0b96760ffd775c8d900cd483cd773e2cb755c4248e03c9ff1b8728886e0c7828

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfc3df2e75679c7708695f9ac5004730_NeikiAnalytics.exe
Size

161KB
MD5

cfc3df2e75679c7708695f9ac5004730
SHA1

bf0f3db5a2eecaf349a0c8c89d7b323d56b11c73
SHA256

0b96760ffd775c8d900cd483cd773e2cb755c4248e03c9ff1b8728886e0c7828
SHA512

f40a620dbb7dd70d6f3614d00e0542c0ba1522e6523f24e5a11057c02b8ac1e6642adffc3d35e2f2cd64af98e5a2b2172f445cb69fd41b35daed5900232dc453
SSDEEP

3072:qBXzqgYTHL/MxcyAlwkuVwtCJXeex7rrIRZK8K8/kv:wqgCMxcyDkuVwtmeetrIyR

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qikbaaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmggingc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Foapaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kheekkjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfbaalbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahfmpnql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfmpnql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joqafgni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqgmmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eghkjdoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplobcpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbnaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egbken32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbdgec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Infhebbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaemilci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nadleilm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilkoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dggkipii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeandma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjolie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljqhkckn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbknebqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljqhkckn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekajec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heegad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnbnjc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidinqpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgiohbfi.exe

Malware Dropper & Backdoor - Berbew 51 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0008000000023268-6.dat	family_berbew
behavioral2/files/0x000800000002326c-14.dat	family_berbew
behavioral2/files/0x0008000000023270-22.dat	family_berbew
behavioral2/files/0x0007000000023272-30.dat	family_berbew
behavioral2/files/0x0007000000023274-38.dat	family_berbew
behavioral2/files/0x0007000000023276-46.dat	family_berbew
behavioral2/files/0x0007000000023278-54.dat	family_berbew
behavioral2/files/0x000700000002327a-63.dat	family_berbew
behavioral2/files/0x000700000002327c-71.dat	family_berbew
behavioral2/files/0x000700000002327f-79.dat	family_berbew
behavioral2/files/0x0007000000023281-87.dat	family_berbew
behavioral2/files/0x0007000000023283-96.dat	family_berbew
behavioral2/files/0x0007000000023285-105.dat	family_berbew
behavioral2/files/0x0007000000023287-114.dat	family_berbew
behavioral2/files/0x0007000000023289-123.dat	family_berbew
behavioral2/files/0x000700000002328b-132.dat	family_berbew
behavioral2/files/0x000700000002328d-141.dat	family_berbew
behavioral2/files/0x000700000002328f-145.dat	family_berbew
behavioral2/files/0x0007000000023291-159.dat	family_berbew
behavioral2/files/0x0007000000023293-168.dat	family_berbew
behavioral2/files/0x0007000000023295-177.dat	family_berbew
behavioral2/files/0x0007000000023298-186.dat	family_berbew
behavioral2/files/0x000700000002329a-195.dat	family_berbew
behavioral2/files/0x000700000002329c-204.dat	family_berbew
behavioral2/files/0x000700000002329e-213.dat	family_berbew
behavioral2/files/0x00070000000232a0-217.dat	family_berbew
behavioral2/files/0x00070000000232a2-231.dat	family_berbew
behavioral2/files/0x00070000000232a4-240.dat	family_berbew
behavioral2/files/0x00070000000232a6-248.dat	family_berbew
behavioral2/files/0x00070000000232a8-258.dat	family_berbew
behavioral2/files/0x00070000000232aa-267.dat	family_berbew
behavioral2/files/0x00070000000232ac-271.dat	family_berbew
behavioral2/files/0x00070000000232b9-322.dat	family_berbew
behavioral2/files/0x00070000000232c1-351.dat	family_berbew
behavioral2/files/0x00070000000232d5-420.dat	family_berbew
behavioral2/files/0x00070000000232db-441.dat	family_berbew
behavioral2/files/0x00070000000232e1-462.dat	family_berbew
behavioral2/files/0x00070000000232ed-504.dat	family_berbew
behavioral2/files/0x00070000000232f1-519.dat	family_berbew
behavioral2/files/0x00070000000232f5-532.dat	family_berbew
behavioral2/files/0x000700000002330a-602.dat	family_berbew
behavioral2/files/0x0007000000023310-623.dat	family_berbew
behavioral2/files/0x000700000002331e-673.dat	family_berbew
behavioral2/files/0x000700000002332f-728.dat	family_berbew
behavioral2/files/0x0007000000023335-749.dat	family_berbew
behavioral2/files/0x0007000000023341-790.dat	family_berbew
behavioral2/files/0x0007000000023347-811.dat	family_berbew
behavioral2/files/0x000700000002334f-839.dat	family_berbew
behavioral2/files/0x000700000002335b-881.dat	family_berbew
behavioral2/files/0x000700000002335d-889.dat	family_berbew
behavioral2/files/0x0007000000023380-1000.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
408	Ljqhkckn.exe
4992	Mnhdgpii.exe
3516	Mokmdh32.exe
3280	Mgeakekd.exe
3184	Nncccnol.exe
4600	Nadleilm.exe
1972	Nceefd32.exe
2492	Ojajin32.exe
4272	Ojdgnn32.exe
4652	Oghghb32.exe
1264	Ofmdio32.exe
1592	Pmiikh32.exe
3744	Pnifekmd.exe
2352	Pplobcpp.exe
4904	Phfcipoo.exe
4568	Qfkqjmdg.exe
2524	Qacameaj.exe
3164	Aknbkjfh.exe
1064	Adhdjpjf.exe
2940	Ahfmpnql.exe
1740	Bmeandma.exe
4424	Bhmbqm32.exe
2960	Bhpofl32.exe
3116	Bhblllfo.exe
1272	Cggimh32.exe
1396	Cacckp32.exe
572	Dkndie32.exe
3852	Ddifgk32.exe
332	Ddkbmj32.exe
4140	Ebaplnie.exe
788	Eqgmmk32.exe
1804	Egcaod32.exe
3988	Ekajec32.exe
1184	Eghkjdoa.exe
3928	Foapaa32.exe
2732	Gokbgpeg.exe
2196	Gnpphljo.exe
2028	Gacepg32.exe
3792	Ghojbq32.exe
4376	Heegad32.exe
1604	Hbihjifh.exe
4864	Hpmhdmea.exe
4752	Hbnaeh32.exe
4208	Ilibdmgp.exe
1224	Ilkoim32.exe
2268	Ipkdek32.exe
4068	Jidinqpb.exe
4640	Joqafgni.exe
1496	Jeocna32.exe
2332	Johggfha.exe
3100	Jimldogg.exe
3244	Kpiqfima.exe
2416	Kheekkjl.exe
4608	Klbnajqc.exe
2216	Kpqggh32.exe
2316	Lpepbgbd.exe
4268	Lhcali32.exe
5112	Llcghg32.exe
4556	Mpapnfhg.exe
2172	Mhldbh32.exe
4948	Mhoahh32.exe
312	Mfbaalbi.exe
1800	Mbibfm32.exe
4928	Nfgklkoc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mgeakekd.exe	Mokmdh32.exe
File created	C:\Windows\SysWOW64\Jimldogg.exe	Johggfha.exe
File created	C:\Windows\SysWOW64\Kpiqfima.exe	Jimldogg.exe
File created	C:\Windows\SysWOW64\Glqfgdpo.dll	Mhldbh32.exe
File created	C:\Windows\SysWOW64\Leeigm32.dll	Qmdblp32.exe
File opened for modification	C:\Windows\SysWOW64\Ojajin32.exe	Nceefd32.exe
File opened for modification	C:\Windows\SysWOW64\Bdeiqgkj.exe	Binhnomg.exe
File opened for modification	C:\Windows\SysWOW64\Jnbgaa32.exe	Jdmcdhhe.exe
File opened for modification	C:\Windows\SysWOW64\Cacckp32.exe	Cggimh32.exe
File created	C:\Windows\SysWOW64\Mjjkejin.dll	Jeocna32.exe
File created	C:\Windows\SysWOW64\Diadam32.dll	Lpepbgbd.exe
File created	C:\Windows\SysWOW64\Hgnfpc32.dll	Khabke32.exe
File opened for modification	C:\Windows\SysWOW64\Ilibdmgp.exe	Hbnaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Hnbnjc32.exe	Hbknebqi.exe
File opened for modification	C:\Windows\SysWOW64\Aplaoj32.exe	Aagdnn32.exe
File created	C:\Windows\SysWOW64\Dnhpfk32.dll	Dalofi32.exe
File created	C:\Windows\SysWOW64\Ipkdek32.exe	Ilkoim32.exe
File opened for modification	C:\Windows\SysWOW64\Pplobcpp.exe	Pnifekmd.exe
File opened for modification	C:\Windows\SysWOW64\Mhldbh32.exe	Mpapnfhg.exe
File opened for modification	C:\Windows\SysWOW64\Fgqgfl32.exe	Fdpnda32.exe
File created	C:\Windows\SysWOW64\Ljqhkckn.exe	cfc3df2e75679c7708695f9ac5004730_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Cjehdpem.dll	Hbihjifh.exe
File created	C:\Windows\SysWOW64\Bhkhop32.dll	Aagdnn32.exe
File opened for modification	C:\Windows\SysWOW64\Ejlnfjbd.exe	Epdime32.exe
File created	C:\Windows\SysWOW64\Mapchaef.dll	Jbijgp32.exe
File created	C:\Windows\SysWOW64\Idefqiag.dll	cfc3df2e75679c7708695f9ac5004730_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ofgdcipq.exe	Nbebbk32.exe
File created	C:\Windows\SysWOW64\Ipecicga.dll	Bmggingc.exe
File created	C:\Windows\SysWOW64\Bopnkd32.dll	Dnljkk32.exe
File created	C:\Windows\SysWOW64\Gfbhcl32.dll	Ddmhhd32.exe
File created	C:\Windows\SysWOW64\Hgcmbj32.exe	Hjolie32.exe
File created	C:\Windows\SysWOW64\Qnbidcgp.dll	Ahfmpnql.exe
File created	C:\Windows\SysWOW64\Goniok32.dll	Ilkoim32.exe
File opened for modification	C:\Windows\SysWOW64\Hccggl32.exe	Gqbneq32.exe
File created	C:\Windows\SysWOW64\Qfkqjmdg.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Djkpla32.dll	Ppnenlka.exe
File created	C:\Windows\SysWOW64\Qmdblp32.exe	Pmbegqjk.exe
File created	C:\Windows\SysWOW64\Jfdklc32.dll	Loemnnhe.exe
File created	C:\Windows\SysWOW64\Ddifgk32.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Binhnomg.exe
File created	C:\Windows\SysWOW64\Fopjdidn.dll	Mokmdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bhblllfo.exe	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Lpepbgbd.exe	Kpqggh32.exe
File created	C:\Windows\SysWOW64\Fohogfgd.dll	Dggkipii.exe
File created	C:\Windows\SysWOW64\Epdime32.exe	Ejjaqk32.exe
File opened for modification	C:\Windows\SysWOW64\Khabke32.exe	Koimbpbc.exe
File created	C:\Windows\SysWOW64\Nfgklkoc.exe	Mbibfm32.exe
File opened for modification	C:\Windows\SysWOW64\Pplhhm32.exe	Pcegclgp.exe
File created	C:\Windows\SysWOW64\Lcgagm32.dll	Gqbneq32.exe
File created	C:\Windows\SysWOW64\Gqpbcn32.dll	Jhfbog32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnconj.exe	Loemnnhe.exe
File opened for modification	C:\Windows\SysWOW64\Ahfmpnql.exe	Adhdjpjf.exe
File created	C:\Windows\SysWOW64\Gokbgpeg.exe	Foapaa32.exe
File created	C:\Windows\SysWOW64\Kdlmhj32.dll	Lklnconj.exe
File created	C:\Windows\SysWOW64\Jidinqpb.exe	Ipkdek32.exe
File created	C:\Windows\SysWOW64\Pnjiffif.dll	Ipkdek32.exe
File created	C:\Windows\SysWOW64\Ibepke32.dll	Kheekkjl.exe
File opened for modification	C:\Windows\SysWOW64\Kpqggh32.exe	Klbnajqc.exe
File opened for modification	C:\Windows\SysWOW64\Nceefd32.exe	Nadleilm.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Eclbio32.dll	Egegjn32.exe
File created	C:\Windows\SysWOW64\Apocmn32.dll	Gjaphgpl.exe
File created	C:\Windows\SysWOW64\Lhbkac32.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Gpdbcaok.dll	Kpiqfima.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7092	6948	WerFault.exe	238

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbobjbh.dll"	Hjolie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamebb32.dll"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goniok32.dll"	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnkibcle.dll"	Ofgdcipq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljqhkckn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojenek32.dll"	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhblffgn.dll"	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddkbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilbckfb.dll"	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll"	Fdpnda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepmal32.dll"	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaadk32.dll"	Iecmhlhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icachjbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibokqno.dll"	Jnbgaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khecje32.dll"	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll"	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbjnc32.dll"	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaemilci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gokbgpeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhldbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkalbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofmfi32.dll"	Nceefd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qacameaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aknbkjfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahfmpnql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddifgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgagm32.dll"	Gqbneq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddifgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pomfkgml.dll"	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkqol32.dll"	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdklc32.dll"	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cfc3df2e75679c7708695f9ac5004730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gnpphljo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnpckhnk.dll"	Nbnlaldg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijiopd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijgiemgc.dll"	Bjfogbjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkalbj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 408	4832	cfc3df2e75679c7708695f9ac5004730_NeikiAnalytics.exe	91
PID 4832 wrote to memory of 408	4832	cfc3df2e75679c7708695f9ac5004730_NeikiAnalytics.exe	91
PID 4832 wrote to memory of 408	4832	cfc3df2e75679c7708695f9ac5004730_NeikiAnalytics.exe	91
PID 408 wrote to memory of 4992	408	Ljqhkckn.exe	92
PID 408 wrote to memory of 4992	408	Ljqhkckn.exe	92
PID 408 wrote to memory of 4992	408	Ljqhkckn.exe	92
PID 4992 wrote to memory of 3516	4992	Mnhdgpii.exe	93
PID 4992 wrote to memory of 3516	4992	Mnhdgpii.exe	93
PID 4992 wrote to memory of 3516	4992	Mnhdgpii.exe	93
PID 3516 wrote to memory of 3280	3516	Mokmdh32.exe	94
PID 3516 wrote to memory of 3280	3516	Mokmdh32.exe	94
PID 3516 wrote to memory of 3280	3516	Mokmdh32.exe	94
PID 3280 wrote to memory of 3184	3280	Mgeakekd.exe	95
PID 3280 wrote to memory of 3184	3280	Mgeakekd.exe	95
PID 3280 wrote to memory of 3184	3280	Mgeakekd.exe	95
PID 3184 wrote to memory of 4600	3184	Nncccnol.exe	96
PID 3184 wrote to memory of 4600	3184	Nncccnol.exe	96
PID 3184 wrote to memory of 4600	3184	Nncccnol.exe	96
PID 4600 wrote to memory of 1972	4600	Nadleilm.exe	97
PID 4600 wrote to memory of 1972	4600	Nadleilm.exe	97
PID 4600 wrote to memory of 1972	4600	Nadleilm.exe	97
PID 1972 wrote to memory of 2492	1972	Nceefd32.exe	98
PID 1972 wrote to memory of 2492	1972	Nceefd32.exe	98
PID 1972 wrote to memory of 2492	1972	Nceefd32.exe	98
PID 2492 wrote to memory of 4272	2492	Ojajin32.exe	99
PID 2492 wrote to memory of 4272	2492	Ojajin32.exe	99
PID 2492 wrote to memory of 4272	2492	Ojajin32.exe	99
PID 4272 wrote to memory of 4652	4272	Ojdgnn32.exe	100
PID 4272 wrote to memory of 4652	4272	Ojdgnn32.exe	100
PID 4272 wrote to memory of 4652	4272	Ojdgnn32.exe	100
PID 4652 wrote to memory of 1264	4652	Oghghb32.exe	101
PID 4652 wrote to memory of 1264	4652	Oghghb32.exe	101
PID 4652 wrote to memory of 1264	4652	Oghghb32.exe	101
PID 1264 wrote to memory of 1592	1264	Ofmdio32.exe	102
PID 1264 wrote to memory of 1592	1264	Ofmdio32.exe	102
PID 1264 wrote to memory of 1592	1264	Ofmdio32.exe	102
PID 1592 wrote to memory of 3744	1592	Pmiikh32.exe	103
PID 1592 wrote to memory of 3744	1592	Pmiikh32.exe	103
PID 1592 wrote to memory of 3744	1592	Pmiikh32.exe	103
PID 3744 wrote to memory of 2352	3744	Pnifekmd.exe	104
PID 3744 wrote to memory of 2352	3744	Pnifekmd.exe	104
PID 3744 wrote to memory of 2352	3744	Pnifekmd.exe	104
PID 2352 wrote to memory of 4904	2352	Pplobcpp.exe	105
PID 2352 wrote to memory of 4904	2352	Pplobcpp.exe	105
PID 2352 wrote to memory of 4904	2352	Pplobcpp.exe	105
PID 4904 wrote to memory of 4568	4904	Phfcipoo.exe	106
PID 4904 wrote to memory of 4568	4904	Phfcipoo.exe	106
PID 4904 wrote to memory of 4568	4904	Phfcipoo.exe	106
PID 4568 wrote to memory of 2524	4568	Qfkqjmdg.exe	107
PID 4568 wrote to memory of 2524	4568	Qfkqjmdg.exe	107
PID 4568 wrote to memory of 2524	4568	Qfkqjmdg.exe	107
PID 2524 wrote to memory of 3164	2524	Qacameaj.exe	108
PID 2524 wrote to memory of 3164	2524	Qacameaj.exe	108
PID 2524 wrote to memory of 3164	2524	Qacameaj.exe	108
PID 3164 wrote to memory of 1064	3164	Aknbkjfh.exe	109
PID 3164 wrote to memory of 1064	3164	Aknbkjfh.exe	109
PID 3164 wrote to memory of 1064	3164	Aknbkjfh.exe	109
PID 1064 wrote to memory of 2940	1064	Adhdjpjf.exe	110
PID 1064 wrote to memory of 2940	1064	Adhdjpjf.exe	110
PID 1064 wrote to memory of 2940	1064	Adhdjpjf.exe	110
PID 2940 wrote to memory of 1740	2940	Ahfmpnql.exe	111
PID 2940 wrote to memory of 1740	2940	Ahfmpnql.exe	111
PID 2940 wrote to memory of 1740	2940	Ahfmpnql.exe	111
PID 1740 wrote to memory of 4424	1740	Bmeandma.exe	112

C:\Users\Admin\AppData\Local\Temp\cfc3df2e75679c7708695f9ac5004730_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cfc3df2e75679c7708695f9ac5004730_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\SysWOW64\Ljqhkckn.exe
  C:\Windows\system32\Ljqhkckn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\Mnhdgpii.exe
    C:\Windows\system32\Mnhdgpii.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Windows\SysWOW64\Mokmdh32.exe
      C:\Windows\system32\Mokmdh32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3516
    - - C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
      - C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3116
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        27⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:572
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Ddkbmj32.exe
        
        C:\Windows\system32\Ddkbmj32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:332
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        31⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:788
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\Foapaa32.exe
        
        C:\Windows\system32\Foapaa32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        39⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        40⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        43⤵
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        45⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4640
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2416
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        58⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:312
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1800
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        65⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        66⤵
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        67⤵
        
        PID:416
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        68⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        70⤵
        Modifies registry class
        
        PID:500
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        71⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        72⤵
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        73⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        74⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        75⤵
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        78⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        79⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        80⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        81⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        82⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        83⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        85⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        89⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        94⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        98⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        102⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        105⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Gkalbj32.exe
        
        C:\Windows\system32\Gkalbj32.exe
        108⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Gggmgk32.exe
        
        C:\Windows\system32\Gggmgk32.exe
        109⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Gqbneq32.exe
        
        C:\Windows\system32\Gqbneq32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Hccggl32.exe
        
        C:\Windows\system32\Hccggl32.exe
        111⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Hbdgec32.exe
        
        C:\Windows\system32\Hbdgec32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        114⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Hcjmhk32.exe
        
        C:\Windows\system32\Hcjmhk32.exe
        115⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Hnbnjc32.exe
        
        C:\Windows\system32\Hnbnjc32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Ijiopd32.exe
        
        C:\Windows\system32\Ijiopd32.exe
        118⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        119⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Infhebbh.exe
        
        C:\Windows\system32\Infhebbh.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Iecmhlhb.exe
        
        C:\Windows\system32\Iecmhlhb.exe
        121⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        122⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        123⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        127⤵
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        128⤵
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        129⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        130⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        131⤵
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        135⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6680
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6724
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6768
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6808
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6904
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        142⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6948 -s 232
        143⤵
        Program crash
        
        PID:7092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6948 -ip 6948
1⤵
PID:7040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:6432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adhdjpjf.exe

Filesize
161KB

MD5
077da8f642a784ed1cde986a7a18b608

SHA1
afe5f7b58b6f91a564565d50f49270fd6287a692

SHA256
83d5d0725581f11d1acc74d388ea4b91209e2fd0d2df4cb367090b6139c4b8c0

SHA512
ef584591f404aff715f3d258ac37400d9e9bddfa109b80213871efa2cb3e8ed71f97483806adb15b6e4f1e2f39f2f02ceb6b1a9f3224f9e5a6de6fb9aedda3e7

Download Submit
C:\Windows\SysWOW64\Ahfmpnql.exe

Filesize
161KB

MD5
63e7735dece7e0e8f327c520a00fecfb

SHA1
f0b70a652497e77a0beb933edbb6b0a118b05b44

SHA256
91234fe36f260275a10939540d1070161d665cc1546d3d18b7996c5df8173503

SHA512
968066aacd4764a22035afcf01d7c19e19cef0bd21ce4ad14629198beca5b39676c0a92c210ec35c5c01ed18237aa42267e7fb949d10c3b22cb8f96dd7bf67b9

Download Submit
C:\Windows\SysWOW64\Aknbkjfh.exe

Filesize
161KB

MD5
ad89f13a375b86d071288c92188f184a

SHA1
cb01a4db3edae69d061035e034cd7f1a91007830

SHA256
3d71fd40509270b8bf6d53872efa8bb4450d0db1daba2ea77ccb1196a1f130f0

SHA512
6b46ab9a24ff740c99a69ce63fe9d44ca20cf7aa93be6ddfb81b909a47ed795a9096076c6d92632308534077603efcc977530405ce7c41baf840df90beff79ce

Download Submit
C:\Windows\SysWOW64\Aplaoj32.exe

Filesize
161KB

MD5
62ea326be45da6d79a1623f348c65b95

SHA1
4a7a5889629ecb2b268d6afe71fbb57f8ebc7191

SHA256
05736c984df6825961c42ae868eb5eeaffaf2f38ef6af0b5f6558e7d4515cf43

SHA512
a5796687fe37a2f0f6369ef82e780a793958e09a2fee3d9a4b9400f1e34e5932e6edcfe94aaab7079090e3df312b5c9712c8f145ac8ba8b5e08bbc5bb81818af

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
161KB

MD5
e86fe2e719898b5a5ebf39c22b01f5a5

SHA1
f47658ef36b72dfd11313e0aad4c8f7005cdf406

SHA256
f8ca1d268b365994839b366cd204157a5596f3db843eef68905f91efb4f15e2a

SHA512
3abe8c37943da1744b4c385467353381ec3358e450e332f9c8bf64ca234851ddbd4e608083b978eb22d312f3e9161eb4f9e2b859be676295cc2bf43beba6508b

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
161KB

MD5
747260fc9daf41d29ebcf4a3281dff4e

SHA1
0d145cc22ed118607472d8ad19326291876cae7c

SHA256
00caceaa39f6e67ee5947cff41c8652b91d7e50d1404aafaaf8d27f4c8509c7a

SHA512
aa084b3c22bccb351561783285f14d0d407bbbe3a314d54a41e731ef43033abf182ba27af19f100e62e5334d478ff8527ed7c9289b0a8e6e3e2f164a5a5cfbee

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
161KB

MD5
36358b439ee7fa97172ada0729c7b837

SHA1
c30037cd78b6ba47b5b2e879b64f22cc01610b98

SHA256
fd6e1df58c88421ba65b38643d907d917394efb813f6c4005c52ccaaff2199aa

SHA512
d4560ce5eea5cb98d9a96cd9c1f219f482b82c32cde27eb425f29201ad615d8660fcf74a78f20a4e173a6d279ac93b83fbf735e59f84984b64cb4973dc6f9bd8

Download Submit
C:\Windows\SysWOW64\Bjfogbjb.exe

Filesize
161KB

MD5
d6a20bb88d22fe45ad4cfe1f3c94184b

SHA1
a96914d2add1abad887fb92a0c664138bb44d0c7

SHA256
44db7c66582851b13a4b3276e968544bae6dc5c8b6aa3385d6259d7aaa0d341e

SHA512
eba31e3ebec2f98f8500e1c2e05305fd4a70d9a1302ce97ee399782745d533b2614f128df0d9627e5412245235d64eb95f40f22891ac15984c450ec32c761012

Download Submit
C:\Windows\SysWOW64\Bmeandma.exe

Filesize
161KB

MD5
30de857f02225a3cbd32c3a2bf4476d0

SHA1
3b848c9d2d4407ac630e91da6bb3047a112ffb7e

SHA256
6849d6bcba5ebf9a056b76414887968b317d05472dd2374bdd3bf3fa31590543

SHA512
365a5b4062afa0bd262b6d64a382dce333acc293596a5fd20a3eae6052a4e99474df6bf3275e9025b8d0af0ceb0e046e97126e596fc8c316929e28ab8be833ac

Download Submit
C:\Windows\SysWOW64\Cacckp32.exe

Filesize
161KB

MD5
8e84c0b8354eab61693a1b5eed19da82

SHA1
afcc6a7067b701757348eaccc4dfa239cd84323a

SHA256
8f5299f7afc0bda33699ea683faed3afec80117a368b1fac315384727ee68b97

SHA512
36dee3cb5680fa3f786d4ddd94d86441632a529bd8bc2be364c4f2019caf3bd88f3bcd8f7c51c672183d2154a208bf52c1774fc03327f3c513eebfd67689a5a7

Download Submit
C:\Windows\SysWOW64\Cggimh32.exe

Filesize
161KB

MD5
3d149bd826f080ced7176d7439b93df2

SHA1
77bbfd2fb445a873c4fcc98d9a87f1b66d9a34a8

SHA256
498f68f48e9b911c757a69e68efbf02bc31550ec76870b05c8aba6aab6295980

SHA512
5dae324afadda78576aa8c050459f2bcca4c2c6803eec189236c79610e67e6def13a165ec77b3580aea81fa5a8a5a03f8719b11b763abc0a7245bcfed483b627

Download Submit
C:\Windows\SysWOW64\Cgmhcaac.exe

Filesize
161KB

MD5
628c28e18143259c49051bbe72238868

SHA1
dddb04a1a6db511c1d31cc7461404e2f290b2063

SHA256
810e99dcf0b06b77fd48f926956c252a6111df227d27480d339022df37805c98

SHA512
ec89e833d6d991f91969911d9ded523cda493c478c8687ed194eceae10ba4aec46597b4254a50864cf8dec0858f1311a4b25d10583ea265cac45cafba147a751

Download Submit
C:\Windows\SysWOW64\Ddifgk32.exe

Filesize
161KB

MD5
f4a01a3fe76f33a936ff78020dc198b9

SHA1
c06b85f50d4fa5a0074368ace7f64db7d09f4783

SHA256
2fdaad90f7c16baa3dc43cc2075b7de2cd62c5904e3c2858444bacca2f9445ff

SHA512
eed8ceeb3ac560767966cf6116394d538506ccd750834ee01d9fb09112b554e300f0d2650bc95eab09528f11729f074763495b8decce6a3277544f9ac5c88874

Download Submit
C:\Windows\SysWOW64\Ddkbmj32.exe

Filesize
161KB

MD5
2f993e38d2537574320ae20e6e71dd40

SHA1
a1cbb40d1d54da4cf164e76c6636da2b350d4cdd

SHA256
4d922496d1cb7fac982d20b83c43628bbfd8a668f9bc0046a5b8651c1e582bdd

SHA512
d7274ebf54b6d514978b96df7031ad810cb50e0468f6da7be1f2f4c8b49071b218940aa71a4f9d3a8093877f45973ccc19bf9e0cdeb06cb9d59170ec923da349

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
161KB

MD5
eafd9195c5d9ce6b2dda4db1b1c6ae0a

SHA1
1cb91450d2d2be1533e1ae4d449dbb7eb098595e

SHA256
e2196066d9dd6412bff091cef0bdc005d7960ec7ab2974c4d0c719f15711976b

SHA512
9125b19b73e5c2882f5267e9803d6ad2addba5e25268a4d91acae70576f96f844e06a81d61c7ace1d640a761675e555984d8c76c64f2833ebe5dd3551d63a807

Download Submit
C:\Windows\SysWOW64\Ebaplnie.exe

Filesize
161KB

MD5
6b7ee68a8115f14b70760c4d6cc9026f

SHA1
add390b51a70a3b5eef64d426d0ea7552d30f474

SHA256
6ed51216efb866bb552324c99809787c2e77c179416d590d876dc371afad315e

SHA512
07b66cf8e17f59ef53e346e2ab628fbfbb7a9533ff119a251468bc7f6a21255b699fde5011f240e47972ea05a033de3f379ab825f0f5c678b799c05067d742d2

Download Submit
C:\Windows\SysWOW64\Egcaod32.exe

Filesize
161KB

MD5
e8a4f2bc3ed7bf0dbf48d61f2fab0e66

SHA1
a9b3c7e28558ce21b49d45d20ae3e0bb8533ab7b

SHA256
772c1b8a3d4cec458a1ba39cf6a3df158a9df2921ce12135e37b95384c4e027a

SHA512
2558889819bbcbefe4ccae73e7dd2b69b6bc08cb0b21b568fc4afeb8e405ba30cda746ad704e4201bb73430ff2a4e06512acdf0e273ff557f9e5d68fc4ebfd83

Download Submit
C:\Windows\SysWOW64\Ejlnfjbd.exe

Filesize
161KB

MD5
9a00edbe42adf6eca283ae30bd0ad68d

SHA1
a5cc28ddbc3c1fe1b7bb2585053f4255eedcc59b

SHA256
bad82ee74fe0389f66d14089239151cdfad7176d8cae87e4c30b39b0d8f9a4c7

SHA512
1a15a8aef23e26e1dc339ff3135422f8c391cadf4652a1309d18d73d46368abea3a2ac10e3ee92dfb4e756830d8fc22cf584f859f6d095d10fc6c80e3f01f3f8

Download Submit
C:\Windows\SysWOW64\Eqgmmk32.exe

Filesize
161KB

MD5
9aa1b37db70334c37f67b2e7bcd60c06

SHA1
219a548c160650c49a406041ed5f0f7e05909e23

SHA256
693e2766f16b34450ff067ca0312838c79cb4bda38cab7c29a28ff77121a1176

SHA512
0c785a2fc37b5ef04d52deaad98ef5cf7382852580434cf9e34ac3b18aa4413deda1f215033c9e2e39a007005462a014f58f586deddc03a96a836a8a159d2fc8

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
161KB

MD5
011bdd21ee334a68a201928dad6d4bee

SHA1
3d3d4dc4d2ce89e21f47a67122b8769c0f129587

SHA256
66f4ed178f2372d9e73b6bbf168ddf0897de53bcbfbd6fe626ce6defeef2aeea

SHA512
17be02b154dfd5eac6d81a0480a194257589cee163a44fec8ae939406e92586f0c9825cf38c966b655fa02167c8f09726b20f6cb4dfdcb4edc8c00de116afcba

Download Submit
C:\Windows\SysWOW64\Ghojbq32.exe

Filesize
161KB

MD5
f277378d7f7a2179c16e8267b6e300a7

SHA1
1a3bcb8dbf55828fb6c8d7b9cf44caa0ddaefdf5

SHA256
b48a050ef89dbbfb39419b2502b2678eb12d062e1d378fa735cab05a1f6fca2b

SHA512
d51e4fae954ff6853b5a486c32a9bccb50507e99c3f1104d57cfaa85dfdd23611db1595e2ede7f52f72350f847d71f3b8c694ccf0e2be7a066358002a8374c41

Download Submit
C:\Windows\SysWOW64\Gjaphgpl.exe

Filesize
161KB

MD5
53d936d1d0094eabf7a726b62cd722dd

SHA1
0d9a07538f0d84092154bdbcb34e9f599c6710ac

SHA256
e8f201f32f992edd7f314def68be9ca8c275aef6f8b7a244f50b670488db7741

SHA512
48ae2b7b43b6e6f14c1bcd22e145d907fab8acf1595ed0ddb4a7f0db4c479943413aa186ec81519316f7f27ab5528a187d70eb46c76e189133223dcd643d14d4

Download Submit
C:\Windows\SysWOW64\Gqbneq32.exe

Filesize
161KB

MD5
be8eb1ee2cb0aba392b31e33a822c118

SHA1
8c69a9fd8a9437cbe6be76138b8c90474cdbda89

SHA256
4657fc03e3c7b10bf54039444ace545d50d5cdfb18fce9b863b43106f0c6f36b

SHA512
e51dd52353b9d66d3843eae63ea611e23abe1a1823d5c68a7c01ead2038dc11e05051de3263ec1cacdf804ea4a6ea2d25b1a38cacda59d12c61cb76feba523ce

Download Submit
C:\Windows\SysWOW64\Hbnaeh32.exe

Filesize
161KB

MD5
43e5f5d635f031bd5ee160f06c82b2d5

SHA1
3762be980cb6e47302b9e1c0be7c5b2c19481cb2

SHA256
1ee2bfd78df4f5315f7e832f5d0a1e77c1e0fc879b9d34fed2247eec564d963e

SHA512
11a414f0b0e7a5c7241382b215961fea94a421abd0ea22baccdb5380e83b3bb5f678beb281e7d24f0ac0aac2de23ffc3a9e61fa0fe8401c1c642aff4e77f1b85

Download Submit
C:\Windows\SysWOW64\Hgcmbj32.exe

Filesize
161KB

MD5
1c6e50b69708b23f58a687df493e777c

SHA1
dd4f2e2233321543586da5c60b1d0c0cafdb63e8

SHA256
98f17ac1ae3bf6611d34a410e161e135011429d0a2fa5599a25e4c1a9c8d6cf9

SHA512
cd7d0b46404d091c20a0972fbce3bb41ab2b509004e9056854705e683610922d78a3a067108c778b153c9ce2fc2ae1d4564228ff2e2563ed33b981277bdd8a75

Download Submit
C:\Windows\SysWOW64\Iecmhlhb.exe

Filesize
161KB

MD5
2310d3250182b2cc3568ccdec92e7ed6

SHA1
a6bfaba300340ca41e105b2cc4885df5038bef2f

SHA256
49a7f43763cad36a800aeddfb0aac1784a2ec95a4c2837549af13ac93c69f32e

SHA512
7d04ee6bb9ce5b696d785f92f49d73b2a573bc0d09c63023579efc4c9bcca08b14faa0747a42b789efd9c589646ccd66f3a8f03366c14881507a7d53620a054e

Download Submit
C:\Windows\SysWOW64\Infhebbh.exe

Filesize
161KB

MD5
33dd90e8a021e51b6c89fc8fac1005bc

SHA1
1ecab047bf869177071994530381371825d6a27b

SHA256
5654eca126c783d424cbb7ba23c1130993828cc43e916ba7b91f03185d73ff0f

SHA512
6678589a74517ea3cc5334ebd2da176d716ebd9fa60672409f853dce0b418ab1d0fa9d8aee6de7ab531337e54f3e06c4bbd44c9c0d0c3d6371481870a6e5aaea

Download Submit
C:\Windows\SysWOW64\Jjjojj32.dll

Filesize
7KB

MD5
fd5c10dfcd916837ecc1a9e9aaf9760f

SHA1
9c9176fe243ca1f6803096a72b838bcd943435a0

SHA256
081177ca454f530245cfa01c65e602e3aba6f3ab4121dd42d2b84ea060bf87f6

SHA512
85a51bfdcf451ccecc962e8998872a757996627e20d4f61fc677560d8726fe31225410161a2b721a7c776aac11fad8ec954d5e841b11cb0ab6e7b9a70c21e4ff

Download Submit
C:\Windows\SysWOW64\Kheekkjl.exe

Filesize
161KB

MD5
42c65cbaebc72d4e92eef35148359bb5

SHA1
609aef6213499718a2007bb89c4b80819d42c82b

SHA256
09d9224e9f2608a37e46e51a1a44425e74f079f90e57910fff005b27a986907d

SHA512
6a9122e5cd602804da34c0e70f7581199dc0218d3c7e0e9dae2b13bb6e4f72a0f738f24691e11dd892140571ddb442adcf0f9ea9968be8a09abb1c713a1af9bd

Download Submit
C:\Windows\SysWOW64\Klbgfc32.exe

Filesize
161KB

MD5
f50919a52b79e7e0bd63118df54a3596

SHA1
677d26aba02228cb80f5f234201ba210c6bbaccd

SHA256
820bdff5742383e81dcdecc2a5072a93630e51dcb491478f955fdda03656ce95

SHA512
ca06cdcc9ec37bc552169b74cb6e27e33a581927b57730cac9b59571e2bf9fd8aab0da3a7b9ded5df05c4df413e856e4cb5c46d60f2214e944acded1613e0b16

Download Submit
C:\Windows\SysWOW64\Ljqhkckn.exe

Filesize
161KB

MD5
c9fae273804ad8034c8f92e7448df55b

SHA1
8fbdbc0d75de256b747594224f02c861f0d6222f

SHA256
3b6cfc8c0114f2babeae62c33759074c14b1ed506e4d3bf3486fb280bddeb3d8

SHA512
f21b466240f6c92a0a1527f2abd2f970dfb0142608162d82655f0e4fad534e7591f85e2dbeaf4922867c72834eb275054474a5ebf71ed3016a4392d21d711e6d

Download Submit
C:\Windows\SysWOW64\Lpepbgbd.exe

Filesize
161KB

MD5
f092b536f16f7e080e8e979e78c46e70

SHA1
275a0177e56ec766054e57c25cfe4a34c4647da2

SHA256
3baae2a0f10f940fa623a275c5f4098e49d8a330409d1db794aed76fcdf4b891

SHA512
1e2277615b750336cbf71e894e8fb2fa531230dbd7c9f1744df7fc09f7698fcacbb6acf97c24ec459ce5bdb39c439de29f4e0b95834e70b8bb5266d6aacf49e1

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
64KB

MD5
e98826ada4b3d8b10e5aa169ac5f7fe9

SHA1
352d44f2a2bd8ca585cc50ecbbb7d587d8e89a72

SHA256
c5ee1d5430c873fce9bfc9759551aca938a866bcd79226f35d00be19909378a3

SHA512
52432d1a9309f4e7a03d6ce01e36c4250ce44f2c5ee4b9c20b238464def2fec222b2efb765848d6a22085efb486d897c0535f91425a4449933b97d54de54a164

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
161KB

MD5
22d36a3e48c30fb482dbfcc6bd780309

SHA1
5f8f928ef8f9b5937e48cfd12c40c82de9bca939

SHA256
e8ff2b884e43163c457475e7cee9d9ed4d6ecb11f7c79f2f5a1ecd7228dbe2a5

SHA512
0bd6b9ba9193b63f8fd79217401d055026dc776b681afa56c5818c558f3da00aeeb75f13cdd62e63d2528b7f0acf61b5446d0c35014c385123c0375ed56cdad5

Download Submit
C:\Windows\SysWOW64\Mnhdgpii.exe

Filesize
161KB

MD5
32be09b29d11f9f345b8be2bda041d48

SHA1
af4359627fb76d888f28c89d82e4ed7bd5505029

SHA256
c49d6e64f89afc3948f06fc9bafc0d00ec81cd55cf6a2bbc2b5747b487164115

SHA512
10c2a34771e826759cee54876cbc4896d53feedb255ba309d1d1a7a58de5d93c00253679a34cc76d01ef6a9d89dd1dec4775b591f572c59aabd10957924f8406

Download Submit
C:\Windows\SysWOW64\Mokmdh32.exe

Filesize
161KB

MD5
1181ce795ee90e11a3ab8bc66ad9322b

SHA1
4e1e9f30883b063ce727d3dfe78afec104c00501

SHA256
35c0e02af6d438dfc4fea22bb753497ba2663050d13a6a74cad45c8cf4eae509

SHA512
5e0bb1c0fc6155ec7c76e6d86e65bb9c0e2494528c000daad65c6161cf9d12909fb436adb6c83314727041cece53963801af192ac3fd21f77426ada9474a4d87

Download Submit
C:\Windows\SysWOW64\Mpapnfhg.exe

Filesize
161KB

MD5
b1871b2ae3e49c645b69a5b91b9f1011

SHA1
03a2e91e9f233ed6aad73d625d8720dc3a89de74

SHA256
e2ff996fb2761af9671fcb4840ce802396943dd1171d633322451b52c0068f09

SHA512
1f74eb8b6028bca6e1be5890e7b6687e207ea59b20bc7e47a134e9caae272ffab8be32c30076a03f785c4a624f28f6fdf4681a35c81df656697c794083e83872

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
161KB

MD5
4b20a3f59b7f48fe2f3cf9fd60257753

SHA1
c22bab99704c9f648c850331000bbd7a272631f0

SHA256
0aafc64a6a992821c3731377fcbad2e0b5011c847b750e6b886f858d73cb5af0

SHA512
950966d9a6233723fe92c3c7b733badf0a940d71ce2101d5766d7f34553251e0af02dfd602855a716f1c5cfef7b4328eabc8d84829b76e265abd333860695859

Download Submit
C:\Windows\SysWOW64\Nbnlaldg.exe

Filesize
161KB

MD5
693307c8d96f2d11f3545965dddf6597

SHA1
f567c56f011b24a9428dbee1b3bc5882e5589b53

SHA256
7f3bb79df18ca602cdc52c196deb70ceaa3f3f58eb160a90af223c3c2c510d5f

SHA512
057865ed10843e6efb5921c76e2e3d38c45b0d34647a0e060d253f3f9379b33f9c077d036b3e2158d9985fb7f644ec48f5dd913c54bd4f4256b90acf374970f9

Download Submit
C:\Windows\SysWOW64\Nceefd32.exe

Filesize
161KB

MD5
7d1173bf58b9ff64b53916889cdf663e

SHA1
863c31eb71e2577f20a8a49026c988f3354fac3c

SHA256
1978896bdf37d028521ef04bfd80d16cc6ea94ef0c213e107f61c5f64a37541f

SHA512
782386365c365d52117da6be36a179d63c3f548b76c403e74b2d2ec86b6e47fab03ffc3b0367a459e3f106f513ecd4fd1af52bfd57976af0d860b921234d13be

Download Submit
C:\Windows\SysWOW64\Nimmifgo.exe

Filesize
161KB

MD5
7d7c318737c530c661e1fce53a7201e3

SHA1
0a7be69530bad2fb386db9adeb7a20cb3c764f8d

SHA256
c52ffa55db9c65a32f54f516ee667063e59ab2d5d71c0fcff26a393514435ea0

SHA512
6f072136a4ab22df969164f27cf55814422983bb9e1071856cb11eaf3800d552419438847a67837460fe51178a76b23582f1b388b569777a86e42dece5e967f5

Download Submit
C:\Windows\SysWOW64\Nncccnol.exe

Filesize
161KB

MD5
f21e87c13d3e05edb35fd1803709d60d

SHA1
2bf81752c7432bf6c06caf3ef0f3f2cdebecc366

SHA256
42d28049ffa47e2ca77ed77505e7ab6c5163683f2cc438bdcdc8e988632f8873

SHA512
ca0bb45bebaa81e1abee758a20b55ec1a6a1a00f1c12918ce4bb8537948fe4ff7de2185c9f3debe035bc301f9931e167ac098d5bb25447e25f88b6fc39dd1f39

Download Submit
C:\Windows\SysWOW64\Ofgdcipq.exe

Filesize
161KB

MD5
0b4f7f32ccf8dea5db1d717616014a78

SHA1
2a692ed748a134fed9503e6eeffe7e0f582ec98d

SHA256
a9f19da9fcd05d37a73438c74a01c3614c60bc81a20228c8914e1b2b605340c3

SHA512
dc14a387d7bee7b2d64bc7f5ca8c399896a07c35fa2de57adbb1ea02a93bc23812767b43037464826370882ea64c915e7850eecc01aa87c37ea8df0bbe6e08ba

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe

Filesize
161KB

MD5
87062c413796e55962abc94561427ef3

SHA1
f0b03cc1d615ed53e3c231a0a28b9e31f8caafa4

SHA256
ffb33ad6456a32d6aed6c0ca2d896bb28011d49a66ac1a2b33068ee8f969c99d

SHA512
365a44d7f3b0e02d1d915eb7893d54900a1ca597311426f7b45359f5901642b25b26845a26326aa78822436ae82fd7ef6c9a4b0b27b7ee12dd5a057cd0b79adf

Download Submit
C:\Windows\SysWOW64\Oghghb32.exe

Filesize
161KB

MD5
0a7e54eab105ad8ebf7a9280860f573f

SHA1
c7b13767051294ee4c5be25166a49d886e3b2431

SHA256
c5ded8ff9e019c33b7cf780e659f045caff9d12862a4a0c1184affb912abdf01

SHA512
b764c61a5d088f3fd26261b23655d3538d5a080123757f72e40a0578a5df42190b8179ad031afd87c486a8b4ab3002da2a3b37f91448aee72e852af7c00999ef

Download Submit
C:\Windows\SysWOW64\Ojajin32.exe

Filesize
161KB

MD5
f969a35ca5e9c7cfb248b4e402199303

SHA1
97f23ae6b5a9e6d8de82378fef62b07408578fcb

SHA256
44f083581c9813ea8840114a94253034fd7549657ab7563ba1dfe95bea070f80

SHA512
26e4eeb60343a50d3735cd403a79bd8e4d3d75424cca9535adc2c0a44023b72895816ca00792286e291a3f9b9cee5f89ac289d2082907616619e9318a2f10e0b

Download Submit
C:\Windows\SysWOW64\Ojdgnn32.exe

Filesize
161KB

MD5
d3fe142e5074bbf0519bb7eb2b989c1b

SHA1
1ee6b53239d2c8b241b4cdb13d88cf2837bbd1fb

SHA256
e43b76836f361a002ecf7d68a3b8ed3498299d836fa4383f65b9b039615e5098

SHA512
844f5d8fafe55876b2a80b9958903978b303addde97276f7c0ef98fb58a9dc63419522ae260d21f8e354bcac695a53035b86526896d090c18962eaa36a440bef

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
161KB

MD5
7cfbaedf958bd3759d0eee57399b0867

SHA1
e7f8a990e9108d6b1b0843bcc7093f6aa5c56663

SHA256
8f2b317fd999dc5085223b510fd92e998fbc5fec6043b695c63e1f37aba0bd77

SHA512
03c3d93365c533aee924bc4bf083696dad608cff90f216f0d29f3e621c9b89677382c19a5977b42e879a152c819caf77d23648378b90a3756313c84a1d76d9b4

Download Submit
C:\Windows\SysWOW64\Pmiikh32.exe

Filesize
161KB

MD5
15cb47105b09ed36837ff920241ed5fb

SHA1
92a9942b6bbd50d8d2de903ec4d66d66b8a2556d

SHA256
ec11b637c0848d73163eb8ba3f36ee0eecccc059e917a6de467fb78ecf6295fc

SHA512
44cdb69e4c24e90f5c75e7131623defbf20b955e18fd5d174b5b9b097974c48c22fad1392e3f3a42486c558ec5b351ef454261cb315077e3871abd31971743e3

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe

Filesize
161KB

MD5
ff7d633d5284516c36752af4dd132254

SHA1
d2caffa5ddcfb8d69f02ca334c90a728ddc4d12f

SHA256
37ffebe6ef036e5684e0053e666b67f0a4eb63a15ed3cc41cdad9c366006428f

SHA512
08e269c8d33bb4c8a961da35252bef9b03290635bdf0d91de410ac2617a8d626773cacf6b2ebcb200731bc9686ceea18d98a047d278154fa95aeffe69aea02f6

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
161KB

MD5
e71b7632e80aed0a46eb2a8a56a4aeba

SHA1
0e71bb9a0a54a162c3348e6a1286f897f77f478d

SHA256
edefc5a13a201f58c2c758b667679a1791af50ff49951d0fc20cf8bf02f95dba

SHA512
99d00f2a4c39fe26c1a08b7f92db105ff7f5961b1a04ef4a5c3a4020af4d608178f96b475a98d3586ed93bf3dc441177248485e3d27905788710ffec89b8d60e

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe

Filesize
161KB

MD5
e5c002aebdf8903d44bb0b38dc34fd82

SHA1
e44dc3e5c35b3017285098af78483f5dd6dd3f9b

SHA256
7ff7aa702e722bfcc7b9d8eb305f515a7c07d6d93148b1bc2a927cb50fbbc48d

SHA512
a96ed89d2a1a3c54774c3b15092ff6189a5c489554f99dbc1843a5834fda67852845dee3dab10d931807d4965bfc9cdd2aab67389cdd3cfeb77a045839961334

Download Submit
C:\Windows\SysWOW64\Qfkqjmdg.exe

Filesize
161KB

MD5
e9e10623463b881cdbf98c90a1e68a33

SHA1
c3d03024de13eab91d9d4393dc12dd0dc03634e6

SHA256
47303db311862503ee07afb7bf31c1ab5a605d94c51452796565a57b14743a84

SHA512
77379ee4c8ff540326ed5d787179e38c1a904c263f597b89f3ede0c2c61306d0056eefa6bc59adc8e91de4b1f9aa7c7054305f83eacf1c532f092772a1cfe99c

Download Submit
memory/332-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/332-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/408-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/408-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/572-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/572-233-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/788-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/788-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1064-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1064-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1184-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1184-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1224-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1264-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1264-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1272-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1272-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1396-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1396-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1496-398-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1604-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1604-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1740-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1740-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1804-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1804-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-57-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2028-390-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2028-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2196-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2196-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2268-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2332-405-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2492-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2492-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2732-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2732-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2940-259-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2940-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3100-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3116-206-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3116-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3164-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3164-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3184-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3184-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3244-419-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3280-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3280-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3516-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3516-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3744-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3744-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3792-397-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3792-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3852-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3852-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3928-300-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3928-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3988-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3988-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4068-384-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4140-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4140-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4208-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4272-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4272-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-404-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4424-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4424-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4568-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4568-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4600-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4600-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4640-391-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4652-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4652-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4752-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4832-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4832-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4864-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4864-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4904-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4904-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4992-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4992-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads