50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe
Size

128KB
MD5

bcb3c816663489bca1f5657e73b18360
SHA1

67a97769fa0a06354ad3ecba965dee1832e9a76a
SHA256

50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e
SHA512

34a3c432a643cc8d73b916f628cfa67c7705102383046dbb74a809fa2f0ef802f6610b26120ffaecab54dc9428d4910ba2b6d9b88a7027beb709b4bf2019f9a0
SSDEEP

3072:ZqEoHWUCzDHWaUpfogsS5DSCopsIm81+jq2832dp5Xp+7+10l:ZqEooDHW9AgsSZSCZj81+jq4peBl

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe

Executes dropped EXE 64 IoCs

pid	Process
2192	Hbhdmd32.exe
2024	Hibljoco.exe
2660	Haidklda.exe
5028	Ibjqcd32.exe
4680	Iidipnal.exe
2740	Iakaql32.exe
2776	Ibmmhdhm.exe
1240	Ijdeiaio.exe
2460	Iannfk32.exe
2444	Ibojncfj.exe
2360	Ijfboafl.exe
5108	Iapjlk32.exe
5016	Idofhfmm.exe
2232	Ijhodq32.exe
1148	Iabgaklg.exe
4568	Idacmfkj.exe
220	Ijkljp32.exe
2656	Jaedgjjd.exe
4716	Jdcpcf32.exe
3492	Jfaloa32.exe
2640	Jagqlj32.exe
4888	Jdemhe32.exe
3004	Jfdida32.exe
4624	Jplmmfmi.exe
4276	Jfffjqdf.exe
768	Jmpngk32.exe
3716	Jbmfoa32.exe
4564	Jkdnpo32.exe
4740	Jangmibi.exe
60	Jbocea32.exe
1512	Jiikak32.exe
4540	Kaqcbi32.exe
4080	Kdopod32.exe
4140	Kgmlkp32.exe
4532	Kilhgk32.exe
1688	Kacphh32.exe
1116	Kdaldd32.exe
2300	Kgphpo32.exe
4672	Kkkdan32.exe
1068	Kmjqmi32.exe
5052	Kphmie32.exe
3488	Kbfiep32.exe
4764	Kgbefoji.exe
4708	Kmlnbi32.exe
396	Kpjjod32.exe
4444	Kcifkp32.exe
3316	Kkpnlm32.exe
3056	Kibnhjgj.exe
3820	Kpmfddnf.exe
1652	Kckbqpnj.exe
628	Kkbkamnl.exe
3132	Lmqgnhmp.exe
3008	Lpocjdld.exe
384	Lgikfn32.exe
2132	Lkdggmlj.exe
3024	Lmccchkn.exe
5104	Lpappc32.exe
1640	Lgkhlnbn.exe
2168	Lnepih32.exe
792	Lpcmec32.exe
696	Lgneampk.exe
1960	Lnhmng32.exe
1416	Lpfijcfl.exe
4816	Lcdegnep.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Lcnodhch.dll	Iidipnal.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6108	5900	WerFault.exe	192

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 2192	1536	50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe	83
PID 1536 wrote to memory of 2192	1536	50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe	83
PID 1536 wrote to memory of 2192	1536	50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe	83
PID 2192 wrote to memory of 2024	2192	Hbhdmd32.exe	84
PID 2192 wrote to memory of 2024	2192	Hbhdmd32.exe	84
PID 2192 wrote to memory of 2024	2192	Hbhdmd32.exe	84
PID 2024 wrote to memory of 2660	2024	Hibljoco.exe	85
PID 2024 wrote to memory of 2660	2024	Hibljoco.exe	85
PID 2024 wrote to memory of 2660	2024	Hibljoco.exe	85
PID 2660 wrote to memory of 5028	2660	Haidklda.exe	86
PID 2660 wrote to memory of 5028	2660	Haidklda.exe	86
PID 2660 wrote to memory of 5028	2660	Haidklda.exe	86
PID 5028 wrote to memory of 4680	5028	Ibjqcd32.exe	87
PID 5028 wrote to memory of 4680	5028	Ibjqcd32.exe	87
PID 5028 wrote to memory of 4680	5028	Ibjqcd32.exe	87
PID 4680 wrote to memory of 2740	4680	Iidipnal.exe	88
PID 4680 wrote to memory of 2740	4680	Iidipnal.exe	88
PID 4680 wrote to memory of 2740	4680	Iidipnal.exe	88
PID 2740 wrote to memory of 2776	2740	Iakaql32.exe	89
PID 2740 wrote to memory of 2776	2740	Iakaql32.exe	89
PID 2740 wrote to memory of 2776	2740	Iakaql32.exe	89
PID 2776 wrote to memory of 1240	2776	Ibmmhdhm.exe	90
PID 2776 wrote to memory of 1240	2776	Ibmmhdhm.exe	90
PID 2776 wrote to memory of 1240	2776	Ibmmhdhm.exe	90
PID 1240 wrote to memory of 2460	1240	Ijdeiaio.exe	91
PID 1240 wrote to memory of 2460	1240	Ijdeiaio.exe	91
PID 1240 wrote to memory of 2460	1240	Ijdeiaio.exe	91
PID 2460 wrote to memory of 2444	2460	Iannfk32.exe	92
PID 2460 wrote to memory of 2444	2460	Iannfk32.exe	92
PID 2460 wrote to memory of 2444	2460	Iannfk32.exe	92
PID 2444 wrote to memory of 2360	2444	Ibojncfj.exe	93
PID 2444 wrote to memory of 2360	2444	Ibojncfj.exe	93
PID 2444 wrote to memory of 2360	2444	Ibojncfj.exe	93
PID 2360 wrote to memory of 5108	2360	Ijfboafl.exe	94
PID 2360 wrote to memory of 5108	2360	Ijfboafl.exe	94
PID 2360 wrote to memory of 5108	2360	Ijfboafl.exe	94
PID 5108 wrote to memory of 5016	5108	Iapjlk32.exe	95
PID 5108 wrote to memory of 5016	5108	Iapjlk32.exe	95
PID 5108 wrote to memory of 5016	5108	Iapjlk32.exe	95
PID 5016 wrote to memory of 2232	5016	Idofhfmm.exe	96
PID 5016 wrote to memory of 2232	5016	Idofhfmm.exe	96
PID 5016 wrote to memory of 2232	5016	Idofhfmm.exe	96
PID 2232 wrote to memory of 1148	2232	Ijhodq32.exe	97
PID 2232 wrote to memory of 1148	2232	Ijhodq32.exe	97
PID 2232 wrote to memory of 1148	2232	Ijhodq32.exe	97
PID 1148 wrote to memory of 4568	1148	Iabgaklg.exe	98
PID 1148 wrote to memory of 4568	1148	Iabgaklg.exe	98
PID 1148 wrote to memory of 4568	1148	Iabgaklg.exe	98
PID 4568 wrote to memory of 220	4568	Idacmfkj.exe	99
PID 4568 wrote to memory of 220	4568	Idacmfkj.exe	99
PID 4568 wrote to memory of 220	4568	Idacmfkj.exe	99
PID 220 wrote to memory of 2656	220	Ijkljp32.exe	101
PID 220 wrote to memory of 2656	220	Ijkljp32.exe	101
PID 220 wrote to memory of 2656	220	Ijkljp32.exe	101
PID 2656 wrote to memory of 4716	2656	Jaedgjjd.exe	102
PID 2656 wrote to memory of 4716	2656	Jaedgjjd.exe	102
PID 2656 wrote to memory of 4716	2656	Jaedgjjd.exe	102
PID 4716 wrote to memory of 3492	4716	Jdcpcf32.exe	103
PID 4716 wrote to memory of 3492	4716	Jdcpcf32.exe	103
PID 4716 wrote to memory of 3492	4716	Jdcpcf32.exe	103
PID 3492 wrote to memory of 2640	3492	Jfaloa32.exe	104
PID 3492 wrote to memory of 2640	3492	Jfaloa32.exe	104
PID 3492 wrote to memory of 2640	3492	Jfaloa32.exe	104
PID 2640 wrote to memory of 4888	2640	Jagqlj32.exe	105

C:\Users\Admin\AppData\Local\Temp\50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\Hbhdmd32.exe
  C:\Windows\system32\Hbhdmd32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\Hibljoco.exe
    C:\Windows\system32\Hibljoco.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\Haidklda.exe
      C:\Windows\system32\Haidklda.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
      - C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        24⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        27⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        29⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        34⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        54⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        55⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        61⤵
        Executes dropped EXE
        
        PID:792
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4616
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        67⤵
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1220
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        70⤵
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        71⤵
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2940
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1776
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        75⤵
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        76⤵
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        81⤵
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        82⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:652
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        87⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        89⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        91⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        92⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        96⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        104⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        105⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 408
        106⤵
        Program crash
        
        PID:6108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5900 -ip 5900
1⤵
PID:5996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haidklda.exe

Filesize
128KB

MD5
22de635a73ab244286ef0c7eddbeb3cd

SHA1
5f5e450335af89fd8c75cbc0f13e0fd1f25187be

SHA256
b9364eec0f0eb49b68398c1b6ef0a695a125ffbd8031bc0350874d76a74ea407

SHA512
2f1272636173d54b26920bd13b4e4df21cebbd67e0365cf0691c15633a95f657198d7612bd40a3262735c78a19124b907dae8b706672be14fefe34d8a2f474e8

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
128KB

MD5
819e4c7b64e3fd51f7bbbc18f0b0970d

SHA1
12ad02b021879ee5b4cfe07d93a41414f3dc3ba1

SHA256
8cbddd3db5e3b2535fa67ff0b6aedf37cf1c3b8da966b65803a54b024284799c

SHA512
86ef9ee54431cb9ddf59ab343a49de5cec823993e9ec674464eec8c139c2ecb8942447f3ad2c6c1f218863af3f23b37d15f9f3dc96a61520b8b15cf0fcb80d49

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
128KB

MD5
dc4bbf5fb828ccd04ea17256a0b494e5

SHA1
bad920837d0ad9610d13c54b40016a219e53556c

SHA256
f43d31bae7e53142abdf028d614dd263e87cd323270e4d37beeec8e70feb9964

SHA512
3076d74ed4a32889fb386e618d8a9c732a2031d7d86a1424485d448624bf09703edfb685cb38bcfe65fb4ccc73cdab25469d1ef5f10c4190f1f05304d61dcaab

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
128KB

MD5
7a68b4cb5d5f194aa8fd07bbdf11b1ff

SHA1
c97b88d3dee7bd70fd48228936b6c47ff0fc17bc

SHA256
6800bf7e8d8627539843f1b0bce56fabed8a2e620a686f5d94dc6f0cce1fa7a7

SHA512
23cb883b4fc443a61a7b9d6d1a8254d8c2bec5bc30165b136d0a29a3f5d5dbc75528e50d4bb765c9781f30b26a96bff369449e303305cf1953872accf6112a7b

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
128KB

MD5
7fb4133ff40a7089dcf21f39d7b8a30d

SHA1
a2ea9e86e6b6ef6efcd40740359cd486095cf5d9

SHA256
120879b33f1798600549872f7be81650ae171c18229b9a5fee42bcdf6e207e42

SHA512
432db9156545160efac56ebfb74fe1d365723f968a11f25e2979587e031938de08cb5a9e44ec0251e37a2e302d2ff5c1340696832b13737ad51bbfdaa80837f1

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
128KB

MD5
6bb1af252b2a5a3b49ad6cdd986f52aa

SHA1
47127b61a558368d13689d83bcd6d2174ccde269

SHA256
4f2a06a86e0b1ad8c905beed84c0064adfac65d7dad1aef676a6e856af581603

SHA512
757d41f490eed736ee052aa0ff3d14950398d76777e20d073a18c71ee3d9d433f2f6d118b8641b518535d0e1736051c0d70a077f1e1a25af5a1d7e73eecb28e3

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
128KB

MD5
9676cbc44b8ad312a9672b79d794f00a

SHA1
80eda44e3e53d83b886bd94b12504c4f155e941f

SHA256
2bd9730f096e2070f5e4fa962cab70aa765013cd4ff35fef21c675712b17e02e

SHA512
bb98794d9b37898c67da865d6180481ca2da67dff0d0ca54ee91de3188bd8748e134c88b7a870001fe235d62cd5a21721659f6a6b4142e2493c0154537cb597c

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
128KB

MD5
b6ee3614d2167d60be0109f7981a7909

SHA1
9055d47d5756332e0841e4140492601e6c3d3a15

SHA256
bf22734f767c1a5657348d4eff269d6ee1e07a3e8e9fbcd454eb52f630ab2e2e

SHA512
cfb543fa6637c7940622a022722db4697bf086dade8b45e54cb530aff2f0e0d69d69958a95e92592e48f6cbe9cfcea6559dfea756ecaa4cb2882fe2399a49e07

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
128KB

MD5
6bc3761ad68ad2587eb9112cd9451aa0

SHA1
81599d2044af5cc0bfc35a4a2f91ddc000456b25

SHA256
b69cb47abd4ee96188c3daae393ce09594d48105092a3c9b5bf3310a38ab610d

SHA512
2e8fb67d3a04340950d6ceb73242a4330449be5b2adde764f54b343acc66737099dfa7d681006715ed6ff45f153b1e0402c558e329804b19f5613869418b0b21

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
128KB

MD5
5ba8d74f5638a8234df6131519ee540b

SHA1
60495d3f1a51d09087464cbe71fafa84233b327e

SHA256
dcfcad4ff4dcedb5d4d950bdaff23ab776ee02e89fb80cd2e8afd9b2974457ec

SHA512
4530e4b7b842b25cee7ff5e69fc0c3ea608b191132c177aa7ca626bcaf41e6f4f5f0f1d32eca5835ccaa6b822cd10307a20fe31bf29902fb2f7b55330a7395ae

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
128KB

MD5
d747b07e5543b6ccb77a9e82a410fd9c

SHA1
3fb0e152ed0b64b02525f0fc29b3208baa08746f

SHA256
1bb2798d64b1db9072262b2b640e87c6187931d12fc97d8b25d4ed27b93d5f46

SHA512
e3f33adef3be928920dff62d603b1d89b6c1f330aed79c0f1a11390d9bf109e2cfcede11b6a5c0140b687ce1bf4b10df1036b8cc481402560dbb21dc5cc04e51

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
128KB

MD5
faa9c809b9154a2ae8dd382d4f0d6165

SHA1
fcb2a7446a80d20727e28b200485f57cc7ad3826

SHA256
a46180185872d50e85ca5510d04c992a26a296e597986650b5c71b8865dea70c

SHA512
afe70715eacb5400caf50bdf22902ed04612713df937834c2e34a886e7ab00a1d37f330458e4d9fc7ab2b54fd9a0d8c0420fe4b4f5885d8e6c0823e8f7081bb1

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
128KB

MD5
4e245af39bbff2c3a0fdb9ccacabb502

SHA1
8f02085c9076f07b05548f05720bc3be6f0de7f6

SHA256
08f3231f6c6198e4e921901735d310b9f1ebd4b81f2bab33acac0043a4f9f8a4

SHA512
bf6059fec5bf661a5973140d473c6d13dd7d2c97fc815c63d68fea9ab0407c151c2dcaf91ef12df93a02897545b1e1223119354462b934cdeb1316285a902e76

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
128KB

MD5
17e6e195162738c7596777e80888acd2

SHA1
f5345a10d38775b3ca1255285d6aadcce61c0e66

SHA256
039c2e19cc4b51d88e69c7a590355daf8a6d2308ca3c2940b2bec5fd13065f72

SHA512
7cb40c767d4b05099321bdc8386f8490b1aa9f4e791cb7460e7d4c66fbc7a6d79d306d0cf2b67f16329a47a96fcffe8cc862447d6e02c8a6bc9874d071f2114d

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
128KB

MD5
927d43665233ad9917a15fefe771c6c7

SHA1
3beb8757bda4c3b3057b003adcdc677532630325

SHA256
26ac6ea76357098096dd1d4687d3386b573dffb7aed1e0953d61e5fbfae9776d

SHA512
1166163d4730552c7d097ae1ea90d08265b16c11eaedec154743e40549b41e708bc8e8f7d1bcb3e1c94b799381092b9183b7cbc6a7afa4b8784a4f0e237fe073

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
128KB

MD5
3a14940123f7623cae5dff42a13a74fe

SHA1
0a10517df830830cbf29e563541b5fe88817c862

SHA256
80374c40df4c52db549d8305e3aa643cddee2cfc3ec0445c9c86e8f209a6c399

SHA512
06c629b822b09e8387527821a0d9b8832559beff5d3901a647f8fdc04a238db1517b44e75b95be0bd9d638eee499fb74951b1fc24f1a9f0c16572bb512655055

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
128KB

MD5
c5574fff1b0f9b77b399b4e44b739c2a

SHA1
efcb02eddeb3d7b7d10565177657c077767ec5e1

SHA256
cdfa22e14744d634c55f1d64785812d65c8b7b181cc7f0a0b5cb4f8e885ee684

SHA512
3cfa6463eb8885407369296baafadf37ac5158c54028300a88a3e9d42821e26ca7b999403071256ed65634f557adae4e4624088ebe2653b714b4c8616c389838

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
128KB

MD5
b4263f777ad0ad417b4f993fb4bef3b4

SHA1
3e6960b7a4b965e0ccca72411d137ee0fd19ac12

SHA256
6b23518dae704f301128df47f56e8383d1035ab154932cdf0b87f577cd9f6ff7

SHA512
0321aff0c03e1f098337ac237984af87d9fa7dfaa70b60ed774298a883d522fd58cd16ae5bd612db96d3e2749927b18435064459a4c8b220a42cc95b9b05acb8

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
128KB

MD5
b0800b199de1bf14a6e45ab4fe70ef62

SHA1
13a8521a71c983d4fe8fb963821fec94ca2cf61a

SHA256
a57d19fe659d452f27b667b4523f2b5242ac47ceeb31992504d37c81b1bc62b1

SHA512
1503c10061daa4d60e1ac5505925dee04846bf15336a25d2abbe4e00a6d8951b88d682e6afadc850508e3e7937015f0b1358d70636431c29d01fdb8af0058139

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
128KB

MD5
48b08bfec134821e2128a5a2828a3c4c

SHA1
1c8ddd360a0f907c6a6b204d48640c7bdef6e034

SHA256
f3c7b17c18a80114e0cc31aca191161ff32739976d42e6ddbee45827bef38d1a

SHA512
6077b83cf4c040e791a3d6f119c79cabce6a795d96b1a6771847a38a9c838b040085300c9ba733b96f2d58ecd4d5e1229d30dbd64815935eada49f22c53372b2

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
128KB

MD5
1efce297c84de2170533beb2442ebb14

SHA1
b0f563f90fd8a7b076722abbb9d7d9cf444ccea1

SHA256
d91d882ace2648ffcea4f3fbdc38cb038cf25955e6176a88fbb9037b97ecc84f

SHA512
6493314f6647e42179da1e38a36566b214c89acf109fba5d667f2f264d8cc856b8b2cf0e5b05c30233284632dbd2de8e35b915d4eb619fb0db6554f6a581573a

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
128KB

MD5
094a0581541fc0cb887a7be37e9a892f

SHA1
3b850148d6bdcbf4616f374ad1a8940feaec7723

SHA256
f31a316a6af61fadca191f3724f66dea0d2bc360a2e28d39b7280bd0689c402f

SHA512
875a1b45240308edd546cc63781afa24f992ec96772b195c4f659d0ec274350602848ab3b6476e3f42ae79e302e9bbe1a70bb5a64d7792267897283d9983fb04

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
128KB

MD5
18611fbb8c0c0d21148ed59ae9dd71ab

SHA1
1872cbe2a3b9ed2543137ae7f90feef5f4b05b08

SHA256
129ec0fde7316879740a3ccf5f76bc602c24366122366a899b4d4651c12d6538

SHA512
7d28e4fd45adb1ca7da65ef4628f8b429fec7d4c2784dfc8a6e69c4fb5473941d673736eaa9779407a0e29776eacb65e351fde9f86fac8b3f9ce40549f7520a9

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
128KB

MD5
5670b787affd6426f12f6d91cf88e4d1

SHA1
4ea1fe7c7e9498f2a14b73e4fa8b49a6d79b2f55

SHA256
5e1a1ef014c79a5c1cdad368a351fb69fa994b385ed8ece6f1387f03e09d6346

SHA512
5ac0dc5812eb263153c62b35a647511eb827150854abba19c03d9796104abe23c7d051402d1a8e90db7cd580fa18b91f4b5f22f20230e2b85692dfd79e784bd1

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
128KB

MD5
7eaff90005a6a176ad5b555e18023e9b

SHA1
678883df4ee67e241224ddc8d24611192d034b9e

SHA256
dede9a172a0fde1083b37f47c36785fac13a54141cbb4b73428a91b07394ec11

SHA512
36320de3ef44c4710fd8a41b676ee2d6c9a9f50ebba6d054f613981400e4a2d96def73842bfeb3f9cdf751d924eeb52afe002da6b9dc625e321b7819c9e8ac0b

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
128KB

MD5
77335b19ac3c300ba4a32b8a51f7ae66

SHA1
f66e22925a7ff1084ac8ab2a5ec2befc82d736eb

SHA256
5a92ac90c81ef09bc2fb69edb0cedf6d08636aff03e0a5310e9e6bb04b848625

SHA512
f1eea791d35ff0f2e5b7e08fc15626b3cb13f8137e14a0e65d7f6b36a4ef9387a63d3f16a6e3c12e5cb41fe3a6f492520464ed13268c84cc884011436a3ab18c

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
128KB

MD5
f1b53444d92eae090579b65bc1ad167d

SHA1
85ed00ca80191f93d3f4bdb018efa66ff7ea1921

SHA256
e90c65f31b837509c1e76a205b4b488669c22f9f459fffe148985797a20a8a31

SHA512
5e07197e9fba6e9a82f4e0b0cb1567c57f88349a0ec0d26aa6275cf7e3cea66ba7e9e243163d546f7f21b2edecf73ed59ec605427a9408266f04f223558e1749

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
128KB

MD5
3352750e80eedd20f3879f96e00e2b6c

SHA1
eb5f02341579c299e095447fd0238bacc3d475ab

SHA256
6753eaa76576190707a289e670b12daae3a67a5754bac8c6b44f56857129f4a3

SHA512
a1ff03e89fdd45fd2b551586c3ac7f6974b564ac85a3c52062c14bab712317b3a34a283451c47b9f0af882ed02d7ad0711d7bff76c4df9e6af15d2e22e418dd7

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
128KB

MD5
5d0cc022c5dc04ebebe873b24fa91aa1

SHA1
3702aff094ca528198260517e265552726a9b2fe

SHA256
160c9e52dc48d0a196dc765fd25b753aacfb1321c09033511807aa3ad4bb401e

SHA512
b92ae057cb398be316a9b9763f5bfe6ce857b46c5ac687e0d8335436fb26a0724e284be3b5a993d62c4e855e01e19f93d2e5179c6016a6f3244b678ed661337a

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
128KB

MD5
7e29f6eb06b2c391e4312a740bb1c440

SHA1
2364b31174f180c0317d640a6a325746796ad367

SHA256
81b1cfa8dc3c1933c7a3e4c1a26b68e3341680517c1d29fd6f3a76dd078db6dd

SHA512
3d6d4262add22a16501110c8ac65a14b633af14b37fb8eb57f20e5a209b4c889aa4540790ab9ad1e451ad06f2d8b90c13832cd4b48bda282aaa2300d2281b3b1

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
128KB

MD5
b77f14bfaaf191916e32713586cff8a4

SHA1
53d2148936c6c575a55333c8d62686a1fa213105

SHA256
cd788f8fe1706e8e91c5557f1d7a755e4b40a60aa80dfb94184b1676f7a564af

SHA512
661a209be382260dd70acc84bb296604c6a0f3b6d17b6bae6cd23303ea3148d4217cc8bc8f356cce2b1a5ebb16c37790bc2295251ffe421f6c9138f144141461

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
128KB

MD5
1004ec802a2b2fc4da10d9b78c61d648

SHA1
d0e0baf1a794b0f8bee339a15d71fbe710fd6d03

SHA256
363cd0e13f2988e0d89c2b0d87a512a2739fdfad8da15e6b9d982c634092e9bd

SHA512
fd15d6279557b0ae9c3d4f831d38043c978aa6f32b56eccf07018160fec224017ec33a92aefdcfdd55b57663f925753b10b9ed734ef4534b3b4f03001a5dbfd9

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
128KB

MD5
e0b3cbe4982efc87dabfc61377405208

SHA1
a3d52b52153d3fad9590b8dd4133d7b5dd3ca8e9

SHA256
261a4c8252fc16e3a2208ac41d20e7500e708d229efc802633f60c50ee8151ee

SHA512
431d118cccee6ad8e5084c2bab3914989cf34f91891a06b3c63213c37a2cbad02059a5561c72691bd33aea6746f1dd7bf25d30904d9ea569acd6612710ed30bf

Download Submit
memory/60-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/220-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/384-393-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/396-337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/628-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/652-585-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/696-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/768-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/792-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/916-579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1068-309-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1116-291-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1132-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1148-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1220-471-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1240-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1416-447-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1484-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1512-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1620-483-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1652-369-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1656-489-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1688-285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1776-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-476-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2024-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2024-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2168-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2232-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2280-501-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2340-592-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2444-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2640-173-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2656-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2660-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2660-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2740-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2740-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2764-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2776-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2776-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2784-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2916-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2940-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3008-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3056-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3132-381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3316-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3488-321-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3492-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3716-219-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3820-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4080-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4128-533-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4140-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4240-564-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4276-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4444-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4532-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4564-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4568-133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-557-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4616-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4624-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4672-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4680-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4680-584-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4708-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4716-157-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4740-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4768-513-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4816-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4888-181-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4924-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5016-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5028-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5028-577-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5052-315-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5104-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads