7740a008560082f379819be1ea0b4f3a73d84882ad6ecf4dfaf60d43e93b4ae4

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

574df620cd3e412a4c011cbe952d37f0_NeikiAnalytics.exe
Size

109KB
MD5

574df620cd3e412a4c011cbe952d37f0
SHA1

d8f8b93bfce19623ecf702846b1f32fc6e5eb122
SHA256

7740a008560082f379819be1ea0b4f3a73d84882ad6ecf4dfaf60d43e93b4ae4
SHA512

2bfca020d60418424ad86e4a673816429bc5486ea231c44005463c69ab095e522f2e4013e631ca957eac259146dc181a781d791e6bc722b2a1bd5cbb76957b5f
SSDEEP

3072:T3A/MSaHv8r2J9iGNzEoreM0i1GPBMkuGGJ9QLCqwzBu1DjHLMVDqqkSp:jYMSq42J9iGNzEoreJi1GPB+J9Qwtu1c

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaebef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Noblkqca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbonoghb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmeigg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fijdjfdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqncnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfobp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnipbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpbpbecj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eafbmgad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfjdqmng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokfja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ganldgib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnibokbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpjjmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njedbjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkkhbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hioflcbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhifomdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpelhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kofdhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fimhjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebaplnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhldbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpaihooo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgihop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjodla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgmmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eppjfgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpkibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbnoiqdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjjmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ooibkpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahfkimd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqmmmmph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbbicl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lohqnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opqofe32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/4156-0-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0008000000023261-6.dat	family_berbew
behavioral2/memory/5048-8-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0008000000023267-14.dat	family_berbew
behavioral2/memory/5004-16-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002326a-22.dat	family_berbew
behavioral2/memory/5100-23-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002326c-30.dat	family_berbew
behavioral2/memory/4724-31-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002326e-33.dat	family_berbew
behavioral2/memory/4732-39-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/3000-47-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023270-48.dat	family_berbew
behavioral2/files/0x0008000000023265-54.dat	family_berbew
behavioral2/memory/2284-56-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023273-62.dat	family_berbew
behavioral2/files/0x0007000000023276-66.dat	family_berbew
behavioral2/files/0x0007000000023276-70.dat	family_berbew
behavioral2/memory/224-72-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4460-63-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023278-78.dat	family_berbew
behavioral2/memory/4648-79-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002327a-88.dat	family_berbew
behavioral2/memory/1660-87-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002327c-94.dat	family_berbew
behavioral2/memory/2076-95-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002327e-104.dat	family_berbew
behavioral2/memory/3860-103-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023280-111.dat	family_berbew
behavioral2/files/0x0007000000023282-118.dat	family_berbew
behavioral2/memory/4632-119-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023284-128.dat	family_berbew
behavioral2/memory/4004-127-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/2528-136-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023286-135.dat	family_berbew
behavioral2/files/0x0007000000023288-143.dat	family_berbew
behavioral2/memory/4232-144-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023282-114.dat	family_berbew
behavioral2/memory/3764-112-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002328b-150.dat	family_berbew
behavioral2/memory/2444-152-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002328d-159.dat	family_berbew
behavioral2/memory/3052-164-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002328f-166.dat	family_berbew
behavioral2/memory/716-167-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023291-174.dat	family_berbew
behavioral2/memory/2136-180-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023293-182.dat	family_berbew
behavioral2/memory/3536-183-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023295-190.dat	family_berbew
behavioral2/memory/4160-196-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023297-198.dat	family_berbew
behavioral2/memory/3372-199-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023299-206.dat	family_berbew
behavioral2/memory/1288-208-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002329b-214.dat	family_berbew
behavioral2/memory/4244-215-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002329d-222.dat	family_berbew
behavioral2/memory/2192-223-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002329f-230.dat	family_berbew
behavioral2/memory/2352-232-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x00070000000232a1-238.dat	family_berbew
behavioral2/memory/536-240-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x00070000000232a3-246.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
5048	Eppjfgcp.exe
5004	Feoodn32.exe
5100	Fimhjl32.exe
4724	Fnipbc32.exe
4732	Fpimlfke.exe
3000	Fpkibf32.exe
2284	Glbjggof.exe
4460	Gifkpknp.exe
224	Gbnoiqdq.exe
4648	Gpbpbecj.exe
1660	Gpelhd32.exe
2076	Gmimai32.exe
3860	Hipmfjee.exe
3764	Hfcnpn32.exe
4632	Hpnoncim.exe
4004	Hifcgion.exe
2528	Hfjdqmng.exe
4232	Hlglidlo.exe
2444	Iepaaico.exe
3052	Lqmmmmph.exe
716	Mfqlfb32.exe
2136	Mjodla32.exe
3536	Mgbefe32.exe
4160	Nnojho32.exe
3372	Nclbpf32.exe
1288	Npepkf32.exe
4244	Nfaemp32.exe
2192	Ngqagcag.exe
2352	Ocjoadei.exe
536	Opqofe32.exe
516	Opclldhj.exe
1292	Pfoann32.exe
4264	Pjpfjl32.exe
4892	Phfcipoo.exe
2548	Qmeigg32.exe
4392	Qjiipk32.exe
4408	Amjbbfgo.exe
220	Aknbkjfh.exe
4548	Adfgdpmi.exe
1436	Apmhiq32.exe
2240	Aaldccip.exe
3320	Akdilipp.exe
3852	Bdmmeo32.exe
1184	Bmeandma.exe
3216	Cammjakm.exe
3960	Ckebcg32.exe
1828	Ckgohf32.exe
2164	Cdpcal32.exe
1416	Cklhcfle.exe
1776	Dnmaea32.exe
2280	Dhdbhifj.exe
3116	Dndgfpbo.exe
932	Ebaplnie.exe
3884	Eqgmmk32.exe
4888	Enkmfolf.exe
2096	Egcaod32.exe
3364	Enmjlojd.exe
1028	Egened32.exe
432	Eqncnj32.exe
1980	Fnbcgn32.exe
2988	Fkfcqb32.exe
4032	Fijdjfdb.exe
4516	Fbbicl32.exe
3124	Fqgedh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ebaplnie.exe	Dndgfpbo.exe
File created	C:\Windows\SysWOW64\Fpmfmgnc.dll	Egened32.exe
File opened for modification	C:\Windows\SysWOW64\Fbgbnkfm.exe	Fqgedh32.exe
File created	C:\Windows\SysWOW64\Hpioin32.exe	Hioflcbj.exe
File opened for modification	C:\Windows\SysWOW64\Lpjjmg32.exe	Ledepn32.exe
File created	C:\Windows\SysWOW64\Higplnpb.dll	Ajmladbl.exe
File created	C:\Windows\SysWOW64\Aammfkln.dll	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Pjpfjl32.exe	Pfoann32.exe
File opened for modification	C:\Windows\SysWOW64\Aknbkjfh.exe	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Mpnmig32.dll	Jikoopij.exe
File created	C:\Windows\SysWOW64\Amoppdld.dll	Bbfmgd32.exe
File created	C:\Windows\SysWOW64\Nnoefe32.dll	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Mjodla32.exe	Mfqlfb32.exe
File opened for modification	C:\Windows\SysWOW64\Nclbpf32.exe	Nnojho32.exe
File created	C:\Windows\SysWOW64\Odaodc32.dll	Geoapenf.exe
File created	C:\Windows\SysWOW64\Apmhiq32.exe	Adfgdpmi.exe
File created	C:\Windows\SysWOW64\Anjcohke.dll	Jbepme32.exe
File created	C:\Windows\SysWOW64\Nijqcf32.exe	Noblkqca.exe
File created	C:\Windows\SysWOW64\Dgeaknci.dll	Adfgdpmi.exe
File created	C:\Windows\SysWOW64\Ddcebe32.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Aolphl32.dll	Ekljpm32.exe
File created	C:\Windows\SysWOW64\Baaelkfn.dll	Feoodn32.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Cammjakm.exe
File created	C:\Windows\SysWOW64\Mpapnfhg.exe	Lpochfji.exe
File created	C:\Windows\SysWOW64\Dhdbhifj.exe	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Abocgb32.dll	Dahfkimd.exe
File created	C:\Windows\SysWOW64\Ncjiib32.dll	Dgihop32.exe
File created	C:\Windows\SysWOW64\Ghehjh32.dll	Eqncnj32.exe
File created	C:\Windows\SysWOW64\Ooibkpmi.exe	Ncbafoge.exe
File opened for modification	C:\Windows\SysWOW64\Fgiaemic.exe	Fqphic32.exe
File opened for modification	C:\Windows\SysWOW64\Gicgpelg.exe	Fkofga32.exe
File opened for modification	C:\Windows\SysWOW64\Glhimp32.exe	Geoapenf.exe
File created	C:\Windows\SysWOW64\Jpehef32.dll	Gaebef32.exe
File created	C:\Windows\SysWOW64\Cgilho32.dll	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Hifcgion.exe	Hpnoncim.exe
File created	C:\Windows\SysWOW64\Pmikmcgp.dll	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Fnbcgn32.exe	Eqncnj32.exe
File created	C:\Windows\SysWOW64\Coppbe32.dll	Hnibokbd.exe
File created	C:\Windows\SysWOW64\Fkaokcqj.dll	Mpapnfhg.exe
File opened for modification	C:\Windows\SysWOW64\Ncbafoge.exe	Njjmni32.exe
File opened for modification	C:\Windows\SysWOW64\Ekqckmfb.exe	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Dibkjmof.dll	Gpbpbecj.exe
File opened for modification	C:\Windows\SysWOW64\Npepkf32.exe	Nclbpf32.exe
File created	C:\Windows\SysWOW64\Mlbmonhi.dll	Fijdjfdb.exe
File created	C:\Windows\SysWOW64\Hioflcbj.exe	Hnibokbd.exe
File created	C:\Windows\SysWOW64\Himfiblh.dll	Hbnaeh32.exe
File created	C:\Windows\SysWOW64\Naagioah.dll	Noppeaed.exe
File opened for modification	C:\Windows\SysWOW64\Bpqjjjjl.exe	Afcmfe32.exe
File opened for modification	C:\Windows\SysWOW64\Pjlcjf32.exe	Padnaq32.exe
File created	C:\Windows\SysWOW64\Cnnbme32.dll	Gbnoiqdq.exe
File opened for modification	C:\Windows\SysWOW64\Hipmfjee.exe	Gmimai32.exe
File opened for modification	C:\Windows\SysWOW64\Dnmaea32.exe	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Eqgmmk32.exe	Ebaplnie.exe
File created	C:\Windows\SysWOW64\Kemooo32.exe	Kakmna32.exe
File created	C:\Windows\SysWOW64\Gdmpga32.dll	Opqofe32.exe
File opened for modification	C:\Windows\SysWOW64\Jimldogg.exe	Jikoopij.exe
File opened for modification	C:\Windows\SysWOW64\Ngqagcag.exe	Nfaemp32.exe
File created	C:\Windows\SysWOW64\Lpcgahca.dll	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Kkcghg32.dll	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Iffahdpm.dll	Fclhpo32.exe
File opened for modification	C:\Windows\SysWOW64\Enmjlojd.exe	Egcaod32.exe
File created	C:\Windows\SysWOW64\Gaebef32.exe	Glhimp32.exe
File opened for modification	C:\Windows\SysWOW64\Hpioin32.exe	Hioflcbj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6328	6964	WerFault.exe	261

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlglidlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lqmmmmph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjakdno.dll"	Kemooo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abocgb32.dll"	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopnkd32.dll"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnndji32.dll"	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	574df620cd3e412a4c011cbe952d37f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhdbhifj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhldbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mokfja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Noblkqca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gillppii.dll"	Hioflcbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jimldogg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpjjmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfhldel.dll"	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgnnai32.dll"	Mfqlfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbnhoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anoipp32.dll"	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghehjh32.dll"	Eqncnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ooibkpmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbhcl32.dll"	Ddmhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggdhe32.dll"	Heegad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgldbkn.dll"	Pmbegqjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkgppbgc.dll"	Kofdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaokcqj.dll"	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjpfjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebaplnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Joqafgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagioah.dll"	Noppeaed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnllm32.dll"	Njedbjej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lqmmmmph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnibokbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elckbhbj.dll"	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gaebef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcejdp32.dll"	Mhldbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmbegqjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pboglh32.dll"	Ihbponja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ihbponja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qbajeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gifkpknp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mfqlfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afcmfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqkondfl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 5048	4156	574df620cd3e412a4c011cbe952d37f0_NeikiAnalytics.exe	89
PID 4156 wrote to memory of 5048	4156	574df620cd3e412a4c011cbe952d37f0_NeikiAnalytics.exe	89
PID 4156 wrote to memory of 5048	4156	574df620cd3e412a4c011cbe952d37f0_NeikiAnalytics.exe	89
PID 5048 wrote to memory of 5004	5048	Eppjfgcp.exe	90
PID 5048 wrote to memory of 5004	5048	Eppjfgcp.exe	90
PID 5048 wrote to memory of 5004	5048	Eppjfgcp.exe	90
PID 5004 wrote to memory of 5100	5004	Feoodn32.exe	91
PID 5004 wrote to memory of 5100	5004	Feoodn32.exe	91
PID 5004 wrote to memory of 5100	5004	Feoodn32.exe	91
PID 5100 wrote to memory of 4724	5100	Fimhjl32.exe	92
PID 5100 wrote to memory of 4724	5100	Fimhjl32.exe	92
PID 5100 wrote to memory of 4724	5100	Fimhjl32.exe	92
PID 4724 wrote to memory of 4732	4724	Fnipbc32.exe	93
PID 4724 wrote to memory of 4732	4724	Fnipbc32.exe	93
PID 4724 wrote to memory of 4732	4724	Fnipbc32.exe	93
PID 4732 wrote to memory of 3000	4732	Fpimlfke.exe	94
PID 4732 wrote to memory of 3000	4732	Fpimlfke.exe	94
PID 4732 wrote to memory of 3000	4732	Fpimlfke.exe	94
PID 3000 wrote to memory of 2284	3000	Fpkibf32.exe	95
PID 3000 wrote to memory of 2284	3000	Fpkibf32.exe	95
PID 3000 wrote to memory of 2284	3000	Fpkibf32.exe	95
PID 2284 wrote to memory of 4460	2284	Glbjggof.exe	96
PID 2284 wrote to memory of 4460	2284	Glbjggof.exe	96
PID 2284 wrote to memory of 4460	2284	Glbjggof.exe	96
PID 4460 wrote to memory of 224	4460	Gifkpknp.exe	97
PID 4460 wrote to memory of 224	4460	Gifkpknp.exe	97
PID 4460 wrote to memory of 224	4460	Gifkpknp.exe	97
PID 224 wrote to memory of 4648	224	Gbnoiqdq.exe	98
PID 224 wrote to memory of 4648	224	Gbnoiqdq.exe	98
PID 224 wrote to memory of 4648	224	Gbnoiqdq.exe	98
PID 4648 wrote to memory of 1660	4648	Gpbpbecj.exe	99
PID 4648 wrote to memory of 1660	4648	Gpbpbecj.exe	99
PID 4648 wrote to memory of 1660	4648	Gpbpbecj.exe	99
PID 1660 wrote to memory of 2076	1660	Gpelhd32.exe	100
PID 1660 wrote to memory of 2076	1660	Gpelhd32.exe	100
PID 1660 wrote to memory of 2076	1660	Gpelhd32.exe	100
PID 2076 wrote to memory of 3860	2076	Gmimai32.exe	101
PID 2076 wrote to memory of 3860	2076	Gmimai32.exe	101
PID 2076 wrote to memory of 3860	2076	Gmimai32.exe	101
PID 3860 wrote to memory of 3764	3860	Hipmfjee.exe	102
PID 3860 wrote to memory of 3764	3860	Hipmfjee.exe	102
PID 3860 wrote to memory of 3764	3860	Hipmfjee.exe	102
PID 3764 wrote to memory of 4632	3764	Hfcnpn32.exe	103
PID 3764 wrote to memory of 4632	3764	Hfcnpn32.exe	103
PID 3764 wrote to memory of 4632	3764	Hfcnpn32.exe	103
PID 4632 wrote to memory of 4004	4632	Hpnoncim.exe	104
PID 4632 wrote to memory of 4004	4632	Hpnoncim.exe	104
PID 4632 wrote to memory of 4004	4632	Hpnoncim.exe	104
PID 4004 wrote to memory of 2528	4004	Hifcgion.exe	105
PID 4004 wrote to memory of 2528	4004	Hifcgion.exe	105
PID 4004 wrote to memory of 2528	4004	Hifcgion.exe	105
PID 2528 wrote to memory of 4232	2528	Hfjdqmng.exe	106
PID 2528 wrote to memory of 4232	2528	Hfjdqmng.exe	106
PID 2528 wrote to memory of 4232	2528	Hfjdqmng.exe	106
PID 4232 wrote to memory of 2444	4232	Hlglidlo.exe	107
PID 4232 wrote to memory of 2444	4232	Hlglidlo.exe	107
PID 4232 wrote to memory of 2444	4232	Hlglidlo.exe	107
PID 2444 wrote to memory of 3052	2444	Iepaaico.exe	108
PID 2444 wrote to memory of 3052	2444	Iepaaico.exe	108
PID 2444 wrote to memory of 3052	2444	Iepaaico.exe	108
PID 3052 wrote to memory of 716	3052	Lqmmmmph.exe	109
PID 3052 wrote to memory of 716	3052	Lqmmmmph.exe	109
PID 3052 wrote to memory of 716	3052	Lqmmmmph.exe	109
PID 716 wrote to memory of 2136	716	Mfqlfb32.exe	110

C:\Users\Admin\AppData\Local\Temp\574df620cd3e412a4c011cbe952d37f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\574df620cd3e412a4c011cbe952d37f0_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\SysWOW64\Eppjfgcp.exe
  C:\Windows\system32\Eppjfgcp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\Feoodn32.exe
    C:\Windows\system32\Feoodn32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\SysWOW64\Fimhjl32.exe
      C:\Windows\system32\Fimhjl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4724
      - C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Gpelhd32.exe
        
        C:\Windows\system32\Gpelhd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Hpnoncim.exe
        
        C:\Windows\system32\Hpnoncim.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        24⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4160
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        29⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        32⤵
        Executes dropped EXE
        
        PID:516
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        37⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        39⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        42⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3216
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1828
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        49⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        56⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\Enmjlojd.exe
        
        C:\Windows\system32\Enmjlojd.exe
        58⤵
        Executes dropped EXE
        
        PID:3364
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Fnbcgn32.exe
        
        C:\Windows\system32\Fnbcgn32.exe
        61⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        62⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\Fijdjfdb.exe
        
        C:\Windows\system32\Fijdjfdb.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        66⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        67⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        68⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1152
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        70⤵
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1160
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        72⤵
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        73⤵
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        77⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        78⤵
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        79⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\Hhfpbpdo.exe
        
        C:\Windows\system32\Hhfpbpdo.exe
        80⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        81⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        82⤵
        Drops file in System32 directory
        
        PID:1100
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        83⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        84⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        85⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        86⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        88⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        89⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        90⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        92⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        94⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        99⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        100⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        104⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        108⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        112⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        113⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        114⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        116⤵
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        118⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        120⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        121⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        122⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6068
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        124⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        125⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Amfobp32.exe
        
        C:\Windows\system32\Amfobp32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        127⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        128⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        130⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        131⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        133⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:512
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        136⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        137⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6216
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6260
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        140⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6352
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        143⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Dahfkimd.exe
        
        C:\Windows\system32\Dahfkimd.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        145⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        146⤵
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        147⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        148⤵
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6852
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6956
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6988
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        154⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        155⤵
        Drops file in System32 directory
        
        PID:7092
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        156⤵
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6164
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6372
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6456
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        162⤵
        Drops file in System32 directory
        
        PID:6552
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        163⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6712
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        165⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        166⤵
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        167⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6964 -s 412
        168⤵
        Program crash
        
        PID:6328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 6964 -ip 6964
1⤵
PID:7084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaldccip.exe

Filesize
109KB

MD5
ec657bb02f0c07d934bcc226d54eff3f

SHA1
13e6d53a554a39222486ec8f7958df0efa6c3d00

SHA256
5488724fa0d420f43a8cc50a13b44fbb09bc7b3e4afc5cbe058d10c5d5d9e1de

SHA512
e373f997ef658c175d6a96b8a68dd5cfbf5981cf7fd1bd5230b9d22362690645b688461547e96912243468191c1e204d0504aef15422aff0e0d5a76564c27fb9

Download Submit
C:\Windows\SysWOW64\Bdmmeo32.exe

Filesize
109KB

MD5
e06864efd373dbe83123dfbaea5beb8f

SHA1
1504c8895c3e379fabaf42a878ba2ad155cbdcbd

SHA256
2a1ce8ee6aa987b2e7ceab914f6268502221caa2a14792c5411d02cf05312fac

SHA512
a57beef001e7ff576a14a0ac0d39e2b7088f5500779f72242646aeab95a9e0214723a1446b8710100720f4cb736a5a4c0e8e554647a5ac75dcddfaa78e4d646e

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
109KB

MD5
2ddf59207d13314a6d2663bbb69ca4d5

SHA1
f55438a8c889c66e3d824124a2ff3c2897905fe4

SHA256
dd6a6eff967def9ea251cd53394c9eec17e513beea2212f0f908a0fb629927d1

SHA512
d91ddffcda666400cd4d32db1e5f55422cc8d49fce6fefe7159bb97f0c6447f19a609a9f22fad995aed2b6adf9c2ea7fcc6f544ec3dbd6a870b180411ab1529b

Download Submit
C:\Windows\SysWOW64\Bpqjjjjl.exe

Filesize
109KB

MD5
ed3271a0e47ca892eaba6b220950bd2f

SHA1
0bc03352c155ebfa0d40e51eb29f9bcc01d9736b

SHA256
c3b8d0603833bb26f0800fb6280557c2f0c06555d20d4fafe5377c4b01f5f4a8

SHA512
93dcd827355c50ffdbb3a9e089f1a9d6ad8dfdcf4a144e0483d8dbeb547410a469b4d6c9fad63af54a36c21fb3e055789fae4aa34ea24e39608baee91d6c8f33

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
109KB

MD5
aa8688ac53b6d9dab0f971f3754bbd79

SHA1
b2c72e973fc2df218056f0b01027e89e0774644e

SHA256
8f28df75e9f257a6f783b125e9e02833f330c16ac179ff1e1c3073a8bc72f525

SHA512
2a5856ccfbaa458bfa6343d57013f30babad70df505b0e5a68e5ce46abc80746d0aff39618e3a87372a224d9c3c032322c49a79a1caf7701b56c0c09711ec044

Download Submit
C:\Windows\SysWOW64\Cdpcal32.exe

Filesize
109KB

MD5
adcb57f81c66daaa7b1ce16bcb5d6c01

SHA1
cfeed037e6c0c80eb971f9efeaa87ce968b0b548

SHA256
0e17d95898f81d0f7defbb874f482f9316f6c893844f69379b85cb34a8bf036d

SHA512
5ce8f85acc0aef815cae3035dda9126a12ebb54b23a9f7780503402441f2248cc29c8af1687ea22da438795eeada5e6e7925e8041354eb58921a7e82f6005523

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
109KB

MD5
dde8fc73f4c9d5b420a0240e1be42e0d

SHA1
156e70e3de684b9e010c5d4124db85a29bdbd830

SHA256
fbda652c6b4f5593f24b4bc453280f4b026aa828eac7b72fb3d0a34570436688

SHA512
698945719354d54641dea8c74e3015a256d6e8846326a6ebd627f31876deaf04b9f9b701a51475f8ce20f49a5509e07b71813c258d60020a97882329016c6b7e

Download Submit
C:\Windows\SysWOW64\Cmpdihki.dll

Filesize
7KB

MD5
aef35518d3364185d211379c55a389a4

SHA1
f600d20a83f3f091efa41420c02f73aa41443317

SHA256
8ecc7b8f18c02870ad9fb3a096a77d43c80f0a4b0aecf6e5304013fb23b9953e

SHA512
bdedb8a8bb834a906abd0628adaec5656f7c1cc2fdd2fe4a7453105ba8ae8cab1bdee06acf3e7df67d2e7ce4de8d9e2d922ce3813bba2c9f0fe673020a15164d

Download Submit
C:\Windows\SysWOW64\Dnmaea32.exe

Filesize
109KB

MD5
386eb21048ce571cbeaf4ee1007a9a07

SHA1
081ff4befcbed94965c29630fa641b1e4be97bb8

SHA256
ce02547f74b901a4f39dc7d0ab12a3b40964c2a8549d63af0f025db5424c744a

SHA512
d2107dba848d704e994f3010fd13c6b727da66b6293050e34eb536148136be337dafdf4cd1b9cd5bab18fb0dca25e30d45ae1059af4411da89ce5395c1f05799

Download Submit
C:\Windows\SysWOW64\Eppjfgcp.exe

Filesize
109KB

MD5
e57f0d351b0be3f3d5492ae52f64c590

SHA1
cdc916168079e9a2d822f517546d53ca7649b5f3

SHA256
28a99c3a43c8cc5954f07d1e9d83655430b588deea9fd8ad24c046d0faa560c7

SHA512
641eb9fa8b293e77f953bd71710dcf7c557eacadfd1a920aebbce164e64b29ed043f4e5f00999ef2cebebe4c62b9321f35e16de163ef38e8bb3cb1effe1ac028

Download Submit
C:\Windows\SysWOW64\Eqgmmk32.exe

Filesize
109KB

MD5
7dd5379eaed830d262741161081320b0

SHA1
97047ee0c2bcc5503b2a62a1ff546aac01282c4f

SHA256
01d2b44c3be2d093fdbd90b55310bc7a1471753dfbd059047f83eada1f469d8c

SHA512
04eb40f7e48780063c9c62ceed7d0eebb9829a403349513ae3228068dd726fb7142a9c1991092e0fa490f626cadc50819b265be07b0e7456ecea9733ab080437

Download Submit
C:\Windows\SysWOW64\Feoodn32.exe

Filesize
109KB

MD5
64f7dbb8e11dd1bca8970225589e31c5

SHA1
bedad1a2591fb2da38a2f7288f6b8ea1ffcbe628

SHA256
1033b6c0df119df120d0e20ee847aadd8a26d9e1ee5c7d84b419004b2f4ce706

SHA512
a0c5161bd268377a5313dd09d0e1aca9786f9628738325bdd692fccd1538d0c8f5e60a538138b7b37e3389f049b1be8ac47c498427cfdb40f8af14c03d0f4ce6

Download Submit
C:\Windows\SysWOW64\Fijdjfdb.exe

Filesize
109KB

MD5
5f5a468c8450d9c30139fea3560cd74f

SHA1
c429967c5f787820a8bdac44eb195422091cfe4a

SHA256
f11775bba591d908185749db9318f3bb4ae077f404f5e0f791ba1cfa8b7e4bf7

SHA512
d4de137d0f40fdef7d8b96ea34fb79c9bfadba0f0687865c0215c952a3b71d0f0bc61e5e4d0fbb4da47c3c088f6aad4f45848469e34100d52df87247bfd5ade7

Download Submit
C:\Windows\SysWOW64\Fimhjl32.exe

Filesize
109KB

MD5
bf1ee31be0d5a4a720c39a506b5caaab

SHA1
8f566717bd41652f149146b3cacef6b579a01666

SHA256
fe8af29def704d6b452ba66406b88d2bb641d2c7365553915de57792317f86e1

SHA512
50646a57778128e6c61931a2cd7ca3945b8d0b2b8521c21e9947c9f26ed0a2b8bfdb848617d075d1b0326b722f8aacdc0b054648a754e39d34a4d590333243f0

Download Submit
C:\Windows\SysWOW64\Fnipbc32.exe

Filesize
109KB

MD5
9f3f1f52709e088953469cf8d4622d56

SHA1
e70dd2f9b213f1e22a35b19ed305292211924371

SHA256
7c92060c463928445278a440980df4de87c549c178db41200e21ad696f787fa1

SHA512
efcd4af4fa4828e73bad947ecc95603e68b69443852ccf29c68ddec66ce20a8fb530be05e6b86b0ece4e99b1f70ab768b33ff4890dedc537ebca909083f8bf3b

Download Submit
C:\Windows\SysWOW64\Fpimlfke.exe

Filesize
109KB

MD5
2754da54eb7d6317b91081cfcf8e6447

SHA1
9bb1933955924beae6e795f78d21661b529f5411

SHA256
56e49ceecfce839e58498d61b95e889757d5312206952cf8ab9fb71dc2719ec7

SHA512
006e9c94355d74b5fb58a45d1509a6592afbcb506701704b6dc1e76fcacd657030113f661ddd1b6251268518e33d2449f1fa2e75d20e4d651caa9de0f6edd231

Download Submit
C:\Windows\SysWOW64\Fpkibf32.exe

Filesize
109KB

MD5
eadb70a99c3709854371c735e0107cc9

SHA1
37e307b912c0bf658d32d67e0f039206d06981a3

SHA256
e70e743cfd6c55180f1c0307e1f6b4da88cfdd98dd4ea90c53cb602450d6e099

SHA512
deb5a990966136450cda658c55f4325b04b72094bd9859bedb061c1e0bb15ef24e5f6f474dd464b323c02898da6c14230e21deee84896d006c9208a6cd90b893

Download Submit
C:\Windows\SysWOW64\Gaebef32.exe

Filesize
64KB

MD5
7c20fa58065c7d24880640cfe6a91fe8

SHA1
0fd3fbfc0a9fcd1435bec6530e7ee2ae6defaba2

SHA256
ba715122cf4a7e4b6db241199ec9f45982ee778d22023afa30515f4f11f1af31

SHA512
71780edc36b946a12402141153b1503f3ac74ab7bd08c733759029ff4c1b28278c5e115631d8b21f2d6e44fe942d0875456d814944decbc89ba14ec1c28ed6e0

Download Submit
C:\Windows\SysWOW64\Gbnoiqdq.exe

Filesize
109KB

MD5
a189aa53e1bbff59db6790d4b4205fff

SHA1
27b4d1cbb3d86be25c48c294a8ddcfa7737fed37

SHA256
75b267e1fa5d3ea2fc1fe3d6cd0e7752a4136be20d3fd3cb0ef5ee11fde0b19b

SHA512
b922d631da7baf3e0f7d8099e15720811266fa6565206b4466ee60b2bef14678dee4468d6acb88e5c9d93e5539f2c3bff4a2a816c2388fae955f6ca3ebacf2ee

Download Submit
C:\Windows\SysWOW64\Gbnoiqdq.exe

Filesize
109KB

MD5
a5bddd9f7bc5c5673f6a5c77b3fd9213

SHA1
8c143bec02017000bc4a62e72b20663d7e28cf76

SHA256
e7c9caf2342f5d48efd0f7c176ec56aca6d177ed018b0e701912dda38a174fb4

SHA512
23655086753222ba331ea63bf3d843f435ec0a2686d770a42bf5172f5cefea273ad8bbdc549797a66c81b12e3185ef0c41a1fb54f166f435ab5ff9c931caa3c4

Download Submit
C:\Windows\SysWOW64\Gifkpknp.exe

Filesize
109KB

MD5
6ecfffa274dc0d20c499490a646ca40b

SHA1
12e93e55e3fa217a1ac8210da24f40a3fc35de85

SHA256
058446a64199583eb946b8eb036bf20f4a8c3a0852a1296f1953fcea63a58367

SHA512
8288b411b0e7a1fa163a7d0f77ec4e83503ead356ae9aa1bd3d6d86c5e6b6983ac7aa278d3c5124ee300cdbd5e43c80f72c091e6357dc3eb7d2a69cc1f8a0e40

Download Submit
C:\Windows\SysWOW64\Glbjggof.exe

Filesize
109KB

MD5
000301f9b760dfa21a9b95ade663f929

SHA1
9427c6283d5b36315140250131044d541efdbfc5

SHA256
6b02ba8c4df08678a0377f6a20e8706ec054196e1041fc9ac2626bd14a5f7719

SHA512
751fde5c57a32a298bb93ef844c82244bcda6361d8a8304b18a28127187cc644b8084f615de7b19343ba4f750d0f1122e92326e62aa7e00be6f227c2418828ff

Download Submit
C:\Windows\SysWOW64\Gmimai32.exe

Filesize
109KB

MD5
9c604355e6c2caef5fc0430af1962b0a

SHA1
0c20e928a0a39844f803042fcec0dc3856c7bdff

SHA256
aaf9aa683b7d5cb3c10877790e584cf97bec245adf7781e6da3be0d2233a9284

SHA512
5f3f00dda5300d729a0735ab45ecd51e63ac15198f677aa0cb96e31e0bae2aebd9ba7ff348444cd42e32e445b3a71608c86873edcac5c27aa5ca577bb42a7544

Download Submit
C:\Windows\SysWOW64\Gpaihooo.exe

Filesize
109KB

MD5
8cdab21f1d70f9bcc8845ca08d8e25a9

SHA1
e6fc4ce9b3bb63af3c61c4fb049ad1ba55f30066

SHA256
6451cb7d89c8d35fd19bcd4f280725094915abbeab6036b44e26d37e7209e272

SHA512
9743e472d8fa26a4a79b8b72f56067bf2ac5aee66c5d377a1a242cfd0d6427f2a2a822039f4da06e2276cd412e43974a9c5fa7f0bc6bc848b117adac7c9d549a

Download Submit
C:\Windows\SysWOW64\Gpbpbecj.exe

Filesize
109KB

MD5
44bff2bcec48b58a94e5ba9f12b253b1

SHA1
47904edceee249fdd31848842566cc706a8298e1

SHA256
4fb09548e2c0bb583ac61eb154be3eda90d830cf78f47c3569e5444d9cf45b20

SHA512
61d535e8783dca72ea419a81bd94f006a29cddb9f2ab7b2b4556ad061f8205670920246188cc79ad5a44c592b8a8909f168e21c7fbc505be5e6100be2bce696f

Download Submit
C:\Windows\SysWOW64\Gpelhd32.exe

Filesize
109KB

MD5
8a44f19ad75a8680f4b0822290fd53c4

SHA1
d16ff1903a2250d2aa11c2f92e5000feaeacb1b1

SHA256
0d49d50a514ac88dbb92bd7bb2de2e71130e007ea17870e3dc23cca2df7fbd15

SHA512
fb31ff56edad5dc10d4b9257716afe6b9893dbd0127426ce0ea323ad23ed45fdedd0822e20c1f730ff59817366e512014fd0466ca009788677ca63edcb9bd38e

Download Submit
C:\Windows\SysWOW64\Hbnaeh32.exe

Filesize
109KB

MD5
96aee121fd7996e9d320034519181bb5

SHA1
e50e51930641ec0a15e3c19d64c103050af4080e

SHA256
13a70db5ab305e0442bfd795a68ba4331be1088a226c9620e54181f279afa380

SHA512
288bf53644af27c8e0231ab1e8ac39a28df08e61e6f6fc6ce48180e8ec978c34ada00abcc1a91d6da19eba43cfd9f3c49bd45d96194412f8a65d134879dc3c13

Download Submit
C:\Windows\SysWOW64\Hfcnpn32.exe

Filesize
109KB

MD5
47ebdadd31cc61400d2d6c2e4fa6a256

SHA1
b7b478a55e227779b4a7b2cb7d130306fbe11ffa

SHA256
071fed826a47df43a71a9dd781c6a6e3e5d22c09bff09e747aaa2b8fa2cd426d

SHA512
b6ebded8ac83bb792ff453fb870a0f8d31e1815ba557452902e0dd62b8240119aee8435b6602f533ddd2a9adea265bc32912bece6fc5fc4141fefb925ac0c36e

Download Submit
C:\Windows\SysWOW64\Hfjdqmng.exe

Filesize
109KB

MD5
faffb18926b2bad650d95af3069ed1ed

SHA1
b484f8ac4d4ad08b33361db49bcd8ff476c00978

SHA256
edd92891f73fee48e65f013eed8f39ce22b8e8af093fa9b1f237579393d867f4

SHA512
d1ba82c257d0a3182c3110975316b7de77f831ec209b8b0bc35735c9ad7386060d61ed574219f91df5c48c15fc0f4821fcfbc2020211d7e4918483e33d84261f

Download Submit
C:\Windows\SysWOW64\Hifcgion.exe

Filesize
109KB

MD5
59b4102393810694f2e58dfdb1c96674

SHA1
b50cd653f043d35db793e4efc34728b2f8590b4c

SHA256
a139dd10ed5e5f7db0deffb3a0b25a61c33f24747cbef2f3d7583556f5833340

SHA512
24a772ee264894b5c5cc2ad2c3e48883f588bb87512ec4e1780e1c68f17619e868377440253fa8ef1972c374cc9850b63ae5bf93ebba78720797537ab3e23151

Download Submit
C:\Windows\SysWOW64\Hipmfjee.exe

Filesize
109KB

MD5
9d023526c8a50bae21df8b7db442ccde

SHA1
b664be2e57628d99b4327ce7fb01b933a2fbc71b

SHA256
17907406d13bf83bbc6dd0c9ceb77c8cad5de4cff8d52658ca008d502fc96e07

SHA512
b9019981bb611052074b0373ff721dc1d1e41d9944d7a776b722140a3069b21298bb4358221ef6b834eb81249b0d84f3277883f4e690e77d7e2fdb338ceed3fa

Download Submit
C:\Windows\SysWOW64\Hlglidlo.exe

Filesize
109KB

MD5
45c2bdcfc89cdf925611fcf40b89762e

SHA1
f91125c71218b2480bd7841424d53f9b24acb269

SHA256
c00b3f1469b856e67430e57134be52cbeea4fc53354ddb1707977d0bea24311a

SHA512
ece5c283de967e755126027421b20278cb18dc2664c1815d071a7e877322b6d2620d753fcd7bf89deb448242a0258f6eff5704a36cabac9f0ad91d881e6a9e14

Download Submit
C:\Windows\SysWOW64\Hpnoncim.exe

Filesize
109KB

MD5
f8b27057d21c7140f71e62a30490e6eb

SHA1
2fc1e10eac28682213d07ac4fa68fe02fc0bceba

SHA256
3d7ba68012d5062b1aae477c7e9697c987f191628a036b1c603e121276298740

SHA512
d8f0778bc1374eddd6834f59e97458e414c94f8f8e569d069710cdaf10745328715e940300ec828a53c22a1bbf57f64360a6c7e0b230303534643ad0af0c1395

Download Submit
C:\Windows\SysWOW64\Hpnoncim.exe

Filesize
109KB

MD5
2c8125a93af3d1a0719abcbfc2bcae66

SHA1
b2f129c3c1579a48e32414c1a557dc981df2caf3

SHA256
6ddd238e1535c22ed27d57400f91f9eef44ad95ae794cbe5b65acdbea7072fad

SHA512
11133898a9a9bdedfadea9c5766a89135aa41c64a3beaaaeb024aeb809fe62c895f01beddfe2c00b9c1a8bbcaea59bc5b524a038bd28935a4476d8bf338e4611

Download Submit
C:\Windows\SysWOW64\Iepaaico.exe

Filesize
109KB

MD5
e41f5a535be08651fdd61b29c236121f

SHA1
102ca2e6bd8574268f2fbe7e72c548e3d821df71

SHA256
9389fae48ab10851cb61bdbaba1424d8410c62836a21cc544801032a57cc5505

SHA512
221391aa4ad678fa2177313dd619b2672938d279035067b27b136d2d6567376c2af28c0e1a128907d7063b68c0285ecf7f1f7d1286869e87e5d796b257a9cf3e

Download Submit
C:\Windows\SysWOW64\Llqjbhdc.exe

Filesize
109KB

MD5
9631d19333d31bfa560b921a7ff457fa

SHA1
4fc20fbc9238e0c90c01c4b509ccd3f4d2cb375b

SHA256
bdee44fecf7bb1884e17ebb343bba5aebc4b8a734baa97dc2214e7f1782c4782

SHA512
861815176f1cf596e66a8dd6fde543e2f7f665fe075e7b8bf1658fc9b60c5ebda0b94b3a09875fd94688bedb68183f44bb4cf28d6a1cf3e0fae2d0dda05d082f

Download Submit
C:\Windows\SysWOW64\Lohqnd32.exe

Filesize
109KB

MD5
b4f9081e367133f56cb0d6ad867cc183

SHA1
3fed0c963cc1bc40655ddee5f9f46154ac95004a

SHA256
a98d5328b8bc63a43f1e7b8d2afb6eb852095e224289a81adb6ea8ef5412a4d4

SHA512
9ebc4a74ceadccce7008e6cb5c91f746c31d0c82298cf4376a07ad68b14d394dc57bcf1f8e5ef032bdeb4c975bc67c7c1b6f130dcb90d1897dea2f0bd973be7a

Download Submit
C:\Windows\SysWOW64\Lqmmmmph.exe

Filesize
109KB

MD5
cb8d612e11032ccbbca8d9499c8a7733

SHA1
e7e2bb12e1ea9586efd79e24d4f2e69415b2dafd

SHA256
90e7a5d5ee8ef6067c8684fca29ed5ddd6efdb9f504405127d0cd2733198b2b5

SHA512
ee0863de0634f5f311a97deec9c3e37b527033a27ffa840a48a1bf50b32fba9a71f0dd50827a4517e84ad1625aee40a7b8f005d72cdc3d3ee7e087718d5a7291

Download Submit
C:\Windows\SysWOW64\Mfqlfb32.exe

Filesize
109KB

MD5
d9ee0fd1d0b702fe64b1a9ec08d1fe2c

SHA1
d06b6e93edc84dd089570e6add33aee36e570a6b

SHA256
4bd919ce50c2214f361fe5c2f4d9033aaf4a42769b1051b25ee56e049e5a8c19

SHA512
d94907574c87423686a943abe7d6a5a79a5a3cc1777f6c13697c2d6049310bff49538cdf072df0c6bedcf745085298ddae356c0c39daa9bffc8d5c066c542532

Download Submit
C:\Windows\SysWOW64\Mgbefe32.exe

Filesize
109KB

MD5
e91f0f56109488bc634cc2e1889759a2

SHA1
136af4724b82a18f7b94374d500ccc68ae822cf9

SHA256
1930909eafd4d844356ffbcbf04a080a0dc8dc36ce58eb03247f11e78dd0f57e

SHA512
b7b0f002ecc9a18b01c486e481c0a4827007241f753253b184c52dfb50f0f64b7de0dac117d939af5a720594c759cf70e5308323491a92f16e7c360cdd2cfaff

Download Submit
C:\Windows\SysWOW64\Mjodla32.exe

Filesize
109KB

MD5
730d87ed023a7a9a64c629354b6c08a6

SHA1
94964c54da03bdb4cb1a746905dc85655d45dbf5

SHA256
f2e6a5809a4728c71e6485a229cbdb4b95df44b9d23c0de63b1155778f023e5b

SHA512
81f838a79f3d613f4a225457b6556add1891997299b573264c5c66578d8470c173b54e6939a094c201a4ad593010a661f3354922caf6a4bf39e8404b2d719d72

Download Submit
C:\Windows\SysWOW64\Mlofcf32.exe

Filesize
109KB

MD5
d77488a64edf2abeac2d37e2d1d0a835

SHA1
a70baec35324f712caf1eee53f79901fb31b0de5

SHA256
c2f0e1f7a87b84e49b11a25bac93b7484434416e4485122e701db48cccd307f3

SHA512
a05da4ffeca703b2853c0a12ddd4c2068bc53538ac0bd1000cf35b41211f68b118026af1f9797b6f68905a60152dba0d45d20ca38b6cdc63b413694eb2e11fef

Download Submit
C:\Windows\SysWOW64\Nclbpf32.exe

Filesize
109KB

MD5
6fb8ca6f7a17a6d9f748ed0cfacb7064

SHA1
77639dffd3c483f44f768631159e42c6bfca6c03

SHA256
0249a0363931add5f97da83b99641e44d7c1a2409e1e380fbb62c408a91612c4

SHA512
3b31bbec94c23ad2fb985afbd4d5e3eeaf2e2de6dfaf71114e57061bc496fe8d9b698c3bfcc2a0f98e9a636b7eac9460a605d9c7088901b722fb0daed2c65307

Download Submit
C:\Windows\SysWOW64\Nfaemp32.exe

Filesize
109KB

MD5
648deb2cb94743b3325a34134bbb374d

SHA1
dcf2e1379f4ee2f41dc3a7af2c56dabef0f1631b

SHA256
4ce3577f8ea3ae856f922b03247f9ac424ccf1b13ac44875205ed508b9191804

SHA512
816540c56e5bc9a577c9421252d0a64e2f132a03bd0b375b6f816f6493ffbc76609b53d1c399c070ae5e13f57b7c94ff44dfbc28edd95112c1a815a1e4000567

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
109KB

MD5
a1ada7057dc8846cbfee8ebad02d891f

SHA1
8f21e8260a2c15ec6f331facbe18882a6c6ec6fd

SHA256
91bd94888797f72580bc81ab58aa0b541dbfce260e4565e7b4eec2837516808a

SHA512
e352a1644ae0b1d93cef250d67f9b5cdef14397f6373d4aa87343b05c087abb5b5ed69b3c3d36eb7392aafbceba8f6c3da1323672d398d9a19635d9d367fec1c

Download Submit
C:\Windows\SysWOW64\Nijqcf32.exe

Filesize
109KB

MD5
d3f8e1cf53f77fc98afded56c6f8d946

SHA1
140d6b63a1940393c93673a00717a48211a167e8

SHA256
9c741547e7d7a0905b56f640823ab7d93f0f3b165532ffa384e7d5f46e8a45ee

SHA512
c8aa83f01e811296e842cff016f69765847979672b35c934641a075b4de999401492d3ab287fbd91f673a195b3a18c3940bc97433e1f357885b81852efe3fdb1

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
109KB

MD5
1734e665a36fab9595df1d4eb22346cc

SHA1
7b8ad9561a8a6d5c3e2efe4f2a9c505a7fa34acb

SHA256
29a98613158b33890e0f206d4b523a68cc2f95bb37691d9683a1451e3f7847bd

SHA512
53b68540c34ca80a957ed3976ba4fa6e65207d165748734b98ed204a688d856f1c1d9fe59d67683e08ec657bc14ecb3d5031cb65d67db36a7b5ca53e88e3d704

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
109KB

MD5
20a1657d817a3f20bd91152a64be0603

SHA1
6c0dab0dce0e3983da646ac27a1483d64e602f39

SHA256
b2c5dc94300e4fe53b71fbc5923f34043597167db03d549b8b14554976064fca

SHA512
c5626c66da882ffe9581641a18387ad7adabb8b075658e73eaf056d1454c84e3460fd94c080545c02c6f1015620ff8ee3f9b007e0b25f8277d2843a3a46e63ba

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
109KB

MD5
aa096d5799f4debca13492a472828f55

SHA1
f587d9dc9df741b669bdc19562841c12c3015b67

SHA256
3d79fd7d652a0b5b7d8de98860b390a46534cab6e6c0f4887dc65f7794b189b9

SHA512
e98e85fd9b653d43eff2bdc411fa8c776e5f3fe0f5a95f7e939819c1453961ef533cfbf0832376b9f347278891dfe30842a2470f0dd8ea24dadaeb23a3afbd49

Download Submit
C:\Windows\SysWOW64\Ojemig32.exe

Filesize
109KB

MD5
02c7047034bc78e4129e2dc07d924df0

SHA1
cb69dcd4ce16fa2ca78b0ac13c1e68aa277318cf

SHA256
89451ddf3f1f29f4393eff612b53d23b7f714ab5cc9ff710215e8bacd8edb8ab

SHA512
7803e845b163401e8fb138aa02582b7c25325f890d31949d968f32a95c3692146e4339619ed414d6fbde82906b995ba994779e5c10170a7ebcdc9d3aafd306d8

Download Submit
C:\Windows\SysWOW64\Opclldhj.exe

Filesize
109KB

MD5
2fc13a15c6c5824bc236ad16474da9fe

SHA1
a72f146a9f4be0d1103638b6d9d3c2acf3d031c4

SHA256
35239e82c3af117b111b8c94e27b2f7b12ecd0a9f4d839b2d23beedbd8ea02f6

SHA512
39717e02ea5d7ef6f3101f93e8a43a130889ae3305a4ddb6b80d3fcabc639ecef2ab2a6c8bf42079bb840499dcf50a5dd51b74fecaaf230c28c1621a265207ca

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
109KB

MD5
6d4d24c0650280b269397a7c89106977

SHA1
1baf8a33e91bdfe0a18e2d4728e7b0e1674ce3e8

SHA256
ad57dcf1e760574cda501f0af78a31fe8d5d33b1a4cf1f5d9f465a37dc21d6c4

SHA512
67227ca6f658b9365364dd87365ea16289518860754bb4aea58a0ad05c1fecaaec4a1186f68349c17e5ed5ae43602b96bd337ce6cc266ec063b17110ef9d3f2d

Download Submit
C:\Windows\SysWOW64\Pbhgoh32.exe

Filesize
109KB

MD5
ce6896912cb9f78459942be328737985

SHA1
a5a34cd9629428020c22193b55eea116ace2e92b

SHA256
2a365ff3772bd6659d605c51ccb092b7b47d7dfd4ac258b93df6115d31a53749

SHA512
d3342c89574683f03906dde15b0b430f05c6cb43547400db69bf644c8306269d16b01d775ad8be4b3ba1f532cc0b38f31a9be9e82306ff294d5fe74e72ab1930

Download Submit
C:\Windows\SysWOW64\Pfoann32.exe

Filesize
109KB

MD5
8e88a57e50a1ad7ce6b75831421dfa8a

SHA1
e02132827190d6b2117cda040cb5f7d20cca1bd1

SHA256
b460280edacd482fe48adb033cd7524092ab513b977a44dcda1499c3a8e495be

SHA512
af443e9ba1f6f89d78ec36207e1da5decd017067a2056bd3b4718dafc135dba7e9369433200c298682500b081a973713f0a80ac03c23e5d5b8a08f9f7c4fe55a

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
109KB

MD5
7a00a78dd87e433e5bc6fe8b973c9c0b

SHA1
35137d7b4ba699744b3eb626dc5c164d4560d815

SHA256
2f6127aa1a3d399feb240d65baa7173a7fc8863f9ea73eb14485bd2c905bdaa5

SHA512
df5dc9277e7168fa4da0c5a742e73584d0c9eed2bf93544d22c88ea895a4cf13cdd63f012177d47564e48d3922a9463ed3cd307e029eacc4345afba5210b8c7f

Download Submit
C:\Windows\SysWOW64\Pjlcjf32.exe

Filesize
109KB

MD5
61862e294c8760f0265bea696ffcf913

SHA1
3278a2c02a49421f0bce7267cf12ebed06bbe83e

SHA256
d467d9758241d1e155224c4f9cce708f1ba9574d0ee5ba1fadaf4ae639ee13ce

SHA512
cfbc476d383778f3d2fced8b6ca72137bea5a717f0deeeb403d8cae1a08ba73bcbefc5dcd396f5341618aad9dd24ae6b48bf1d4a6f63552aeaef8e9f28a33090

Download Submit
memory/220-296-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/224-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/432-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/516-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/536-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/540-460-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/716-167-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/932-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1004-478-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1028-417-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1100-556-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1152-472-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1160-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1168-536-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1184-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1288-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1292-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1416-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1436-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1492-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1660-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1776-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1828-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1968-494-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1980-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2076-95-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2096-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2136-180-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2164-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2168-538-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2192-223-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2240-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2280-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2284-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2284-593-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2352-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2376-496-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2444-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2528-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2548-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2864-520-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2988-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3000-586-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3000-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3052-164-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3116-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3124-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3216-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3320-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3364-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3372-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3536-183-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3764-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3852-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3860-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3884-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3960-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3968-517-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4004-127-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4032-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4156-544-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4156-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4160-196-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4196-545-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4232-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4244-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4264-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4324-502-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4328-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4392-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4408-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4460-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4516-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4548-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4632-119-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4648-79-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4724-31-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4724-572-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4732-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4732-579-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4772-508-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4872-526-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4888-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4892-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-558-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5020-563-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5048-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5048-551-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5100-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5100-565-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5128-566-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5172-573-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5252-580-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5308-587-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5360-596-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads