53d96c114b1a221b68c7dba97c682d82057ae5c235c0fbddec2a04f477d924cf

Analysis

max time kernel
144s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc9b6d774ddb081f8483a0fed2ea3660_NEIKI.exe
Size

109KB
MD5

bc9b6d774ddb081f8483a0fed2ea3660
SHA1

8a7e9d03560ea53261001f5b74e71885ed0252eb
SHA256

53d96c114b1a221b68c7dba97c682d82057ae5c235c0fbddec2a04f477d924cf
SHA512

3798fe9b94354da9c7be004fb9529ee404137009d2afa4abd85c2541783edbd33faf8d9eddb459aa84471b21945f3397f313e295b5013ba47bb95e9b4510cd45
SSDEEP

3072:5rSVGklC7R/d7J92DLCqwzBu1DjHLMVDqqkSpR:5rSVLCdJJ9Uwtu1DjrFqhz

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eleplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Denlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhlhjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/216-0-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341a-14.dat	family_berbew
behavioral2/files/0x000700000002341c-23.dat	family_berbew
behavioral2/memory/1724-28-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4912-21-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2564-12-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0008000000023413-7.dat	family_berbew
behavioral2/files/0x000700000002341e-30.dat	family_berbew
behavioral2/memory/1508-32-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023420-38.dat	family_berbew
behavioral2/memory/1580-44-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023422-46.dat	family_berbew
behavioral2/memory/1736-47-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023424-54.dat	family_berbew
behavioral2/memory/4788-55-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023426-62.dat	family_berbew
behavioral2/memory/3924-63-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023428-70.dat	family_berbew
behavioral2/memory/1032-72-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342a-78.dat	family_berbew
behavioral2/memory/3472-84-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342c-86.dat	family_berbew
behavioral2/memory/4088-88-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342e-94.dat	family_berbew
behavioral2/memory/4780-96-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023430-102.dat	family_berbew
behavioral2/memory/4976-108-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023432-110.dat	family_berbew
behavioral2/memory/2568-111-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023435-118.dat	family_berbew
behavioral2/memory/4408-120-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023437-126.dat	family_berbew
behavioral2/memory/3560-128-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/628-138-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/5000-143-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002343b-144.dat	family_berbew
behavioral2/files/0x0007000000023439-135.dat	family_berbew
behavioral2/files/0x000700000002343d-150.dat	family_berbew
behavioral2/memory/3596-152-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002343f-158.dat	family_berbew
behavioral2/memory/3668-160-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023441-166.dat	family_berbew
behavioral2/memory/372-168-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023443-174.dat	family_berbew
behavioral2/memory/1188-180-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023446-182.dat	family_berbew
behavioral2/memory/4216-183-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/1672-197-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023448-191.dat	family_berbew
behavioral2/files/0x000700000002344a-198.dat	family_berbew
behavioral2/memory/4488-200-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0008000000023417-206.dat	family_berbew
behavioral2/memory/388-208-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002344d-214.dat	family_berbew
behavioral2/memory/1156-219-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002344f-222.dat	family_berbew
behavioral2/memory/2800-228-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023451-230.dat	family_berbew
behavioral2/memory/4756-232-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023453-238.dat	family_berbew
behavioral2/memory/3332-244-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023455-246.dat	family_berbew
behavioral2/memory/4628-248-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023457-254.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
2564	Dcopbp32.exe
4912	Denlnk32.exe
1724	Diihojkb.exe
1508	Dhlhjf32.exe
1580	Dadlclim.exe
1736	Djlddi32.exe
4788	Dohmlp32.exe
3924	Debeijoc.exe
1032	Dhqaefng.exe
3472	Dokjbp32.exe
4088	Daifnk32.exe
4780	Djpnohej.exe
4976	Dpjflb32.exe
2568	Dchbhn32.exe
4408	Ejbkehcg.exe
3560	Epmcab32.exe
628	Eckonn32.exe
5000	Efikji32.exe
3596	Eoapbo32.exe
3668	Ebploj32.exe
372	Ejgdpg32.exe
1188	Eleplc32.exe
4216	Eodlho32.exe
1672	Ejjqeg32.exe
4488	Ehlaaddj.exe
388	Ebeejijj.exe
1156	Ehonfc32.exe
2800	Eqfeha32.exe
4756	Ecdbdl32.exe
3332	Ffbnph32.exe
4628	Fhajlc32.exe
4528	Fokbim32.exe
1768	Fbioei32.exe
4864	Fmocba32.exe
4024	Fomonm32.exe
1108	Fbllkh32.exe
4920	Fifdgblo.exe
4548	Fqmlhpla.exe
1040	Fckhdk32.exe
4664	Fbnhphbp.exe
4644	Fjepaecb.exe
4396	Fmclmabe.exe
1916	Fcnejk32.exe
5012	Fbqefhpm.exe
2180	Fijmbb32.exe
1392	Fmficqpc.exe
2356	Fodeolof.exe
3432	Gbcakg32.exe
3948	Gjjjle32.exe
4588	Gmhfhp32.exe
3200	Gogbdl32.exe
2092	Gbenqg32.exe
2020	Giofnacd.exe
2328	Gqfooodg.exe
916	Gbgkfg32.exe
804	Giacca32.exe
636	Gqikdn32.exe
1036	Gfedle32.exe
3968	Gmoliohh.exe
1340	Gpnhekgl.exe
3336	Gbldaffp.exe
868	Gifmnpnl.exe
4448	Gameonno.exe
2536	Hboagf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fmclmabe.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Fbnhphbp.exe	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Gbenqg32.exe	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gmhfhp32.exe
File opened for modification	C:\Windows\SysWOW64\Himcoo32.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Cniohj32.dll	Eckonn32.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hfachc32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Lmbocjjm.dll	Giacca32.exe
File created	C:\Windows\SysWOW64\Ejbkehcg.exe	Dchbhn32.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Djpnohej.exe	Daifnk32.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Ehonfc32.exe	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Fibgnfha.dll	Fokbim32.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Djlddi32.exe	Dadlclim.exe
File created	C:\Windows\SysWOW64\Fmficqpc.exe	Fijmbb32.exe
File created	C:\Windows\SysWOW64\Gmhfhp32.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Eodlho32.exe	Eleplc32.exe
File opened for modification	C:\Windows\SysWOW64\Efikji32.exe	Eckonn32.exe
File created	C:\Windows\SysWOW64\Qjebnamp.dll	Ejgdpg32.exe
File opened for modification	C:\Windows\SysWOW64\Eodlho32.exe	Eleplc32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ejbkehcg.exe	Dchbhn32.exe
File created	C:\Windows\SysWOW64\Gqikdn32.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Giofnacd.exe
File created	C:\Windows\SysWOW64\Fomonm32.exe	Fmocba32.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nokakckp.dll	Diihojkb.exe
File created	C:\Windows\SysWOW64\Fbllkh32.exe	Fomonm32.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6944	6424	WerFault.exe	280

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Denlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Denlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eceakm32.dll"	Dadlclim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfnlmai.dll"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhlhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dadlclim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifpphha.dll"	Ejbkehcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpjflb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaapo32.dll"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhlhjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgghma.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 2564	216	bc9b6d774ddb081f8483a0fed2ea3660_NEIKI.exe	84
PID 216 wrote to memory of 2564	216	bc9b6d774ddb081f8483a0fed2ea3660_NEIKI.exe	84
PID 216 wrote to memory of 2564	216	bc9b6d774ddb081f8483a0fed2ea3660_NEIKI.exe	84
PID 2564 wrote to memory of 4912	2564	Dcopbp32.exe	85
PID 2564 wrote to memory of 4912	2564	Dcopbp32.exe	85
PID 2564 wrote to memory of 4912	2564	Dcopbp32.exe	85
PID 4912 wrote to memory of 1724	4912	Denlnk32.exe	86
PID 4912 wrote to memory of 1724	4912	Denlnk32.exe	86
PID 4912 wrote to memory of 1724	4912	Denlnk32.exe	86
PID 1724 wrote to memory of 1508	1724	Diihojkb.exe	87
PID 1724 wrote to memory of 1508	1724	Diihojkb.exe	87
PID 1724 wrote to memory of 1508	1724	Diihojkb.exe	87
PID 1508 wrote to memory of 1580	1508	Dhlhjf32.exe	88
PID 1508 wrote to memory of 1580	1508	Dhlhjf32.exe	88
PID 1508 wrote to memory of 1580	1508	Dhlhjf32.exe	88
PID 1580 wrote to memory of 1736	1580	Dadlclim.exe	89
PID 1580 wrote to memory of 1736	1580	Dadlclim.exe	89
PID 1580 wrote to memory of 1736	1580	Dadlclim.exe	89
PID 1736 wrote to memory of 4788	1736	Djlddi32.exe	90
PID 1736 wrote to memory of 4788	1736	Djlddi32.exe	90
PID 1736 wrote to memory of 4788	1736	Djlddi32.exe	90
PID 4788 wrote to memory of 3924	4788	Dohmlp32.exe	91
PID 4788 wrote to memory of 3924	4788	Dohmlp32.exe	91
PID 4788 wrote to memory of 3924	4788	Dohmlp32.exe	91
PID 3924 wrote to memory of 1032	3924	Debeijoc.exe	92
PID 3924 wrote to memory of 1032	3924	Debeijoc.exe	92
PID 3924 wrote to memory of 1032	3924	Debeijoc.exe	92
PID 1032 wrote to memory of 3472	1032	Dhqaefng.exe	93
PID 1032 wrote to memory of 3472	1032	Dhqaefng.exe	93
PID 1032 wrote to memory of 3472	1032	Dhqaefng.exe	93
PID 3472 wrote to memory of 4088	3472	Dokjbp32.exe	94
PID 3472 wrote to memory of 4088	3472	Dokjbp32.exe	94
PID 3472 wrote to memory of 4088	3472	Dokjbp32.exe	94
PID 4088 wrote to memory of 4780	4088	Daifnk32.exe	95
PID 4088 wrote to memory of 4780	4088	Daifnk32.exe	95
PID 4088 wrote to memory of 4780	4088	Daifnk32.exe	95
PID 4780 wrote to memory of 4976	4780	Djpnohej.exe	96
PID 4780 wrote to memory of 4976	4780	Djpnohej.exe	96
PID 4780 wrote to memory of 4976	4780	Djpnohej.exe	96
PID 4976 wrote to memory of 2568	4976	Dpjflb32.exe	97
PID 4976 wrote to memory of 2568	4976	Dpjflb32.exe	97
PID 4976 wrote to memory of 2568	4976	Dpjflb32.exe	97
PID 2568 wrote to memory of 4408	2568	Dchbhn32.exe	98
PID 2568 wrote to memory of 4408	2568	Dchbhn32.exe	98
PID 2568 wrote to memory of 4408	2568	Dchbhn32.exe	98
PID 4408 wrote to memory of 3560	4408	Ejbkehcg.exe	99
PID 4408 wrote to memory of 3560	4408	Ejbkehcg.exe	99
PID 4408 wrote to memory of 3560	4408	Ejbkehcg.exe	99
PID 3560 wrote to memory of 628	3560	Epmcab32.exe	100
PID 3560 wrote to memory of 628	3560	Epmcab32.exe	100
PID 3560 wrote to memory of 628	3560	Epmcab32.exe	100
PID 628 wrote to memory of 5000	628	Eckonn32.exe	101
PID 628 wrote to memory of 5000	628	Eckonn32.exe	101
PID 628 wrote to memory of 5000	628	Eckonn32.exe	101
PID 5000 wrote to memory of 3596	5000	Efikji32.exe	102
PID 5000 wrote to memory of 3596	5000	Efikji32.exe	102
PID 5000 wrote to memory of 3596	5000	Efikji32.exe	102
PID 3596 wrote to memory of 3668	3596	Eoapbo32.exe	103
PID 3596 wrote to memory of 3668	3596	Eoapbo32.exe	103
PID 3596 wrote to memory of 3668	3596	Eoapbo32.exe	103
PID 3668 wrote to memory of 372	3668	Ebploj32.exe	104
PID 3668 wrote to memory of 372	3668	Ebploj32.exe	104
PID 3668 wrote to memory of 372	3668	Ebploj32.exe	104
PID 372 wrote to memory of 1188	372	Ejgdpg32.exe	105

C:\Users\Admin\AppData\Local\Temp\bc9b6d774ddb081f8483a0fed2ea3660_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\bc9b6d774ddb081f8483a0fed2ea3660_NEIKI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\SysWOW64\Dcopbp32.exe
  C:\Windows\system32\Dcopbp32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\Denlnk32.exe
    C:\Windows\system32\Denlnk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\SysWOW64\Diihojkb.exe
      C:\Windows\system32\Diihojkb.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
      - C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1188
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        24⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        25⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        28⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        29⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        31⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        34⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4864
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        37⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        41⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4644
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        44⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        45⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        48⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3200
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        53⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        55⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        56⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:804
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        58⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        59⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        60⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        63⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        64⤵
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        65⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:396
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        68⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        69⤵
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        70⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        72⤵
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        73⤵
        Drops file in System32 directory
        
        PID:736
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        75⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        77⤵
        Drops file in System32 directory
        
        PID:3376
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        78⤵
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2708
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        80⤵
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        81⤵
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        82⤵
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        83⤵
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        85⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        86⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        88⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        89⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        90⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        91⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        92⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        94⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        95⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        97⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        99⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        100⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        102⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        103⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        104⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        106⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        109⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        110⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        112⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        113⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        115⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        116⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        117⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        118⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        119⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        121⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        122⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        124⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        125⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        126⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        127⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        128⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        129⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        130⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        133⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        135⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        136⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        138⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        139⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        140⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6256
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        146⤵
        Drops file in System32 directory
        
        PID:6300
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6388
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6480
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        151⤵
        Drops file in System32 directory
        
        PID:6524
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        153⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        154⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6704
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6748
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        157⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        158⤵
        Drops file in System32 directory
        
        PID:6832
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        160⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6956
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        162⤵
        Drops file in System32 directory
        
        PID:7000
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7040
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        165⤵
        Modifies registry class
        
        PID:7144
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        167⤵
        Drops file in System32 directory
        
        PID:6244
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        168⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        169⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        170⤵
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        171⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        173⤵
        Modifies registry class
        
        PID:6640
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6724
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        175⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        176⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        177⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        178⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7096
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7164
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        182⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6456
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6532
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6668
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        187⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        188⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        189⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        190⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6424 -s 412
        191⤵
        Program crash
        
        PID:6944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6424 -ip 6424
1⤵
PID:6852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dadlclim.exe

Filesize
109KB

MD5
1d5da06e1629b5707a755d07b8bf66d7

SHA1
a3e7541f227390dc8db4cf693def3a1392126a49

SHA256
9e8f19d131be0d33a9eb6942b940008eb23b84e43bd8b4ce11c4e9f65bc992b1

SHA512
b799df0b66c4535cca71b8a92a4f520c1d8b9936dc5932abf16a566f0feb506624448c7898b9be577449248610a8c4ccbc8df7508df1cf7b26bd8914e0d0a542

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
109KB

MD5
e98d0857ff34b573b8a20fc6c6b9d9da

SHA1
46a1a80b9e9d97b3e53924773a9ae815ffcb4416

SHA256
8bc672b0b296c74aff6c5c76660916fbd2ddc1e4c890e1b7778df3a06c606caf

SHA512
f3763595264cffc3e3cd492ab9d867146870e4587c9159089def325b174d14c1bc89e7bf362d96d6d01abe9215875c005d178df76a7df6de21710bfb5ac70799

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
109KB

MD5
8916472f1575526ceb7b72a50ed632e0

SHA1
b07fde4f54b9bd0bfaa5d26df6c5e996cf62af58

SHA256
f4306f8b234c69efe32bb41360e2128466d6dc20c779264b4b2f82cacd79b4dc

SHA512
8be19c9e1d76e8e1a904f5cc7a30d145c65949cb5ef6ec7d8bc51c2ad0bdeef9c32ad01d536be4ca0948212d57bd68cf0f3c872ba105bf4c21467b67e5813b60

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
109KB

MD5
8e6551c665973781eeace13b4d10507b

SHA1
64141c743463620b9b4c752f836b4ef576556201

SHA256
8872027a367a907d0db0836e8ee5b10114f7c724532ec4127eb13668cbdbb579

SHA512
e650808ba2cf59547b830a76ead0dfbfef704066a5ca42dd5de0778505a4ea00f345c844189be33cdacc4dd8488c37ab7cdbeea7ea0bb80f08398ee207b2c239

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
109KB

MD5
367ed868477c2df8a953c58e00e04b93

SHA1
6a27200eb0f66546e40fc9bec7f16f7d8bd087c7

SHA256
f9c83a5e9f8416bb1bd040da86b80798b196557714de62a3f6d30a38b2b14b59

SHA512
108f75decb2523c3288e22ab04dcccd4d7c7bf3863b4b089af63e0248e57883b2e288236db5af45c97e5a7825428a0d9acf67ddb1728abeec517bc85c8b50723

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
109KB

MD5
c8a6aff86336898de4c76a2cbb2f07c8

SHA1
94c5bed23bc15453986a45b30df611ca7f070ba3

SHA256
f08f9e6dfe40334cda19c67a6dd89e5cd2ede312de06bad2f874c0fba947733d

SHA512
e33710d8ae3b8b0e9e8d299427013bcf31acaa1675a60b7e51d39eeb0a943f874b5400593381c769dd3a20db71140b1b3b2a933edc9cab46cb0e47c86b59d1cd

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
109KB

MD5
7bf9b2fb8b3d5e516b2b919fcdb1c91b

SHA1
e53204d28bafd060bbf039d237e1ec94b92b2b0d

SHA256
90931134b7b6afda60cad0088cc1414fc497dd7a0b96830806495a987c552aa4

SHA512
791f9d5bf6c43d63f4a2c7b5afcaffb7d3c631eab2eaf1cd3b9a0eb0fc66ff8921fba0efac3148b607c14f428ee75c95f2567284f7ace8ed7e3eb9e23727c361

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
109KB

MD5
2a3211167f9a6e963deb2f1352dec241

SHA1
de43f4db0e1adb7f1832493a9734600f5659f108

SHA256
510b89a731d2c8f69df6965481176e5d95f7fcb0f1541bded8d579758cbe5973

SHA512
37c8aec29fd5ea26cb97021818311a26d68d2f519687014a38dba15127810667648724ef19dabd407d4216697796f03c31a1704066706869b8e64a1c65e57ce2

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
109KB

MD5
4a222e1e2b129c8d7dcc11e043e17c4f

SHA1
febcb738a110e6c61e665be68e7714ab22e02466

SHA256
97d897fef8322fdf39fb771fa113f87db7ee70b2749d3269b001088b283af0ca

SHA512
a783cd9144ad63c2a95bcdd26f86078b7fe5ee05cc5d9d5d1775c5a8197a30f14a39ef0e2274c08616e58c73812f763d80988dda136fd3f9d5fe4d08eab504aa

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
109KB

MD5
5c9df57dd4c380425c4197a929639f19

SHA1
080a349e9d9cbe54c8e953f888bc56a41fc4b85e

SHA256
ea44406930f9c31a92bb4c612f14fd8445680085c8770c4c034a6958bee3d932

SHA512
5bcdb2bcf6b2781b3839f9829763d4e4c58b52d405e9d9122713f972856a58f78dac77d29c2331b2a602013e37b9bfa4625ee31b2e9f2e5631f8db422e7ada06

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
109KB

MD5
d21d09f0e9b5981707bb41c1be90c368

SHA1
9bf3777d3fa4ab850142f8fa0d28a8ba504caa2a

SHA256
2687d281194f828dc270ce047bfb8c0ff74fec0bb884869737792b7ec7e5fca9

SHA512
2c78263ab4f3f2c45cff282b9415706b94ab5d15bdd671d54780ab779222df43d239cfcc467704d10e352c1f0a4b8e0c85a15842df478f9888ef8601d7a35356

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
109KB

MD5
cdeb3d6a990630725d3a3223a767b79e

SHA1
46240da73e57c9d65f5d5ff1dba898956eddb6b4

SHA256
72d60a9911c88c68ece7132a845c10a1a6b78822572baeab02f4baf843fe0db6

SHA512
f904aad6d16b82bbfae75018a4923ce6e1d42c5e5579cf7b979fbbd754b0b82d1956da67e4b7319f1db198823059e04126e38f1b9c94e4c4d1c988bc24daa4e1

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
109KB

MD5
b52998c4553a96b70f548fc0dd851148

SHA1
9abc82add8dde3c3010fc7ab16dc15a69ab1bf6d

SHA256
79e41a5d44a1d63bad22d016fad674093ada6a857284ef2879ddb9d9945e6509

SHA512
8b14ac0092dea6170e46ab49d8bc169bb96530c71c2b5eab3ab8bed375bad4e53ddb9bb408c2f49f26732cbd361c39be3d2afbf075106cf622ae8f652f833f92

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
109KB

MD5
6a6227229c73ba54c90a1b024e0e7a5f

SHA1
76f6cabc574791d013df2f784cfb044e1b3b1432

SHA256
4f3f1b1fce8a5cf6dd523a4fe08a09d320ebd799e6f3c8ea1f6f3ee9c5ec03bd

SHA512
9083a2fe4d6dcb635c105a8143417347dcca40c06465a6e356e4b22bc826db5a43472346c11b2ba350de7796fab12e5cf0244deafe3404dc85cf95255f97451a

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
109KB

MD5
7191929b402bfdc51c6d55b81dd55719

SHA1
6bef983fccf853fef6ca698a7ee555dd0f1c828f

SHA256
d007e11a6ae8484ea5d53191c37158a056b4541a3f150bcc77a093fd3350c573

SHA512
cbe90eed34f86f904e0f48e2a502f85986096bbe6b89130b842fbd30275d3ee632cd960d586fedbf3941476386b4f8ce972319decd5c99de3602be6d6029b047

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
109KB

MD5
542d43873dbdf7b8044bef38ee8389df

SHA1
7b035320d479c094399d9c43bc5a91b5c4f22b04

SHA256
fe1c22583d9757b42c0741b9328a56c5190bc80cec9160285f2c2588c276a9a2

SHA512
e3f9b5a7f7b277a67fb942feef57e7ab9b29664d8f38a53eadc4790fd89060dfc791df503575bf9a45523c9101779e7c5f57cf891acd823a718ddb79d896c959

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
109KB

MD5
73270f38e611f9fb867f4df64fec0e50

SHA1
fbf5766bce8466da2f705c48e6b0c6aa0a7a2aba

SHA256
4aa7b2592be0fa134b7024c8b8f6b30e2b6d26b902237f2f57549019d7635d92

SHA512
5a9d2138c67d15e2a7c5aa1a06d7b88dd0da74a5ab40a40bbf11e2170b51ebaaba23e9985734b568b787e596f6f481897314ba5ae38baa2b4b79345246bcbeae

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
109KB

MD5
49baad739ec72b1112291d62fea40906

SHA1
c3d3933adb74381d7abf760c9b6f57e3bdb1a17d

SHA256
3136994a5dec960c7fe3c61ee507815c38165b609f2812410de51497d35f705d

SHA512
87adb109f507a4678b84bb9bd2d7245ed0de093a2bfcb3631e7d29eae885761c69f89ee65b1eb2f3bf6820d04519c22767ca51dc5d969c79082c019476bb62ed

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
109KB

MD5
567b9c7b7ff7c4fed11eaa745d9eb989

SHA1
673a4aded28bda5ff690b76f23c234177ffb2416

SHA256
894bdd55a77b709663d572edd83dafc37c1e3d8127c4972f9b1b35b22f7aa610

SHA512
4e630a10b2f3e741613a79b9ba5168fd97a0a66ba293e196d3494d966270a3987866fd93e28830d7b36b506b96e6bc4fb166cbd8e12b3b14b1abaac3776b2652

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
109KB

MD5
90991bbb1c57b81f46b98baa2cf4630c

SHA1
875e10f3d51a3b0adaff4b1fc0e847ccc3eaf63a

SHA256
26de238c6a46bac78042d7c78aeb4389ff22bd749d11a9b92d1b2175e70eb8c1

SHA512
07b7309a6f0c02b24f2c0cb86f5648d8c592f47f44512783009fd1fda4d54cf35239c557213df51ee5df2ca025b648d31c41648de0ed55d23546b77aafb66ab6

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
109KB

MD5
5d300817b08d568459a22b5009559b8f

SHA1
feb9e704529b0c12fb4e851b5e3cc07e14c7f4d2

SHA256
4e69a9353f5abe36648176394f9fc3bb36677176c4c56c45c4de1f9aa7ed5d64

SHA512
dcec70c8a0624921665bf61a24bdca9b656f588a2802206c6ad6f5dfc33617635da750065a3507d23d2a4d3b0cbafeef4c9b02925935c1f77c3cf53c70571341

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
109KB

MD5
43d3dcb48dc0a8ab1213d86f2a550476

SHA1
e9bb3a8243f2bb49976afce9c26dc0e8c2dfcc86

SHA256
260c7b6ff73a69a6d0d82bcb5d5ed8eaf21e3431b43665c3309c359e72f2a2a9

SHA512
71f9851b4f67445ec1571e91405ef1db42ecba5e449a89896c8f06452bd27d65afc9c56b7c5d69243aaf6096e8049f9709fbf0aa3a20bf4e5a2b5b967356710d

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
109KB

MD5
cb4134fd554ac7b884e1af70aabb84ba

SHA1
d1370ddd621297286e299ea50128cac2a78c6372

SHA256
ea86044c34d84669b06fa5ec16e432d53824dacf6b5247e79fb40c8885eea399

SHA512
e28e6c7603f5b5ecf264a1a188a28354e008402552ac4ab8a50a1814f6ebd22b23f5ab78787b061826ddde21601626d3aca4e89bf102d4b88a2445c34dd4e546

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
109KB

MD5
71f0f94439c0beef7cb5a7a41c0bbf78

SHA1
d3e28192f1a778007a78a1c17fc4d09af3f089db

SHA256
6277fd5752a9e4974044afde7e721f69e7e5dc1ddb3b5a815f2b1357e9363363

SHA512
6a667696fefdec2f579ea2d984c5c6425b6199dc0798e359355c6180bc7a59ba999c6a9b9f31876d15db3d90cac1aa1715f3d85ac197f8eb705f792498fde4ec

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
109KB

MD5
1a27d2377520cde29de0188c421420fb

SHA1
ab0fb5759fde84be8981a55408c4f539afc8f680

SHA256
683b8697a7c7c8fae0ba92d19b57ae37e60793d123d09d588d17a49cbeb4bf0b

SHA512
14ddac0d2caabbef7ba39f62ba65a5ea94437cadd0f0a9a5299eb023302da4207e6fb9af83ceedacc8dc2838896b3b8342586db4516b3a203cfc44fd42f85577

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
109KB

MD5
1638a989bf40409ae039b4ca64908939

SHA1
c54e1cbcdce65ec0e91f9b186623b409ebdab11f

SHA256
4fe7b2de8af16271585f9ef1f3ec8a7018d1d5500389e4616ac5f34e07c40096

SHA512
ebe49675358a3890e9e398561ecde6a0987e14916604150c60d342403f65de07f9a7764145ca0480c71e1647761017c728242ffed36fa1a3c62d0b160447f135

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
109KB

MD5
5dcbacca8a3419777dd6f394cd780928

SHA1
dd99f8dae0d01aa4e29abdbeb87bcaf9376f8073

SHA256
69b5255dacdebee03498b78a2852e2812f433594248a815c8028429aa13493e7

SHA512
b273cdf2dcb04bb5c26aa0391d33829a3d650e4bcb6dd94e36ecf5ae2eed54350e8b7f84bd14b5d243880a53a44803468dc2b844dc8647f3cbba04c80a5a0256

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
109KB

MD5
ab894db6fa1dac0af61ac9680687a80f

SHA1
9b13b3c3b310d7b635a09b14705804f75c397f3a

SHA256
d6f9e5734aecb0426eaad9972d2321e7a5a4ddfe67bceabecb55aae715d479be

SHA512
a8a04d221f26069e7d1913f52757ed485708dd7e795c9a1b368610a94c6c747a37c73e28b3821d3a1ff29b3868c4756b98ab05bfa6fcbe9981138c4e351efed0

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
109KB

MD5
3791e53929dbb00808d787ccb132d632

SHA1
223fcf1d7dc36e91bb2c8e0feb1cbd21a42bc0e5

SHA256
4fb2218e011ace62bfa256963b80b3a9c154f8dbb610c9ad831d02427901493c

SHA512
0f2e639ff9df61c42bb7cba8d63ae9c6b89a2eeb2073fea16db5bcba2d64cedbdeb006c7b2a16e44440b23b3e648e9d3638ea84dbf7f7e2f97879cb6bf4b3bd6

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
109KB

MD5
1cac964bce62598ef1a4c0353af850b2

SHA1
7d3a1c29722d95cd1b4f06cf7cdb78eeae2baaf7

SHA256
cac3c684219d8d4b1534919553582184a35aed2b15ed871146fe23f73f3a4278

SHA512
551f72a353fee19930bbc988ea1a6215f4ab95d61f69132ccd8398616b4776cbc140bd788f9894254da7fcc7750941c6fa08af17c786438ce967c2d02bbe7700

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
109KB

MD5
32bf693d9d8ffd23ffedf94faf173f27

SHA1
b331ba38712ebe7696b35210bf7e8cf705af1125

SHA256
41a3695971542969d1b6b2d89253850e053575945dbab119ddbfee3fdf35e5cb

SHA512
c2c3c09ffa11f47351b7bf05e81e651575a09fb4d6e7dcee4d0c7ffebba4a2a2cdf14a918c2b280fa236205ccf78262fa99d07bfed4b8de74f2db23964a22a71

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
109KB

MD5
0c95217bcaa12fae4ad00545cb56242c

SHA1
443da8a163b85a0523fd225e3af5d1ecceab07d5

SHA256
fdc65c206d7075c4afb351fc55a6ebcafe0297c481c48d66f278997490f57a94

SHA512
ed02f389730ca7fdfea0e431d30de25193398d2b1bb66b63c032f28447f6f00c87d064075eb34555cf9683fbbb1bd7463f1fe115a7b7dfb765ac5311ae40dc79

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
109KB

MD5
9339f3b417e32c435afce0b30606a735

SHA1
f8eec0472a3af82827fbb70f101fa109b798a3f0

SHA256
c1cd1780098cd9157cf2d516c070b192fda0e641ca033c1fb9d2d114cae0b58f

SHA512
07bc4e822dbf1a21940d7cf594ee9cd41a271dc13582ce2f5d602f8ce07084c74430cef53edfbe067317ec29768e30edbd5ff0e507754e196a6b355a3a18a085

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
109KB

MD5
69f7089d84a19c1772e8fcfc841c1d38

SHA1
14bb2b8b21ecd02f2190176bace6643259477e1e

SHA256
619d1965ba059e74e11113dd2cf156c6be1a4c858d6e9772ba9633ef293afac9

SHA512
4a3514c5204ccf0fd3446d3d8558046c27d147937b7ed8a71742809e3fa60f68e49327a30c89ac826caaf23640f09ffdcf4a4730b3ec00754c24ff7dcdfcfd08

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
109KB

MD5
e9c2178c57849cc7cfca3c1a7b132475

SHA1
a5e837a4a22427235b844f687ab30aeeb6d5e578

SHA256
eecbe92315f4ac2a5ca809ffb998044359305e95644ed0a013a5035eb4de0608

SHA512
ed0231db04e0613949979e7112bb5184ca2f7b62a633ad9c8b2038a685388e81fb69239fa55293914e4def943c1191f0990eec23c862b104e756eaba6a1ba5f0

Download Submit
C:\Windows\SysWOW64\Hqlqig32.dll

Filesize
7KB

MD5
0cbdfd65543e31a8da69c20823d2f931

SHA1
8574ce4d537e3c86657a7ed278b94bf872058ba4

SHA256
d889fd9009b01f945209793170cc7a9fdbe15835b916bccaa3ae202b77d4b032

SHA512
e1932d72c6c5ce86d8e98fedbd69cbc5aef8f7161585c1687080fc36689c3de95ccb41a0cee4d71ff0fe89ff1599bca54e1f5dcd6dc400142717b42cedfde69c

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
109KB

MD5
b66fa60e07025820508f410460102115

SHA1
f3b02a344b4534d8586171556a3ef459952d1691

SHA256
a84484ff4d9d8e9c2cac84ec8e9df551b3528984f75e55e5719d62662e995690

SHA512
d42c7efa63a70086a5e694dab760d1933e6d45513502f6d6b98e17911ca69b13c7d2285760b6b734ee4e5c31c2e520d9bbfb48771e89efb055f233a6aa89bd2a

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
109KB

MD5
c5f174a9a9bad6a2460f164f002d5f3f

SHA1
ac030bf2208f80f53abce37679bae91f5fe97650

SHA256
e68e4385d79d6950d4d2f1c8f509399d8e875cc65f666441439e739c2026b29a

SHA512
68568a218870ab655732156fbcea8fb4a6771657da1817de0c1ab8f3a47a3d0d0a8b2b3b0bb5550a060ed1ef43d1b927f58e5f8619a66bb5a8fec303d9340ebf

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
109KB

MD5
46f09c155cb50fd2ce30118dfaf95828

SHA1
917cdea4ca267777e696f3b3ee0492815babcc15

SHA256
d518aee3939d78af8493f213cbeb6f46c0a65a7678aff9c6864bb4c3bbbf0732

SHA512
dbace2933defebae89afe97c3fd1144ff4f5dd92eb2481f7cc87f2591156e235c24b422de44a101e4f7f817e3d7b0850ff6f28355ddad0a893876cab34a835eb

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
109KB

MD5
f7dff2ce8c90f5291df39fcdf1295c41

SHA1
b317238f1bf583740010a30c5d7cedc475001a3b

SHA256
b06196ddc6076289abb2a8eca7c9548071bf01e9646bed1d90b1409b82f9cb1f

SHA512
2c925145ffa566a9e8e466ff1312d44661eaa24ebc4e2020899f3026aaefa5fd340a1ec07e1109855583e84942c26007ca50aab4f38df638cc89fa07a313216d

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
109KB

MD5
3058e384cd56f91da1809cf9255faa15

SHA1
9406a817c309c0ff47787080a303a4e2a4126728

SHA256
8a17024e0b9c81e1f7d3355d7a8b8c835b756c12591619c8cd2ebf4951d9ebf0

SHA512
3bddbe6bf6d0ffcf8d1daf4901c295c87244d430363b4ae88245c2f98a647632407bc61fe3abcca747cd5f54664b09e5d5508bba3d2ffdbefb66e4974cb1e9e9

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
109KB

MD5
d05da82d62fa11c9fad2ba11c0b31012

SHA1
9ffb2635148b74f49d0bf93ba0bab3bdf0e7d37d

SHA256
9bdbf610b843daf6a8de34b419d7ae05ca1f1b05a5aa8b95ceb46a808eb10ba9

SHA512
0919f7a4c389ffdaa8fb4631c7b3768002fdd3d5a16cf51b431f6b6c7388a88869d4c69db16743f8a1bcaac9ada76dc7ccad9bf3d250ca8b5752d8217cceffae

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
109KB

MD5
ee8edfbb94efb1cab30b517c1034af25

SHA1
358f4e6289986422d40a1493b7500ce585e14300

SHA256
a83427c6d408b42b3e358a9f668db363dd5a17f62192f83e1d3675defb365be2

SHA512
cd27e1e931cc5ce4cc5737ada69e3bc8161f435b65e3a1218fa9c9784a11a90a873390a64321e3d63ca4e0521845ceb05575e1b2e5c7b576d356dbd0ee221e60

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
109KB

MD5
82ac8916cb2a8f1a09d9e0b1ec809261

SHA1
0da7eed455bd7e74bdecf21b52abf527a1142bc9

SHA256
5d9ab4b2c7fac92ae89d71c0795e7ae0ec93f1149c57555283d5df3ae143eb80

SHA512
1e318fa51f0d81627647b3a058b3c21d1f996e59bea4a0be1d07af06a526fc132e2ff5ecca6e35882d5551b00106656a136791fbb99e7879eeeee109aeeadd20

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
109KB

MD5
8d1b6775b73d82665a0d2128301e4033

SHA1
6990e954ca5afd57a11e2ea56d4373a266a33293

SHA256
be29a780b8d06beb8ffcf3b054715095b9d8552cb9ca6e64fc080bf5717e325e

SHA512
0e96b2cfa447a18600e13ea546b27452bc43e7ff7499c5aa09ddccf2db7e7a0f9d286754c516d59a9280b2184bcb5c8087b14b44675a58f8cecc354e8e9167ed

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
109KB

MD5
39350e8375935428341bb81707536615

SHA1
5f9998837709af1e3d9dc12335ee8dc789282e50

SHA256
e282c1d9c084e3b1e1dc5c0c0e0be3851461aaffca937d5b4b867ef984391d3e

SHA512
6ff9f8d4c4446bf50e9f79e6204a71ab300a2d1629e5a02c4ef71945f877a0f8d73d2007e09efbf742dee95f0c85d181b0f7e38147d7b77fb96d917d2fa73fb6

Download Submit
memory/216-544-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/216-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/372-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/388-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/396-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/452-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/540-545-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/628-138-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/636-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/736-501-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/804-405-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/868-440-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/916-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1012-584-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1032-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1032-604-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1036-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1040-303-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1108-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1156-219-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1188-180-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1340-428-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1392-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1508-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1508-569-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1580-44-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1580-576-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1672-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-28-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1736-583-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1736-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1768-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1916-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1996-570-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2000-502-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2016-485-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2020-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2036-542-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2180-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2328-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2356-350-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2492-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2536-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2564-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2568-111-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2708-536-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2712-463-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-228-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2880-595-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3108-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3200-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3332-244-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3336-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3376-525-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3396-567-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3432-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3472-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3560-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3596-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3636-472-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3668-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3692-577-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3876-526-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3924-597-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3924-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3948-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3968-422-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4000-557-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4024-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4088-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4176-551-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4216-183-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4396-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4408-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4448-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4488-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4528-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4548-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4588-368-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4628-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4644-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4664-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4756-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4780-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4788-590-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4788-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4856-508-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4864-271-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4912-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4920-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4976-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5000-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-478-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5012-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5144-598-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads