ce3ea321ba17977f4452320bda7ab46ac5067af5f0c6a6fcc3c9036e220565c6

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad15d2949ffdf7a51b0c839b03342900_NeikiAnalytics.exe
Size

64KB
MD5

ad15d2949ffdf7a51b0c839b03342900
SHA1

7b310e2138a8fb562fcea1d03a1be14bdb01ead9
SHA256

ce3ea321ba17977f4452320bda7ab46ac5067af5f0c6a6fcc3c9036e220565c6
SHA512

665532771e3844718b4d5bac8e69aae22f42821fd50585360300ebb0f146393e9e62f272849507c3e10b6457031f218e4bab5e7d0586fa006aea4b0362f6294d
SSDEEP

1536:36bJL8qzpesbGoW9PJr/bX+2L6KCYrum8SPE:36bJL5plbGTPV/bz5VT8SE

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ad15d2949ffdf7a51b0c839b03342900_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe

Executes dropped EXE 64 IoCs

pid	Process
2884	Mpablkhc.exe
4972	Mgkjhe32.exe
4364	Menjdbgj.exe
532	Miifeq32.exe
1540	Mlhbal32.exe
764	Ndokbi32.exe
3840	Ngmgne32.exe
2888	Nepgjaeg.exe
4944	Nngokoej.exe
3040	Ndaggimg.exe
3636	Ngpccdlj.exe
4848	Nnjlpo32.exe
4108	Ndcdmikd.exe
4260	Njqmepik.exe
1408	Nloiakho.exe
2260	Ncianepl.exe
808	Nfgmjqop.exe
852	Nlaegk32.exe
1000	Nckndeni.exe
1088	Njefqo32.exe
4932	Olcbmj32.exe
1908	Ocnjidkf.exe
4592	Ojgbfocc.exe
3852	Opakbi32.exe
1036	Ofnckp32.exe
684	Olhlhjpd.exe
1596	Ocbddc32.exe
1592	Ojllan32.exe
4496	Oqfdnhfk.exe
3112	Ocdqjceo.exe
4288	Onjegled.exe
4220	Oqhacgdh.exe
5096	Ocgmpccl.exe
5032	Ofeilobp.exe
3120	Pnlaml32.exe
3596	Pmoahijl.exe
732	Pcijeb32.exe
736	Pgefeajb.exe
2792	Pnonbk32.exe
4940	Pdifoehl.exe
1572	Pclgkb32.exe
3048	Pjeoglgc.exe
3752	Pmdkch32.exe
1380	Pqpgdfnp.exe
3228	Pcncpbmd.exe
4796	Pflplnlg.exe
4756	Pncgmkmj.exe
3080	Pdmpje32.exe
2592	Pgllfp32.exe
1040	Pjjhbl32.exe
1952	Pnfdcjkg.exe
3044	Pqdqof32.exe
4036	Pgnilpah.exe
1872	Pjmehkqk.exe
4420	Qmkadgpo.exe
1844	Qdbiedpa.exe
3376	Qfcfml32.exe
916	Qnjnnj32.exe
3168	Qqijje32.exe
2704	Qcgffqei.exe
1120	Qffbbldm.exe
3640	Anmjcieo.exe
4344	Aqkgpedc.exe
4416	Acjclpcf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Mpablkhc.exe	ad15d2949ffdf7a51b0c839b03342900_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	ad15d2949ffdf7a51b0c839b03342900_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Mgkjhe32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nngokoej.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Lffnijnj.dll	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Nfgmjqop.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5840	5688	WerFault.exe	206

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Njefqo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2884	2476	ad15d2949ffdf7a51b0c839b03342900_NeikiAnalytics.exe	82
PID 2476 wrote to memory of 2884	2476	ad15d2949ffdf7a51b0c839b03342900_NeikiAnalytics.exe	82
PID 2476 wrote to memory of 2884	2476	ad15d2949ffdf7a51b0c839b03342900_NeikiAnalytics.exe	82
PID 2884 wrote to memory of 4972	2884	Mpablkhc.exe	83
PID 2884 wrote to memory of 4972	2884	Mpablkhc.exe	83
PID 2884 wrote to memory of 4972	2884	Mpablkhc.exe	83
PID 4972 wrote to memory of 4364	4972	Mgkjhe32.exe	84
PID 4972 wrote to memory of 4364	4972	Mgkjhe32.exe	84
PID 4972 wrote to memory of 4364	4972	Mgkjhe32.exe	84
PID 4364 wrote to memory of 532	4364	Menjdbgj.exe	85
PID 4364 wrote to memory of 532	4364	Menjdbgj.exe	85
PID 4364 wrote to memory of 532	4364	Menjdbgj.exe	85
PID 532 wrote to memory of 1540	532	Miifeq32.exe	86
PID 532 wrote to memory of 1540	532	Miifeq32.exe	86
PID 532 wrote to memory of 1540	532	Miifeq32.exe	86
PID 1540 wrote to memory of 764	1540	Mlhbal32.exe	87
PID 1540 wrote to memory of 764	1540	Mlhbal32.exe	87
PID 1540 wrote to memory of 764	1540	Mlhbal32.exe	87
PID 764 wrote to memory of 3840	764	Ndokbi32.exe	88
PID 764 wrote to memory of 3840	764	Ndokbi32.exe	88
PID 764 wrote to memory of 3840	764	Ndokbi32.exe	88
PID 3840 wrote to memory of 2888	3840	Ngmgne32.exe	89
PID 3840 wrote to memory of 2888	3840	Ngmgne32.exe	89
PID 3840 wrote to memory of 2888	3840	Ngmgne32.exe	89
PID 2888 wrote to memory of 4944	2888	Nepgjaeg.exe	90
PID 2888 wrote to memory of 4944	2888	Nepgjaeg.exe	90
PID 2888 wrote to memory of 4944	2888	Nepgjaeg.exe	90
PID 4944 wrote to memory of 3040	4944	Nngokoej.exe	91
PID 4944 wrote to memory of 3040	4944	Nngokoej.exe	91
PID 4944 wrote to memory of 3040	4944	Nngokoej.exe	91
PID 3040 wrote to memory of 3636	3040	Ndaggimg.exe	92
PID 3040 wrote to memory of 3636	3040	Ndaggimg.exe	92
PID 3040 wrote to memory of 3636	3040	Ndaggimg.exe	92
PID 3636 wrote to memory of 4848	3636	Ngpccdlj.exe	93
PID 3636 wrote to memory of 4848	3636	Ngpccdlj.exe	93
PID 3636 wrote to memory of 4848	3636	Ngpccdlj.exe	93
PID 4848 wrote to memory of 4108	4848	Nnjlpo32.exe	94
PID 4848 wrote to memory of 4108	4848	Nnjlpo32.exe	94
PID 4848 wrote to memory of 4108	4848	Nnjlpo32.exe	94
PID 4108 wrote to memory of 4260	4108	Ndcdmikd.exe	95
PID 4108 wrote to memory of 4260	4108	Ndcdmikd.exe	95
PID 4108 wrote to memory of 4260	4108	Ndcdmikd.exe	95
PID 4260 wrote to memory of 1408	4260	Njqmepik.exe	96
PID 4260 wrote to memory of 1408	4260	Njqmepik.exe	96
PID 4260 wrote to memory of 1408	4260	Njqmepik.exe	96
PID 1408 wrote to memory of 2260	1408	Nloiakho.exe	97
PID 1408 wrote to memory of 2260	1408	Nloiakho.exe	97
PID 1408 wrote to memory of 2260	1408	Nloiakho.exe	97
PID 2260 wrote to memory of 808	2260	Ncianepl.exe	98
PID 2260 wrote to memory of 808	2260	Ncianepl.exe	98
PID 2260 wrote to memory of 808	2260	Ncianepl.exe	98
PID 808 wrote to memory of 852	808	Nfgmjqop.exe	99
PID 808 wrote to memory of 852	808	Nfgmjqop.exe	99
PID 808 wrote to memory of 852	808	Nfgmjqop.exe	99
PID 852 wrote to memory of 1000	852	Nlaegk32.exe	101
PID 852 wrote to memory of 1000	852	Nlaegk32.exe	101
PID 852 wrote to memory of 1000	852	Nlaegk32.exe	101
PID 1000 wrote to memory of 1088	1000	Nckndeni.exe	102
PID 1000 wrote to memory of 1088	1000	Nckndeni.exe	102
PID 1000 wrote to memory of 1088	1000	Nckndeni.exe	102
PID 1088 wrote to memory of 4932	1088	Njefqo32.exe	103
PID 1088 wrote to memory of 4932	1088	Njefqo32.exe	103
PID 1088 wrote to memory of 4932	1088	Njefqo32.exe	103
PID 4932 wrote to memory of 1908	4932	Olcbmj32.exe	105

C:\Users\Admin\AppData\Local\Temp\ad15d2949ffdf7a51b0c839b03342900_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ad15d2949ffdf7a51b0c839b03342900_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\Mpablkhc.exe
  C:\Windows\system32\Mpablkhc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\Mgkjhe32.exe
    C:\Windows\system32\Mgkjhe32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\SysWOW64\Menjdbgj.exe
      C:\Windows\system32\Menjdbgj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        24⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:684
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        29⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        32⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4220
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        47⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        51⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        61⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        65⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4536
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        71⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:752
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        75⤵
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3988
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        78⤵
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        79⤵
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        80⤵
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        81⤵
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        83⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        88⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        92⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        93⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        94⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        98⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        101⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        102⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        104⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        106⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        109⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        110⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        111⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        112⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        114⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        116⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        120⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        121⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        122⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        123⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 396
        124⤵
        Program crash
        
        PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5688 -ip 5688
1⤵
PID:5808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
64KB

MD5
1ad57a0ff93fa21cffeb8064dd5355f4

SHA1
baf04a19ecb295588b2cddb1a26b6cd3ad95fd77

SHA256
fad6f266226d95c7b29cadcf4c57475bd9065b46fcc23422621595e30cfc9eeb

SHA512
3fe7bc68318d6e7c242d45e32f15cc8326f781245c0fab73e1e8141a1d604e6de69e43f7946d8d354a006c6d09ec47dadf7e4c68bce185261db2c75fbf2a6dc1

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
64KB

MD5
8f313d98d34dc568b5df38628f0e0248

SHA1
e91cca89e4278e5b6e6f28d900380deadcc702e3

SHA256
3fae66ca03acac88f677df367c3e3df931758b641a34a3482145e948ceb8df6d

SHA512
5b0ef419e4fdf14322670de6efea3bd9d5e9c60081217e4b88df12350e97a0aaf452c679432f96b6a27a85b2ad06fea43d943786c3ed0970e8bb477d3adc8df2

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
64KB

MD5
2be4cd2887e046b5bfbd1b9b3fafa81f

SHA1
7b927441953933c8e518a14f1b238762384b3456

SHA256
b233a40551280192275e9df77ac025de3d3a5c9a4819e8ad2e2848643fffefc4

SHA512
ca91c630b4e40659b2a46cc8723b34cf7612f5fafd134f4378f3541302006f34d069e6b990e8522b3de31996ac8dc4bfe5c0536a7eaa28e393b61734178e2e25

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
64KB

MD5
a54a672433eb711b55ec21c4fc982ee7

SHA1
3a406d58ce235d53569a25b12f57de546b58f322

SHA256
24e505f22e4b8e60d49a9d99450f44fb90352b3e6425b1a1fbede4fe1c17d4b6

SHA512
bb6a3118c7292a3fe6ca88ed37ee3ae548b0271bc7d96a9169722c660f42a586db5a1eb5eabd3b00d5c02f27485be93e3627741f2b011b3bee52fbc92c9581f3

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
64KB

MD5
66d8d82df85cdb2681f31f31b370d8f4

SHA1
2fa680777cb734c74ac88df1d0b5b4acff0ad1dc

SHA256
96da56b31da139b5fe9c9110b82eb93039c1a941b391d29051ed711982c5c161

SHA512
5243dd94b91f82744f2e9f94000ef5ac847743ec84c4e0ffc480b2d3fa541e2a39d66cded240e2333f99add8fc9d5e06bd01c79d3730befce69b12396c4b58ac

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
64KB

MD5
790db7255b1f42066f6ac237016c74e9

SHA1
135476f698b25eeca09e2b1b04cc4695a87ba1a4

SHA256
6b2996c5b79fe0f688667c348709142e7dec4a4d81a9ab504dd6dfa7bf5722e4

SHA512
bae84b325bd93fbcbb39cc181d7ef28a961c13d5274ef16caca166843558bc64aebf3729abf39a3929f935ca76c69426e7c211507f8f3523b0697bea62cac7f8

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
05b97fe297ecd6183b1efe34af313ade

SHA1
836d3bd4b4d8ea9eb3490ef36be217ae4f2fdb83

SHA256
9586524bd5ce433162a28818d698679ccf06b2682f817a7a5af8f5e1e9d25c6e

SHA512
a446611d2e6dd173e556334274c244f434acb1e2d4c27818513fe7482678b8a7bbbe7a35855b0bd4f125b7bc4879905b88e8b62f646acc54c304919df6c89528

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
64KB

MD5
ff71aebbc996938ae9b1cb283fe09174

SHA1
9a6f0639b211217e9531de3debbf9744ed8f91b9

SHA256
c285dbe2752b2efede11abd627e92de406cd30f283ff0d854b34b1a533038ad1

SHA512
f045880b7ddfec8f69f7c34341b51526f734a260f483f47e085caefc0e23223a2e642c5b7f518e96d3d7bd2b38ff72a2421721a75f7bb379f5a45ee40da47fa4

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
64KB

MD5
885faa91abcffc99afafbf8f0217cd5d

SHA1
0b0c1288f17ec9819cf2a57f091e698530cf62fb

SHA256
c215f0d34cd878c8a89898243093ad3d81f71d7fd97b1be7a6c8da3eb58736ff

SHA512
963333b48b73fd2de90b90b6659a06a0a8ce8a7e3340e230f8883c5db389420986690367d36186cac82bde338a4907536772db80c8f655d80e7886a2efaa396f

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
64KB

MD5
9e690e8546399c512b5161de2fbba2cc

SHA1
b05e21161b46d6e2daa8a9ebe2a49942fb97dc9f

SHA256
84e5b66ee63f2db755d809033247eace0f48069d8d60d6cb963f58289b10cb56

SHA512
d83d1ff08ab491d9b49084a0f3657f755c3286f217cd412ff637b93c4e4ab0169849b8ce8718eb7fef8f7f0b20ebc0e7f7c0d6d5e6c413e3346ad26ed9f7f5b8

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
64KB

MD5
d8140116b506501ffcdfb1fe5a792e74

SHA1
027ede57a1590fdc46a0b52b872b0ef8a40fd51a

SHA256
a644f956b4bba0acd1ddb835abbf4b9ecfce30b29a36fe1a288ff5dd71d03a4c

SHA512
c98adeafb8a65f73c73c4a7f5189c2c7dfff24dc03f9643143d3f62761a9c23f59af1e75e1a6c8606e37ecf3fc46505884578ea47f2971e32f24ab7a5d5a107b

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
64KB

MD5
4374ad0eaa970060c4514b8869649102

SHA1
821cbd9d19035e8c1492536b68b79a61465a8677

SHA256
0fe9301dcc8402717f6686b2397cd8e0f07443cc9f94022033450c6eacc47bd5

SHA512
9934805ff0757a6626331f921658cad314d2e6c8b3bafd1e248c95bd1ed3467039325b870a8080af74968e099c87740af71b606134f30529dd6c7765cd86bc24

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
64KB

MD5
5a25ee50b10c24130a75ad3d3f4d4d42

SHA1
61937f585f6028a5ffc7c571105f4c04bc238740

SHA256
454088656241785cd6c277d8f42db9fd8b905e5c108cf261c56f30513d105ad5

SHA512
c0efa4f9e6757136b37b441ac52cdc21d2b926a6b5f5723c858ef29f872568cbb275be0de0b11eec86f389871f1a29d7cdf38d0c448a1afb3ea9a76a07baf984

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
64KB

MD5
b9863414d93a73441dcd3ab2f8cfddf4

SHA1
db00bcf8a2de1598ed4d5caf17568b7fc0446c53

SHA256
bb6c0ce48441c0348e4a543d13cfe3acb43a09a3c6900c3c2c0a024272758c09

SHA512
7e48911de3e7a6fd78f788c408e126e22c603a781c3e6e6636e9c5d9430be7a791d073062348e5b323c787207dc86760fd397ffcef42e574549488d573e69153

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
64KB

MD5
22b12ca56988157e7b4eb87a268ceb02

SHA1
42fb857b7c44b2e7491614f0bdefdc78fa12dd7b

SHA256
b891c8d628c8c333c1dd89218e9d04df7334385aa8303841aac96e1aaafafde6

SHA512
c0c2bf3a11089da27858982051179aed8477aaaf861ad03cb3f336d5d31ade9657b684adbe8302fa0e2b3faa5ae2b06bd97abccaba69e88bcc122b5c235ce641

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
64KB

MD5
1768cb0c6931b2cdf50874f72447cac6

SHA1
fe8693305709d219bcba2ac93859b4703800a283

SHA256
e6b0d9ee09b436a3ef66fca4467f049364e559b05fb1aa96b60ffde42a83a4f1

SHA512
cc93a6bc40e5da571c89c2d737b603105d91e8c82d7820f7bcebdc216d3139299a15b823dceefb464d33976aab4cb0a504e67db1a8446381b55931871c8f5131

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
64KB

MD5
2b57e3ca6c1c0413ec94c1f67977f764

SHA1
db93af16fa94986d2d785097f9411e03f1bc56ac

SHA256
f4cece84cabe2e6dba33ebb96ee893f9e8db71093bb5019eab5f9c849b562b40

SHA512
64dcc28c4362c79d8d6e2e2e60db6373894317d0e35b119d0b7b61094ca3f86e3b2b9cd9c128d087056714d6bca62afc0ad7a20602b45523b57b89f6fbe352ee

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
64KB

MD5
c78238a4c1a0581dadc9ca3e57f7f702

SHA1
ec2c55f4cbbcebf98708e5c56e432ba60aaf0a75

SHA256
e6f1599000384e77730cbebf7b319d23c238606cfdfeb334f4c9fdb6bff0f1c0

SHA512
c6843c8e7d9038eddf7121c182ecc84572167f82ef2bee468732278903f9ddc49dd1a7283d00e3d49bf12ebb0f65aac71c5bff14ae8ea5d06f003ae40b77bd13

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
64KB

MD5
6bb7cb4267fa5adaf9472ee3cd5cdd25

SHA1
763049d6b84f54d0a088d1f9263107779ce8b32d

SHA256
a05ba3a65644d782b07829186c6e4682899501737c08fd0e5eaced2505ce7e9a

SHA512
aab538a7e378ad03eaeb6d56677435512fe8734883929c52b10152a04dc607b6e0a235bd9e73134654d66e7431f3768f7715ac6dd8fdc28a9ac3b32c8a3d014c

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
64KB

MD5
ae7b5acde7d0b3d65c01221ffdb288ec

SHA1
770f9ed102156473b44804bb1b2d0e2895db4e63

SHA256
78e17293a1e50889019f6bfdfed10c83f9b9e30e5471518b4492bbd6bb97a5df

SHA512
4603dee5972107fff058a9c9a87859b77d8c735af9f86e2c4efcdbe4d0a06fb8229951948fba7c7faf2ae3f4cb0d6844c65c5e183279b8934f412a06fc6e33ee

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
64KB

MD5
facf06466e2a007e847b91f26e8e5aef

SHA1
4fb0de86cde1ffce1a15014712e659b829d2a16b

SHA256
29847536f03b5ef26f826545461ffc2a9505983bbe9fb2ce20c6d58918b42f22

SHA512
c7e8b537e5357fd16d74d3d4b850b866145e05af9ab877291116757edd65ba2e269bf249f5007c03b3b3a38780c81f57bea8b4520f98ebd6326ede0a117a41d8

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
64KB

MD5
a106de4047e36ed337cee0cd602ec2d1

SHA1
fd46ae0da4eb15487466b1c216e9c6f9d9383928

SHA256
bc95f3ce206ddc0dc73169a8e6206f0a9cf4fe237eee8da904815d8deda4f2cb

SHA512
962f2107eca282bdd8e6727c272851736268972d63dc673d1204ca162c32942a2dd47d5f1680a53f968fae7d8b7ed3ca18a788531968a9ce60e312622f8c98e8

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
64KB

MD5
7c1e5704b0773e17689d6db02be55140

SHA1
b7c2fa3ab2b432a03ca407a907a4c30bf8d021eb

SHA256
49f9354d35c6d2e8a197ccd0acb7ef754b1aed754cc6148221b4666fdb8de7f0

SHA512
df344b0f06775aba36ad90bbae50d3f410f54481495647c3b14e91a223d57d74f98ea27af446e0f83530087641c39b0116fd5c35597d864250fe0864094c33ba

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
64KB

MD5
7eea52951f80f4a1fdc3dd8068d326ab

SHA1
58875d25fad12570b5871cf7bb2431abe44b056b

SHA256
795c2a97bb7809b12989bd3310e8fa0e43b0ccf079bc071c3012fb716caca65a

SHA512
a2d9fd4699c7eef111c2c33418fe4535669dbacf7d6615407fe2397e8560f5808ff942937f197aa995a5294d28dcc88150b62f2108c138c2609e011e17670b76

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
64KB

MD5
c0e17110386387bc5c0107367ce8b542

SHA1
78bd684c34059b6553687504f6af85388d514e87

SHA256
99c16d4298c7ec7e3ae31f03f5a3654c505ee785a6b931f73baa965b4b9508c8

SHA512
954b6e655deb8097f99cc3775bd94a8d15a290b430dbdc4363c0da994c68a47637749a4d1b574d06d3080c48a6ccbe9e15a5a4b1e46249febf85fb82ad542851

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
64KB

MD5
8694ccf801bc886cc9a1babb57c6445e

SHA1
9a46454fb36a2d7b4bfd73e1483770c864727a17

SHA256
2ee9cfcc3b3d93cdb72b7199dc20856c19ce2a0a344502f7d38c56783efce408

SHA512
4050c9852caca5963d088df0f924d36b55a2b5266960676543d6a8079ed571d5d8a403ba69556ed900914c173f8693b61b5fb450106779072d4878206ac68413

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
64KB

MD5
b9fde50ce2c668827b6532e2de804c48

SHA1
dd7e7c4a5d128097f8d38e2e20960dcf6133fe86

SHA256
d63b4dd2c76252db05686db145ca27edc8e8015ec3444b5784ef34ec7862d111

SHA512
5b5a96caa618cab8277596baa0275c22424ca6ed1caf0491fcbb66c35ff7f032eb171ee4a11a23e99972899c7e1c956c2ae9dc915040902cfcd2b77585e54c65

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
64KB

MD5
914a257fabb31af8d88a26ef05bb0e58

SHA1
4605ce5b9181fa0f57c5fd01b1bad240dde5d2ac

SHA256
0ed904b647d38e18e35a69b8a5f3ce6d2532370c30a69a1a48b47a7d82b38824

SHA512
d51d64ffe7e0ff1fa0cc10280db2911aa7ec75b5a061552d364704603322842eca8bf35f0dde5419d1888c1128de0530540459facfc975ebc228317efbf15da1

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
64KB

MD5
a5f7b6da22e7df74d8de5573176ae201

SHA1
622023a6812e6ca204539f3ac8a442fe56ef9164

SHA256
7e8d4026b6f53334ea1998e7d6393f439d08b17625f6853e99fd58beb6d93616

SHA512
47f5e05a19064c06ba9306fc7fcbfe6762aa55b446251432f6878017727e443911b89a14031e827ef3b1733d112f721defda01d08258af107bdd9d6e5c9a4eff

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
64KB

MD5
255d25767263d61fadf8df7603a79c36

SHA1
22401d2e49de36d67cbcf5076c7955b212be116d

SHA256
d88f205ed12bd8d015219e982189f19a7089625124902b8299e9a6fadf0e41d8

SHA512
47686b897bc0580ea3df4a71d2a716e68b1e8fa066ae1db78aaae55351e20e993a83523db058e6f6e4bdf0d1c96cfa65ee0df1461e57aab34e7d15069b5f2d14

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
64KB

MD5
4308fbe36132a50eda64743fc8163601

SHA1
12958b1327644dbb313f15a9af6491751e5f3ed7

SHA256
8b5807706973da9e2e9560661c3dd304e5e21968709123659d7dedd7411be5fd

SHA512
9b4984b35b189f72054ebbb394ae8a9e7cfa4c591a0a0b6a39011282e48bc3efd8ad0bc7ac66608cfaf57a9a09031c1a9a2bbfe8cebf91dc6c42fbbf4fc711c2

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
64KB

MD5
ef7a93645838ff55428ce3129e41be9f

SHA1
ac68a953fc065497e9cc207db38a7aa7ff5a8b6c

SHA256
c0294703dd5d114010716ad0072121e4242b812f43458ec2eed2f760da6e5fc4

SHA512
67cb0f32986b87d9b51ec0625adf4b48292d794f2bd22a96be19184157d203f38e7d982ba2d65fad58d97c3be3d5272c161af5922205924006308180740ae352

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
64KB

MD5
1ab39b05fb021244175ea154f4cdf38f

SHA1
18973fb6280ddf1f9d73fee253cb7b2483188c1e

SHA256
6923bb406d99c7e417659389fb7bcd05b561726290003f083bf0ee5feabc4735

SHA512
6e427ec7197ee94dadf66750a2671ab5f24a213c5194c7f8f6071b6fd5cdca14801095751234415234d06168233b12c730ed6c49eccb82affae1d774060251c6

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
64KB

MD5
4f720de66251ebef3e8f84ca1db07db0

SHA1
b02750c9b407796943012e91617363a44802f5d9

SHA256
5f1f0b5d926b17e83f557b26bf99e19a8804b818f88187ba17f895fde2ab46e1

SHA512
627789a50cb3f2d898f804ae06942d62dec10c00e66ca0d0696fe8b76916a0706168afbc2dce520df5c1eff5a2a489e9737175b027847289e60d0d410889f736

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
64KB

MD5
0f337c40af44f9f5de172488b4d0b161

SHA1
654e280585e69bab377e4b756b8e6c61fea4d37c

SHA256
ae63a15b4aecb5430e83463ba260640c0556f25dea15814ac6fe5330ead45fa0

SHA512
0b5c14abde43c994d17cef5ba1784b10977d8b6f93ca631ad243401c93c792dcf8549ebbaafae8bc00b611a2e81a60489e62d70bab81c4da878bb410f5bd9036

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
64KB

MD5
e8662c655556b3785e984ca63a573521

SHA1
6b5fa372ba17acb5833d1974ea5a4358efeddd96

SHA256
81d7dec18821b0b1f73c3098afdea7f0ddab65827e38c060b4a21516c5be2a5d

SHA512
aee0a50379f01a33ab08b88f5bfa84e835edf4612eb696010f80e02049d958a5b83bf40ab0c9a634aae5625f6c0289737bc9b257aaad8ee9aab42806346d8e8f

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
64KB

MD5
3faa875386b1180845d3d65ba397bdd1

SHA1
9871641ecbd3790f4b3fae7019b84e908a1416da

SHA256
e19fd09458db9df67d7ff0c537c0fe6761e370263d490d9c0332d8326883df01

SHA512
32bf8cb36f37a932893d2606cc910ae8c0f2548061981e2135a1f01da85cf5283b7e43bb6ab35990762bfb2349e70d188d4a8a835f3a13e1e2c8bdddfdb16bc4

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
64KB

MD5
f73a0c845218802f532dccb6892957e2

SHA1
729e750ce2814dfd7b6dec15dbf078db3f268a12

SHA256
c89b4bad7039fc1d7e394ea9f4867d9decc4725d8684f3e7a2dacd02c1fdd9c6

SHA512
570f3022477b5813243d626bf5595d9c50d33d16370fdeac23da989b564bc372db372e456560cc1da10ee6cc795c1602a5bbb2f67ccb517720ada1b3eb5d810d

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
64KB

MD5
5c59630e32d4da86b8786b61d2d82b44

SHA1
c936d7f23a9afb80997fb95823ba7b1b50849c1f

SHA256
f863c82d138b8964c08b9b603f7b629df5fbafa72a7ca1e33fb2a876096cbd43

SHA512
ec5316447c1bb1a1dd35f391bc5cdfadae3a79f3e0f525ba917ebd94174dc968cda0eac2853f287ab3dea949c5209f0a3d7eecd645eb315b8bdd931e20a58584

Download Submit
memory/532-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2592-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-917-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads