5178698af746edc71aa62b2922b44dab11d597ccfc30822447c2627ec02176d6

Analysis

max time kernel
144s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d48a04911c42d7371b30de55c5a18414_NeikiAnalytics.exe
Size

406KB
MD5

d48a04911c42d7371b30de55c5a18414
SHA1

5139c0ac0dd6ed4268889099a7577315a73d2e6b
SHA256

5178698af746edc71aa62b2922b44dab11d597ccfc30822447c2627ec02176d6
SHA512

4384a191f7e36fffe22f99677c50260eae32edd7614c9eb81c2209b81c18e8f7d68a1aea1ab2e17de445d3934e2228b2ad1f55603f4b62bd48a190065a1e5c41
SSDEEP

6144:k4YIKLaU5U5Xj1XH5U5Xj83XH5U1XH5U5Xj8s5DXH5U5qXH5XXH5U5oXH:lOMp3Ma3M3MvD3Mq3B3Mo3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbioei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elhmablc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe

Executes dropped EXE 64 IoCs

pid	Process
4120	Eodlho32.exe
992	Ebbidj32.exe
2684	Efneehef.exe
3268	Ehlaaddj.exe
2168	Elhmablc.exe
4504	Eqciba32.exe
4360	Ebeejijj.exe
1724	Efpajh32.exe
3644	Ejlmkgkl.exe
4600	Emjjgbjp.exe
2236	Eoifcnid.exe
4900	Ecdbdl32.exe
5064	Ffbnph32.exe
4136	Fjnjqfij.exe
4016	Fmmfmbhn.exe
424	Fqhbmqqg.exe
4492	Fcgoilpj.exe
1368	Fbioei32.exe
3780	Fjqgff32.exe
4480	Ficgacna.exe
2420	Fqkocpod.exe
4076	Fomonm32.exe
4732	Fcikolnh.exe
4300	Ffggkgmk.exe
1344	Fjcclf32.exe
1604	Fifdgblo.exe
4032	Fqmlhpla.exe
3372	Fopldmcl.exe
2760	Fckhdk32.exe
2032	Fbnhphbp.exe
3940	Fjepaecb.exe
5012	Fihqmb32.exe
1828	Fmclmabe.exe
4980	Fobiilai.exe
5032	Fcnejk32.exe
4672	Fbqefhpm.exe
1668	Fflaff32.exe
3132	Fijmbb32.exe
4352	Fodeolof.exe
712	Gcpapkgp.exe
1508	Gbcakg32.exe
3916	Gjjjle32.exe
4452	Gimjhafg.exe
804	Gqdbiofi.exe
1924	Gogbdl32.exe
4468	Gcbnejem.exe
1940	Gjlfbd32.exe
3348	Giofnacd.exe
1360	Gqfooodg.exe
2988	Gcekkjcj.exe
2892	Gbgkfg32.exe
1020	Gfcgge32.exe
4692	Giacca32.exe
1436	Gmmocpjk.exe
1384	Gpklpkio.exe
2336	Gcggpj32.exe
4516	Gfedle32.exe
2792	Gidphq32.exe
396	Gqkhjn32.exe
3820	Gpnhekgl.exe
3616	Gcidfi32.exe
3356	Gfhqbe32.exe
4432	Gifmnpnl.exe
3556	Gmaioo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Gbjgbh32.dll	d48a04911c42d7371b30de55c5a18414_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Fihqmb32.exe	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Gcggpj32.exe	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Giofnacd.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Fjnjqfij.exe	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Lbdfmi32.dll	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Ekfnlmai.dll	Fobiilai.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Ogaodjbe.dll	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Lghekack.dll	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Eoifcnid.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Ejlmkgkl.exe	Efpajh32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Fifdgblo.exe	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Fcgoilpj.exe	Fqhbmqqg.exe
File created	C:\Windows\SysWOW64\Fibgnfha.dll	Fcgoilpj.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fmclmabe.exe
File opened for modification	C:\Windows\SysWOW64\Fcnejk32.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Fodeolof.exe	Fijmbb32.exe
File created	C:\Windows\SysWOW64\Gjjjle32.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Ffbnph32.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Gcpapkgp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5352	5820	WerFault.exe	226

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhilofo.dll"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhbep32.dll"	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmggiogn.dll"	Elhmablc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifqbnpb.dll"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efpajh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 4120	2276	d48a04911c42d7371b30de55c5a18414_NeikiAnalytics.exe	82
PID 2276 wrote to memory of 4120	2276	d48a04911c42d7371b30de55c5a18414_NeikiAnalytics.exe	82
PID 2276 wrote to memory of 4120	2276	d48a04911c42d7371b30de55c5a18414_NeikiAnalytics.exe	82
PID 4120 wrote to memory of 992	4120	Eodlho32.exe	83
PID 4120 wrote to memory of 992	4120	Eodlho32.exe	83
PID 4120 wrote to memory of 992	4120	Eodlho32.exe	83
PID 992 wrote to memory of 2684	992	Ebbidj32.exe	84
PID 992 wrote to memory of 2684	992	Ebbidj32.exe	84
PID 992 wrote to memory of 2684	992	Ebbidj32.exe	84
PID 2684 wrote to memory of 3268	2684	Efneehef.exe	85
PID 2684 wrote to memory of 3268	2684	Efneehef.exe	85
PID 2684 wrote to memory of 3268	2684	Efneehef.exe	85
PID 3268 wrote to memory of 2168	3268	Ehlaaddj.exe	86
PID 3268 wrote to memory of 2168	3268	Ehlaaddj.exe	86
PID 3268 wrote to memory of 2168	3268	Ehlaaddj.exe	86
PID 2168 wrote to memory of 4504	2168	Elhmablc.exe	87
PID 2168 wrote to memory of 4504	2168	Elhmablc.exe	87
PID 2168 wrote to memory of 4504	2168	Elhmablc.exe	87
PID 4504 wrote to memory of 4360	4504	Eqciba32.exe	88
PID 4504 wrote to memory of 4360	4504	Eqciba32.exe	88
PID 4504 wrote to memory of 4360	4504	Eqciba32.exe	88
PID 4360 wrote to memory of 1724	4360	Ebeejijj.exe	89
PID 4360 wrote to memory of 1724	4360	Ebeejijj.exe	89
PID 4360 wrote to memory of 1724	4360	Ebeejijj.exe	89
PID 1724 wrote to memory of 3644	1724	Efpajh32.exe	90
PID 1724 wrote to memory of 3644	1724	Efpajh32.exe	90
PID 1724 wrote to memory of 3644	1724	Efpajh32.exe	90
PID 3644 wrote to memory of 4600	3644	Ejlmkgkl.exe	91
PID 3644 wrote to memory of 4600	3644	Ejlmkgkl.exe	91
PID 3644 wrote to memory of 4600	3644	Ejlmkgkl.exe	91
PID 4600 wrote to memory of 2236	4600	Emjjgbjp.exe	92
PID 4600 wrote to memory of 2236	4600	Emjjgbjp.exe	92
PID 4600 wrote to memory of 2236	4600	Emjjgbjp.exe	92
PID 2236 wrote to memory of 4900	2236	Eoifcnid.exe	93
PID 2236 wrote to memory of 4900	2236	Eoifcnid.exe	93
PID 2236 wrote to memory of 4900	2236	Eoifcnid.exe	93
PID 4900 wrote to memory of 5064	4900	Ecdbdl32.exe	94
PID 4900 wrote to memory of 5064	4900	Ecdbdl32.exe	94
PID 4900 wrote to memory of 5064	4900	Ecdbdl32.exe	94
PID 5064 wrote to memory of 4136	5064	Ffbnph32.exe	95
PID 5064 wrote to memory of 4136	5064	Ffbnph32.exe	95
PID 5064 wrote to memory of 4136	5064	Ffbnph32.exe	95
PID 4136 wrote to memory of 4016	4136	Fjnjqfij.exe	96
PID 4136 wrote to memory of 4016	4136	Fjnjqfij.exe	96
PID 4136 wrote to memory of 4016	4136	Fjnjqfij.exe	96
PID 4016 wrote to memory of 424	4016	Fmmfmbhn.exe	97
PID 4016 wrote to memory of 424	4016	Fmmfmbhn.exe	97
PID 4016 wrote to memory of 424	4016	Fmmfmbhn.exe	97
PID 424 wrote to memory of 4492	424	Fqhbmqqg.exe	98
PID 424 wrote to memory of 4492	424	Fqhbmqqg.exe	98
PID 424 wrote to memory of 4492	424	Fqhbmqqg.exe	98
PID 4492 wrote to memory of 1368	4492	Fcgoilpj.exe	99
PID 4492 wrote to memory of 1368	4492	Fcgoilpj.exe	99
PID 4492 wrote to memory of 1368	4492	Fcgoilpj.exe	99
PID 1368 wrote to memory of 3780	1368	Fbioei32.exe	100
PID 1368 wrote to memory of 3780	1368	Fbioei32.exe	100
PID 1368 wrote to memory of 3780	1368	Fbioei32.exe	100
PID 3780 wrote to memory of 4480	3780	Fjqgff32.exe	101
PID 3780 wrote to memory of 4480	3780	Fjqgff32.exe	101
PID 3780 wrote to memory of 4480	3780	Fjqgff32.exe	101
PID 4480 wrote to memory of 2420	4480	Ficgacna.exe	102
PID 4480 wrote to memory of 2420	4480	Ficgacna.exe	102
PID 4480 wrote to memory of 2420	4480	Ficgacna.exe	102
PID 2420 wrote to memory of 4076	2420	Fqkocpod.exe	103

C:\Users\Admin\AppData\Local\Temp\d48a04911c42d7371b30de55c5a18414_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d48a04911c42d7371b30de55c5a18414_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\Eodlho32.exe
  C:\Windows\system32\Eodlho32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\SysWOW64\Ebbidj32.exe
    C:\Windows\system32\Ebbidj32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Windows\SysWOW64\Efneehef.exe
      C:\Windows\system32\Efneehef.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3268
      - C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:424
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        24⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        27⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        29⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        30⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        33⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        37⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        38⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:804
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3348
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        59⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        63⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        65⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        66⤵
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1928
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3904
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        70⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        71⤵
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        73⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4728
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        76⤵
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        77⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        78⤵
        Drops file in System32 directory
        
        PID:808
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        79⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5036
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        82⤵
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        84⤵
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3808
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        89⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        92⤵
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        94⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3296
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        99⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        101⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        102⤵
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        104⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        105⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        109⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        112⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        115⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        117⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        118⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        119⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        122⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        123⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        128⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4088
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        130⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        132⤵
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        141⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        142⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 408
        143⤵
        Program crash
        
        PID:5352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5820 -ip 5820
1⤵
PID:5144

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
406KB

MD5
cec08616a530afd7fc56b6ea33b40e9a

SHA1
6bb6b7759ab09d7b49af7ae93f6fc3a80ad8e0a6

SHA256
7acd313800714a07cfc2dd08e48ed392e1f5e8b853a363a4181021bc3797c3b3

SHA512
3451f08a044a8e4f287ada85098c868ee9212cd34eca0405660399358073b0f540629caa5286fa3e562d7810c416b7c1deb94b0697729e41daa51aca1923a99f

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
406KB

MD5
ef5a1904a5d635463736f3f280483391

SHA1
07f00f25a2d150508933e9efe7a3deaa6ea4fadd

SHA256
f7ecc68df7a34e94cf022eb656f5ef366edc5734272f3f593d9f6d4077cf300f

SHA512
ec51b235c9cb91ca41f47a28808ec2fb4b66de5ad6fc1eadc98da877843e0c3b023c2303c86aac250f13b0a13e8ea016b761761b1e367bc332d6672871b91551

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
406KB

MD5
16d7fa2b515a380bcc069b36eb96f9c2

SHA1
72940e239bc1d2130b5bde6be1b72792d1cd30d6

SHA256
f734a1852eab427181896219e9e58f1f0dfa8a99f84835c17168e6e1fa1c43b6

SHA512
bbd435d082cb3e7cc2b95933b25730657b62aeb42dfb96bcc1d0c968c044f9c4486fb3bc1cf0ed75ab1fc47370157ac6e72e87a0412725113c8c04b4979ab85a

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
406KB

MD5
17ae701c76e112cf66eedf9c2ff4ec22

SHA1
6778810edb6ed8d178ae909ab5d3b85e507f7b0d

SHA256
eac6e43d07c887b8b900056c71cf71a41b575ab7dafaf6677743617d23d554f2

SHA512
7f5e2ad98980f3facf31871fc565e6082f427d7b3940f55d5a4020dd22c59e0d2a9e53ddb8e0cd1ca8011cf34e3762d708ff2b4cfd1f1d3e2cc7936f76329443

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
406KB

MD5
a9bceeb776b14f07b5e1cd21551bce62

SHA1
c6f4cddb1e539478079e7212504546b15a9555e1

SHA256
1d11cef61c22b0cea31763f3c9d1d118320b7f99c7d077b816f806eac8319171

SHA512
c35d4cdb3bc83f0a0f70bc37cebfaced01bb9d9ff0018e51b4e121bb27e05b6d7873f1a2e831572d432e816f2d60797a48746a02a89dd5a7dfb6da3a2ae6544f

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
406KB

MD5
6a925995d6bd763f4d5a9f775b060035

SHA1
b163e069ac9e60b42130fe1c42d365606aa4e8d6

SHA256
dadada41768f7470132b94bb5a4546026b1cf1ace39ea7859fd68f04b7f9f15c

SHA512
dad9eeddc917907880d497690cc60db733bf831b90c139bab9955bba0c75c93ade7581d969ec94a5d5d4c53c09f82bc2510e0fd3240ca47ce90def24fdb1a7a8

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
406KB

MD5
f6331dc4d1d3b5e2586ebc084ff4f1d8

SHA1
0417d765e8f91d178c01a752727f532d8e327cfe

SHA256
9a30c184526835c49d5f28dc6b9d8bafcb268c84af483273e469e31757ed665a

SHA512
a39f40b57ced175e545c71bae00ea6a385582abb556cb208b41421827acaf9ad3a4b49846b312b37aa5105fe2751e000bf663b45f43a11b8226ada131d633fb7

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
406KB

MD5
6095a70bf39472334a24ff1d18eb1bd7

SHA1
21359d157f5a0328441a4fef977ba12d45f9f83a

SHA256
fff3892046204e912b466fc37e5f6dd8e4ddfe6809b7ff4fd780fd43bf3647ec

SHA512
88593a2c4b11506021c794f33a54c39ed4bbe64403945351902c9db9b3d02912696936d048bf1149c427a0271cbfad98939d8261fbc9e63af1d4815a9e20ee1b

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
406KB

MD5
1d8a06d204f7c23f9f269a946d3c84cb

SHA1
dd5784b28225217ab96a271b4b22920cf52043f4

SHA256
68c13a673ea7407a498add2370dfe46c66d1c2940cb2465a0416f998f722e4fd

SHA512
79e582981a8bc0e83a7a02f08e827debf7a231abb0aed4484e08a2343bc6a2d6b26c8a22d979c95c9c2a0f90997e11ee44482810c524aeee63c2d0008a2f6e92

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
406KB

MD5
daf6c30939fca08559616de245c2590a

SHA1
3a54a04785fdc42bf825111f1aeaa481d5585397

SHA256
26ea1bbe58c4bd8e876777c250706a3e1af96124b6ffe9318c3a61246ea9ff14

SHA512
d40639c570079433085345707c12f25cb5228f9c986792aa261eaa1a063a4a642558f46af455d67ba957e0fd3f1c2920958a62dd8749c5f8270b651dc3cc89ec

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
406KB

MD5
912c904c39204d6a8fc98642642cbfc7

SHA1
2235e957312045d7c465ece33db62f008975742d

SHA256
ecfdd8908f98428f9cd14ba91d0c4e9e831537fd5c4805b419d439e684e93c31

SHA512
e36d2e14f58f20fa9373d88dcca0afdd3809e4ffaed63244e8b8faa3ea2b27143b9b615a5f19ec7d8aa5275e345a1ed7b6becb9429085f65b6b2fdf7cae88990

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
406KB

MD5
ec7807e731076fa362ec4d493b3bff3d

SHA1
063b5ccc9ced35203c5134b46d70a18e83de0ce2

SHA256
a0cbb070342cc09664a7d4ef34cc879f9b1143fa320d5325af8fe144687e8850

SHA512
a8e73aef79f731af28a0725989bb9db5aefefb342c0bffc4070a1e590bb055fbdd7e19264d4d42af60d66b15caeca5f7668e8af4c80d93077515fa9206a05ed5

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
406KB

MD5
4c4b66e2eccb4688830262eeb247397d

SHA1
4dc21234b5cecb5ded39f262e321743575a27cb1

SHA256
91c3c4c0facc6ee237d59e89cae2727e9473ff1f44197ee0879b3ab4757c6f0e

SHA512
4e893fa0748479215471218d4e72edb5b2933f98f4012f1a1094ddd85e05eedb1fec8c222d2db7a96e024937416b2170f263ef4e8e774d6f1506c4cd65297556

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
406KB

MD5
0d23bf2153de96ab68fcf8fc02440f20

SHA1
6ddc9c2f759e54247ca716cdebedbe4751102ae1

SHA256
5126344551376e112a3a822b3b91d701e186f639394edcd3e668c9aac0d26817

SHA512
ebca887a31e5c4dc0375e3ea388f9ed7d518ca32ae6e1f83f1b885cc890762663a323382b8aec86f7c13e05810382a55ff7a7509b96c35fec29692c6ff4a7778

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
406KB

MD5
0deebd8f59fdd48202de3092f287fd4c

SHA1
0dad74173279a64605dd50b16231278706b1dd19

SHA256
2fac21065c87908e9c7bb6e9d0016efb629723fbe92d44989247d40c826c7d0f

SHA512
a5a531a2c652a88e984ec068ef475ada06aa0093b8a25a15e2f11f5c2f918081ddae5e36c4c8d3f544ded8d87cc0e0cd02f7ef98a66ee3fe13ff728eb99dc145

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
406KB

MD5
926af539d93b10548902ea3d6533e741

SHA1
62aaa24cb7ec4c833349faa0b5a5267eafcbf470

SHA256
3319a31ff324864bf60c414a1830905b8254b80b6236e9445f593811b67a8a43

SHA512
a6ef98fee09ca0843a2dc7f4d7c10e811f8e9c2f2836c41b94a7d0c092bb521db343e7cee2bcba49c21a007e18a16396a303cb667088123168a59a86b53d562a

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
406KB

MD5
5728f8e96979b0f09e6a70b7725a2cd7

SHA1
ae236e8c5b8d8f66d80bef11838211960821746e

SHA256
ec65154306145f40623543507d859a90c9569d5f139035935d45af0012fac60c

SHA512
d6c54fbc14e049e2993bfde24c371feb7e5213e3e7ca59850714ebdfdef43c83a73acaba5fa4f7dbd90ce4f8fcc37d5470fda6e47018e99da6d07f5f3b61d17f

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
406KB

MD5
67a3d2409fe4c151d4e4ea589146b410

SHA1
3154d2c6d38cc840a4eaee4b956f7c3350b29ba6

SHA256
d7d6b122f184787e004da09d5dc61c985ea671fb62e1517c81cd643a50d6b591

SHA512
f1f8de322b1f66d10d48457c86cf2ec668bda0e71003970aa29e337297e9d38b17a5287f2f6002548bd75321429d2291026875124667c8dceec6c70271fed5b6

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
406KB

MD5
d567f09539b67826b97d5f15818e4bf4

SHA1
b54d4e898232daefcf402f4f646a260a2ddf5ed1

SHA256
a75270362b2202809f92ab2cb850ef4cb9f1fad8d6e106d3a27e841f841c8fa5

SHA512
26605704ac17ef6f09e4684ee71146de8224ef15dcdccf47598dad9afb681671765f0eb5fb991621106b7d3b07d42e6d713848ae7755b022b0a62d72157c0a23

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
406KB

MD5
c3bd37e3d9e225883a0bd2622a911b47

SHA1
15974de90d3e9c77574f488107e15fb0d4225ed0

SHA256
548b58c8f78d5ca17183edd38d9846cd8ca1cb115a3dac686b3885c15a91555c

SHA512
f6e3719c71d103d413af5541430f708bd912ee33166ccbfe8b32b9d1b90fb068229ecdbbb367befc844f265e37478643e88819f55f7427746feed412b78efd08

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
406KB

MD5
bf1d1ceab8cba1656dbf5f0dd56e7246

SHA1
e754fcb9d8f3a1c84496de24cb222fefa61b7e6b

SHA256
ef7c24810c58574ea09676da42de44d7113d960dca49567b31ec6e8257f46b15

SHA512
54ae2beffd24d751e3bdddb15681918ccd3614b55034482afecd608b54f68474565bb45b73de7d37870b4f36e3650e7d9019d8c8bde66274e9dc162eb8322418

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
406KB

MD5
9ee215e3e04aadb837a4d673cc42e8c6

SHA1
7dd1f2d8604d8de09a4ca84661d16e483e58b3c7

SHA256
288204d33e849e54a1d92c024cd1751bfd891f4d1dd27ba9b81da5dfb1a6f744

SHA512
7395ae99517732e9e557dc94639476d1d6013b6613cc655fcbd905825c894708e0f5b623a152a8f084a22a097685b8d0b36d77ecc9eab0a45c6d5bbdb32241d8

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
406KB

MD5
a21aeb7cf5e657324e1a249d193d5fc6

SHA1
7102782873e5ab432bb6588ef6763b6bc68fe5ea

SHA256
e3ec5622a331dd59146693909d193e551b65cac24871185864fe04673d37335e

SHA512
1f3648ba2a9e9b5753bd51a853aa9e9828c03c08c444dc57ae8f4abce39c647ef68bbfae822af1ca688ed6430d60f825da89f1ad83339e1c46f8be3f94a61e43

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
406KB

MD5
72b79e2f0ef2e64f206386693678256e

SHA1
dec5552de788c7700d8a4e09b984cbac1f184d47

SHA256
a383e5cdafea0ca1b39e0943e4cb944cac3cb84053927187cf4f0e660848d826

SHA512
2e96aecc68119b7e5a613b228f06e6d299c4a3a4fb789b6a7cdd4d5d6c7f9e08b5cbb386b1a022e9173fd5368149dfc36d09cfe3ea11f0f47ae41998e9ab73f4

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
406KB

MD5
1f12f2fbaa5c34344d9c40b65526946a

SHA1
8b5985276d1219c4a6fb6ac46d7c374092ce98f4

SHA256
41ab8664d8b15ac8bab5edc416ea854b614c5de6c3cbc01a6102d4de00056271

SHA512
c72a2d9323e46b357d069e98a3d20e3c38006ddf6e61ddf01930559b49739cb79e07249edcc0cbfaa571e9041c84d05d0a677789c24f92e69c60a3164d3ff187

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
406KB

MD5
0e93494c0e9779b064794816595f83e4

SHA1
247c40ad1733e4b0237287ef0af9f80a48421430

SHA256
703f70cce92cb6410fee343b63db19276fb37187490cd2fa3cd1bbf7b9a57f61

SHA512
ab5f8f928c3a76126432f7a5fcfd10cb735b80500076fb211b091596b80323f642af03eadfcf1f10b9467e5e0df4459da55e6362754d2e35e2a11fabaf40e13a

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
406KB

MD5
898c295ffebac17fb7d6f891dd062765

SHA1
b00fb8eead4c2e2f6cfa889e71cb31390bcd54fc

SHA256
59fc20f60f4e5d80d688d191ec58a59456807a9783e92bf42428a90667bf32d0

SHA512
8c26553725464a0d05d15c5583d39cd83b682e0f78b5e3b0f6edf6d312e9be101e78f4faa1b7f85de6d2f21b88defdfa3b1b989c5a5a8826165612239dfc00ee

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
406KB

MD5
0ebde5079be574480b9cf8860fd3b593

SHA1
c0537bf15bafdd8dff9a714a70be991f95c2dd71

SHA256
e5e92f1f2e22c466ac62502d19de91549f50430df99dcc120da07e6987116878

SHA512
5ca33a52caa29377370d3fbb0b8b68f81623f2ce4db438bd93c9fc08269960e5d527b6c2bcc5da0990f82dad2533539199e22f2da98ba87497f3d26b794d8d0b

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
406KB

MD5
d45128a315e5d8c701ede959b7a4e3a7

SHA1
18ceea5fc921f512e9501ffcef44348cb7201db8

SHA256
a294cd5ae1c8b97e2db3ce24ff74ea959f9fa8b904cc61c0371caf0a6c7b20ff

SHA512
719c01fb2811cf031fb0490f47d1255ddb845e80e27cd719df6bef276cc40fa27d4b1d9b41c40a10e0e9a75bc999ea3f2ca3952db8abf64860276d168873c52c

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
406KB

MD5
ac6caf6005e824cbaa0f680983561bb8

SHA1
e6348d86d01deb5cdbb85a74d11d359d869e9122

SHA256
4072d2b3397f273df720fb2355797ce9cc1197bcd35715231b1d3f76fdeadc42

SHA512
a7852885dc05fd44bc223c6fdba76fea82ccda73f5128f8e1542974bfe269ea2bc035f13f0c5a19acc6dad1579be03c844a6cd853e175772b12a40fbd62fcbd7

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
406KB

MD5
ba6cc9218aca14de0c12ea5d148e8b11

SHA1
56ca32b53d370173a8f06c3655fa6302c7175eeb

SHA256
abacbc4e8a597341cd90f22ba251f4abe150f9d02964f64034020ccebe5bbafa

SHA512
c1a07c3b268c8cf8a3a8d2e46cc5c69868fde3a26dd9af619881556d6550a25f621be131cdb80e4b6dbfbe7ab1e6b5eff960d3f2ea76bcee468cf7b0c46a1e2e

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
406KB

MD5
d4b1e3d519e0337c8de193d1a6618bc4

SHA1
3c3778485c3de52cc16d255eb407a20601af26b6

SHA256
fcf639c3a10cee627b870124248c8d01259324350ea27772b9b17ba2740f98f7

SHA512
d0dcbcc1122890584466b4b92ce05850bac452c5a4727fd410fd557faa019e2d3c7c3f09dcdf328406cd60d55b806b28e87592fd8bb01dd32bd908aef191e57c

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
406KB

MD5
f1ad8b9ca2d596a29078374741c2787c

SHA1
289a41eb965a6853c9ab4211704342dd3bc6bba5

SHA256
469d58ff3ce4322a9b05fabc67f08c28a89fd13737e8772a2ac521b35dff82b3

SHA512
030c10aec4106eaaeb29afedd7b9c7c7c04307eb9b7dd664085835f5f7dd489793a75d136e97d8ec5990ab1625d7eb85fd51c78ebd33e143aee902e2b8ad11ca

Download Submit
memory/424-406-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/804-427-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/804-1063-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/808-503-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/992-21-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1136-572-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1268-502-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1344-419-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1344-1101-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1360-436-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1368-408-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1604-421-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1608-590-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1644-453-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1724-398-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1924-428-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1928-455-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1940-431-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2032-424-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2168-45-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2208-982-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2208-547-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2236-401-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2268-560-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2276-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2276-7-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2356-776-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2388-454-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2420-411-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2536-533-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2684-29-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2792-444-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2892-1049-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2892-438-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3052-611-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3208-578-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3268-37-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3348-435-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3356-1027-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3372-423-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3384-530-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3556-452-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3644-1133-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3644-399-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3780-409-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3808-561-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3812-496-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3904-456-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3916-425-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4016-405-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4032-422-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4052-542-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4064-596-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4076-412-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4088-798-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4120-8-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4136-404-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4136-1122-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4256-963-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4300-418-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4360-397-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4432-450-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4452-426-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4452-1064-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4468-429-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4480-410-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4492-407-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4504-396-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4512-469-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4600-1131-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4600-400-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4672-1078-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4692-439-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4728-479-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4732-416-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4820-974-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4884-457-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4892-509-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4900-402-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4920-485-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5036-519-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5064-403-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5084-588-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5160-622-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5172-834-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5188-754-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5204-627-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5288-755-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5288-909-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5300-635-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5364-645-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5388-763-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5400-647-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5452-658-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5488-659-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5488-943-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5600-674-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5616-787-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5644-789-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5688-682-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5728-691-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5764-811-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5768-693-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5812-929-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5860-709-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5896-714-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5908-885-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5940-716-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5964-821-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/6024-732-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/6064-737-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/6116-833-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads