910056f1e33eef5f9fb6e23d28b29d7f94627ec4dee70db64b067f8b5191024f

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

382359fa5bdef9326cecb85c526c41f0_NeikiAnalytics.exe
Size

117KB
MD5

382359fa5bdef9326cecb85c526c41f0
SHA1

16eb823cda9b9b6c9d092aade489bfdd6fb28e57
SHA256

910056f1e33eef5f9fb6e23d28b29d7f94627ec4dee70db64b067f8b5191024f
SHA512

15f316150ca915c84daba7cdd0d79c87ba74974154ac3abfeebc8cd1aa7874525834d33aa2b4ab4530569d522b5c34dd175bb25263b745a9be5da508918eb5f9
SSDEEP

1536:YMtvJ+EzJjlEYubErh216HcB6QOGty8T4cFFfUN1Avhw6JCM:YOJPzJjyYHh216HVQvtyrcFFfUrQlM

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe

Executes dropped EXE 64 IoCs

pid	Process
4688	Ngpccdlj.exe
3712	Nebdoa32.exe
3608	Nnjlpo32.exe
2884	Nphhmj32.exe
3220	Ndcdmikd.exe
3252	Njqmepik.exe
2796	Nloiakho.exe
428	Ncianepl.exe
3388	Nfgmjqop.exe
940	Nnneknob.exe
2892	Ndhmhh32.exe
4856	Nggjdc32.exe
220	Njefqo32.exe
4448	Odkjng32.exe
2576	Ogifjcdp.exe
5052	Ojgbfocc.exe
4612	Olfobjbg.exe
2136	Odmgcgbi.exe
3304	Ogkcpbam.exe
2804	Oneklm32.exe
2180	Opdghh32.exe
4608	Ocbddc32.exe
2580	Ojllan32.exe
1952	Olkhmi32.exe
5012	Odapnf32.exe
5072	Ogpmjb32.exe
1512	Ojoign32.exe
4248	Oqhacgdh.exe
3392	Ocgmpccl.exe
3988	Pqknig32.exe
1504	Pcijeb32.exe
1612	Pjcbbmif.exe
4944	Pdifoehl.exe
532	Pclgkb32.exe
4444	Pfjcgn32.exe
4744	Pmdkch32.exe
2396	Pcncpbmd.exe
3396	Pjhlml32.exe
4128	Pmfhig32.exe
4520	Pdmpje32.exe
3864	Pgllfp32.exe
4504	Pfolbmje.exe
744	Pnfdcjkg.exe
856	Pqdqof32.exe
916	Pcbmka32.exe
3156	Pgnilpah.exe
4232	Pjmehkqk.exe
4240	Qqfmde32.exe
232	Qceiaa32.exe
3668	Qfcfml32.exe
992	Qmmnjfnl.exe
1436	Qddfkd32.exe
4564	Qgcbgo32.exe
3476	Ajanck32.exe
4212	Aqkgpedc.exe
4208	Acjclpcf.exe
2196	Afhohlbj.exe
3652	Anogiicl.exe
2776	Aqncedbp.exe
3672	Aeiofcji.exe
1624	Afjlnk32.exe
2692	Anadoi32.exe
1664	Aqppkd32.exe
3456	Agjhgngj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Ogkcpbam.exe	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5128	5960	WerFault.exe	210

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	382359fa5bdef9326cecb85c526c41f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 4688	2628	382359fa5bdef9326cecb85c526c41f0_NeikiAnalytics.exe	85
PID 2628 wrote to memory of 4688	2628	382359fa5bdef9326cecb85c526c41f0_NeikiAnalytics.exe	85
PID 2628 wrote to memory of 4688	2628	382359fa5bdef9326cecb85c526c41f0_NeikiAnalytics.exe	85
PID 4688 wrote to memory of 3712	4688	Ngpccdlj.exe	86
PID 4688 wrote to memory of 3712	4688	Ngpccdlj.exe	86
PID 4688 wrote to memory of 3712	4688	Ngpccdlj.exe	86
PID 3712 wrote to memory of 3608	3712	Nebdoa32.exe	87
PID 3712 wrote to memory of 3608	3712	Nebdoa32.exe	87
PID 3712 wrote to memory of 3608	3712	Nebdoa32.exe	87
PID 3608 wrote to memory of 2884	3608	Nnjlpo32.exe	88
PID 3608 wrote to memory of 2884	3608	Nnjlpo32.exe	88
PID 3608 wrote to memory of 2884	3608	Nnjlpo32.exe	88
PID 2884 wrote to memory of 3220	2884	Nphhmj32.exe	89
PID 2884 wrote to memory of 3220	2884	Nphhmj32.exe	89
PID 2884 wrote to memory of 3220	2884	Nphhmj32.exe	89
PID 3220 wrote to memory of 3252	3220	Ndcdmikd.exe	92
PID 3220 wrote to memory of 3252	3220	Ndcdmikd.exe	92
PID 3220 wrote to memory of 3252	3220	Ndcdmikd.exe	92
PID 3252 wrote to memory of 2796	3252	Njqmepik.exe	93
PID 3252 wrote to memory of 2796	3252	Njqmepik.exe	93
PID 3252 wrote to memory of 2796	3252	Njqmepik.exe	93
PID 2796 wrote to memory of 428	2796	Nloiakho.exe	94
PID 2796 wrote to memory of 428	2796	Nloiakho.exe	94
PID 2796 wrote to memory of 428	2796	Nloiakho.exe	94
PID 428 wrote to memory of 3388	428	Ncianepl.exe	95
PID 428 wrote to memory of 3388	428	Ncianepl.exe	95
PID 428 wrote to memory of 3388	428	Ncianepl.exe	95
PID 3388 wrote to memory of 940	3388	Nfgmjqop.exe	96
PID 3388 wrote to memory of 940	3388	Nfgmjqop.exe	96
PID 3388 wrote to memory of 940	3388	Nfgmjqop.exe	96
PID 940 wrote to memory of 2892	940	Nnneknob.exe	97
PID 940 wrote to memory of 2892	940	Nnneknob.exe	97
PID 940 wrote to memory of 2892	940	Nnneknob.exe	97
PID 2892 wrote to memory of 4856	2892	Ndhmhh32.exe	98
PID 2892 wrote to memory of 4856	2892	Ndhmhh32.exe	98
PID 2892 wrote to memory of 4856	2892	Ndhmhh32.exe	98
PID 4856 wrote to memory of 220	4856	Nggjdc32.exe	99
PID 4856 wrote to memory of 220	4856	Nggjdc32.exe	99
PID 4856 wrote to memory of 220	4856	Nggjdc32.exe	99
PID 220 wrote to memory of 4448	220	Njefqo32.exe	100
PID 220 wrote to memory of 4448	220	Njefqo32.exe	100
PID 220 wrote to memory of 4448	220	Njefqo32.exe	100
PID 4448 wrote to memory of 2576	4448	Odkjng32.exe	101
PID 4448 wrote to memory of 2576	4448	Odkjng32.exe	101
PID 4448 wrote to memory of 2576	4448	Odkjng32.exe	101
PID 2576 wrote to memory of 5052	2576	Ogifjcdp.exe	102
PID 2576 wrote to memory of 5052	2576	Ogifjcdp.exe	102
PID 2576 wrote to memory of 5052	2576	Ogifjcdp.exe	102
PID 5052 wrote to memory of 4612	5052	Ojgbfocc.exe	103
PID 5052 wrote to memory of 4612	5052	Ojgbfocc.exe	103
PID 5052 wrote to memory of 4612	5052	Ojgbfocc.exe	103
PID 4612 wrote to memory of 2136	4612	Olfobjbg.exe	104
PID 4612 wrote to memory of 2136	4612	Olfobjbg.exe	104
PID 4612 wrote to memory of 2136	4612	Olfobjbg.exe	104
PID 2136 wrote to memory of 3304	2136	Odmgcgbi.exe	105
PID 2136 wrote to memory of 3304	2136	Odmgcgbi.exe	105
PID 2136 wrote to memory of 3304	2136	Odmgcgbi.exe	105
PID 3304 wrote to memory of 2804	3304	Ogkcpbam.exe	106
PID 3304 wrote to memory of 2804	3304	Ogkcpbam.exe	106
PID 3304 wrote to memory of 2804	3304	Ogkcpbam.exe	106
PID 2804 wrote to memory of 2180	2804	Oneklm32.exe	107
PID 2804 wrote to memory of 2180	2804	Oneklm32.exe	107
PID 2804 wrote to memory of 2180	2804	Oneklm32.exe	107
PID 2180 wrote to memory of 4608	2180	Opdghh32.exe	108

C:\Users\Admin\AppData\Local\Temp\382359fa5bdef9326cecb85c526c41f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\382359fa5bdef9326cecb85c526c41f0_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\Ngpccdlj.exe
  C:\Windows\system32\Ngpccdlj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\SysWOW64\Nebdoa32.exe
    C:\Windows\system32\Nebdoa32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Windows\SysWOW64\Nnjlpo32.exe
      C:\Windows\system32\Nnjlpo32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3608
    - - C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        31⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        33⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        35⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        37⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3864
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        46⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        47⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        60⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2776
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4204
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4516
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        72⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        73⤵
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2768
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        75⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        76⤵
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4224
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        82⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4736
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        84⤵
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        87⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        89⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        92⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        93⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        97⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        98⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        100⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        101⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        102⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        103⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        105⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        107⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        108⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        110⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        114⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        115⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        117⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        119⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        121⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        122⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 408
        123⤵
        Program crash
        
        PID:5128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5960 -ip 5960
1⤵
PID:6112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ceehho32.exe

Filesize
117KB

MD5
b99e7bf74a310e0ce32e5094d41a2077

SHA1
dba980665032009942bbe9b33485ab7ecf7a81c0

SHA256
c9a6a0d41a3555863689b3071dccbe9d732df52f1b273113d08699a504117270

SHA512
72456bb5b2ed1a26eb5db3bfaa8b0b57eaaacf78df3cf9aeaa609b0d4574f6f3185aa8e7efbddfcdac92644eab147d3a3400863e388be6f523495eeb57d43ab3

Download Submit
C:\Windows\SysWOW64\Goaojagc.dll

Filesize
7KB

MD5
8920e54f0481c9c9bca72083f6d4209f

SHA1
658df80818973ca99f4395332d8cf4471bc048dd

SHA256
116b98186835d91a0ddad6f0681d182fd8ddef5da9c6450f51283a76b198a284

SHA512
5cf0304b61c8f8731b64d96ec4b2bbc8900e70626e19e9a61260a1f6057b027e4fe4a5d1fadb1ba87da8cad8dc762d1e42bc3d3778a0dc7db6797f98007b2c91

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
117KB

MD5
220b4c462e59384f778c92af423b1aa0

SHA1
19536162fd0b5d9cdae5fabaee7243c8a579b7c8

SHA256
224d2bccf9ca9dd09f93268209c4d3d3c3393703131907d6626e26c3e9e3faec

SHA512
9490905be90fa641211203d152b316f2790a8defac8bb75f5a6752ca275edb60abf9d613bef99c64b9992c5a7b361a17183397293b81782d85bad2daaf9e6397

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
117KB

MD5
a7ba63c1cdde9c2b5d44c1761c517586

SHA1
7a287e6e279c0f3baf92413226d62556193ad4cd

SHA256
7020fcf71819f8669acb1dce52485cc48469aea12cc9d9a40ef506d7511c2f4a

SHA512
b30d71f5e08f4978ce0fa281ac74ccfaffa551b8a5721408825889149bfa9265d74ef54930a87f38e06b0ff80f3f6bf278a824d00f8d62b728d230cf14d64b87

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
117KB

MD5
a973a0b89c580a0113603a1bce7b31e3

SHA1
67589d1542150bfa2562a58e4c39fde2fcfb75e4

SHA256
e57a76fa4c68340aa57d4f707f6651f4e3dab3a1f93a208eee45201b9f3c3ac1

SHA512
53de316d9597dc11acd8059a86b090ca129232af2db01024ae21d8e201bbc3ae2e290c0250205a7f54e0400048f179ce78acd6660f3f153500d1736b099d66a4

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
117KB

MD5
1abd1861fcfa26b287936f70bc89b81a

SHA1
9cffc2f428803d993a90ffb35c12c40909a5726d

SHA256
63e2b092b5b6958d6a65b67689ba3d56349751091b5b0587cc37f7561053fcca

SHA512
38b8bdf11179f21084ebc3375063654491c764371f58491a40b0b3263c60fc858497597e86067978cd3989e7bfa3abcc14ea0d657799fe76dbf373bffcbeb05c

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
117KB

MD5
c8a3a8cfa427e52e8409d632ab8ff2c3

SHA1
b7810e4d2961f585ad2ce8c3da03d4d69f57b9b5

SHA256
8f38b7ee1ce783a3714eec29468f7179b472178cba884b0445fba13379d70eb5

SHA512
89f057d87ec39b2e4227a16cd27cd4087313b52ad3efc4a2aa36a294052d6ad0b6b99aa39bc86a14cac4056f0344866674b3e53d93093546d0b37ba7c849e49f

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
117KB

MD5
4457cd671fc65c53ba8023350bb807ff

SHA1
6794eea967091a177ba40e02751869883cfaa8a2

SHA256
b3c88b4658f5f81be74a99763de142358a461947c11e3f13ff1ef1ed6b772e19

SHA512
aa052a5b9eeb75214238f5b03ff23ed979bab2e7401c5beb141073a5ea2c0a1c0ca23325ce574a4fe52bfc7e08b220c515418a31f9944360835c050aeb74ca4e

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
117KB

MD5
7b271c9c6107a0ea612456d616a8e39c

SHA1
6de675bb6299e015ca820ac977c0f8698263ebad

SHA256
4119e2b6e3667dc9e58ceebbd3cb66dd0b334d6a144d6e285b092e1e01c021d7

SHA512
14ea2164ffc3857f5d16bca447e8be0e04ea711ce9a50bf1a2aab0b0519beb17fb22cefe531cc84a7fc58cb25b37240e7a6506422aa286174b2b071173193500

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
117KB

MD5
4a1e6eaa5b8d983d4c97d8e8155acfb9

SHA1
056e6d0d2f9ff0a69d7aff70759a01a10386be45

SHA256
ee246317944720152227393bfcb10f78cd4803f6f99266295f9ce151500fa2a2

SHA512
c3999c102b3a2feb5648c9509e1e522a210b1e3c1ed09762c5f744734662660cae91f2ac474065889ec7b6e86541749ab7504f90e08e9db4c21054069c309add

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
117KB

MD5
1c09b513b4062ff7a51b9c5b4038b1ae

SHA1
7960ca92d226cafd1e66b1f18618d02f7f1faa9e

SHA256
9adbaadf677799ed83cf71ab120019bc853df30c42bd43ec5d35fb8e53bda3a1

SHA512
251a4712d45f1b2187195c0b020d5c24112494b1844023884477842b2ff4393c48e5c49c78790542febd2c1e01860fff03646fce8499276d60f2eac1ab4fe113

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
117KB

MD5
9dd33e1789ce010136a2cb545d822738

SHA1
b909e62368a6bb9bdcceee354f41b01248cf83c2

SHA256
08967a0c3982d6979d15a25a722173b6e0c85bb854226162528f6c9f30b2f5c8

SHA512
990a46bf0d59cea5709995f09e344e94a341626fcab17736df85fb9c3bea15bea257de5159e2491d8bd19082058913e13469c0ac906d4627fab222380d9dfff7

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
117KB

MD5
2cbba59a0ea0f83d6d9b4ffcd8acca6a

SHA1
645573495f233342f5ba04c13079f4fc6b2b9d45

SHA256
81e7fbbd4c228eab97ee722f273cfea19e2838bf375c0394a19881e9be07e52d

SHA512
9a2d97b2dc0fd319d4df4068bb4f7daf322cc2faf6ed6c6078bc89afd525f73793229c63de928a20ca2d0a062694c90acf95be68b2f5f708f6790724d9ef3cc8

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
117KB

MD5
c3cfe719e325b6154d46e5d8f50740b3

SHA1
b95d28a4e8975c07c12105e01a60c6628c59cd6b

SHA256
8436c5d6a7c0579d11ffd3a9b0297ebe5ae43fdfc37f0dcf329baa4b4beaad1c

SHA512
b039da53beee8fa5fd30ef1a3cd3ac14d9208155d1d9bc1e8bf318a4c32f65472cc82dda5e4fddcc11c1d8ac93e56a53435e909a884b12dec188811bc1160378

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
117KB

MD5
2bf5577fa7ec8f1192a28371c8db28d3

SHA1
7fdece1d030003b80183d9c3a25dcac33b3faec6

SHA256
6cf78d50076c49d05b424d5ace914a510b73f19c65e4686eef1c3aa155cb3f77

SHA512
3d468d971f031c2b8d2101f6d7f0cabd4be1173584c7ca1ef97990eb6b1b366da2cfca7370c5c9794077183e3ca18b1c020145c9685df9b50af8b863428883b1

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
117KB

MD5
9d59773fb4dcff8527d3ed6b2ffe0d4f

SHA1
6925e3e92018cb66fe48231a0d55e2b70d44a39b

SHA256
3487b355647b4e7c81776d896f282087ef33b583fb22831fee01173b60539f42

SHA512
4374843e2cfa60fdc17cf2b6bada9f3ce43edcfe7dff20933d4be118eb9340eb126f0d0b2264722f9b1d8313ca65bc426c6fc7d3b2c13afb1611d826642905a6

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
117KB

MD5
3f69e304d63fc41c8859f449f7f77f18

SHA1
be942f6e1d2f98c19c059b202c6ecfec363756ae

SHA256
9c38dae2d173b62338193bb6b1c1ea909877874d292815a630de7219b3858260

SHA512
8ad0d43e81a567695420ec280cb4cc3bbacc6e74fa078dd20862c985526485c6fe5f30091b9e5607aa52cda4eba90d6fd382165904213a888f58267ae26b5412

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
117KB

MD5
b1cd334073d44d7d39267c7284c6af27

SHA1
f88fc9b78221caa7e7a59c3703f1d2acc1187429

SHA256
ed3ff96652f0fce29aa4f7f7db20e0714eb4a14d747a130f340b27ed1b678d03

SHA512
d5b81a3fe457d90eea4361f9910029b437c9c9db376c38d7beac404784deeed71922497ea962539937185e3fb4ce3a730585ca0e1e04ef36dc4530f86f4c7634

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
117KB

MD5
58a66d0162c5f120f4d83a0547ba48bc

SHA1
cb7b738632df71af26f0b10bb5353d69eaa9f874

SHA256
1bd8e5bf6d6bcb84216e6c40fb6ff690ac148775dd78b2b9f66109d83ea3d303

SHA512
fb1448444ef6a3222fce649707b597543e3b08d8af3eed4f421b3123f3ccfebee5150b114bebeab4d19244ebf2716238525b1b19eb4fe7d61b1469d3c1bdd1cd

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
117KB

MD5
4a25b5f6681de7fbb9a8981180fb3afb

SHA1
aa4242d256ff807d8f1a99d46092b4ee2a353291

SHA256
d6b45e0e0c7fccee4ac8243d58d4ab233de1c8366fd8c6e94422719c369e0be4

SHA512
4b65f6bbceb75b429cee74ededbca3fe903268822e8c8342b03eed2934161c8ad468965392e12948f6afbbadd0dc80f24b62b87771ad52552a9378edd951ad07

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
117KB

MD5
76440e2ec42530c9e8930d278f5835fc

SHA1
3bcf1c659d93bf12ab68b4bf2bb1df10b158b752

SHA256
31113276169005d51507b557cab1f2ac87b0abbe170ba7ec967296dae9dfde68

SHA512
ec7fac7260783b02561c93faaf16c7c5982ecffac2f79cc6a7eff8c33e3f71095474b5be254a22fc2adb8b4a542c1766392f6e5a65f770ae0e2b481017b62fed

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
117KB

MD5
f800993d6aab14882be26ec212e173eb

SHA1
8345d69ba4e319ea89321b13233459121ed90b8c

SHA256
18bbaa939a599c36bf358f3e877549bf1531309020b47f432e9b6c0322d8b1a6

SHA512
3053bb7dcd87874bd451d7dea22fb83a9f596625c423ea525900bf6cf955615324d99dbf516d30f9e427f4dc2109bfc20cc0fcaa87d5af15afdce95e5466f9fc

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
117KB

MD5
afffddb42e07ffff92a5d1981ec9dda9

SHA1
6c0e121dc284493569308089470663e293173877

SHA256
e6492094b1364c53be5db8354da1cb8a1a13abadaed8e41e6b2d401aba6c3ea4

SHA512
fd721e9fb74884ba93494b3a75895cee2eccff20f3b795c2dfe844a4142be97b40558a1cc7bd4c2214504470bc2bc300af3f69b88ac899a7933411bfe78c18fa

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
117KB

MD5
3d9933e4e510ce049f5c6a0dc5e18081

SHA1
4c4655ad5b680a1fa7b6c84e6fb29257276ea910

SHA256
344d9f6eb8eb5493d45f741ec544e91274d83aac45c8e823e03f9dcabb61d569

SHA512
15b69aa5c6467ccfd02b64e8b33832c7fa53f25643cd70229b00170060df777b061b2025e308eef04a89f913fc99580087901ed3882293d3c21c6714b0fece04

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
117KB

MD5
6a26310dd74aee7b894ecbfecd476bb2

SHA1
f90f03001e3c5fcd35675b5e1a2a014b6bf473ca

SHA256
3a82e7133a4398d1e3c514f18adf22bf7ffa89fa3c5c23c0a18fbc5fd9c36e90

SHA512
1ab67533955f87a0c01db6c2d6423ac40dbf1169b04edf5956011cbba9898089b5e10831ae2fca90ec027e1a147d12cc6ccbf35a59d6269add42e33010039082

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
117KB

MD5
5d06d4364215c7f01f1480e8c8e4aa86

SHA1
99089acc6dd7a408e7f028f3442c72c4a0bdc4ee

SHA256
bd2103b7f0183f00a951d1e908c6308407e04fb34cfdbbb965494453120576cc

SHA512
8c72a3fd1fe54295bbce095c40a586f6e63e474d1a36ec53f4bd7feb703789f7c4774f4e2b2303e1c36d74582a42ae5a512edb8aadf86abab6783e8fee895e29

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
117KB

MD5
ba191ac339c9787b06581720cc674286

SHA1
c71db91ed3505f85677252e560eb6c002a20a0e2

SHA256
6c44257009e43599129b8e4834743ce63a1a6d6e5cf86d3301a8ad477e372e1f

SHA512
5c001a1020907393a09e9a6ff0af43b094985dc5bdcb8c1049fe70e94b083776d73a0fe7217de947c93f603a13888b13793dc902e89a8f0a3c7b6d35f0261499

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
117KB

MD5
0c76a3b7241c1f1df73238e3c1fc2a47

SHA1
2509a72ad9136e73d65d080557499ec5c321e753

SHA256
c5ecb425a1aa74e192e68b73bc5c116c0e9aea67f78708cb1901e044cefc7301

SHA512
47a9b1ef4cd476516f3a2281484367a252b604335bc4c365bb13a053b8df5b6b9fb480fc448d46307c2a6b380c253c8f7c762441692fd9379542b67783c81fe0

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
117KB

MD5
c43cd15e81096cad038fd3c68f0e5245

SHA1
20907dc76fc70ee48a4dae01015f914639526680

SHA256
fc79f642e0aa6695cf05183b8d098f401691c148bde5a4c5d7e27e44780d564f

SHA512
01e6f906e81b1470e578503ab7841ba058922895db69b807b3b4e73e17ca9d9c20d7b6d603a54af257464a4c87779855a5cbbc4dc2017918149d798bc66e2126

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
117KB

MD5
156521096fbaa9104adb3313f621fad0

SHA1
4e43ff42f0950ee038a176a6f7d67217605cba71

SHA256
c7aca3b3298346c300ef112201cde2b49b61360ee93cf657dd28d8118425bd2f

SHA512
e36bfd1c3c22b5f8d12e4454b3657db454a4a8900f24774efecd42fdf04c32f30f2220d417593f25f7d61b262cfe4f1f37d8d2da3ed6042db275a8a7044c15e9

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
117KB

MD5
8732b4c094d3b7610f0178521108e5c5

SHA1
02de80ad3d84b2b15148e03d1d8f575dc388fefa

SHA256
c7d3e3de81a3c7b9279dc0a6a2632dd99c1b4c9dfdfa6565f37857530ae4d582

SHA512
3b5e998f177d11b7e30c3da36c9c9f38fc484109ff8cb7c3ed6d3ac01b227ead500d5d0d2e56f2a4b5958a4e24909f322d651ece4c8d93f25f5b49c8cdff0224

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
117KB

MD5
51957255a1c712ffcd4c05945db7f3d4

SHA1
da64142b7ecbfca3ce3c6bffccacdba0c6a3d182

SHA256
3ac44293288e8493fd85a1d2e9f8aeb250a2d56ed0f5f5bfd0fdd8139ef2080c

SHA512
0470c1abe848612c5b07c534177258f04fb0200a511c880def5459a7616b6ff4ed72e04d78dc6c444419bc6753eb5a254d78b2225239703e6149d4cea4cb0c84

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
117KB

MD5
f4717af6cec66f547053905328f0b576

SHA1
81764df243ca978ab97772f22e61c0fe8510acdc

SHA256
33f5e4f689e5aad1a9fcc93f5037fb5e7dd70d3cc3bfccd02e5bcb827d55dce3

SHA512
ef7aa4faf33e4830181c96d34eb0af1abceb299bb315b406b59426d6e23b3cbbedd530afb9c7582cce9503e3d35757193dfd29dc46f594b92d721a638e1cda01

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
117KB

MD5
7e02b6e2502cb930e2c725d89951864b

SHA1
ad0447941a548dfdd6df57a32018b3872fd010c9

SHA256
0302f35d5d072d05b7a704ef687908511e32177ceccc59474628a7e1e0754c4f

SHA512
84e91d16d48927a6918d6daed35d028f0e24cabaf690a258201516ec002125bbc918e897428540e1227aa22bd376dc4f16ced7735ac68ccd0bb29a452c2a2530

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
117KB

MD5
382b3563917684f5ed95fa4d21adbbc4

SHA1
79d9914fa22a926a946d44057ce0ea98bfcb63d4

SHA256
c704088998b8ff17ef6fb1ab8413c2d8285d552271f7679f2616a659bc7355c7

SHA512
2edcdd0b642822777b906682591026b8b90484baa6c29c5ae94e793b88749c3ece573895a6de609f6296a2737931499d66a4989f7b39bcfb018bc2e44da6e12e

Download Submit
memory/220-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/232-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/428-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/428-592-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/440-495-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/532-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/552-515-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/744-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/856-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/916-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/940-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/992-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-483-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1436-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1504-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1512-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1548-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1612-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-435-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1664-443-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2116-503-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2396-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2416-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2576-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2628-543-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2628-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2692-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2768-501-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2796-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2796-585-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2804-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2884-36-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2892-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3052-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3156-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3220-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3220-571-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3252-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3252-578-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3284-513-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3304-156-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3388-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3388-597-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3392-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3396-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3456-450-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3476-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3652-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3668-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3672-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3712-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3712-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3864-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3988-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4028-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4128-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4208-401-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4212-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4224-525-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4232-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4240-357-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4248-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4344-473-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4420-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4444-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4448-115-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4488-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4504-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4520-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4612-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4688-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4704-527-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4736-553-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4744-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4816-485-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4856-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-537-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4928-236-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4944-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5012-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5052-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5072-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5144-590-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5192-598-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads