	82
PID 3220 wrote to memory of 2964	3220	Haidklda.exe	83
PID 3220 wrote to memory of 2964	3220	Haidklda.exe	83
PID 3220 wrote to memory of 2964	3220	Haidklda.exe	83
PID 2964 wrote to memory of 3260	2964	Iffmccbi.exe	84
PID 2964 wrote to memory of 3260	2964	Iffmccbi.exe	84
PID 2964 wrote to memory of 3260	2964	Iffmccbi.exe	84
PID 3260 wrote to memory of 1908	3260	Iidipnal.exe	85
PID 3260 wrote to memory of 1908	3260	Iidipnal.exe	85
PID 3260 wrote to memory of 1908	3260	Iidipnal.exe	85
PID 1908 wrote to memory of 2712	1908	Ibmmhdhm.exe	86
PID 1908 wrote to memory of 2712	1908	Ibmmhdhm.exe	86
PID 1908 wrote to memory of 2712	1908	Ibmmhdhm.exe	86
PID 2712 wrote to memory of 2348	2712	Imbaemhc.exe	87
PID 2712 wrote to memory of 2348	2712	Imbaemhc.exe	87
PID 2712 wrote to memory of 2348	2712	Imbaemhc.exe	87
PID 2348 wrote to memory of 2876	2348	Ipqnahgf.exe	88
PID 2348 wrote to memory of 2876	2348	Ipqnahgf.exe	88
PID 2348 wrote to memory of 2876	2348	Ipqnahgf.exe	88
PID 2876 wrote to memory of 3160	2876	Icljbg32.exe	89
PID 2876 wrote to memory of 3160	2876	Icljbg32.exe	89
PID 2876 wrote to memory of 3160	2876	Icljbg32.exe	89
PID 3160 wrote to memory of 4940	3160	Ifjfnb32.exe	90
PID 3160 wrote to memory of 4940	3160	Ifjfnb32.exe	90
PID 3160 wrote to memory of 4940	3160	Ifjfnb32.exe	90
PID 4940 wrote to memory of 4700	4940	Iiibkn32.exe	91
PID 4940 wrote to memory of 4700	4940	Iiibkn32.exe	91
PID 4940 wrote to memory of 4700	4940	Iiibkn32.exe	91
PID 4700 wrote to memory of 1204	4700	Iapjlk32.exe	92
PID 4700 wrote to memory of 1204	4700	Iapjlk32.exe	92
PID 4700 wrote to memory of 1204	4700	Iapjlk32.exe	92
PID 1204 wrote to memory of 4992	1204	Ipckgh32.exe	93
PID 1204 wrote to memory of 4992	1204	Ipckgh32.exe	93
PID 1204 wrote to memory of 4992	1204	Ipckgh32.exe	93
PID 4992 wrote to memory of 2728	4992	Ibagcc32.exe	94
PID 4992 wrote to memory of 2728	4992	Ibagcc32.exe	94
PID 4992 wrote to memory of 2728	4992	Ibagcc32.exe	94
PID 2728 wrote to memory of 2172	2728	Ijhodq32.exe	95
PID 2728 wrote to memory of 2172	2728	Ijhodq32.exe	95
PID 2728 wrote to memory of 2172	2728	Ijhodq32.exe	95
PID 2172 wrote to memory of 2844	2172	Imgkql32.exe	96
PID 2172 wrote to memory of 2844	2172	Imgkql32.exe	96
PID 2172 wrote to memory of 2844	2172	Imgkql32.exe	96
PID 2844 wrote to memory of 4148	2844	Iabgaklg.exe	97
PID 2844 wrote to memory of 4148	2844	Iabgaklg.exe	97
PID 2844 wrote to memory of 4148	2844	Iabgaklg.exe	97
PID 4148 wrote to memory of 1592	4148	Ipegmg32.exe	98
PID 4148 wrote to memory of 1592	4148	Ipegmg32.exe	98
PID 4148 wrote to memory of 1592	4148	Ipegmg32.exe	98
PID 1592 wrote to memory of 3908	1592	Idacmfkj.exe	99
PID 1592 wrote to memory of 3908	1592	Idacmfkj.exe	99
PID 1592 wrote to memory of 3908	1592	Idacmfkj.exe	99
PID 3908 wrote to memory of 4128	3908	Ifopiajn.exe	100
PID 3908 wrote to memory of 4128	3908	Ifopiajn.exe	100
PID 3908 wrote to memory of 4128	3908	Ifopiajn.exe	100
PID 4128 wrote to memory of 784	4128	Ijkljp32.exe	101
PID 4128 wrote to memory of 784	4128	Ijkljp32.exe	101
PID 4128 wrote to memory of 784	4128	Ijkljp32.exe	101
PID 784 wrote to memory of 2700	784	Iinlemia.exe	102
PID 784 wrote to memory of 2700	784	Iinlemia.exe	102
PID 784 wrote to memory of 2700	784	Iinlemia.exe	102
PID 2700 wrote to memory of 1304	2700	Imihfl32.exe	103

C:\Users\Admin\AppData\Local\Temp\5f446baa2e4f54c9b038964822977363e6c18ffa3008458767f68ad94b04409e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f446baa2e4f54c9b038964822977363e6c18ffa3008458767f68ad94b04409e_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:928
- C:\Windows\SysWOW64\Haidklda.exe
  C:\Windows\system32\Haidklda.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\SysWOW64\Iffmccbi.exe
    C:\Windows\system32\Iffmccbi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\Iidipnal.exe
      C:\Windows\system32\Iidipnal.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3260
    - - C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        23⤵
        Executes dropped EXE
        
        PID:1304
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        32⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:620
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        41⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        42⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        45⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1372
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        59⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1332
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2248
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1624
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        72⤵
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        75⤵
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        81⤵
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        82⤵
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        83⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        85⤵
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        86⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        91⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        92⤵
        
        PID:372
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1764
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        94⤵
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        95⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        97⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        98⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        99⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        107⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        109⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 408
        110⤵
        Program crash
        
        PID:5868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5740 -ip 5740
1⤵
PID:5808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haidklda.exe

Filesize
250KB

MD5
ac411f72f5b3adfc8ea093dc97fead78

SHA1
bae9f4b2ffb235e32a7c5616cb41063660c3ce84

SHA256
60237db6134c4556208ba0e720577340c760059ba2b8cf785066d33db63a4c4d

SHA512
27cc9b436628fd003612b2c83bd9a2e587c641565d8539309722398fc8b4acc0c45f681eb9b19bbae3be2e4bfa79ee53da0e27328f2317a375ca406a1c5b4d60

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
250KB

MD5
571af1c02ad5c53340714e13f56299bd

SHA1
cd33903a74fb6edd8771c93e5b21ee2721d7256a

SHA256
4bc11257651225c5658ca6ca19fe6e2c0a15e556396c3961b65df9eee56fbdd6

SHA512
f5af7998acc96cf1095e2032088eceb6b0a2f02276a0a1c85c52aaee5525036e1ead39d342120fa87e3763812af2b93f8e32096f2db479815252dd15852d9e27

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
250KB

MD5
bed26f54891324ecd3f08a7d2678fe1d

SHA1
2eaa338d758bc13312758c3fc146cf10f1b31f49

SHA256
3c7a0939a41f1adbf02a015085a31e753e835f44e29e4d7730abe30ca6190564

SHA512
270b30a902d403f4903407832ba0206fe526a263440746574dbe30b62e644e2b2d62e51e5bcb4c3644c76630c4820a3fcd992bf09fbafb9cb705c63aa0680b9b

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
250KB

MD5
c849eadb0f124f984881b5f6a432341e

SHA1
8231f2178fa691b24024fec9ad76598974cb9fa9

SHA256
82d01c89abf64b5366dc78ab2ef93a1ee826421aa33dc8431eb864e4e4624d12

SHA512
3758966f6cc77876cc103a6317eda18e298b48e25f735a0c8b6305d5e1be6c28b14dc4c0fd3d721d4c2b93f63099fc5975845359e5ecc7e7ef0406e5fd1179ce

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
250KB

MD5
2374cedd0d5f9459ae3957e8a2f043fe

SHA1
ae7e997c96fe76a2a1adf3a2e5ae7583d8dde4af

SHA256
f8a2cb9c1a8d641282bb0e16f388ae162f8f175795f11cdc935e3b08b6a09d9b

SHA512
d03b8009e81af49855d5d78f63efc1e4b7e63236039f1d5f3d8ab689f089beccadd4ed7165773859ae1e68a4a62f1f1a71bf19e8d6d0e6a6735a5abe43af0cb3

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
250KB

MD5
e4535d9a787751ccc125fd3831606e4e

SHA1
fdc697cf330e8ac57ea3640247b82a0472f7f9d5

SHA256
979c193b07df94b267fdb0e11f8671479173f360013e65eb8b5290f79bedcb19

SHA512
887ea757cf40f8503baa07d253da476feff971f0089f2eba527c147e8834372d7ebf36a56a0278c688ad2cce3ca3e30f8b32b6ac9e58008a179a16558bf00ea5

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
250KB

MD5
647276c105c1467d8e8f10b39075d577

SHA1
dbeb75fb82eb8dfe99693d914d80e6e335d3eb6e

SHA256
f8304db28d92a26d0520659604bfcdf546c7e1202b53305e5e5dabc309482314

SHA512
de3998d92564f65e076ad173aeea5619f8ac4db4374c979d030c4229dcb7be056a9d4c1fd50ee383d8be051f42b7ed7a5ef9a3c017b569c021632175554ae605

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
250KB

MD5
ad5e2d780db3a3e3a59e7fc10c95ab6f

SHA1
3e212c13b582b6f746825d0ff79a8bea03f49af6

SHA256
c2fd0dc0fa02cdc01e2e839e0e0777aeac2d2b1ef898a0d76bf86df49c570a64

SHA512
ed46bc0d219209d7d6d9cb7b537dfebfc1d2033ab7f871c01255332c3ebb1ce735935c284410a7b1a05bbbe714703423d605671394e31af1c29c98a3386f70f8

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
250KB

MD5
5d46b2552d60e2bee8374dd096d4f2da

SHA1
a6349f505cbeed95f9de57e01506bd36494900e1

SHA256
bc5975d7772d3e2a1ce35138691f705204ec5dcf2fea0c712a26db314e4e96a4

SHA512
67b8ec47853e23d728ed077089debcedc3255a44b865ec20e7fc4aa91046fe98bd8b552e8687743f09b06fa886d5b71a526a7c4353072211f36fc66ccbe3662c

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
250KB

MD5
f567cb1a5cdd663b2309e17d085c8420

SHA1
f9948e3ce39e1710f8f3e4f2ff755d874bc2ce37

SHA256
8566c17659f95e89bf5974a8b4b37c9d7a5d9f42e642143033b1b5fcd5647b52

SHA512
d997027444cce8c865d2c598ccc2d101eebab6b93dfa0bfe44a66819b77297e6c125581d29b407dd9342f73e88b88c5a8e4bf8afac0a1542fba95ca38a2aa070

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
250KB

MD5
90827dca48a9efe5c1c30e5eee3e96e3

SHA1
77835f5650a417c786f1d52c53824b3e65786531

SHA256
4ea3b99795632b838fb1e2ab9121efa0efd7908a856d01c4f3d15802b634a30a

SHA512
37999b877db7ad8f8795e97fd994efd31289a2e8f0839042045a41e4b91134754053545da2c3f67213140f6eba9cbd8b9e62fb242becbf51c26ddbcc861c7c21

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
250KB

MD5
0804504b583d11384937f04f90ce8da2

SHA1
6664e974564b78e6ea4aedeb2bf909089095e4a3

SHA256
b919bf18f732a1243a4300ce667d6756e4dee8d0174bfd78d7d944b52f37f0d9

SHA512
11f76d4e083713f7b269ac2f3d43a0b4f39d32fe997a78a485e9151a66b6a17e215d735552c0fdcdfc310b832b08ee230ce817cb489a24ad9ffe2efe03acdeef

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
250KB

MD5
58a88f05df9b64833fe4a88e400dc9f7

SHA1
c08eae1d58251417e1bec7607f9546d225a47c20

SHA256
ada85fbf95c908b86ea2db5c90c6b2c10a8d5c23c0c7817646da0722298f6191

SHA512
f888affb112da58959abdf50f2a62287daabfeebd49ee3b2eb404375d84d148598866117da58a40ee9d49ebe21b86ea1339d6596756b4b52333ed028f138b5cb

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
250KB

MD5
6ebe6dbb80418dc86c4841b3938e421c

SHA1
6af0f1b08abec488654030f2a6e23ebd3d77e3a5

SHA256
d0de16d87776ea1c9f891fd9a15ec8fb29992f303a13f27bf31b5afa0d774b18

SHA512
670cf58bd16924a60aeaf3586c610efe4058ebed77ef7235b31c86ce359a5a186aac11ced5e330573e9699dca7f140b948984345cb47bd97cf540ead9727021a

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
250KB

MD5
34c60f334731000629bf62526c2b914e

SHA1
27456cb4b42391a05ad1eb95ec3275fbb7f002b9

SHA256
01494da47e0dcde3cf2c9ff7473691462a08b1735396e3ac61471f1ad7719ea7

SHA512
4def9ed2f6a61998ff641810c35d1e7ce87822c3a716646466f06b0867f79ccfeaa0dd450b402aac93536f2c15315d6cd87ad49eee8ba2643af9ccef33e9d285

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
250KB

MD5
00760e47a7935ec0601d406ce98fc71e

SHA1
773167f4e5e0b13dca0b57c064645aa3176c701f

SHA256
9b6e1fd00c9f2e5acc632e35b936c450de7d5ed80d69b127653c2bf2e6e5e72d

SHA512
44817a67fd16e6d89e3b81eeff52db7ec264e353b310ba4a9f0f105cb3e523ef5eef6e400384e8a4126d16a4b94b26b75e0632dd170ca6ef8367df79446815c5

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
250KB

MD5
cddc1323185b9367c9fce49f116d266c

SHA1
4f24c7b3875bb053b704169e59cadcdcd676c6ab

SHA256
c3fc9dafb5b9a707e70dc7dd96254e17caf0d47b6037a8fb669a2442b3b39ea7

SHA512
474960f4ba6e376597e6bd280a46629047b80360b122c26b55784f90103f1ae3f58dd1ea608fa3c64ea6a3db2b8507aed32669381c8fc928a8ac22fec6f6c1ae

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
250KB

MD5
a3021a0969000ee24f22493b3310353e

SHA1
38267153a921f2c6e231823ebd0676826ac52b7a

SHA256
c67dd7f5b01b3c19a28670d8c7281abfa93d3aa4349c275c8aab8b8842147352

SHA512
766cf468659b43ce24ae0e2185196bd0bb4910f81563efa2e09a6155623492c515396b9aee4e904643adeec521a8523ed18fe4855b7efb20612e181372e19388

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
250KB

MD5
d1525e67b7d9a8634d7cfa656f4801fe

SHA1
341dedac30f89e072ae38993e289a9ab4810a317

SHA256
d990feeb6d8f4184f0dbcc83ec1f71236a3cd4be17fefb5dfab33beda1491fd2

SHA512
2fb7d5111564e8a4c29bf5321978192ce4709a6ce4ea52d3a1e6efdd7e387504728ff341eaadafe242934be6f43b490b1823d965569170270b37dea2f7f40899

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
250KB

MD5
842f4b5c2210e9575c19adbca20cbfc7

SHA1
1069b3bb5d45b32cea90523d4e889d17e6fef3dd

SHA256
49f9eff3a18b2f7c478e46c5fa01a646d218c9f5d6f339e319bd15a4a2178768

SHA512
836fc08b8b4f6f5085bdc870b2eadc9b884b10cfa4684499a934f5fcaa453b45f84ba4637669783f92cbf43ac59812a2700ebfeccd106d619dcdcc54b56b3aa6

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
250KB

MD5
a5bc2663c40f3952afb1df0b6ebb9fd6

SHA1
032974ef839e30985d370eb49eb77e7711e1f1ff

SHA256
d95d594b8c8909ec2c102068d83d32515b421fc150bf696e6c60b24a213cdfd9

SHA512
6e6e31f941bb865aadc5bf55505ba80ccc3ebcc1c951033d69a493d7d614e44ccd18cdc3c58cc761fe9c784f91f98d391347e1a34f520606c173f2b61f5d6467

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
250KB

MD5
6bcd50adf12c59e8dbfa9eae9c6496be

SHA1
0cda203cc6caf38983abb127466155d2ce88af1c

SHA256
704e41bc426b112eae4620d008becdaf833e820d1f9180e49172b320cbd97b7a

SHA512
e87b7e5dbaae9b0e0968b17778843d2d9213ad3c729b0ee5d1a36137d21f7a9cf2b120cdee3608f12ae4e2083e19a02ca5edc8ddbe7c32f0270fad62675d6c5b

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
250KB

MD5
b2a003d6e90645b50a83c57227145c12

SHA1
b6b0b2653ce674ed5b1db50ae0bdffb12d3c9a0c

SHA256
e7c143330aca9c8f92e769688afe147e4a6ce42e75eac3f10303f6057f21dea6

SHA512
c0bf1c5300f1bda55dffd5cefdc5a9e3370edd1062766341bbbc67fcc8500ea2ab97dacc9c1ff177aca3117974c3d622da5ce1fd3ae41972e055b78426c3c6fb

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
250KB

MD5
1f94d1647c6f30dcd74e53ff20bc50e4

SHA1
2f947a43fae2e3b98c6d3c4b397fe58f9e301373

SHA256
cd770f4c09bfc80ab6228b9da410730b051fdaf1e5b4622b094a13e33508cf0d

SHA512
5bbd3a7d589082c72de57bd4aae15926f6c11c38f060d93bad284968d9cd07e798400baaacb4e4a2308b4c75263642a3a0e9b478b7e747629c69ad1df873eade

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
250KB

MD5
b59b9d13a27ce120e6e4445f1a23df09

SHA1
30838f7adaf6d877515dc4e8a7b732c4ec58c050

SHA256
a0492747481d2e135026c1f192e6940600497bd059751020b05557d543cece10

SHA512
b74f0a29721295168662d3d25d915ea34b5cc95dfd5517684db5f955fcfa9bab7b6b5d4b35cdd539ac4ed381952b1e2bcd30e855e786c1131dd22815aae428d1

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
250KB

MD5
6ce428015301301a9b07bb1b16292dce

SHA1
0b0f91e7d50cd8c453656a76bd32def5fba294d5

SHA256
d7ad241c9f64d3ad1a6853cb1905cf68de1c1dae5d3b8af9d98cd1668e18789c

SHA512
e04215e238031fd45dcba932ec38dc05920a55d9614cad3208c667b8285e5421eed503d16108d2c9904f17be14acefa4338d6acb59f33ee8706048da70f61dd1

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
250KB

MD5
a16b99b0a4a1fdae9d4f09c81a9f0330

SHA1
c3320ceb905c1091767c01740ccf64df02756189

SHA256
bc0fa93aa5c69e6e1ef87184ef6e46a0d6073b208f47d2502ef8d69f33fa3518

SHA512
a93dd7bcef6a72b54296dbf7afb4bacd64d42a9bb8e0875e418499d92f8b17ece5c86f0813a45f1b709a9d51b0dd3f96b598b6daccf002b22ca09c9929c3b4aa

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
250KB

MD5
ffaaad3f86937dd50db2170519573c65

SHA1
50d6e27ea043d8e8c16b1f9dfffd9ec0703d6a02

SHA256
f210a94e688d8931d17bb8af7e096768735568840491c39c56d2e3e544313382

SHA512
d1f315cea8cf18dff75b1194da36157f4fed31961674f1c8a65e6b521618c90a09a13a96f97046e287fafdb3e3eb13f97de7f3734fd850432d6d2987b1fccd07

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
250KB

MD5
26e427de8898605e9de0c4a9e9f4c709

SHA1
898a96b8c762e43f0384f480900ab45a75ba446a

SHA256
f4f1a256d39230ad0322c0f6a1352b7a667cb6165a41fffaec5f49f0f95bc272

SHA512
a62fda80f62be939e855107b72d5a3d3ceef6170fed35588c8dfcab25ef52b58dc6f8378ecfa9427b54ae718032a8a3b109367e7f5ce6d01d3822e140b91a101

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
250KB

MD5
be76f31fdaeccff98ea1682ff2e9193c

SHA1
6edb27fd4c41498902c6a287e5a34272bab55ef0

SHA256
27b286891a27928d6305fa46e1901e9aab84f913db52dfaa25e494be7588f6df

SHA512
391abbb5f26de1859f7f8f19b44dff82a14d06fb6fb13380f4cbcd163e7c35c6faabe3b46237ddbc10620cf0338514bd366436dbce061ebf367e7cf5b3c77ac0

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
250KB

MD5
1971687d2fe2ee2827190085ba72dfaf

SHA1
410a689d348cbd8bb9af5973db49802bd4a81990

SHA256
5d1f4d7740cb9616e387018dfad86970b86f0072a5352bf6ba3e73fbd50487e0

SHA512
ca34e3eac369dd331cb6cca4a32531b89cde88027d9c38c2ed1400c4788006fc7db69292f5175d62d40901863a260c34a8614dd331189e49323f69302f6ab91f

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
250KB

MD5
554f28d24a417b457bca9a4f2713cb6b

SHA1
44233f0d1a4d5292b9e61bc137b13b76c45118f9

SHA256
26ce0116f1538326c1c9822a1a3626f39dedaf1750f7b2a462218c4fc1da48f9

SHA512
afb24b73bc22cdfa0ae4459c8b9ce05bffb9c933a8d62b23eacc2886dc36b8b438aed7ac6fc33c958e5f2b6c91d476f20ee06dca6a2944c0a2ec071e2a9e5983

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
250KB

MD5
05e49837370a51a17117174d8ac3c40d

SHA1
66bc6e8fb4531dfacb7758c4da17e556908a06ea

SHA256
b76ff6307b7b51fa75ba6d010281edd3ac6f6677db82288d06851287c32699bc

SHA512
50b97c679b3c0ce55b21f9ae05a7feb08e9012a2bb2d3489a46384b5f924a7e91cc6fc01608a2c11a26a9eacbfadad48829695b3980733b42c793beca1f58511

Download Submit
memory/372-584-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/384-475-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/620-352-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/784-329-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/860-354-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/928-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1076-389-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1168-388-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1204-99-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1304-335-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1320-367-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1332-436-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1356-353-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1400-340-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1508-336-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1548-569-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1568-418-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1592-316-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1592-860-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1624-458-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1764-711-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1896-442-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1908-32-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2064-337-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2172-313-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2176-529-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2248-453-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2348-48-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2428-568-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2560-551-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2700-330-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2712-44-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2728-312-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2728-867-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2740-406-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2784-407-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2844-314-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2876-55-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2964-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3004-348-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3076-341-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3160-68-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3164-501-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3212-844-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3212-338-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3220-7-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3232-596-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3232-709-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3240-377-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3260-24-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3268-483-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3544-349-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3712-516-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3908-317-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4012-465-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4068-539-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4072-494-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4080-495-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4128-322-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4148-315-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4204-424-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4328-350-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4428-477-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4444-342-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4484-339-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4700-874-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4700-98-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4744-430-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4796-557-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4816-355-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4940-876-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4940-76-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4956-523-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4992-100-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5032-396-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5128-707-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5168-705-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5168-602-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5208-612-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5208-703-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5288-701-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5288-614-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5340-699-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5376-630-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5376-697-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5412-695-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5452-640-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5452-693-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5492-691-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5528-651-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5528-689-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5568-653-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5568-687-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5608-685-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5608-659-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5648-669-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5648-683-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5688-681-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5688-676-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5740-679-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5740-677-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads