50ece4b8661e8b635b6fa1178b30bdf96d113a2265518d63ba4790594caa6bac

Analysis

max time kernel
96s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fb185f7a5105efb2e752b0bf5182570_NeikiAnalytics.exe
Size

64KB
MD5

0fb185f7a5105efb2e752b0bf5182570
SHA1

a632ff65bf92ae6897113149754dd25ec53e00a4
SHA256

50ece4b8661e8b635b6fa1178b30bdf96d113a2265518d63ba4790594caa6bac
SHA512

edba98b47ab85fc7a53a952303ee1a800c09f0c7aeb2570d3ea4045cc325fe4827dc0b11d89b756197ae9237144c42d677f7feaf47ce435b9d1cc2d45912833f
SSDEEP

768:Z5qnHlK9+QOaYRx8nPRX7KMSH0mem64+lLf4sZsBd2p/1H5UXdnh0Usb0DWBi:ZjhYEPRX7EUDm6hid2LIrDWBi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe

Executes dropped EXE 64 IoCs

pid	Process
2084	Ncianepl.exe
1524	Nfgmjqop.exe
1060	Nlaegk32.exe
3348	Ndhmhh32.exe
3484	Nckndeni.exe
1216	Nfjjppmm.exe
1516	Nnqbanmo.exe
116	Oponmilc.exe
4292	Ogifjcdp.exe
3236	Ojgbfocc.exe
4396	Olfobjbg.exe
4152	Ocpgod32.exe
1996	Oneklm32.exe
2304	Opdghh32.exe
3244	Ocbddc32.exe
3380	Ognpebpj.exe
2308	Onhhamgg.exe
3312	Ogpmjb32.exe
2964	Ojoign32.exe
2192	Oqhacgdh.exe
4392	Ogbipa32.exe
2516	Ojaelm32.exe
8	Pqknig32.exe
2672	Pdfjifjo.exe
1960	Pfhfan32.exe
3004	Pqmjog32.exe
4908	Pclgkb32.exe
2184	Pnakhkol.exe
4336	Pmdkch32.exe
5096	Pgioqq32.exe
4072	Pjhlml32.exe
4468	Pdmpje32.exe
1924	Pfolbmje.exe
1956	Pnfdcjkg.exe
2240	Pmidog32.exe
2176	Pcbmka32.exe
5076	Pjmehkqk.exe
5072	Qmkadgpo.exe
4372	Qgqeappe.exe
212	Qjoankoi.exe
4604	Qmmnjfnl.exe
1608	Qqijje32.exe
1904	Qffbbldm.exe
4684	Aqppkd32.exe
1072	Afmhck32.exe
4144	Andqdh32.exe
4904	Aeniabfd.exe
3504	Afoeiklb.exe
1508	Aminee32.exe
2380	Accfbokl.exe
4344	Bfabnjjp.exe
2440	Bmkjkd32.exe
2520	Bagflcje.exe
1180	Bganhm32.exe
1116	Bmngqdpj.exe
3964	Baicac32.exe
3708	Bgcknmop.exe
4828	Bjagjhnc.exe
436	Bmpcfdmg.exe
2024	Balpgb32.exe
4840	Bgehcmmm.exe
3096	Bjddphlq.exe
4816	Bmbplc32.exe
3532	Banllbdn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qmmnjfnl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5448	5272	WerFault.exe	199

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	0fb185f7a5105efb2e752b0bf5182570_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 2084	696	0fb185f7a5105efb2e752b0bf5182570_NeikiAnalytics.exe	82
PID 696 wrote to memory of 2084	696	0fb185f7a5105efb2e752b0bf5182570_NeikiAnalytics.exe	82
PID 696 wrote to memory of 2084	696	0fb185f7a5105efb2e752b0bf5182570_NeikiAnalytics.exe	82
PID 2084 wrote to memory of 1524	2084	Ncianepl.exe	83
PID 2084 wrote to memory of 1524	2084	Ncianepl.exe	83
PID 2084 wrote to memory of 1524	2084	Ncianepl.exe	83
PID 1524 wrote to memory of 1060	1524	Nfgmjqop.exe	84
PID 1524 wrote to memory of 1060	1524	Nfgmjqop.exe	84
PID 1524 wrote to memory of 1060	1524	Nfgmjqop.exe	84
PID 1060 wrote to memory of 3348	1060	Nlaegk32.exe	85
PID 1060 wrote to memory of 3348	1060	Nlaegk32.exe	85
PID 1060 wrote to memory of 3348	1060	Nlaegk32.exe	85
PID 3348 wrote to memory of 3484	3348	Ndhmhh32.exe	86
PID 3348 wrote to memory of 3484	3348	Ndhmhh32.exe	86
PID 3348 wrote to memory of 3484	3348	Ndhmhh32.exe	86
PID 3484 wrote to memory of 1216	3484	Nckndeni.exe	87
PID 3484 wrote to memory of 1216	3484	Nckndeni.exe	87
PID 3484 wrote to memory of 1216	3484	Nckndeni.exe	87
PID 1216 wrote to memory of 1516	1216	Nfjjppmm.exe	88
PID 1216 wrote to memory of 1516	1216	Nfjjppmm.exe	88
PID 1216 wrote to memory of 1516	1216	Nfjjppmm.exe	88
PID 1516 wrote to memory of 116	1516	Nnqbanmo.exe	89
PID 1516 wrote to memory of 116	1516	Nnqbanmo.exe	89
PID 1516 wrote to memory of 116	1516	Nnqbanmo.exe	89
PID 116 wrote to memory of 4292	116	Oponmilc.exe	90
PID 116 wrote to memory of 4292	116	Oponmilc.exe	90
PID 116 wrote to memory of 4292	116	Oponmilc.exe	90
PID 4292 wrote to memory of 3236	4292	Ogifjcdp.exe	91
PID 4292 wrote to memory of 3236	4292	Ogifjcdp.exe	91
PID 4292 wrote to memory of 3236	4292	Ogifjcdp.exe	91
PID 3236 wrote to memory of 4396	3236	Ojgbfocc.exe	92
PID 3236 wrote to memory of 4396	3236	Ojgbfocc.exe	92
PID 3236 wrote to memory of 4396	3236	Ojgbfocc.exe	92
PID 4396 wrote to memory of 4152	4396	Olfobjbg.exe	93
PID 4396 wrote to memory of 4152	4396	Olfobjbg.exe	93
PID 4396 wrote to memory of 4152	4396	Olfobjbg.exe	93
PID 4152 wrote to memory of 1996	4152	Ocpgod32.exe	95
PID 4152 wrote to memory of 1996	4152	Ocpgod32.exe	95
PID 4152 wrote to memory of 1996	4152	Ocpgod32.exe	95
PID 1996 wrote to memory of 2304	1996	Oneklm32.exe	96
PID 1996 wrote to memory of 2304	1996	Oneklm32.exe	96
PID 1996 wrote to memory of 2304	1996	Oneklm32.exe	96
PID 2304 wrote to memory of 3244	2304	Opdghh32.exe	97
PID 2304 wrote to memory of 3244	2304	Opdghh32.exe	97
PID 2304 wrote to memory of 3244	2304	Opdghh32.exe	97
PID 3244 wrote to memory of 3380	3244	Ocbddc32.exe	98
PID 3244 wrote to memory of 3380	3244	Ocbddc32.exe	98
PID 3244 wrote to memory of 3380	3244	Ocbddc32.exe	98
PID 3380 wrote to memory of 2308	3380	Ognpebpj.exe	100
PID 3380 wrote to memory of 2308	3380	Ognpebpj.exe	100
PID 3380 wrote to memory of 2308	3380	Ognpebpj.exe	100
PID 2308 wrote to memory of 3312	2308	Onhhamgg.exe	101
PID 2308 wrote to memory of 3312	2308	Onhhamgg.exe	101
PID 2308 wrote to memory of 3312	2308	Onhhamgg.exe	101
PID 3312 wrote to memory of 2964	3312	Ogpmjb32.exe	102
PID 3312 wrote to memory of 2964	3312	Ogpmjb32.exe	102
PID 3312 wrote to memory of 2964	3312	Ogpmjb32.exe	102
PID 2964 wrote to memory of 2192	2964	Ojoign32.exe	104
PID 2964 wrote to memory of 2192	2964	Ojoign32.exe	104
PID 2964 wrote to memory of 2192	2964	Ojoign32.exe	104
PID 2192 wrote to memory of 4392	2192	Oqhacgdh.exe	105
PID 2192 wrote to memory of 4392	2192	Oqhacgdh.exe	105
PID 2192 wrote to memory of 4392	2192	Oqhacgdh.exe	105
PID 4392 wrote to memory of 2516	4392	Ogbipa32.exe	106

C:\Users\Admin\AppData\Local\Temp\0fb185f7a5105efb2e752b0bf5182570_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0fb185f7a5105efb2e752b0bf5182570_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:696
- C:\Windows\SysWOW64\Ncianepl.exe
  C:\Windows\system32\Ncianepl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\Nfgmjqop.exe
    C:\Windows\system32\Nfgmjqop.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\SysWOW64\Nlaegk32.exe
      C:\Windows\system32\Nlaegk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3348
      - C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        24⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        27⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        34⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        48⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        50⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3708
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        62⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        63⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        69⤵
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        70⤵
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        71⤵
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        72⤵
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        77⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        80⤵
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        81⤵
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        83⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4136
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        86⤵
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4824
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:836
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        90⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        91⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        96⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        97⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        98⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        99⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        101⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        108⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        110⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        111⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        114⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        115⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5272 -s 396
        116⤵
        Program crash
        
        PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5272 -ip 5272
1⤵
PID:5396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afmhck32.exe

Filesize
64KB

MD5
7cc106b9a528fc9202cb5a1c662b2e13

SHA1
f7bf48317463bb01da8847cd7bd9d261bb434cdc

SHA256
0d27c1116e8ee384fd5433aafcbe2949c0b64917486bcfed1b737eafa871eff7

SHA512
7191bb625d26af5eae38ba61d47a6a2c3130dd0bf58731eaac2665e085d39907e30141a171769805e4f7dba405a5f57d8ab8d6ecc6f8e4a2b31d89ffd8bb3848

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
64KB

MD5
670d2ae22a8fccaeb45bfeef41e30754

SHA1
1a24e9ac108c4b8757450605a5294d8ad9f3dde1

SHA256
9d3a7e2ea8248e809a77c4a96314f5c60915e13b4cfdf37d540897c2ade5240d

SHA512
569f1b62b789eacfc7a8396cf6a2323646d9c2f7c8087b1e51809c2866cf1d0457b0852dd8f16a5378b4e977332f5b5258f7e0c215c0dff33c4b2a9229812871

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
64KB

MD5
ac86a4dd7b29b103bb68b86e635eff74

SHA1
835527013be830b374f2e8e4e83244f93940f98d

SHA256
94b64d91d86410f3a1b58b421981529dcf95f5699e2b9300ffa7e0b734044e19

SHA512
9691e23c0e327db53ad6a5010cc8f1e51084c290b32e8655dcbcade4f69470276a4c9c0cb34d3c6380d540b7a74af00bad2781f39e1614601b1fbd5bfb29ddb0

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
64KB

MD5
8f3b1f74d5ce92e54272db11df4b63ef

SHA1
95418052ddac9694432b7429586cb679f2a0855c

SHA256
4775ae67045330f4666934ba89186a21addf9c14d27ab2acaad4fe16ccafb53c

SHA512
898d49088b118e833391478f133d4215d5cc9a0c66a42072ea29f3fbb163c6ae8079455426d2a3149de72c28dca5e6eeb99cfba380b14705813d36882bcd5a36

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
64KB

MD5
0f81e6adb3d5d06affc742305c5b9686

SHA1
7031aa8422c2ce9845e0ce4289e451742ec1090c

SHA256
bbffd0f4e3dce8a83dcaebc3a628df8dc8d7ef116f3305e5384b43c799a9c519

SHA512
6e238d5bcaa92bb8ec376e79f4bbf2f1b136df85241f5a1b59b6a004a51f219b583a2952bc2af9fd5acd622ae303894939adb4dd324cbee7eb8647d507f3068c

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
64KB

MD5
71e034e3416ad806efb636eea4564934

SHA1
dd24a9f1f83e137e3749cd4bf88a63ff44618b07

SHA256
6a6796c53a2f2406af6a08419de7ad7313fd09a9b9b271872b96b8f200636aaf

SHA512
df08c5d7470b2dbfe81a1ae11c71d4a4bf56c88529841d8ae656501fdc9470bf20fb4957a9a7672ba9352b0350cc0373d4f7c7480c2fb1c131eff20a196f8564

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
64KB

MD5
23b839dae41fa37b1d868aa0429b1ffb

SHA1
ca7e2b596d4611968910d9d5931f18a325b2a3fe

SHA256
291cc71a31e76bd1c57678ec2848d5e025beb78d95a6923817f9ea0d7e61e123

SHA512
61ad2bf67fbd8bc040d2f436504bdbce09e17be43049e65f1a998230632055b1df6005702fffa9bee08a3983e82983387059a013a5b66719186d30aceab21a61

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
64KB

MD5
f1a0278810b4a2ffc4db2672cd898485

SHA1
d5efe1c1bfbba897d0725fc4ed48778dc038eae4

SHA256
13739817167192086ec84650c546bbf857e7c41b69f68be47046b01807b706a2

SHA512
6c9aaa9c8139632fce9c635e36b9ebb8ce48afe6b2d91643d39c5a08daf4c6a94628d1a97945acdc5badc45c91aed128898c7c7c1796ae193ef1a8024b823625

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
8fc2b848ac7241fbcbf12b28186fd5a7

SHA1
7a37713d25a0a3581fafdf4316724816bbabdf48

SHA256
283adf42d283affc3952475910caead01dfaf5939755639b2730643adcb6f767

SHA512
f0c0aa4860341fb9868a42de5eb67308eff94bb21692730e47396523dc488f5e5cd75d15ca3791fe56e44945fa2feb92c30e9294a8eb8251c56851ead2bd97ac

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
64KB

MD5
85fb5ebe36c571251afadc1a26f1c53d

SHA1
60d8878d040cc358695cff9ec9341ed40c7c912e

SHA256
3a194ae56ca5422afb22670c0a67666b5b452c9664036bd227e33fbc984ac335

SHA512
4609cc405d0e54156d069d3a37e7815cb2b64cd49f839265cbdd340e31d0af8877c7fe1a21fcfeeaddf76b97ec2f943fd42a1ba19d2f056144724910c65637d5

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
64KB

MD5
1debb6a149b5df85cd3ef773fad4668d

SHA1
a673108fb5914a424d5c75737f0c8ee20c4006a0

SHA256
c063c90691fc7081a36544f8913ae3c630afd38c2bac19a224c1c4431157f044

SHA512
e93adc6ee31d1125e0addb61917a69fc2e2b4649943a6d350853a4f71d31683750b156ce124b6080e05c3d86fc0289b0d771a6c81c604585c1cf6dfa6efb5989

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
64KB

MD5
5f22b595689ee1404086aae7c9753d2f

SHA1
a71cfb0394955a7fbfad62c0201278a31e635b72

SHA256
9e4bf0220df329bcfa99e877f6ce4f44405e67033f72b1af553e89e16aacc6a0

SHA512
772b7279de0c3f39a1a604cfce212fa7f3515cc78218be8b506f089e425702df4d03d4851fc70645059c31128362506b04b1c58bb23e4df5b89dd158215046ec

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
64KB

MD5
22697c60e5d78a4db241e29cf011f3e1

SHA1
23341a8892a3d33a6f66c4ca4a1697e5d596523a

SHA256
3fc96b7a9d851eae4797731ca9a5fb7076dc450a8f45d776c02c29821d5b3a97

SHA512
c74fe098784928f33ac2fc2225fb92eec2b1bdc62cd9d1bb40ec3b49f895bbb44d990b87b1a85aaa0ede86d6275400d831d641dcc38a8bd569a764f2e3de0ec4

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
64KB

MD5
58b51ad542cef54d3e48ecd43e001dad

SHA1
7ce75f5b214dd589265e2e1d59aea13288b84c10

SHA256
be953d8d29317aa5316f1b3d6595a92e007909d63065d9ccb6ee5451b9bba6fe

SHA512
9fbc20d606e601048dd0fb72286bddc910c61a893f12d953c87beb57708b8b49a70f42848fc2b84ce8e4361cdd1164fe63019a983a728a957e7b045e19b337af

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
64KB

MD5
50f5587095162eeb51f0fbe2377fa245

SHA1
ea294430017da9293ff50a8d95bd593df77b0880

SHA256
325b36b181d6a82b57638cd277e512ace18c02490626261a09c7a1e2193184ac

SHA512
493b96660c2dfef22e30dfd18d2b01db2489075ca4a69448405ce5099c4a78f1b86a20c219e50ac762d24f0051a7fb45d4119e6d47d809196d4825d44d94239b

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
64KB

MD5
bc2996e18dbaa8fae31c3d0f06e2965b

SHA1
fd39843670eebb16a1edc4c2c928f39bcf564f53

SHA256
4f532bb74875e8ea11c7bfa2b9f5bbb6b196cc524ddefedf617405cfe56fb23d

SHA512
51f4ebc0513d1e3a6f1a135e800bccf56109333d7c825bd2bd23c3b2a7dad433cd7f9f088a92846308d3f4f822c2af1fb8df3beaba1e6bb958681d41b6dbdc09

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
64KB

MD5
d0ffddb390f12ea2a6bc1272f7cf34c5

SHA1
19ffe6d553736a7f178cdb8ecdbb5bd7e7a8b681

SHA256
094b4e4d7d723bc35ac04beece670f08a87719c02561331c7e6f9c01fb2f741e

SHA512
def9fd0e3e0e7432f5b5ab137ac1dd4ba3f0a8161de6e87c12c53658037c9a85e759315ccbeedd48287925616e435eb57e2e7387925db6d3f86fcb44c1f1809c

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
64KB

MD5
c3d03be47bc2fa69c27f778ddb8124f3

SHA1
fe5a6943da069b4189d742bdde19de54bd3508a6

SHA256
ea51e06195ce5fa8bfe95cc04acf409ab1ccc8d8e08ba7ef406563216abae3fa

SHA512
799a07894606d27a2189327a4e70ad16658b3f098007e618fb5c979616f877e0f2604684610517a804b091bd578ec4d0c00553b500ba114789f92d0293052f16

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
64KB

MD5
fffdc43f96541ce4bf8842115fe51a37

SHA1
7923acf85875950e623200cf1057a6eccb2039be

SHA256
00397a2217a38e029173a12bdcbf0e25b0553b27fb3abc7c881641e55f7dbba4

SHA512
56e4114d76a1a3ff91746011a8c970415c74f23d6da2def12851b697fc5fc451ff84ca18054fefa457c7c2c248ef9084d8b5db5c2034f314649ccbcb17f74ed9

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
64KB

MD5
49a9e332ed48112f3ab22d7f67573c64

SHA1
be3f520b1870ba0fddfaf3fbd231e5970b1c65c1

SHA256
739945e91ee1a9e55182945ef8e306d601113b66048293f3b2a67a623cb9ca27

SHA512
bc126d760e61da402be521745d17b57893802c6c662055d6394b2b37f698771d9809874ef18e09a8049b0acb72fd42a67c0bbc547d59e5296d277602ba3d383d

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
64KB

MD5
7958e872d04485b8b90cc4440323dc4c

SHA1
cc60f8772f7bf0ba937a591d943c790bdc0d0592

SHA256
07c123f1f1c374515df888b544f114df17e4b98baaf077a43988c4821d7d8a81

SHA512
ff3fd3f1f3b7ca14d24897b142787e36834ca3ac2ecd66812c813c4acd06702d3a5ccf3ce627a63a083261be952565f922d49f6e9bf69e59d7039e221fa98a8a

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
64KB

MD5
61d376e2328f9587f6bd5153f99b9b3d

SHA1
6eed134a378ccf4060999a9c1a288115881321c5

SHA256
3c0ba835a5e128751ced07d1b91bef0460b986a35c9469afad39ee4dddbded36

SHA512
18e40a15dc11f914ca8648f180c7b56e5f8ffca04ee3a369043dbc073f9deac08f60851df94ad44b9810aa175a34d5bdb46983e2dfc643ddffd1ed61fb0df4c6

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
64KB

MD5
3090d957479041060116f87d68346ccf

SHA1
db83b036ca676bc9a173b9d8359f2957d1ac4332

SHA256
a9a576d0c1fe5d280707a70f5169a364cc0d2782e51c6af15b056a48a8edc522

SHA512
84edc15b879618e6e48b1c94f9a572c0f344da15a9a972a69891590fc1174516ec76159b8ecc18234c770ad582d0a7319a59ea872145de5753d30a7c3c952eda

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
64KB

MD5
e3ac274334b37b6e1940bfda84f408b1

SHA1
b140a7bb678c4caddeddedcaf243d918e2b2fc65

SHA256
3e6b2bbb8efcf9c616a975bec015fef39adcf74d80a7b5332a0751348e00f565

SHA512
cb2271d67785d458d37ee30ac6620c267c837fa630be2f4adc64557e5c2d3ba105322274472ddba08dfae6bfe0512e49561650deea8c5cc6243ed27f6e9ac87a

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
64KB

MD5
1dfec6ff3710d813f54c34d78ab2a877

SHA1
e502f2c48df952ba8eb846cd6e076fd5d49da474

SHA256
c075aedb9d6af95a51d9d27ed9feb10457ee60026181a4da4a488b82fbf7466d

SHA512
54895d36c39dd07653949425dc4860c1d8c8cb1e33a9cdfd53982962e3d47c827f0fee54564992f7877011f0ef720c73ae7420b9bc1a8235e4c41af9a8a320c3

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
64KB

MD5
4874a480e25f507344509d8aaef84e1d

SHA1
612ef111444cfe0a9e69073dbea01bac48e8f98d

SHA256
e5e5df183806df2208e166399ea34e0e08460d240a90daac31047485477f40be

SHA512
95b81def7e6430797bb14bbafcc4810380055b9c986de4c3197c703f8bf522122d02e2bf1e1f048ba4ebac306533094e541a0d9162a33a24d498d57e5020cdae

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
64KB

MD5
79db609bb482c4a52af85c117021d3ae

SHA1
0a1a0c5717c745b31674d5a8d1bbc6b4550c9e15

SHA256
dc2f91662b95f6b3976dbcca4954598c2e1fda982d3cb53a8d3206878d635be2

SHA512
fdb60650f235cbb377112aeb0a1504a83670f59d1d74ef56483e69c12b9b0316ad1631102585deea3ecaca3b5975404683963722d1d618a58d45181958634e22

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
64KB

MD5
e148eac2a37027d39fdba65618c69167

SHA1
89349e5dbabb6caff2f66123d3c2b3fe1286469a

SHA256
a62997452b46e873fbd679a88681063a6d7a0d19d8501652b783909ed6de8b80

SHA512
1816cba85c83d83162f62488cb2b03a86a731c3f678ec0589f721f39a1a74a916fabaf2ac99b96a5329c26aad945add422e58ac6a1b41b4bc7a9a033f6066926

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
64KB

MD5
7cf10fa984b11978c10414fe0f693fe1

SHA1
55106e4b4eec8efb74050d60e40cffd6a4ccf49a

SHA256
7ef61b0940eb5f16cdd6642023267ca6462a2a9889c4fd79292f3640fd96a750

SHA512
fd52215b0249a58a6347cdce1d354fc2043738ff590b9bb1732643b61deb017ceda98b03ff09176e4dc01a027d0a42a7ebcbadb29bb5d90de148fc309f975c55

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
64KB

MD5
110f93c30da05dd65808e7a10e01ab53

SHA1
5759d18ffe53b22c40208fa89dbb50354d70b92a

SHA256
7bee2a3400bfd46fdf894345a443178e013ab5b026e9a283b45f38bdead47533

SHA512
d8fe9845d90b8a8e0ca5ea4163ee6de25ec5009b3b1d9e09546123f984c3f9be11763a934f3df44e41d17234d75fb69ff73d872dcc6e86677a12bf442f60bb56

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
64KB

MD5
259c2404ac7415e68ae6385590ff33d7

SHA1
ebd55c345009f1cb06a3215d060c637c660287d3

SHA256
113ce41e69b6e6f1da8ca8991d29a360eac99f466983a89d1e5d64b5388bedc2

SHA512
b5efde5a5e136efb46c713fc88cfc78248be244cecc725f1509ef92727a69633cbd35db4318512e9a0625f0749537e3ee01a34c3ba8edea0e3bf4f8d969c5d07

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
64KB

MD5
d512e9e593eb73680410dfcd2e313c60

SHA1
ef07d6b7c98c99ecfa540b549508ac790b171d00

SHA256
c93da6f112dffebcda2c23b06a4efb4e41e34b367def97921a2f2c8985d87ea3

SHA512
ff0b9583ae04ddc7e8a5e999adc092a646cdbb4f2c144674c84b1a1974e083f687bc75bb566d0cd0ffe7153e7abb471cb729f619560b6045e99eb1a0b776d693

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
64KB

MD5
5f77a39f27cfff096f4466dc535675e2

SHA1
f9d5a89a3519f53ea418c297e9709eaabc774b8d

SHA256
e02a9f4f4dd38acf33cfb649b4218cecf8e881d6409b6073607566e32c07fdc9

SHA512
7da9b7124ecfa7b275abf61d619d0c3f6b54c91ad0f77a8ac1dbd638463cab842fb5021dc86954bae580f1f67823cd97b9fd93d1233c99b971bb1019e527f519

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
64KB

MD5
f4b2174cc25d8a0d854ed43d8c492ad3

SHA1
0701b1c6ac5f6daaaaacf8f88dba9bca1f265756

SHA256
b8bf3d14e037022bcb51f1d74636ebc757830d4e93224ca68ccb5915427d7459

SHA512
9fbe43e2566db457365a26bc46f7d2fed66e7f4d1b852d79091c6b19fbd81e7963e94c240e76d068eeb24b273f3a5ebadf48273456b12515ec2d170f654d2f52

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
64KB

MD5
e83b7c0b896e44f055a5212326ee5f30

SHA1
c28ff5d85c6e91d90a6ec5dbc39836516178140f

SHA256
ef693917635e2226cb1ebae49ee25451a218bc9902ebafd16bf86d76c8ec64d3

SHA512
12706db06fe09d61ba3cc66739de29f8e3588c727d93835f8fa32b09914a4169de643cb106ce6e2c3cbbb9f5036b0d8dc930d77198ba60462a10378e38f8737c

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
64KB

MD5
166fb52893f3e847ca00cc5cb935d1ec

SHA1
21ffc7bb199c0c1ce0dac7837f1db702b7202448

SHA256
8e9313aaff78a48cbd8cfc54ed0ff221ee204f5cc37860cb374b3911be343244

SHA512
fc99f4c2a5c51ee36abec1e9af3daabcc5bd8338b53ecce354fa128336b1245a637b2be195c016e980b521baac250d38f8787ae8a8409b08602763e4ae9708f3

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
64KB

MD5
0738b1bc9b8e43b6037cf86f2e49f3c2

SHA1
691c42594a775ddab4118d1c295c9fdc4d996d11

SHA256
e0c47fd558df0303804f3daa63096be19d477926a52539e2f081084c2e876576

SHA512
7ccdd9df39c9ad467ec210a3b311a576e9cbb92ca132743ec14da92d8e6beaf5ba418116f9c4ca96d10cbefc85adf6911dd19082877564e05bba2c1cb147a9f9

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
64KB

MD5
6518f61a9590fc152146a7656a475e77

SHA1
bdcebf46029f299db5b4d88ad2ca89d3b86fc51d

SHA256
06a964696ffab14f558da89bc10f02d27c0465eb2d9839c853398cd7fdf9e1d7

SHA512
5e95faec5bb2288fd1a8c36cd878b6b7aedf607ee4eeaba26cd61dde70adb71571a5810692b47cb1e2ca2e5ebd7f60978e4b7d9e448e65eac76a39a1cab6f1e5

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
64KB

MD5
a348f01b6d653eea175ed6d922bc3b09

SHA1
2c7f069a397c96abcf0596bef58628f6c00ec953

SHA256
d763e02b60bfda202441662956286e4e5af6269de87e360ac19ebd9ca7d8d791

SHA512
ce2753e1cba5c2039eda9c81780618290c1cf408e410b89f6821572da9db1fd1948c375979e030f6da7e543ebe0216aee685ee453021cc226307fd310053fa8e

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
64KB

MD5
9ddc380d6b70c167e9c7cf92e464c479

SHA1
e50cdcfc2f01a5f2ae26f0a029bc0c81765dcadb

SHA256
3d7c35be06408894405a951b8987ceeacd7980b658ed038930f43bca9f8718e7

SHA512
e127a571cd8b151ea2f4b79c8916ae3bc9a27cd73d6af8bf1d53a6b4200625fce763fb6bcd3b29445dff316c1ae6593a08ba4eda805bb9d6db98ddb8d3399191

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
64KB

MD5
d1eaf83023d5ed93eb73d262d49b1929

SHA1
a54c47a2cc2727510011657a193c8f575999d40b

SHA256
0afaf0deb2143d9786a84128582494187106315e2785d87f90e880577bc82583

SHA512
3500a7f653248a695cf43fe128bae96bc785f19f856686a369967e838082ea1a94f0b2b875055bd3329b5efc6d863346b1de09bff224ecc1a4cd174bbaf1d3cd

Download Submit
memory/8-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-4-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/696-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads