3636da2672c314aa420a1a85ede84308f1aa0bf63a40b971136ab6b9fe7eaa46

Analysis

max time kernel
139s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc688ec08c14501981084e9ac721e260_NeikiAnalytics.exe
Size

163KB
MD5

dc688ec08c14501981084e9ac721e260
SHA1

e40e88e336aff7d88bc4645b9a98301e5290be11
SHA256

3636da2672c314aa420a1a85ede84308f1aa0bf63a40b971136ab6b9fe7eaa46
SHA512

f01301f14071590a7934635de85feef8314896392615e7df1fb8e3a10f2cae746dd8dbd73fd1fdc527f073f24a4d1e08bdaefe27b06e74ea280ac797eb91d5b2
SSDEEP

1536:P005veIrPAMoQRrW259BTkNtA6TlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:M4XrPAArr7WNtA6TltOrWKDBr+yJb

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dagiil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dakbckbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhnepfpj.exe

Executes dropped EXE 64 IoCs

pid	Process
1420	Doccaall.exe
3540	Dabpnlkp.exe
4320	Dlgdkeje.exe
1464	Dofpgqji.exe
2080	Dephckaf.exe
1452	Dhnepfpj.exe
1028	Dcdimopp.exe
1044	Dagiil32.exe
376	Dllmfd32.exe
3928	Daifnk32.exe
3268	Djpnohej.exe
856	Dpjflb32.exe
924	Dakbckbe.exe
4752	Ejbkehcg.exe
1936	Epmcab32.exe
4912	Efikji32.exe
4916	Elccfc32.exe
1260	Ecmlcmhe.exe
4136	Ejgdpg32.exe
2284	Eleplc32.exe
2244	Ebbidj32.exe
1184	Ehlaaddj.exe
3356	Ecbenm32.exe
3556	Ejlmkgkl.exe
5048	Eqfeha32.exe
3752	Fbgbpihg.exe
4580	Fjnjqfij.exe
3208	Fmmfmbhn.exe
3224	Fcgoilpj.exe
4420	Ffekegon.exe
4872	Fqkocpod.exe
4460	Fbllkh32.exe
3888	Fifdgblo.exe
4084	Fqmlhpla.exe
4736	Fckhdk32.exe
2316	Ffjdqg32.exe
4820	Fihqmb32.exe
4152	Fmclmabe.exe
4712	Fobiilai.exe
1104	Fbqefhpm.exe
3040	Fijmbb32.exe
748	Fqaeco32.exe
1088	Gcpapkgp.exe
3988	Gbcakg32.exe
4056	Gjjjle32.exe
3352	Gmhfhp32.exe
3932	Gcbnejem.exe
1428	Gfqjafdq.exe
2520	Giofnacd.exe
3804	Gqfooodg.exe
4428	Gcekkjcj.exe
3916	Gbgkfg32.exe
2472	Giacca32.exe
4000	Gqikdn32.exe
2816	Gbjhlfhb.exe
4368	Gjapmdid.exe
4236	Gmoliohh.exe
1988	Gpnhekgl.exe
2936	Gfhqbe32.exe
1552	Gifmnpnl.exe
3472	Gmaioo32.exe
3964	Hclakimb.exe
3488	Hihicplj.exe
3840	Hapaemll.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fbgbpihg.exe	Eqfeha32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Daifnk32.exe	Dllmfd32.exe
File created	C:\Windows\SysWOW64\Elccfc32.exe	Efikji32.exe
File created	C:\Windows\SysWOW64\Fbgbpihg.exe	Eqfeha32.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Lghekack.dll	Fobiilai.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Omlami32.dll	Dlgdkeje.exe
File opened for modification	C:\Windows\SysWOW64\Dpjflb32.exe	Djpnohej.exe
File created	C:\Windows\SysWOW64\Qjebnamp.dll	Ejgdpg32.exe
File opened for modification	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fqmlhpla.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Gddfpk32.dll	Fqkocpod.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Gdkdqfii.dll	Doccaall.exe
File opened for modification	C:\Windows\SysWOW64\Dagiil32.exe	Dcdimopp.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ejlmkgkl.exe	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Dllmfd32.exe	Dagiil32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Gcbnejem.exe	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Efikji32.exe	Epmcab32.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hpihai32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7344	7212	WerFault.exe	289

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakfehok.dll"	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdcbdnc.dll"	Ecmlcmhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofddb32.dll"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiagblgj.dll"	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghekack.dll"	Fobiilai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhnepfpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 1420	2952	dc688ec08c14501981084e9ac721e260_NeikiAnalytics.exe	84
PID 2952 wrote to memory of 1420	2952	dc688ec08c14501981084e9ac721e260_NeikiAnalytics.exe	84
PID 2952 wrote to memory of 1420	2952	dc688ec08c14501981084e9ac721e260_NeikiAnalytics.exe	84
PID 1420 wrote to memory of 3540	1420	Doccaall.exe	85
PID 1420 wrote to memory of 3540	1420	Doccaall.exe	85
PID 1420 wrote to memory of 3540	1420	Doccaall.exe	85
PID 3540 wrote to memory of 4320	3540	Dabpnlkp.exe	86
PID 3540 wrote to memory of 4320	3540	Dabpnlkp.exe	86
PID 3540 wrote to memory of 4320	3540	Dabpnlkp.exe	86
PID 4320 wrote to memory of 1464	4320	Dlgdkeje.exe	87
PID 4320 wrote to memory of 1464	4320	Dlgdkeje.exe	87
PID 4320 wrote to memory of 1464	4320	Dlgdkeje.exe	87
PID 1464 wrote to memory of 2080	1464	Dofpgqji.exe	88
PID 1464 wrote to memory of 2080	1464	Dofpgqji.exe	88
PID 1464 wrote to memory of 2080	1464	Dofpgqji.exe	88
PID 2080 wrote to memory of 1452	2080	Dephckaf.exe	89
PID 2080 wrote to memory of 1452	2080	Dephckaf.exe	89
PID 2080 wrote to memory of 1452	2080	Dephckaf.exe	89
PID 1452 wrote to memory of 1028	1452	Dhnepfpj.exe	90
PID 1452 wrote to memory of 1028	1452	Dhnepfpj.exe	90
PID 1452 wrote to memory of 1028	1452	Dhnepfpj.exe	90
PID 1028 wrote to memory of 1044	1028	Dcdimopp.exe	91
PID 1028 wrote to memory of 1044	1028	Dcdimopp.exe	91
PID 1028 wrote to memory of 1044	1028	Dcdimopp.exe	91
PID 1044 wrote to memory of 376	1044	Dagiil32.exe	92
PID 1044 wrote to memory of 376	1044	Dagiil32.exe	92
PID 1044 wrote to memory of 376	1044	Dagiil32.exe	92
PID 376 wrote to memory of 3928	376	Dllmfd32.exe	93
PID 376 wrote to memory of 3928	376	Dllmfd32.exe	93
PID 376 wrote to memory of 3928	376	Dllmfd32.exe	93
PID 3928 wrote to memory of 3268	3928	Daifnk32.exe	94
PID 3928 wrote to memory of 3268	3928	Daifnk32.exe	94
PID 3928 wrote to memory of 3268	3928	Daifnk32.exe	94
PID 3268 wrote to memory of 856	3268	Djpnohej.exe	95
PID 3268 wrote to memory of 856	3268	Djpnohej.exe	95
PID 3268 wrote to memory of 856	3268	Djpnohej.exe	95
PID 856 wrote to memory of 924	856	Dpjflb32.exe	96
PID 856 wrote to memory of 924	856	Dpjflb32.exe	96
PID 856 wrote to memory of 924	856	Dpjflb32.exe	96
PID 924 wrote to memory of 4752	924	Dakbckbe.exe	97
PID 924 wrote to memory of 4752	924	Dakbckbe.exe	97
PID 924 wrote to memory of 4752	924	Dakbckbe.exe	97
PID 4752 wrote to memory of 1936	4752	Ejbkehcg.exe	99
PID 4752 wrote to memory of 1936	4752	Ejbkehcg.exe	99
PID 4752 wrote to memory of 1936	4752	Ejbkehcg.exe	99
PID 1936 wrote to memory of 4912	1936	Epmcab32.exe	100
PID 1936 wrote to memory of 4912	1936	Epmcab32.exe	100
PID 1936 wrote to memory of 4912	1936	Epmcab32.exe	100
PID 4912 wrote to memory of 4916	4912	Efikji32.exe	101
PID 4912 wrote to memory of 4916	4912	Efikji32.exe	101
PID 4912 wrote to memory of 4916	4912	Efikji32.exe	101
PID 4916 wrote to memory of 1260	4916	Elccfc32.exe	102
PID 4916 wrote to memory of 1260	4916	Elccfc32.exe	102
PID 4916 wrote to memory of 1260	4916	Elccfc32.exe	102
PID 1260 wrote to memory of 4136	1260	Ecmlcmhe.exe	103
PID 1260 wrote to memory of 4136	1260	Ecmlcmhe.exe	103
PID 1260 wrote to memory of 4136	1260	Ecmlcmhe.exe	103
PID 4136 wrote to memory of 2284	4136	Ejgdpg32.exe	105
PID 4136 wrote to memory of 2284	4136	Ejgdpg32.exe	105
PID 4136 wrote to memory of 2284	4136	Ejgdpg32.exe	105
PID 2284 wrote to memory of 2244	2284	Eleplc32.exe	106
PID 2284 wrote to memory of 2244	2284	Eleplc32.exe	106
PID 2284 wrote to memory of 2244	2284	Eleplc32.exe	106
PID 2244 wrote to memory of 1184	2244	Ebbidj32.exe	107

C:\Users\Admin\AppData\Local\Temp\dc688ec08c14501981084e9ac721e260_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dc688ec08c14501981084e9ac721e260_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\Doccaall.exe
  C:\Windows\system32\Doccaall.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\SysWOW64\Dabpnlkp.exe
    C:\Windows\system32\Dabpnlkp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\SysWOW64\Dlgdkeje.exe
      C:\Windows\system32\Dlgdkeje.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4320
    - - C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1464
      - C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        23⤵
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        25⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        28⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        30⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        33⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        34⤵
        Executes dropped EXE
        
        PID:3888
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        38⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        41⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        49⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        50⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        54⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        57⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        62⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        64⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        66⤵
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1568
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2124
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        69⤵
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        71⤵
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        72⤵
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        73⤵
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        76⤵
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2704
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1468
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        79⤵
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        80⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        81⤵
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1868
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        86⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        87⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        89⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        90⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        92⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        94⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        95⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        98⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        100⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        102⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        103⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6048
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        107⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        108⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        109⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        111⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        112⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        113⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        117⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        120⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        123⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        124⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        126⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        127⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        128⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        129⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        130⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        131⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        132⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        133⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        136⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        137⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        138⤵
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        139⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        140⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:548
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        143⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        147⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        148⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        149⤵
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6360
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6404
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        152⤵
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        153⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        154⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        155⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        157⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6704
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        160⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        161⤵
        Drops file in System32 directory
        
        PID:6828
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        162⤵
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        163⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        164⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        165⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        166⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        167⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        169⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        171⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        172⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        173⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        174⤵
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6560
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        176⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        177⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        178⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6816
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        180⤵
        Drops file in System32 directory
        
        PID:6872
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        181⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        183⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        185⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        186⤵
        Drops file in System32 directory
        
        PID:6432
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        187⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        188⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6800
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        190⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        191⤵
        Modifies registry class
        
        PID:7072
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        192⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        193⤵
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        194⤵
        Drops file in System32 directory
        
        PID:6896
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        195⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6860
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        197⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6596
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        199⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7212 -s 404
        200⤵
        Program crash
        
        PID:7344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7212 -ip 7212
1⤵
PID:7316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
163KB

MD5
4469169e0bcabd7672173520b9ad8811

SHA1
f9a09bd38dd49e426eaec4b2ae49a9b76caf7fbe

SHA256
6245b22960d107353c005a47db41dbbdd66d7185c37ed93b6682bb2aaadac2e9

SHA512
555e22c462a137c1a028b09f36ac56ef82471a15163c4db83a3929de190a0c48413bd6d512f9c0166dbb0aa85fff43482d7c239bfae82cca6fbfdeadb18058bf

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
163KB

MD5
4ebbbcff5e92aa4621312254f8f32c56

SHA1
f6ad93763178a63d3094c35b539d41a5d50fe4d9

SHA256
9c780f0246be55fed1c7fa248545f81c21b86164ca322883e921c0794cc6fb9a

SHA512
2dd707eda12137bf66a9b707ef30e5232244ed5339feec4f9cffc507c85527f9f126f4d1171a725330192900ed7262188b0836164fba1c001ed048f5c5d09601

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
163KB

MD5
513db842dfa9358b621dd6b6a623728c

SHA1
73ec92d60edbf378dad99d9547d53c94b335502d

SHA256
fd34142d9dd2ef9784fef67d4608ffd810c4a2530b8b34ed46294275448da632

SHA512
b88c5062a47c2119e0653da7ff5aae0778fa59fad46987d2382a1763026ff399b5c834bbe30897cbe8f8e0c503d4ca58f272b9afcd636e9ab663c1b4bd778c00

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
163KB

MD5
1e2e93c8bde96d4f10c2a8bee45b69cb

SHA1
85146336d90bed72a9e8eb7a5da92ff9a857bc9a

SHA256
11cecfe51d51631df8d9ad04a743e90a2425ceda37eb857ac1aea69a31335db7

SHA512
39eadab876e192e8b669b2ef9a60a43259804f2a58c76e31a1210da92c3aa40598e2919f095b6d2eefa13d52bf6c9ac1e3560c2f798800a1a58566f8e400f83c

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
163KB

MD5
bad6d54a9b568b251515547fe6261644

SHA1
be8a9b64b4425b2400e13adda61aaebf565cefc1

SHA256
c162f58039497812a9578a3d35fd398d9382cff4514ea1e1209de390d438c8ea

SHA512
31003cf08da8a134c6b06e3680dbc052b640e280b03fdc0a339eb451c88f5f7e6f5afc27da045c2b1ee8c93f76ef808c8ee5ef8984f407919e3ff6310202b625

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
163KB

MD5
d17e96737b6556942de02e4fb742f8b4

SHA1
0f7678a6a5c75f04819b80f774bc1d59d94f36a0

SHA256
8de27da8aa127fb6c8a9b3787533d1c324104431e8d08c02db2c0c37de11fc21

SHA512
d4e619f483ac1d9632f8919a622ea5c6638b371a75f7e42a2e7d28ddbf4813f24c7d70587beabbb0d163bde66cf53b83c0b3e08537993472315a5dee46d3bd2e

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
163KB

MD5
8796079a441c7c6d72dbbb3fc8e280d2

SHA1
895e277a24c475138172f8cb2cfac77fae201703

SHA256
afa34701d54616ae04b24ff98313aefd046f42c81c580cf833df90972c57590c

SHA512
38a834350be22335deaba9d28497d026bfb2d98086ca2d41a918442ee97bfb1a024078e70b52a01c393671cd205d492e73eedb68981fa75ab837378ded45eb22

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
163KB

MD5
077c32ae1d179798bb7ec30130c38fa0

SHA1
30c11732247ca602f2e256de42fdf7d21cdc3769

SHA256
cc33788958762f8bcdf07328e230480a5ecfff0c4d1f18d2ffb77d5670c887f2

SHA512
76778fce2011c71ece797334f112bda9a51b29fa152a72f685d3373b47336ee0f6239ced8d788dd38a66c3825a2e4c196d1064ecf549b9c336cc68745b0881f2

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
163KB

MD5
9216ded8ee23841116b6f7fdf9dbf3a6

SHA1
4645cdb85625600fc9a0cdc89607bb2c094f060c

SHA256
d4fb8b884ef87a92f6052f6ee888dc6fe6a9bde934c689fa20ac109dd4a5c3ab

SHA512
db80436839e430c24bb5e03ec796d392c798506d05de0ef4ad1ff7ddba068b2058518d623932a8643e5ddff12a36032be8bd4126080170b0d5e29b2b6c428e7f

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
163KB

MD5
efe118b0724096f12ccb5ea6d1a9bee8

SHA1
59c6abe0aaba7a62321da30af74985866e269f88

SHA256
bc4f7ace704e57a26d051b4faee776080c2b47fbbbf6f13cd43a4b8fc36bfb06

SHA512
feebcdcda1c3eba16401721ed15572e32a0a390b62ab6136162bd88174416a5945d3e5b711ab79417c5c6e7a0f1fbba5aa0e685c01720232854a4218d13fdce1

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
163KB

MD5
d7f1654901cf8b819e78d19b65914c7a

SHA1
b253041c1a8129211a37739e3ff4b0a926ade6cd

SHA256
a9ef74ad60f39194eb00dbf6f1fb5a82868c81e7b54501525a680b680ae2af8b

SHA512
e7a220bfe5c2b11cf9cd2c53baec20cd79c8bdc0479179912ca641ade090ca4bd73a69299deded7e5f81d001523914f73628469ac4f42d2f80c22193a574de0f

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
163KB

MD5
59859c860d8054257841140e242df318

SHA1
c0c07a614ffd9c4171149f44bdead143b40418ac

SHA256
7fe35ad92396dca3923a3fe8943bead7dbc3e780cabe87194968e789e84a6837

SHA512
41abe654ae97692d1629e053a2d6d5ade5202b7ba29af750978ea8a4ed3bb2837813feefe59c295f2763f80837567716bbd3ae61ca36217fbc4a25666094962e

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
163KB

MD5
3b84bf9775b89a267a4d6f8f7c7bb5fd

SHA1
026bc387b6c8deb3cad17a5b2d4f3230996dc93b

SHA256
d6adef88a6f5d82691ec8196744e82a39142e773a99cd8af0758e3b6a7dfafd7

SHA512
1470084d783650d4a041591ee1e56bedcad9c564382e1ae312e4df4182f132a7405491e98c555f15049cb02644e1b36400a9f22e683c244947618352248f075b

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
163KB

MD5
f82097d4417618510117148e9388607d

SHA1
e6b48c353d6e26511f3ec96356cdd236c379a5ad

SHA256
8a63fe6e5d17328a1ae6fb41469e0ce53ef7e9eea062622bcea691af69e5acd0

SHA512
40482ca66c9796ae9075efade937bb5cfc41e0de4340f7651b8f24413b9d6bd2b314a1c1f18c9314e389bc8bb1ad2b9e798a14bf3c31bfb12f8ebd107ea3c905

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
163KB

MD5
0d47d786682ef6a38a211489f49f6112

SHA1
e9daa127496d9fca98b834c1cdd65166dba75012

SHA256
79a6f504dc21f451207ffaffd323d0eab2252d6fab2aec8bf53382c1904b00e4

SHA512
e14d1440f73af897b31f77908f6f5e5f1ca4ecd605955b77dc53abc9e9141c54b23a6498ca88bc9e2eba868e41c7a3a3c0756510efeb0aae306385905a02227f

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
163KB

MD5
4ab76e0fe511b4b827a29216f68201a7

SHA1
49dc3d2ca8675f69461eb14bd3be6c91ccceb036

SHA256
150320ca57927c7b3c8fc1e17b1a85168a354661a13942b54426b2b0ab59983e

SHA512
9457e0f316cff92a2913a30bf89464c957f8c57be4addc84f843e3912b93455e556a436fa818cf83443849183d7adf8544aa29f7fb8ff4cdf37219f74e07026d

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
163KB

MD5
ef6d3407662d74f8df77638a68067ecb

SHA1
304bebd6f910272a388aa596186d4c6768110d69

SHA256
fc6713ff18608b3f12766bf8a1fb8991ce526e0d0eeeed94290c8b0ae300eab5

SHA512
fded84bfc929a11a80d0213884f25de7b7d3cb43dbeca035868b8cbe9710969bdfbc194299b3d179f65af9c14bb0ed76e55c2daf6a6006cc8cb7290b76f4f06d

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
163KB

MD5
cb1918a9d3e50a78f8d24641453c54f2

SHA1
08e2a6e1214b7c2475d884f00ef454ea0a88c8c0

SHA256
bfcc3b305f0b126d636b022cfd04240471beb021b5d2ac772e2b4cef6f9ac3ac

SHA512
83f4cebd4ac1e08e5496f8170af2972e1c1f4b3c29d10a58d236ea6d6bed8099e039a28f189c59f8a20dce98f23aa025ec322bf4dd632bc6d5d7b969a6e8e776

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
163KB

MD5
a1836dde32ab0d11a5507e07d094c270

SHA1
bd574059a52a7e3548554eacd5550e19f6e86125

SHA256
9eebaf48f73ace38b347e32feaec6858662e3ef1ef56f7777e986181878e717b

SHA512
0e52b3b9a3018d3888b8e9a1d3abfe36df03cb37a1f23864a1cd757851f788cc7d4a383481b90abe0a295a5e0a5f4780224bb67feaae2e91f7980ffbca33858b

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
163KB

MD5
51995e7fb0e65a47b2005a7e37428617

SHA1
acdec7e7e2230cdf9bd9105d5aac4d2850299135

SHA256
d4a309979bd5bd1261deb05475ecc41063fd4163049d938202422494220db262

SHA512
1659af566a0f674af54e2d708a048657a5ba0882a425ca0f7187947797d76936c6448a72965d260f5bfd5df80a105b7060a6e7d6ee0af7d1dc0b971199cdbb98

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
163KB

MD5
3853067d68d407293084d15388348ac0

SHA1
23f5ab9ff59ecea0cd3f4e7d36f6fbfacc88acbb

SHA256
7c145e469927f9c19e6e2852c0f19863fa22dabd25257b36ff282361c1fa3416

SHA512
905d430ef3ae20890899503eff5bda5998e1bb521e2e0e2af66121c9ffcd131a2c0022b70e5dad71bb6c7b91be1dabed0b35a0bbbe7b3678c026bcf2f391aafb

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
163KB

MD5
8cc339a90c0ab8f8e3fd5b910e4ecd28

SHA1
c300ce245233db7aed1bf946e08c2662995c2415

SHA256
7c8fbb79464c5e58b3437119821968a2ed216c8eabad7725975a02cbc631a99f

SHA512
393a5e76e6f1535c9fa7d45012ab34bcd984fbeff640245fb2d11c61bb21acf1bd6a7354e8dae6455e28de5cf2f2daeba598da93dc9187f691a71f733f992dbf

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
163KB

MD5
101a00d6d3b2f87976fc33836c318a59

SHA1
2580f76f05c783425bc57efa1d852fb3fc6767cd

SHA256
c687bacf35ebcdf22113fb964a13cc3611cd48cf51fa82140ebd29460c2c00ce

SHA512
b4348737488b4ee01f93debf1b4c0214b682a315bff9285ccb7e927e519da42bf4979a2dd17e2c53f289a22d47e9ba7ec94dcabf9d55c2fd8bac217aed9c1c0d

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
163KB

MD5
71a9bae171ac550e17299bc2c8be8493

SHA1
fa6b042b1d26980578a130bcc2cf0ea6d9b49283

SHA256
2c8fb79e68061c138c7dc25cabd95800e41399957cbd8397eed4916acec5118b

SHA512
9c07cdcec1fb1f52b7d49f50ee34fee62a525522f126535af4a33bb344d11695ede3b9f5c5f3107fd911e959c0b62a3227155cdb8f2b95062eb87a0bfe1a769e

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
163KB

MD5
6d2b101548a758e53f5a167d63dbced1

SHA1
89080fc3d49ef553442d700e2eaf15a77832730b

SHA256
d740a5b8aa233861636de7b9d3f4d941285132b94c776224715378c0112c638d

SHA512
c2c62587fb4b1c157a842ff2122fad07cd2783e4a71e48009024ce0c7e17f8d0b7a03146ca54518c5c4c6b0ca2f6b7ecd4ebbce5435e6e67db140c6ab613f727

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
163KB

MD5
f2618b821d9992b857f11bda1a24fbd5

SHA1
295fc06c0c444433f71e25a8eef5f92fafdf50c5

SHA256
beb88b4b173566f7e4c0fcc3154756bcea09944f007d3855d3e94ffd4dde606a

SHA512
24b292e3ced3bc02b2908e915db76a8ce0254f7eaba03df863ca5842d24ed263f42332c4b572b7b0fce134863027b6562633e2e906715e5fa9d6bda4bbdc8697

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
163KB

MD5
0e8aa84679f85993d14f42eef847c57a

SHA1
5462009e8df7c31b0e15a94e58de4cebef5acfa3

SHA256
68e5b7064ab3f72c6433c2ee5b00f069fd2726f3939bb5d5108e2370f426b89d

SHA512
618b42729747ccc202251cb2b4fd91beb7e010d150d5e956e37a500d74b27288d933d9ddd0908ffd99989f2824a091d6a2d1d5dee3ed60a7a0fdff9394513453

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
163KB

MD5
b62532883661b452aa939a3e33c47ac0

SHA1
43af48b5f98957e5f02711d69bc327dc39d9f300

SHA256
91087f5b3e32d9b0b9439e6335e423a6fa304328a23f03222a03fd66c6c11bb1

SHA512
3d59d101ad958078e1f3ea77aa63f53a75b940e0bd6f000ea89b551486cb9ff26bb727e1ad97a4ef59d84b89e7ab49daf0f4dc86e2eb13f55c5aeda2adaee45f

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
163KB

MD5
fa67899b275db5c3c7687b1cb5e898d5

SHA1
b351077dcd1bf3fef9540be003004eaea554c36a

SHA256
7618961442fc478fbbbc8f2dead88ee85ef9e0c20f84c0728b7ebf422af24123

SHA512
326b91fa54b2d3737891e2ea4ec43c6624b245cd5a6e7bc611f328a88f45b58ef3c0a0989ceef1ce27af2cea3f37c9ca8467a752d70f15c9af810dbf424a3793

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
163KB

MD5
4a345f6c5f2877f15715cde9216e5bfa

SHA1
6aafdd0ec5a8cd46f6c4d65b824d12d7f674face

SHA256
be1eef08693ba8c441b4216a295209202a48c7765d9132af1397a8d2055ad08d

SHA512
a551fb6b658eafb94808bb709bfbe416e9ba52600271938be357d0e5f7caf8d50ea9739149cf3a2daaa3fa7a0db987705769707c230f01bfd7f8e2fccc86a542

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
163KB

MD5
959392691b6b5f73c2df621846091803

SHA1
e649a5746aa00bb80a9af2c8464a667f0ef01893

SHA256
bb452a31b91b725a18f355ff50fe734e68a0c5e68a133dffaf5bc811de14f73f

SHA512
77b59c80377220514e299da14bbe118b21733b975676fcb1360c5dc663e0f9ced407bc96901be8a36aac9593a724ebcdf6ac46eac268671385489a252ba308a4

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
163KB

MD5
5fb98b50972dd912219a678f336393e0

SHA1
7c49c87414268e38425593530f6d2ab167b57130

SHA256
18e80836ca75d189a6b5156e393b259ebd18a59a2c53ac971a7f9077f7d2dcac

SHA512
c2d42e50c7a13637cfbbde1fc082ac1e238eb49422b744cd85f75d2f9156f61091ea2e0f648e4651fd32494d3c3c85c581fbf7e42a5d4a022d6ca3d8aee5b21b

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
163KB

MD5
78b0532c0697fa3bcdb0945017ea888e

SHA1
03567a68125da4933d751b0635ceab0e28ec29b3

SHA256
633945cf1757a328e60a9e546c766be6ee4735bee27d16345b71df3998b3225b

SHA512
cd193a83e9a11f9183001b9f84d0d65be45396879d0ca86d4695888ae3dd0686a4971046a384d7a924a62f9227c01f3b315aa6570fb97e7534dbe5113ccf2fd6

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
163KB

MD5
a0e9172c602555715d51b637036b5fd7

SHA1
ae7440d71723fa83f63d57cea095da09d7575315

SHA256
1121b07a826160262cbadc4d403f0842235e858d497e42bb0a78e1cb25c7d335

SHA512
46f27d49da313383188a6f772c8410f71d47b07f70a4779172b115a87aa8438c52ae45b3e48769b4c23035448562894b1c2006c459892396c929e87f26eef5fb

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
163KB

MD5
274b0ce242fd1a83751521c3980ae2df

SHA1
f7d9a88cb0f68332f9552f5fd34c2c8a45682c68

SHA256
4cb11e37dd81fc82b08d8d229a2f562ab11dd4f144256279182cf41d35949e75

SHA512
2c693f168523ede6a7b95d1a4b18b4b5404c550996e6ec93df7c41fa76e4de02489a50b50b779f63f9bc1f84460f8973c02dfe2e38136417f2f1935edebe0a0d

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
163KB

MD5
2f39c4ffe878b76dab437904ef762f9a

SHA1
ebde2f3fe3c0c4f0165dca349082583243ac87fe

SHA256
a23b99a8263038c4140b33bb0954a349651175e66f27d011bd1ad03ecac097ae

SHA512
54f840b1aba6c2a26eda7f0bcae950fc95236ffec7a7fc8093aa15609934255750033ee47776ae98a9ded9e6496cee78e61b0765cf777d871a90b463319798cf

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
163KB

MD5
ab924f00831e57dcb9b5218f4f04669c

SHA1
cbf08c74a8f32e08cfc2887e7f27991f655ab54e

SHA256
ff0088993280c857e01fcab87c44c84126ef1b649ee4e0cb62258a22b6c541c2

SHA512
f6d86b1b1d29e3af2f11e8306aeddade1f36274f5cfce22157aecf474ee7a6ac952811460a537daa45702ddd4cead64994a2f22176ae052dd1aa1444399d530b

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
163KB

MD5
17beb33a76b7d2517ec2677971c3972d

SHA1
fcc11a538bad66dedcfff41c95df61308e2b12fa

SHA256
8b40fa0418390b2d60a9f8ed59f971747387de4cf7989dd5d39c5559b029a8d9

SHA512
283afd694b926da437b3fd1799eb6ace3458fcf1269d5c0e2d5ea3ae3b651ed3cc1397e21e8cd9a80476912c5245c0cb7f608475ba35bdc03e3ecccf3f0d11a0

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
163KB

MD5
0c233acdb86c076990b09436ae596000

SHA1
df720fa581dc05f730e429e80d0e0bc86395fef2

SHA256
3b04d617077e8cd0b91c3c2bbed1be5c7d0309c971714fcaf3ea55e4e167f613

SHA512
aee0e05fdba042911e3a8fd0f360a4ae729b962dd554cb2d2e94762814a813149e6da6fe8bbd1beb597c410b9bf194bba8edb8824f435ac1e335a61b25b29e91

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
163KB

MD5
3f557b9dc181654820d153ec2613f2dc

SHA1
c50a22f315764a51ecbf530ce0ff5a43db4d7b60

SHA256
b3c6778396fc7aa813dcd347eac0106f982289a6ce48f4f6a3206ebe1ceca89b

SHA512
7fa9ed18139f100c9e003bd09995d3f4f1a39df7de72ef98164ec926df52c8625ffaaf3de3614a7eb4d88c0029c7be439454520f51b1305b44c39896b7aeaeda

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
163KB

MD5
38edca8f59fc0dfed47f969a80aeb376

SHA1
e3c0a1e96ab9a5893f0ec195def83a0809984f80

SHA256
408dc294cc0f1297cfd2c9f6bd7713366194a469794cdb20478d2e8b615cec78

SHA512
7651ad2c6ce239b58e759f58b144e06a548a3743b4b18937a354376e98266d941dd87181225631d5f3343c11315ab0d01a1c523ce650325b41895df344fffaec

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
163KB

MD5
9be1e4f5e4a82a8273d15b0fff9028ca

SHA1
b381ddbe7217857ddaf4ad6fdddf7ccc6e771b11

SHA256
b50c637783b9f03483094f6b829696c5e6f23ce279ae0d0dab9bcfd6e28ee753

SHA512
feaece838a9d9bb7080a9b075c7d234f4e61f94e2b7e0d5cce7ba1d8667330e49a5124ae31f6cafdcf0f61255886ac2ebf6ed428b694b5cc823b544091eab701

Download Submit
memory/376-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/376-599-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/748-315-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/856-617-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/856-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/924-624-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/924-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1028-585-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1028-61-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1044-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1044-592-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1056-490-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1088-325-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1184-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1260-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1420-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1420-543-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1428-355-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1452-578-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1452-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1464-564-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1464-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1468-518-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1568-455-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1868-544-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1936-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1988-410-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2080-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2080-571-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-461-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2140-528-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2212-476-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2244-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2284-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2316-280-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2472-384-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2520-357-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2816-392-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2952-530-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2952-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2952-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3040-309-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3208-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3224-233-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3268-615-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3268-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3352-339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3356-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3472-431-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3476-484-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3540-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3540-550-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3556-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3708-531-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3752-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3840-448-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3876-551-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3888-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3916-374-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3928-605-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3928-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3932-345-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3960-454-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3964-432-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3988-327-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4000-386-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4056-337-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4084-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4136-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4152-292-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4236-408-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4320-29-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4320-557-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4368-403-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4420-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4428-372-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4460-257-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4520-478-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4580-221-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4620-511-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4712-298-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4752-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4820-290-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4860-537-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4872-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4912-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4916-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5048-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5072-502-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5168-558-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5220-565-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5252-1411-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5264-572-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5316-579-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5368-586-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5412-593-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5584-618-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6168-1319-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6704-1341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads