e01b62e96ea585aefc39c282f7a1cf2abd287e5299d5c166b22475d858358549

Analysis

max time kernel
142s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22e85ce8c00381ef328b424f0d71b740_NeikiAnalytics.exe
Size

76KB
MD5

22e85ce8c00381ef328b424f0d71b740
SHA1

cc2132c3644cf3a5d337555a9025ac18ed5d5f5c
SHA256

e01b62e96ea585aefc39c282f7a1cf2abd287e5299d5c166b22475d858358549
SHA512

22f2098aa9ab2200f49b3df364c59c914043b2797cbfeb1c642c657524b08a5d345e123e09097557196d068ec625d77d1ec5ef41812885d6087b76cde8b8d90b
SSDEEP

1536:KSeXQ7ZK41xIoCrmR4kwHq1JBn2kDfsfKIQfHioQV+/eCeyvCQ:57ZV1eHiRfwK1esf6KBfHrk+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	22e85ce8c00381ef328b424f0d71b740_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe

Executes dropped EXE 64 IoCs

pid	Process
3608	Npfkgjdn.exe
1932	Ncdgcf32.exe
1612	Nebdoa32.exe
3408	Njnpppkn.exe
4284	Nlmllkja.exe
4004	Nphhmj32.exe
2732	Ncfdie32.exe
2840	Ngbpidjh.exe
4444	Njqmepik.exe
4440	Nnlhfn32.exe
4392	Npjebj32.exe
1432	Ndfqbhia.exe
2852	Ncianepl.exe
1620	Nfgmjqop.exe
2776	Nnneknob.exe
5076	Nlaegk32.exe
1616	Npmagine.exe
2212	Nckndeni.exe
4576	Nfjjppmm.exe
4896	Njefqo32.exe
4976	Oponmilc.exe
2580	Ocnjidkf.exe
5024	Oflgep32.exe
2540	Ojgbfocc.exe
5080	Olfobjbg.exe
1512	Odmgcgbi.exe
3212	Ocpgod32.exe
4084	Ogkcpbam.exe
4516	Ojjolnaq.exe
684	Oneklm32.exe
3372	Opdghh32.exe
1152	Ocbddc32.exe
2720	Ognpebpj.exe
4904	Ojllan32.exe
1096	Olkhmi32.exe
4876	Oqfdnhfk.exe
2576	Odapnf32.exe
4132	Ogpmjb32.exe
4824	Ojoign32.exe
5084	Onjegled.exe
4452	Oqhacgdh.exe
408	Oddmdf32.exe
4012	Ocgmpccl.exe
2272	Ofeilobp.exe
1640	Pnlaml32.exe
388	Pmoahijl.exe
1820	Pqknig32.exe
3784	Pcijeb32.exe
4384	Pgefeajb.exe
828	Pfhfan32.exe
732	Pnonbk32.exe
3800	Pmannhhj.exe
4600	Pdifoehl.exe
3088	Pggbkagp.exe
688	Pfjcgn32.exe
4160	Pnakhkol.exe
5000	Pqpgdfnp.exe
1312	Pqpgdfnp.exe
1088	Pdkcde32.exe
3912	Pgioqq32.exe
1624	Pflplnlg.exe
860	Pncgmkmj.exe
1604	Pmfhig32.exe
3516	Pqbdjfln.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pnonbk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6784	6160	WerFault.exe	280

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	22e85ce8c00381ef328b424f0d71b740_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	22e85ce8c00381ef328b424f0d71b740_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	22e85ce8c00381ef328b424f0d71b740_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 3608	4152	22e85ce8c00381ef328b424f0d71b740_NeikiAnalytics.exe	85
PID 4152 wrote to memory of 3608	4152	22e85ce8c00381ef328b424f0d71b740_NeikiAnalytics.exe	85
PID 4152 wrote to memory of 3608	4152	22e85ce8c00381ef328b424f0d71b740_NeikiAnalytics.exe	85
PID 3608 wrote to memory of 1932	3608	Npfkgjdn.exe	86
PID 3608 wrote to memory of 1932	3608	Npfkgjdn.exe	86
PID 3608 wrote to memory of 1932	3608	Npfkgjdn.exe	86
PID 1932 wrote to memory of 1612	1932	Ncdgcf32.exe	87
PID 1932 wrote to memory of 1612	1932	Ncdgcf32.exe	87
PID 1932 wrote to memory of 1612	1932	Ncdgcf32.exe	87
PID 1612 wrote to memory of 3408	1612	Nebdoa32.exe	88
PID 1612 wrote to memory of 3408	1612	Nebdoa32.exe	88
PID 1612 wrote to memory of 3408	1612	Nebdoa32.exe	88
PID 3408 wrote to memory of 4284	3408	Njnpppkn.exe	89
PID 3408 wrote to memory of 4284	3408	Njnpppkn.exe	89
PID 3408 wrote to memory of 4284	3408	Njnpppkn.exe	89
PID 4284 wrote to memory of 4004	4284	Nlmllkja.exe	90
PID 4284 wrote to memory of 4004	4284	Nlmllkja.exe	90
PID 4284 wrote to memory of 4004	4284	Nlmllkja.exe	90
PID 4004 wrote to memory of 2732	4004	Nphhmj32.exe	91
PID 4004 wrote to memory of 2732	4004	Nphhmj32.exe	91
PID 4004 wrote to memory of 2732	4004	Nphhmj32.exe	91
PID 2732 wrote to memory of 2840	2732	Ncfdie32.exe	92
PID 2732 wrote to memory of 2840	2732	Ncfdie32.exe	92
PID 2732 wrote to memory of 2840	2732	Ncfdie32.exe	92
PID 2840 wrote to memory of 4444	2840	Ngbpidjh.exe	93
PID 2840 wrote to memory of 4444	2840	Ngbpidjh.exe	93
PID 2840 wrote to memory of 4444	2840	Ngbpidjh.exe	93
PID 4444 wrote to memory of 4440	4444	Njqmepik.exe	94
PID 4444 wrote to memory of 4440	4444	Njqmepik.exe	94
PID 4444 wrote to memory of 4440	4444	Njqmepik.exe	94
PID 4440 wrote to memory of 4392	4440	Nnlhfn32.exe	95
PID 4440 wrote to memory of 4392	4440	Nnlhfn32.exe	95
PID 4440 wrote to memory of 4392	4440	Nnlhfn32.exe	95
PID 4392 wrote to memory of 1432	4392	Npjebj32.exe	96
PID 4392 wrote to memory of 1432	4392	Npjebj32.exe	96
PID 4392 wrote to memory of 1432	4392	Npjebj32.exe	96
PID 1432 wrote to memory of 2852	1432	Ndfqbhia.exe	97
PID 1432 wrote to memory of 2852	1432	Ndfqbhia.exe	97
PID 1432 wrote to memory of 2852	1432	Ndfqbhia.exe	97
PID 2852 wrote to memory of 1620	2852	Ncianepl.exe	98
PID 2852 wrote to memory of 1620	2852	Ncianepl.exe	98
PID 2852 wrote to memory of 1620	2852	Ncianepl.exe	98
PID 1620 wrote to memory of 2776	1620	Nfgmjqop.exe	99
PID 1620 wrote to memory of 2776	1620	Nfgmjqop.exe	99
PID 1620 wrote to memory of 2776	1620	Nfgmjqop.exe	99
PID 2776 wrote to memory of 5076	2776	Nnneknob.exe	101
PID 2776 wrote to memory of 5076	2776	Nnneknob.exe	101
PID 2776 wrote to memory of 5076	2776	Nnneknob.exe	101
PID 5076 wrote to memory of 1616	5076	Nlaegk32.exe	102
PID 5076 wrote to memory of 1616	5076	Nlaegk32.exe	102
PID 5076 wrote to memory of 1616	5076	Nlaegk32.exe	102
PID 1616 wrote to memory of 2212	1616	Npmagine.exe	103
PID 1616 wrote to memory of 2212	1616	Npmagine.exe	103
PID 1616 wrote to memory of 2212	1616	Npmagine.exe	103
PID 2212 wrote to memory of 4576	2212	Nckndeni.exe	104
PID 2212 wrote to memory of 4576	2212	Nckndeni.exe	104
PID 2212 wrote to memory of 4576	2212	Nckndeni.exe	104
PID 4576 wrote to memory of 4896	4576	Nfjjppmm.exe	105
PID 4576 wrote to memory of 4896	4576	Nfjjppmm.exe	105
PID 4576 wrote to memory of 4896	4576	Nfjjppmm.exe	105
PID 4896 wrote to memory of 4976	4896	Njefqo32.exe	107
PID 4896 wrote to memory of 4976	4896	Njefqo32.exe	107
PID 4896 wrote to memory of 4976	4896	Njefqo32.exe	107
PID 4976 wrote to memory of 2580	4976	Oponmilc.exe	108

C:\Users\Admin\AppData\Local\Temp\22e85ce8c00381ef328b424f0d71b740_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\22e85ce8c00381ef328b424f0d71b740_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\SysWOW64\Npfkgjdn.exe
  C:\Windows\system32\Npfkgjdn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\Ncdgcf32.exe
    C:\Windows\system32\Ncdgcf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\SysWOW64\Nebdoa32.exe
      C:\Windows\system32\Nebdoa32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3408
      - C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        27⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        29⤵
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:684
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        32⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        33⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        35⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1096
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        38⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1820
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:732
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        54⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        58⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        62⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        67⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        68⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        70⤵
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        71⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        73⤵
        
        PID:404
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        74⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4224
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        76⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        77⤵
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        78⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        80⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        82⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        85⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        88⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        89⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        90⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        92⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        98⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        99⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        100⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        101⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        104⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        106⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        109⤵
        Drops file in System32 directory
        
        PID:932
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        111⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        112⤵
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        115⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        116⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        117⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        118⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        119⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        122⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        123⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        126⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        127⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        128⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        131⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        132⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        133⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        135⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        137⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        138⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        140⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        141⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        142⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        145⤵
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6308
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        149⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        150⤵
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        151⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        152⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6564
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        155⤵
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6640
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        157⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6772
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        161⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6928
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        163⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7012
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7060
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        166⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        167⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        168⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        169⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6296
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        172⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        173⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        174⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        176⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        177⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        178⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        179⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7108
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6224
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        183⤵
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        184⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6820
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        186⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1752
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        188⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 396
        189⤵
        Program crash
        
        PID:6784

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6160 -ip 6160
1⤵
PID:6540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
76KB

MD5
acf6a9ead42b0aeb4d41178121969102

SHA1
4b4c184f0485ee6b2c2b9ea8ded618a975701a3c

SHA256
0d01ee48757be3f8de6ba11e58e0ec60af8921675074439f3dd040f99752790f

SHA512
733b1233322888d595fa38903b5ea5d8e59f3243dc6da59cd860dd1933e5370ae18db89b43c96df2fa8f02454f32b0323ddef407700144b6eaaa5d289d701d1d

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
76KB

MD5
c5393701900ecae18ce79f148e5ac0a1

SHA1
9f6f925129e491cd7ef878be6cd5dcfd14a2e930

SHA256
74fff49b84148113fd220ca2a6143208032536d53a0098f12320080e739b913c

SHA512
d210e030f283a5e1231ef7de1d125d5fae0085b9fe47a02aa1b6df247f559e38bea0fa91226b4d5af85615fd61ad6a2114dffc32bd0977bda72f072ffc2c6357

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
76KB

MD5
b336b2f8e9a45d297b8cc0a4d5fe59bd

SHA1
fc9ff5c8dd3d0b038b6cf6388be13818890d0ce7

SHA256
72f36dcd3f4c5ef05676436c16d9aa1ba606e8c11a4e530898189ef1dd15257b

SHA512
df21a0618edb5dd5adc4110452020b2c3e17a1733a687648fe7ab5b6ea47915e2313aa3ce8699ef6e93f5f50bba320349f743045418558eca7a83abcda5cf47c

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
76KB

MD5
892c05f4327870baae8e433e436a5412

SHA1
774d652fffc089f06763deab82f93a34f187a518

SHA256
1a412a14a2f993ee40b994089508c4d2eeb72bd8c0924dbcc3909f7391f385b6

SHA512
c8d82083480d2cb10451c5b0e185226cd7e0f7d9557076e4af47795e00b59043d8d9de5bb653cded167a367d28c5c8a2df77c7a89ac92b905f8db4702b465f3f

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
76KB

MD5
81db3d4503bfdde8d47b3f0c881eba9e

SHA1
1a4102fc72af0f887c0e4d33f0c6c7f5cf170108

SHA256
5a8e9c20a5d5c82fa8188310d1b85cca66dc811439e849c69a9f7c45405b74c6

SHA512
616e5ed1e17cb525cdee02ea1611e20bccd197b23252d1e819afa253d487307279dfa05eec3d12f7233038d3525e353d76e719b91a1219c105bf9a25db43302b

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
76KB

MD5
3b221aeeadb870e4a5f76ba40fbef076

SHA1
921f570a4695e0c89130dc2462252f215059132b

SHA256
9cf94838bf9a620def772543dd8e48f427f032e57364565c78fcf664488e0557

SHA512
4368ef971036a93cc4d72b412994a67a42a3f064210141bbbd531d981ef6f402be08007786f23ab432bf347df12cb1b3c1d673d991f1c88cbeee15a953cdf23c

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
76KB

MD5
03b7976c3c4af7042bb88e7b601187ff

SHA1
807f216d886bacc61231a0cd78038dfd4ca686cc

SHA256
dd4ca24f559b3e6e599cdf86c0e136f4716b852f7805d8fc68e289319a667da7

SHA512
da4570dd82efaf439f0b9975e9d65fb8578b837d6328fe5cad964afb6d5a41cdd6458fdc491dac0c12d74b72e80b964d543de241c55b15f62f00c9f8fd676370

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
76KB

MD5
c0dfaab33aefe337c759e8816aa3593a

SHA1
d631a6220970399c526bdb6e02faa93ef45b46bd

SHA256
4d6e6c6ade84f3be6f3392b45b7ca63426cb866ddd1aa5c29052439ff91bf5dd

SHA512
073d5d2b7c78e3f12d6221ea686c4a0b23c1934764ad4d1c10a64bb6bfd32e0c840f20deeb067a2b3a0b62a19295cbead40934c9efa4595506a3e507a5062ca4

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
76KB

MD5
b1a3c6b31b34b1287784594e8ba550ea

SHA1
5fb5c56e3785f21bf0da7a6297a15aa8053563f4

SHA256
935ae4f9046ce69f6e169075bcf795e19adce983121ba368098c4795312cb6c6

SHA512
b082ec7456d41b7f3ba2c8607125f2665a4cc025e9ce28b2acf56b943ced936ea80adc8ffb52df65078c2e74a9e3af948109af7c6fad3e7ad8e720d0395838c0

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
76KB

MD5
ea748bc910eca59b8cd2bcda49674f47

SHA1
2456178b0d0383cc754128b2baff8375280a309a

SHA256
88afdd0d52a99fcf63260b97982544d70762f7efeb4854b080c5d041f167e263

SHA512
4aa7a03f5b735dd3aa329491908b31bbbbf4e61c7c8830f1f9da560a7580b7c33a474143c573b26fe23cff2fe6becdee5a220b0b51f4cb1c2b4a634860c606a1

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
76KB

MD5
208199ef91b5ea2bb9456e44d68ce12d

SHA1
c7380a5c0b0781e08fb64d00c6ca8522dbf450e2

SHA256
736e001c03a62781e9d7a468694f97676fc73eb9f036299dac24bedbd71ca891

SHA512
9235ed31f02ae1d8249e22c297fd3aeac842c0d9fc9c8da19812530847c063e9dd15824040cf2aae6ae95aa2c87acb944221de8ccdaf3aa71cc8a0ddaaa36b74

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
76KB

MD5
4d870a1af26115f064ce24186fdc132a

SHA1
c123f77a1ffa891ceeae8eeb6c0eca7db744a3d0

SHA256
43d0210ecdb4e4658614cc2ed4a3db46521db8f541cb581afbb3e2f4f99034ac

SHA512
930c7eb82dd5c6d61c34fc2215c9c7ad940f43619eed5e5d3bdde637fa3f7a950eba64218e0721a13db9ffe7713be5f068e68fa6af15c5e3653d300fd241e391

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
76KB

MD5
5aad43800326151905f05f358d200328

SHA1
81c0a950978bae8c6f506e380daa90753ca279ff

SHA256
ab281f17d2e9e0b60bcb76f18631e377574eb803b97381630d1ffd7316a1b70d

SHA512
a3ea40cc7f381e76fc1f93626055932007c1bf735521483420267620310e515edc63fa80a131f3f2baa8df10d622d65c40a24b0692e661f2579cedd341b45ff5

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
76KB

MD5
a01b7d031b8ce2d5d79710c7a8fa3552

SHA1
1dbfd60b59caf9b9b8fab66ed3aa4c1253a00567

SHA256
a13d0604d1019127a05aa3c5b16cce806c290f32b360fcc54333aba2284043d5

SHA512
82a161477e992a94dc1dfd3686c7a19f5eb4403231bc52743ceb4dc19208741788673d07f6eff86a84e80e2159f4fefcc71a5bf04e200d1451c76ee7ba7a03fc

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
76KB

MD5
fecb0a7ac99509b288697a2dfebe5321

SHA1
6e06bbe34539881371c5d3f771b5023011745932

SHA256
389efc33ff583a6945bea8cbedd8a2fbb55ca7d504bffc245b081b5621159792

SHA512
421998615e14cd4722511a3e111c51e53be77ee772ae8d9adc7e8e68ae1d4e52280e3f4e273bfb488da80da1c524bd067c51f3e78bc6f543b414d6a08f3740f2

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
76KB

MD5
9f0c31225a9ab46ff5566363d4811556

SHA1
c03d26e42138cb5874af7e5d6627a2810f31feb3

SHA256
4e53dd2e0e4a3b68b488a61a9cc70e6edc89a754bf280c039fca3262f1a2c22f

SHA512
e3094a311adbb83508202221adb0e12bd731f507cfb308d09a2693431912b01782e0671216366b374a9fe055a2c90aa66a82731ebbd57ab7ef10785a537e6b81

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
76KB

MD5
9ee40178229ce43f6e75c764266bd39f

SHA1
3fd05bb7c1f4f4cbb37b203af2deabb2be32b920

SHA256
6146e839180dc16ae3791f3c8b523e04cfbcae337b7224fc5f5bab7a50bee311

SHA512
014124e93837b00d22c6fa2e8b9fa04d7339bc77a3ce132424db5e28f2504b50db999eec4c7d0eb42786250cc02bdaf6fda04974ee8b0a2bb21ccf1fe1be4f23

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
76KB

MD5
20df0736bbd444029cf5aa3ae88f5565

SHA1
6dfa6588ce494f19988a7a6ea7583b0de62c86c3

SHA256
29b6c3009c85d7d72033d4cd3d6e88a69cad23a2253ad921842ee42dd3190f71

SHA512
79cab4f2f5c7585ac61f5f06d7d0ff2082fd9c19f9de467436f62ec95697a576ae9c03743133e55fcea35d62f4bccc4393c1f59c1fd54daacf5e928d61309b55

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
76KB

MD5
c499da024e2898f325f14c84c79d9073

SHA1
c673baaefb372477f8dbe4b8ef187cd4f5d772b5

SHA256
67d52e87d9c68f43dc5e6ad8b6eaec4f720da43c611844915a3a209aa333d0f8

SHA512
a12969f216ae44b2f4d5d33060537a9a58773aac11e1a9818d48b9c8f892b71eb81ed95e69b29fd01d3ac2bba921f2e57d8c85bf6f16855e1815e93ef9cb38a5

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
76KB

MD5
1bc22204792a90c454e81e18eb172d71

SHA1
057a70b554d67e6626e3b4f877c9433b05cc1e0c

SHA256
9e7fc470539cac3d6e355587c3094c36e0812fe5c55745379ef26f32f0923124

SHA512
5dc21a64829aab827303ba1a307c39d7915ad18f3a7a34fcfb2685c9a398d188a96c62d81047d597063d0534048a2e052d03186b8479620eeeab0fd6411414af

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
76KB

MD5
f6b027b6e000f5065e2d2bd5d771f848

SHA1
f8274b76e59a86d50c1d03f1d3a6088376c4ee92

SHA256
9447e94f686d5bc3b353d5b80aaf3fdbef030d7099c36f4062d2624c4412dc98

SHA512
d3612fd52fcca4874001e44c86ca5135c68bcd3b537854dc0f0da1bd925158b0288583aca36ce981b97304e2490bd968af5377d89d68115788809a46a5754860

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
76KB

MD5
b960822bdbdee023749c75f10c388bc5

SHA1
a19a306219bc39b427b17a7accd454a7ef934489

SHA256
0158f483e8e91c4a0d5a834ce7cecc6020d3b656a3f88d719e709d743386a8d7

SHA512
bcc75fc170b9a51cc78c9601187e3ce78fb6ce1f743225d10a98747fb9eae7d44527ff3a20d6e569da7f42b1ae5e8fb58cafd294af8c76f0d001746e3adbae5e

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
76KB

MD5
7fb77b245721fca3ce06cc817fa27daf

SHA1
678ea660f54102668b7b7c5a3d83dabad5965aa8

SHA256
f5908389a74cb0c6206c511d40021144d17b36fc4b61cef244315ca69e7e55f5

SHA512
9580c704bc9dc3a524b9761404e5c2258ee8e4955b146832a2af111e4d5dfc63ad3ff155d663e45a503e1a6147a764dd8fbf8f316078ae275919c642b97954b5

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
76KB

MD5
5a4b780c311e71322e07feff73e6e423

SHA1
0bf2bc0785b4ed0fcea157360151239514799574

SHA256
d389b7472f32c41b73d6b421a06c81f281c8b200f39a810ab3adab6568dd4ea1

SHA512
9fab6a640c41fb60793088e238dcab17378b65f588da1235a36da84996d02f98d588f4493a1ac45df43df10b36a2b83d1c95c16898613fb6cfad54086c0d10cd

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
76KB

MD5
92676b185ef6c27c54358092b8bab6ac

SHA1
36be2182bff7d3dc7c1ef176282636c65150eb19

SHA256
03c85e168affef0264945922548e61942f4c57266c1739844f33a86065170f07

SHA512
6b262155efac7fe2d81111a1b47b764c1b5456544516560407f021a843eb77bcef91b89f17aa34f495cd7dff1b34b281d6a17da318c3c7f5da6e174410262c92

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
76KB

MD5
2716f401037d5248657ebf479a0eb198

SHA1
88966b159b769f065dbbeed71ca45828d3f7d93f

SHA256
6e36eab1b326c96a407b637d49d9dce04b16c8b159b3df49ae5724fcbaf15ef3

SHA512
e7c42f9bf246934a14fd92ba951f50d14049ad5d0f371f538444f447241a20dc15378c9eb3ff19121c8aef8f404fd5bf4742217b992b470970ad74ec84471420

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
76KB

MD5
fc416ca7734c82b7c00c69c811fab308

SHA1
55e21860304bfc2a098c36de07000d76248f3647

SHA256
51c98ccf6f94dbeb0a486bee524ac009d05054fa41c566b2bceba2cd0ad400b8

SHA512
597e1fa95de300e137b92670dba04a3248ced202475df7f3d54130c5e91ae4fb0abe5354cd0a0afc18e29efa0d52bf70869973e6a7bde15e851f64dd33d6f01d

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
76KB

MD5
815aca38edad4177fab1fec59ebdcf02

SHA1
ff83687be8f9d0a4fe059e197f2f85b0ce700dc1

SHA256
049ef0af8acb3309446323ffcbac6c9f7b2558bc951f4b9babcb1f10a8d89d6c

SHA512
1226b43c780afd412b908c96e3553272fe2187ec29decc24405a707a5a586f39926d6380c68004c3d809fb03242c1cc280f0554bc72cd2c0a9c19b3172b945e6

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
76KB

MD5
32bdae09cd43300317fde3ad27ddb210

SHA1
ef7033e289e8a07a96ccb63a497c0fd2211d2545

SHA256
297263479eeac26f0efe79519005a306a3b73cfc8c4aacdf4d98733ba81e5691

SHA512
c9dcfb32bdf82fefe5cae4b835e231229ba2f72c761e2883825c2458e600101652d9c4df9c27f3aaf2fc8ae7797874cbe06881b49c89fc22c8feb7195ac0e56b

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
76KB

MD5
1608d45fc74a66b0e0af38241e738b56

SHA1
b2aefdf47753527a83862350ff75bd542a9b345c

SHA256
939b66e38ac2326e9604da742f52810da4e352dabdccc685fb92155ba91c72cb

SHA512
7ff09def993336558f23f6637adfd6f3d11baa4a6cd64dfaabc25e83c66c5a04c4393eae656da5ced09686c353a09793e5bd970f815c17056451f9df1b32a6f7

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
76KB

MD5
f7f2aafcd02da3072ca65451bff26170

SHA1
020eb9c9816825bb828a0f348f2f4885b28ecdec

SHA256
42b5e9976c5a9d3e7888cb87b8d6967188dda6db77cb9e06064dd0b539ce76a7

SHA512
3aa2fef928f03069bb905239ce5328a28cf3980028852a673b5720c50843dbbae0a0d6f7ea0b20ddddbed8a0e06f41dedfb96b763c5517c26d3de642f2cf7e83

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
76KB

MD5
f5c03d356f2474f1d152c7e4bb8c672c

SHA1
1edaa8006b549fa2d9eb5377b10db04dfc0f6aec

SHA256
4ce664b3fcdb94d80b1125f2211088a30fa71590affcfd3b87b7ac08fbf12303

SHA512
2c09b0fb0847afea4b57dc0814d554d293a1601f859db8d805ce6670737a1b77594dc03d7f35c9cc895de79ec1352d762c3a70376b05db08e0e572336dd1998c

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
76KB

MD5
c5e61329fedc383819b2d3aac37c02ff

SHA1
3580ef5b1a4bf81abf5e376bdac40c7dbe37907f

SHA256
261f76f3e3f41383e087e71688e28f21b6009c66aec004936740a1c2809c8d4f

SHA512
be857ed317439ef38ebb1f23636f4490a8469bfd30f6aee155468c50aa5d77c2e25ed1e019cab660151de6fc9e3476502f7bda42bf23c661ac8839a1579bb835

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
76KB

MD5
68848811471e0a40da17a916634c782d

SHA1
5778d598abc9e03603f800af5a115ceba883307f

SHA256
4d963926ce34432a1987a1d1d12d401c75d4012f986f248e4ec923b0b15ffb88

SHA512
7f4ba5b5c34bab073dad5e97c64d95434d1cee5db49fb21873f73513a6eff2aacd10786109867dc40f53294ef98069e5c0fd876c81183dddf59c0497c6e76a93

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
76KB

MD5
4cf90160f0f94680dd4f0bcf3c61165b

SHA1
037c03192e75257015c9f5ee801dcd805d03b457

SHA256
68f651406f8c53d8007c8a2d2f55b21c7489fc0d6d13a4b0bb1683c826935f6a

SHA512
e5390aaf97883b51a516a3b78d46da1391fa6e506a278a19b4dd3a90bc6a4378b86f965d5d6d7ba2826dd7c3bf2f81d820ca066451756bbca4456aa02ab91ddf

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
76KB

MD5
339dbe3daf8fc06c7c6e55a2654d0534

SHA1
12931ab6e51a881be81643759482f4dec3cfd09e

SHA256
02cd338abf9b87886102b2167bd948d8722d18db17c1ca7d52a90001dfcb828e

SHA512
7bb567e43399d7806142f9ec8d8eec380c6d3642549aeae6e7e7a58adc8754d7fe9d7162276e4691e83e38c9bf114528675643dafdfd414c455d48c77decad51

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
76KB

MD5
cf4048ccf54d3b0d30c3383d442a2757

SHA1
eff0f80fabdc6aefbec2ed71d48e44961a33b4fa

SHA256
96d72033f3abe783c113247d25ded236b74b81c65be8e2cf541192650a1d7e80

SHA512
804ecba9495e6dcbd7511c465a7b08019b0436107e04ed5da1da3f4350768c9748f1b811423b5e49de92e2444c751aeb39a5e34b2619c1f5f2281dfe86656bee

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
76KB

MD5
32532d09949093a2c8489fc5b3f54fb9

SHA1
41d7f64b6c6cb59973fe46a8aeb262be10f142b6

SHA256
d37286f3c2aa2a1397928bd0cfd5b0d55a8f2998381aa2d7e284b2b6235db19d

SHA512
949f63098a17d66890558e2b0dffb75e53d828c1313c97180fef423dd62dfb36390d644238b5711f21d9e08d5229175e80f8b4584f85c1ea02b9b99155cb7d29

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
76KB

MD5
ad583c0ab9b679e5e4e4a07f68d8ac83

SHA1
822de3e3bd9a5de1a6f7a6c12621e8319d4c4f7d

SHA256
4535e767fba680a843e22af26a42bc22e82cdd51871cdf0c29524f07a7d8b24d

SHA512
648d9971007659d592e722648898cda22269afdd9026bc37c5d11b0cb650988476e78355c51a289806b4d1782a2754260ba741d6719a56f692c511c352b1a5d7

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
76KB

MD5
3423e92a7dd97fa7968360c0223c9dcb

SHA1
4a7bbdf9e4647ccc34907106ef1561c4e1731ed3

SHA256
94df8d97660c906b51094a5f23ff186b145aca8be3f191be32bb91bd299e74bf

SHA512
9bbc97bbf3be065d90c7c685ea805066d192de257485cb4e11c183f88c131cd0501d46d0f83ab80b7bcc0707b1c59a9299a8d6aeadd9224dde43f9caaa3a6a77

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
76KB

MD5
a8f96085b56d5b1b4ddc48a27a180ae0

SHA1
fd188ecbe961bb3e5c7ae39b179d98b05155a3e9

SHA256
71ec0793ae3522fbcdd58ce70a7298d657d85b95c617699c353f8f43e4ef36a2

SHA512
419e9d3308c9b4f8560e71bf5d8c8236bc060ffef5d6ccba2c6d97deb3b36793387e026c5a291d65410831143b0c8914be65727b2b08a5b4bb36546d2fcee0a2

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
76KB

MD5
33edeb7a8e740c829ce79a0d8f17c24e

SHA1
ecddf21374fb43dedfd89d31834e2e69e92f34c9

SHA256
dd9d7818216e6409b19285f50df9aabef17c2aa55f42acbe8d7e4ef65da5bff5

SHA512
1a533c3d85e212c844750a4676813b4f49e0ee54bcdd545cf129fb9c9fdbd40e1a68e1e9088eefbece25f2ac7b0929419c344ca85d9fb3afab67c174f9950dcb

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
76KB

MD5
29a6211a481f470bba51112e3c02c3ef

SHA1
687d693f5c667660f1c16cb5afca560acb51ab55

SHA256
e103bf641975a96de1d6774d35c402fb6eed10f6b7f6708e0a9002bc648cb407

SHA512
2d270b570a1a2ebe9a2242588c5d3f5138bf41b0d53cd9d231c77f02776f2a49af8d24ee4a272b5b2573eaa3ad1a439bd5d25ad43d43df741da2c3a744473f39

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
76KB

MD5
baefe2f73f00eb2e54f9aea3a56033de

SHA1
ba0b0fcee34267137899b60f0970f711ca420bde

SHA256
b1396fe7aa9b3741dd3e311df55075bad0c7ff3e29348962b896e28621946658

SHA512
cfcd7a4ee99ec78a09518cd6351ff710fe85a712ad28cb8375855e4eea58237aee897173ea0512e9eb5b424735edf6b34744f3f6d84e3a52e46cc02f1fd34596

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
76KB

MD5
4f5ef2267441fe3838a76457d97808b4

SHA1
1eb39a6fa4c55424ff2c63f913b688e2cff09ce4

SHA256
9e9f7529373d6fd9d1b561a4864de19a7d693784a634764edc0f0b150486b628

SHA512
00c8887cf6a66fdbe4989c9df49a2dcad3f04c5f08f700b560a6bf6c7ff56a5aa778fe9358871e4bca4644c62177c578e23e4a56c4792f767eee4cebe5e42f8c

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
76KB

MD5
6baa872c03e4ba35e560e10eea72eb33

SHA1
cff9c77e08d466623967ac949a2bc2a9787e681e

SHA256
be8aa0240dea51b2639e62a55f193e8526aa3c371219ff8a114e0a70a598784f

SHA512
dcda5524f4f0c31808ae6a85aa1ab383fc005d9e9b799a6fab850efa9fec995c0b9766a29bf410ed2d7827a133b56358077e574ab4c0cf5a4e8fce19f86a34bb

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
76KB

MD5
44c8b7f88b61d3906165f013d99dcf8b

SHA1
d8c99680f944a950810890e73ff62f559eaf96c9

SHA256
7243c3851064a0cc0d8b2bbe6471db63410f984bf717afc3bb0e99cd7807e793

SHA512
b5c2d0f17c70363baf753ad436dca321c646af16fc3e433d8c1f5ddc8f1eca873050e247eba18463fa29eb872f1dec45247bae55b7c6081c9f5412668f0ea38d

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
76KB

MD5
1cae35179db03a040bf3f8b5a1bcb73b

SHA1
77f51d9ecab500e585194a9cd09bb4c959160415

SHA256
c50c9a66d057817eb24c09e8f3f53a4b6861158dc9b4a994e133bf56a1e90d06

SHA512
241d4874371b4f8908a88de0fdc0977334ba1781dc1b785df9239d81c34c9a5ea63193650cac374114df2b5251aed4b5f9cde5f0d72306f4aeaedc219baccef2

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
76KB

MD5
7914e27211b729c15b60611c609be1aa

SHA1
b0014876de592fe49538fe2f1b0ecea5821cbf47

SHA256
ad99a1fbbd67ffcc72f19c653160239a107bbeaaba8c24c3a59b32d7dd60516f

SHA512
3d2ffff0094b9e66ff0ca58430ab92674c24fa87836ad9fc26314a1d29ee043199746733627ddab2ad0e215d7041220cc9000932d4633e62a05923fd56c9837d

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
76KB

MD5
8d71905b921d1411641b8cb448b95cb9

SHA1
94ecdc999268805b98121017a6a7c8f7988c4e19

SHA256
6562703c314a34077b43d5354df61ed748620752d2144726cd31c4a281c55aeb

SHA512
b726ab7177e381a1f5de5c62bcfc999f14b161f7cba7b1f64bce4a0dcb7ee46a553ec73c9d7ed6a8bb2cca2ab91b0ebfb2f50ada5fa3edf99a981075dd4f6993

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
76KB

MD5
011fae6208f366b9fdbe43f41152bbd5

SHA1
3906b7059c658a01e7069fd78d635f742fda2861

SHA256
454d6cedf7ca8e8ffd11fede39e59ebc8becb9fb8f67d08c22e911d041db9cf6

SHA512
4bd84fe0367c07f985650a7185426df810524479280ddc7a78e22bb83f8b00efe264f75b4a070c868618fc91eaf117953f2c787ab0d94c00487525a96a12d6ff

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
76KB

MD5
5d6b3423a4691363aeece22c1ba8bd23

SHA1
e100e4d797acb7acf3831fc11062cfa8e4d7d9b6

SHA256
036bf34ffd3e6c2cc592b997d92c3fae0e34874fe7a42ba2ca4b94e13291c58a

SHA512
4b6d49aa3f1c872ef36c3e6acfe9f49995f0db875378b99db4b53374761c0a6f5b2891ecd80785e5d79172a505990117b160e8bfedc1082859dee88f895cd37e

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
76KB

MD5
8304ef0d55c487e4de602176d33d28f5

SHA1
8b480e303758252374eda43bb970e25c2eddb673

SHA256
fae24082ae6896a3b2e3433cfb85abd7308b7d431a7cb0f3a9b525cc9490ada9

SHA512
5508a055b3e6544be0e864b4e3f0caf490db916599bd60e34b25928c25cc2f63eb7faa6656ca3866bc3e4463be43dbdce2bab89ae410936b22e87499001fd591

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
76KB

MD5
126b35e9622223f77e1417ef1889b4aa

SHA1
19e582452b9fed0f530732107ecd356fb4cb4f9c

SHA256
0ea0d369f9956ee2df7a56043322f4a392afa907e34df4dbfae8bdaf7d8acb5d

SHA512
7a5e6d643f9a73e19db170d9d52b949106ef83b9afb2172e251ce7d62ad17ab256115b104feb3a81741dc63aa03142900ce47b2555628630978e6530077ad902

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
76KB

MD5
02bf35ac5b85063e2a85965caafc8455

SHA1
19093520232a9ad2f24b0aa821d0f881fe3c8581

SHA256
8e1c77aae786762daaf522d36fcc8bd78a7456eef96d3305ba235a5990277288

SHA512
5bb6ffbcaf76904506755f826b0b05a518ece5076c1ddcffdb047ebaf505b02604138d1d8d3b27d728194f4e65c4fb2a22c7c4f21d581c292cec10e001b03083

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
76KB

MD5
1be1cfa466cbf78c9450c559c4311bdf

SHA1
25ed8c5c3aaadfdaacfdda641861615aefe5e8b3

SHA256
d1b94e3881cae19ad5e0f9500ec9dd8b826636c61608af033e8f4c2639eaa4eb

SHA512
a6ee0fab8f63e3241d076cbf17b76329ff6f3f559d423e20cf5fff01ae63a647c85a3b95d357d3203b2ef942f29dac46a2356b60af5f780d96023a6b5c91d81f

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
76KB

MD5
39a10eb4933cadeb88a4a781c02ff833

SHA1
ea508e2bcc253766c8ccba4014502a74eea93271

SHA256
beda44db3270d6e13788977c4d2ab99cfd951008822efe0dae71d02704063954

SHA512
0d05e987779ea28cf68fbca8af1d5ddcb985bb9b1be575c1946939d2a5323646bab3624c8d3072114503d2eb7164e417b6a12a626c824666e20c907262916dad

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
76KB

MD5
c1a873188e7a5ea4654eceb97dcc941a

SHA1
25e3d884cd819af4bede6f95f8b4416e9b063914

SHA256
fcc0b9964e35f67eea81fb064f9274912ffe7c26f098bbc3d075dc7a19202016

SHA512
76ae63b15504bee73a7de05f51a255b88537c3f0cd78413832941548f09024bb67fce08d3ae28354e1cb9bb2224c8fbe2ddf8d3568d95b7838df7062c6bc2aa7

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
76KB

MD5
92d0fe661fbe309ebdb9babf88e14e43

SHA1
76b77461338f4bd6a9fa7a7d8ff98151eca05614

SHA256
3a9039bd7b30c2eda08b4b8431f1b7b086f80812f61c690985345840412a708d

SHA512
d9067d405d9700b839a265515d924c78c5f67f8527d3a8f1db9e2ec0d1d56ba8070184aacd9ed21033b422ee80850069e6317fc2b8b0325935169f03c717ac92

Download Submit
memory/208-511-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/388-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-493-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/408-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/684-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/688-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/732-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/828-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/860-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1088-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1096-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1152-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1248-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1312-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-440-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1612-586-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1612-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1616-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1820-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-583-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2072-469-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2212-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2272-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2332-529-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2580-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2776-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3372-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3408-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3408-597-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3412-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3424-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3516-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3608-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3608-572-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3784-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3800-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3912-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4004-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-499-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4132-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4152-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4152-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4152-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4160-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4176-481-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-510-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4284-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4284-600-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4384-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4392-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4444-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4452-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-522-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4896-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5000-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5024-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5144-541-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5184-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5220-557-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5260-564-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5308-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5348-577-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5392-584-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5432-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5480-599-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads