bb9d95175019cc12612de3acd43642cf373226a2f81103b0521af72d538139dc

Analysis

max time kernel
146s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe
Size

357KB
MD5

e94cb26812885cf7642b70e683547aa0
SHA1

b197f592b14d57d46409d45d715598f24b6a0bd6
SHA256

bb9d95175019cc12612de3acd43642cf373226a2f81103b0521af72d538139dc
SHA512

d96b5ba5be37496774ce45dd915cebee8b141b3bdbd2c11bcce60914f55abbec4ea85e3643b13d8320c4547f06705463bc923b66cd699944446ffc92ced6e1bb
SSDEEP

6144:749TFRFY1n6xJmPMwZoXpKtCe8AUReheFlfSZR0SvsuFrGoyeg3kl+fiXFOFLaJP:8954ZoXpKtCe1eehil6ZR5ZrQeg3kljt

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Impepm32.exe

Malware Dropper & Backdoor - Berbew 58 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0007000000023289-6.dat	family_berbew
behavioral2/files/0x0007000000023402-14.dat	family_berbew
behavioral2/files/0x0007000000023404-23.dat	family_berbew
behavioral2/files/0x0007000000023406-30.dat	family_berbew
behavioral2/files/0x0007000000023408-39.dat	family_berbew
behavioral2/files/0x000700000002340a-46.dat	family_berbew
behavioral2/files/0x000700000002340c-54.dat	family_berbew
behavioral2/files/0x000700000002340e-57.dat	family_berbew
behavioral2/files/0x000700000002340e-64.dat	family_berbew
behavioral2/files/0x0007000000023410-71.dat	family_berbew
behavioral2/files/0x0007000000023412-79.dat	family_berbew
behavioral2/files/0x0007000000023414-87.dat	family_berbew
behavioral2/files/0x0007000000023418-102.dat	family_berbew
behavioral2/files/0x000700000002341c-118.dat	family_berbew
behavioral2/files/0x000700000002341e-126.dat	family_berbew
behavioral2/files/0x0007000000023420-135.dat	family_berbew
behavioral2/files/0x0007000000023425-153.dat	family_berbew
behavioral2/files/0x0007000000023425-160.dat	family_berbew
behavioral2/files/0x000700000002342a-177.dat	family_berbew
behavioral2/files/0x000700000001d9e8-175.dat	family_berbew
behavioral2/files/0x000700000002342c-190.dat	family_berbew
behavioral2/files/0x000700000002342e-198.dat	family_berbew
behavioral2/files/0x0007000000023430-206.dat	family_berbew
behavioral2/files/0x0007000000023438-239.dat	family_berbew
behavioral2/files/0x000700000002343a-247.dat	family_berbew
behavioral2/files/0x000700000002348a-492.dat	family_berbew
behavioral2/files/0x00070000000234a8-588.dat	family_berbew
behavioral2/files/0x00070000000234a6-580.dat	family_berbew
behavioral2/files/0x00070000000234a2-567.dat	family_berbew
behavioral2/files/0x000700000002349c-547.dat	family_berbew
behavioral2/files/0x000700000002349a-538.dat	family_berbew
behavioral2/files/0x0007000000023488-485.dat	family_berbew
behavioral2/files/0x000700000002347a-443.dat	family_berbew
behavioral2/files/0x000700000002346c-400.dat	family_berbew
behavioral2/files/0x0007000000023466-384.dat	family_berbew
behavioral2/files/0x0007000000023460-366.dat	family_berbew
behavioral2/files/0x000700000002345e-359.dat	family_berbew
behavioral2/files/0x000700000002345a-347.dat	family_berbew
behavioral2/files/0x0003000000022ab9-275.dat	family_berbew
behavioral2/files/0x000700000002343c-255.dat	family_berbew
behavioral2/files/0x0007000000023436-231.dat	family_berbew
behavioral2/files/0x0007000000023434-224.dat	family_berbew
behavioral2/files/0x0007000000023432-215.dat	family_berbew
behavioral2/files/0x0007000000023432-209.dat	family_berbew
behavioral2/files/0x000700000002342a-183.dat	family_berbew
behavioral2/files/0x0007000000023427-167.dat	family_berbew
behavioral2/files/0x00080000000233fe-151.dat	family_berbew
behavioral2/files/0x0007000000023422-143.dat	family_berbew
behavioral2/files/0x000700000002341e-121.dat	family_berbew
behavioral2/files/0x000700000002341a-111.dat	family_berbew
behavioral2/files/0x0007000000023416-95.dat	family_berbew
behavioral2/files/0x00070000000234c6-691.dat	family_berbew
behavioral2/files/0x00070000000234d2-731.dat	family_berbew
behavioral2/files/0x00070000000234d6-744.dat	family_berbew
behavioral2/files/0x00070000000234de-773.dat	family_berbew
behavioral2/files/0x00070000000234e2-787.dat	family_berbew
behavioral2/files/0x00070000000234ec-821.dat	family_berbew
behavioral2/files/0x00070000000234f4-849.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
4544	Efpajh32.exe
2472	Eqfeha32.exe
1632	Ecdbdl32.exe
1812	Fbgbpihg.exe
680	Fmmfmbhn.exe
3552	Fbioei32.exe
3920	Fcikolnh.exe
1288	Fjcclf32.exe
1416	Fopldmcl.exe
3184	Fbnhphbp.exe
3720	Fmclmabe.exe
1208	Fbqefhpm.exe
448	Fqaeco32.exe
4816	Gbcakg32.exe
548	Gjjjle32.exe
1408	Gqdbiofi.exe
748	Giofnacd.exe
1152	Gcekkjcj.exe
3256	Gmmocpjk.exe
2244	Gpklpkio.exe
1212	Gfedle32.exe
3356	Gidphq32.exe
4856	Gpnhekgl.exe
1348	Gfhqbe32.exe
2188	Gameonno.exe
3996	Hbanme32.exe
632	Hfljmdjc.exe
5080	Hpenfjad.exe
3540	Hfofbd32.exe
216	Hadkpm32.exe
3172	Hfachc32.exe
792	Hmklen32.exe
1512	Hcedaheh.exe
4392	Hfcpncdk.exe
4616	Hmmhjm32.exe
4528	Ipldfi32.exe
4156	Iffmccbi.exe
4056	Impepm32.exe
1808	Icjmmg32.exe
4656	Iiffen32.exe
708	Ipqnahgf.exe
3532	Icljbg32.exe
1528	Ifjfnb32.exe
4596	Iiibkn32.exe
4700	Iapjlk32.exe
1252	Ibagcc32.exe
1604	Ijhodq32.exe
1652	Iikopmkd.exe
4840	Iabgaklg.exe
4344	Idacmfkj.exe
4416	Ifopiajn.exe
4652	Imihfl32.exe
948	Jaedgjjd.exe
2248	Jbfpobpb.exe
2124	Jfaloa32.exe
3320	Jiphkm32.exe
2748	Jagqlj32.exe
4920	Jbhmdbnp.exe
4628	Jibeql32.exe
404	Jmnaakne.exe
1336	Jdhine32.exe
2196	Jfffjqdf.exe
2732	Jjbako32.exe
4088	Jaljgidl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Giofnacd.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ecdbdl32.exe	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Dnplgc32.dll	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Fqaeco32.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gfedle32.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Qfiapa32.dll	Fcikolnh.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Gjjjle32.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Impepm32.exe
File created	C:\Windows\SysWOW64\Gbcakg32.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Fbioei32.exe	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Fbqefhpm.exe	Fmclmabe.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Chbijmok.dll	Giofnacd.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5452	5244	WerFault.exe	211

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Gameonno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 4544	1780	e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe	84
PID 1780 wrote to memory of 4544	1780	e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe	84
PID 1780 wrote to memory of 4544	1780	e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe	84
PID 4544 wrote to memory of 2472	4544	Efpajh32.exe	85
PID 4544 wrote to memory of 2472	4544	Efpajh32.exe	85
PID 4544 wrote to memory of 2472	4544	Efpajh32.exe	85
PID 2472 wrote to memory of 1632	2472	Eqfeha32.exe	86
PID 2472 wrote to memory of 1632	2472	Eqfeha32.exe	86
PID 2472 wrote to memory of 1632	2472	Eqfeha32.exe	86
PID 1632 wrote to memory of 1812	1632	Ecdbdl32.exe	87
PID 1632 wrote to memory of 1812	1632	Ecdbdl32.exe	87
PID 1632 wrote to memory of 1812	1632	Ecdbdl32.exe	87
PID 1812 wrote to memory of 680	1812	Fbgbpihg.exe	88
PID 1812 wrote to memory of 680	1812	Fbgbpihg.exe	88
PID 1812 wrote to memory of 680	1812	Fbgbpihg.exe	88
PID 680 wrote to memory of 3552	680	Fmmfmbhn.exe	89
PID 680 wrote to memory of 3552	680	Fmmfmbhn.exe	89
PID 680 wrote to memory of 3552	680	Fmmfmbhn.exe	89
PID 3552 wrote to memory of 3920	3552	Fbioei32.exe	90
PID 3552 wrote to memory of 3920	3552	Fbioei32.exe	90
PID 3552 wrote to memory of 3920	3552	Fbioei32.exe	90
PID 3920 wrote to memory of 1288	3920	Fcikolnh.exe	91
PID 3920 wrote to memory of 1288	3920	Fcikolnh.exe	91
PID 3920 wrote to memory of 1288	3920	Fcikolnh.exe	91
PID 1288 wrote to memory of 1416	1288	Fjcclf32.exe	92
PID 1288 wrote to memory of 1416	1288	Fjcclf32.exe	92
PID 1288 wrote to memory of 1416	1288	Fjcclf32.exe	92
PID 1416 wrote to memory of 3184	1416	Fopldmcl.exe	93
PID 1416 wrote to memory of 3184	1416	Fopldmcl.exe	93
PID 1416 wrote to memory of 3184	1416	Fopldmcl.exe	93
PID 3184 wrote to memory of 3720	3184	Fbnhphbp.exe	94
PID 3184 wrote to memory of 3720	3184	Fbnhphbp.exe	94
PID 3184 wrote to memory of 3720	3184	Fbnhphbp.exe	94
PID 3720 wrote to memory of 1208	3720	Fmclmabe.exe	96
PID 3720 wrote to memory of 1208	3720	Fmclmabe.exe	96
PID 3720 wrote to memory of 1208	3720	Fmclmabe.exe	96
PID 1208 wrote to memory of 448	1208	Fbqefhpm.exe	98
PID 1208 wrote to memory of 448	1208	Fbqefhpm.exe	98
PID 1208 wrote to memory of 448	1208	Fbqefhpm.exe	98
PID 448 wrote to memory of 4816	448	Fqaeco32.exe	99
PID 448 wrote to memory of 4816	448	Fqaeco32.exe	99
PID 448 wrote to memory of 4816	448	Fqaeco32.exe	99
PID 4816 wrote to memory of 548	4816	Gbcakg32.exe	100
PID 4816 wrote to memory of 548	4816	Gbcakg32.exe	100
PID 4816 wrote to memory of 548	4816	Gbcakg32.exe	100
PID 548 wrote to memory of 1408	548	Gjjjle32.exe	101
PID 548 wrote to memory of 1408	548	Gjjjle32.exe	101
PID 548 wrote to memory of 1408	548	Gjjjle32.exe	101
PID 1408 wrote to memory of 748	1408	Gqdbiofi.exe	102
PID 1408 wrote to memory of 748	1408	Gqdbiofi.exe	102
PID 1408 wrote to memory of 748	1408	Gqdbiofi.exe	102
PID 748 wrote to memory of 1152	748	Giofnacd.exe	104
PID 748 wrote to memory of 1152	748	Giofnacd.exe	104
PID 748 wrote to memory of 1152	748	Giofnacd.exe	104
PID 1152 wrote to memory of 3256	1152	Gcekkjcj.exe	105
PID 1152 wrote to memory of 3256	1152	Gcekkjcj.exe	105
PID 1152 wrote to memory of 3256	1152	Gcekkjcj.exe	105
PID 3256 wrote to memory of 2244	3256	Gmmocpjk.exe	106
PID 3256 wrote to memory of 2244	3256	Gmmocpjk.exe	106
PID 3256 wrote to memory of 2244	3256	Gmmocpjk.exe	106
PID 2244 wrote to memory of 1212	2244	Gpklpkio.exe	107
PID 2244 wrote to memory of 1212	2244	Gpklpkio.exe	107
PID 2244 wrote to memory of 1212	2244	Gpklpkio.exe	107
PID 1212 wrote to memory of 3356	1212	Gfedle32.exe	108

C:\Users\Admin\AppData\Local\Temp\e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e94cb26812885cf7642b70e683547aa0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\SysWOW64\Efpajh32.exe
  C:\Windows\system32\Efpajh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\SysWOW64\Eqfeha32.exe
    C:\Windows\system32\Eqfeha32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\Ecdbdl32.exe
      C:\Windows\system32\Ecdbdl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1812
      - C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        23⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        31⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4156
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        48⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        52⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        59⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        62⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        66⤵
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1940
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        69⤵
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5116
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        71⤵
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        72⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        73⤵
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        75⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        77⤵
        Drops file in System32 directory
        
        PID:1900
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        79⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        81⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        82⤵
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        90⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        92⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        93⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        95⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        98⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        101⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5832
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        106⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        107⤵
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        109⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        112⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        114⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        118⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        120⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        122⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        123⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        124⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        125⤵
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        126⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 412
        127⤵
        Program crash
        
        PID:5452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5244 -ip 5244
1⤵
PID:5332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
357KB

MD5
8809638b4fbb3dccc2b5e5df361aa502

SHA1
3e7b97980fb135685480db97644e5eaf9dacc0dc

SHA256
c841caf3f86ebe16edaf11892263e646b42658112b803b532fecfc44bd1fccb0

SHA512
dc6007c2687d1c02f0fdca1fbc17efc8f1f529e4580736f3139277f3313608d221bf01ea2369e29ab917a287baa371fa3c22b940b0e7aa282cba2e86095e61b7

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
357KB

MD5
b51800892f9957a7a0f1357f3aadac1f

SHA1
cdeb9f4608604df4da632ad481e24b38d0442a3b

SHA256
d52cae681e490136693dbdbb922b83e81cf9576e7842db36c12acf0489495fff

SHA512
5c934eaef5a51fc30745ac9b5dd08c84301a90e3b02507e1aa376e091c706c7db7084a16a72cac5d837855e4481c829db56236b73b314e39fe484ed41e6cfb00

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
357KB

MD5
85227ab39a3882042d0d4f7fb4a86c91

SHA1
2673bf0e325091b29f830805407b1001eeddd116

SHA256
ff33fc380074e39ffaf174c7b88b2332ef26d7cbcbec0218e01c6576beb3ef55

SHA512
a22d48331d6b4f367ae721cf57a2b3831e0a67f0714128a48928549e3db3df473191743e7163db9b31d5430c768331927f48087e2fab56e41d18549c16325f68

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
357KB

MD5
2d93ea6472a41d8aff141bfa69387aac

SHA1
1a0396e98e7a160ea773a63880ee9b24dee9830b

SHA256
fd6c6c59607fa3e977b22b97e1e5acc347491040fc155f5bc37e5b35771fd6ee

SHA512
43361dd0e4e1e7bd6481856c7d4906ad3c38b27b60c9224498ad14bbd3a9799919581d755d88b4108cc70dbea453061dc6afe44c7a67ea2624bb0cb6c887c664

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
357KB

MD5
990b73a1b4e087d82fefe4a522c9bf49

SHA1
8122637744c665daa7d9093ecee0690f9a439cec

SHA256
9fa4faf0c3de3a064493696b9eb9f13ff09603237711e9706e50e4e6ae06b0f2

SHA512
f29fc42a6e1148165d90bd5b48c520c4aa945b82073cf92275128a00b6c208dd069edb2ea812a6e04e78f850e05e25e06fb60a129dfb0f6ed7c2d2be5329a3d1

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
357KB

MD5
21eb9b318a628f3b2c1ffcbba3cc0278

SHA1
e873a0010216fd3f3f8e6565b17e9d7c44fc40cb

SHA256
95189e892304e121b078458112732b0377996647cafdcd45b10593c5783551dc

SHA512
3e1f973acb3e5168a370e7d1986ed520a614b7f5fa7476287c466eb5c9622b45bbc8c49891bfb8caa884776f8de82c3fcc6e95b700157a9ae7778028d41522de

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
357KB

MD5
ff2e219eb2b462cdf1a2775434e7b939

SHA1
a6245f3c58c72fc8bbf739a719eacd2dc01fbf4f

SHA256
bf2ddb31c30544707e656cb06a5102ae43afd9aa5b6954f6e4b09cf746995733

SHA512
ff2d8569b2ed83169c5465f23a5355620ba69229a296d789fd81c65efa03edba5cc3283204320a4f285f40317b18402edf891c41e47b70ee012c8d45ff747914

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
357KB

MD5
ed0df1557888083ffe6f495b7216a731

SHA1
6f7f296d0264030785fcc3ab82de2e0cfdfafa7c

SHA256
cd0a7b88f1986fcd4b5e24d1f27d14aea4e8f450b621e89087db06d836a10b28

SHA512
b65572c5d922f9077c878953cf0f94199806359721027a0ae429742edbe78e7cd5787adc4d43263f75c1ccf887c95cbfea4673e987e045932e29faf8ce0ff183

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
357KB

MD5
443fc6b0006afbd13bb7ea7bfc42d1f6

SHA1
4b5a549a6489d9f599cd4935029ed8568e2e7b60

SHA256
d5b96a5b2a7be1bec0b15e5c05b0e40e1e8c7bd529ea0846290b7dd47f8c55de

SHA512
e5ed7b7fb6a5d894d769b8a0b2097a5280c5687c0535eb8b9d0f1036b27900e9ab3d85ccce89489ba20c445cb81e283167771b0eab8c0456de27cfe6d98bcc43

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
357KB

MD5
b6a288d472db5d28b3244827f234026c

SHA1
bd86dd6d0d0d8ed98b38bfbbe2b036675d1279da

SHA256
f7bacb41cf67f6bca36e71d803aea3749bfec9414822e7ff9d5096d2d9a2d83f

SHA512
9f9c54f2517946544ce6a4dcc630255c389d6af68538e589d7d5a25b38cfda2e1d46601277de3c2a4850500c56eb856df0c0cec6b6dd0a470e1d4a872487a479

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
357KB

MD5
9c7fb3fda87558f14726b541ad0c52ff

SHA1
c939a6a10301a7209479d1c23e1bb6a6226ba1ab

SHA256
7f8077f5ff88897e8104f99dffbaa414b0b3a2e42ef848b55b1cb9f910365921

SHA512
567e7dc056ea8693743c2579543a46c16857d4d84af7c610492f63835f3ec306b80359f0b566357928b54c611a4e50ae643ff57435c41181ba5e28e28b42f402

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
357KB

MD5
c00253de9b7acf73f47483ec49e81a89

SHA1
806a553874448197c49a0e7d72087343635c00a8

SHA256
a5c37d3f6576deced5d29d5410b7a296eae0784b849236f5a5eb4fe5d43abd92

SHA512
30a836e8a9824bfdb3f81a644992c53ea57a3f64806caa422f197c962997f855b0e9da9bbadd9aa85fff4a1317193832dacd7ca17530c85494b87e9083052654

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
357KB

MD5
5e03d7f42f5c6255eef00088e73e74b1

SHA1
0bb7b5c50f29b42d3f9b52c588db4c317154509c

SHA256
d93a58d12e473d88791af8c8ae2a476b08ba17011e7600ac8a98aae17d3dce75

SHA512
da5eeafeb9aae1c6b9929c823b06bf1dc6474903046a92e4f442ffeaf09aa090653a98b0afe48b424b2cc0f3e2abcedbddac8854c215c49ea6e73e9e659ef8d8

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
357KB

MD5
e95edeeffdb1fb0f6e6f249778df5c1c

SHA1
f23714d50ca169db9a196bcdac0ce1f41f8f23c7

SHA256
07ca1f942e7fc2c646f52dd965f0150bf178814c8471f6d2ec1f64f27e4f02bb

SHA512
f764f435750d364300064f8217bcba58f7abc67b5280b00bd0310607e393c7e754df488d9deb9ead84edb64444c16935a5ec16254e889e1f7c54aa371f603cb5

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
357KB

MD5
1b6055b2d8f9cae1e95885cba457ce26

SHA1
672d838fe66066ca0528e360aff73e1c63d60dcf

SHA256
d88dd039a46829655d1610f295b5525b4d10b0b2a2c6c167c9754921690b81df

SHA512
40d4ee197e2220bbb2ce27fe43ddc296c805862628f7f41e65eeaa2ea5371664d6d3f28c1a5523270f562c20b1ca3a079a81ec5e4f99ee5e2e4d0774f77039c0

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
357KB

MD5
0acd793740b8ab5de614d8ead4f1bfff

SHA1
d88cbf02bfab9fc67beba3c57b8b0171d01d2f0f

SHA256
1b5cc6c851b8226aaf15d647d94f23512f91af519b0924a38771d50a6b4ce293

SHA512
0fdda9ff4c7f1fbdb66c856bd7822d0bfc456d70b5e75ccccc51c7180728781a69aab91c84be9932645b3ede9c82e612f5bfa20efbd169f42f9b1ab89e80c3b3

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
357KB

MD5
051fd7db95ceabca3ce70ae97e41a458

SHA1
c88d94a0de250fa2fae89c7eddf662104f620d16

SHA256
98ffa4e0a0959485273b34fa9fa123509ecc9f5410aab7aa780700a3717388d7

SHA512
445c9270e4d68259a7d3696ba6f661556c00d2018ebef096ed1d4b478ff2fc1c1a22b8947280e493a370fca6c75dae6a20152c09177683f8f1a5a2276461ddd4

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
357KB

MD5
fb0812c3717f0e66cdc5b0eb187b4086

SHA1
f22e9bc0125cc810907f1402cfae775e9ade578e

SHA256
64a1134dc167e18fb0027973572c0306c47d08829737038580d1f31608346952

SHA512
28d6058e3ceb175acf694fc38f2aea97bf4fca8c7fa7dbee9e447eac79ebfab68174a42e98a1b1b2ac7b24c9f4a6cadc39c024a103e11125fd8e48808e0582cb

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
357KB

MD5
9abc424191b53a3afb164cc2dacc0f9e

SHA1
d326d049b5e3967731974ebeaf09a74591be0062

SHA256
f0630b10771084c05dfd4ed1ce3d45867a67fda3b7a2e6227b5a04b35ece6a19

SHA512
f19872b4cce3cf51e361f37019ee3aa87ab87d6430e7d18aa90ef985a9202b9fa56be5b23bc8b09ce40cbd177418b46e22d5f09614d3aedbf3f15d7b4956a9d1

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
357KB

MD5
4467cbdd946a07f6bc9642dc9535fb6c

SHA1
ee82ebb0806475c199d23cb33ed3fc17f45e6e3c

SHA256
f136554a94c7176660ac3543112f07b024577d530f2d9946685220283fc7914b

SHA512
62ebc167f165f1a6e43dc8802da12a77701103008e3520582e98592b6931a3283b5bac770d2fbab09ef7a6628300c0b0423d6b4528a24a2b8fc2280bea2397f1

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
357KB

MD5
f246ae5cc54bf655537645c59338419c

SHA1
a24f25c8fbc08845acfb3887dca35a48a76f1ae3

SHA256
b18964b7f6ef1575ccf6db0c45702f408ff60ac3d057145a178ec42f9a325db6

SHA512
f799a49c7aa045d68e746d4f56637022a101a4cfd426b56835d3c47ffbbecde76844a7a2edaa0772be55ecf757aefa7e39df9dfc3c36ee94369397c2cb82fde6

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
357KB

MD5
0231d11abacffe0deda89eb240645170

SHA1
17e6c6e2365cac6a2563c8b76effff025326e648

SHA256
48794336ae08b8fd12bfc5b61fcfbde149b845a42a625267227a35c2e81e2660

SHA512
7679157fb9bbbe81146f8c68adfb8981735a95097392ebad59af28051f059f2e02403b20e87bf996817a36bce6cb2d232e09ed89800a910b54d8666c4e8a7927

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
357KB

MD5
a1c2f49067f5612e4721ae7f925a2f69

SHA1
7f72d4dd3c19b5ba1be3b5b0a53eb84b33694e12

SHA256
3009eccc52d4e13dc2e6298db9f1990dda26922bf5c6d4d21ca7b7a88e5778a9

SHA512
edcb661249303844b300f66494c9a23ed2734609424a43073666439248acbb5133bc4150412d1e4910e601085dc5a1bf4f34f5aabe8340a9a83c51b3e4051637

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
357KB

MD5
2d00f448ae67bffb3fe0a223edd8d011

SHA1
8fda3385c62f2922f0e8a009336c10c44a448180

SHA256
bd1b6ae39b9701e2b8c479d139bb633bf3baad634a69894dc2a26a4ba3212639

SHA512
3b5d839ecae3dce18d73d6359f6d7d1396fd3710c6d57c7e1511d2975583404209b68a05507eeed64cb183631af5e2823b0a9620c33de3574234701d94b17e4e

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
357KB

MD5
fdf5db4140c989037c1865c5ed1774a4

SHA1
bbcf7553cebdbff3e85d9a3f06f04402c029b0ad

SHA256
ca7afb49b211edea8092ad79e5ae13fe53e30add4a971930215ae5cc5392249f

SHA512
1a31e9df0675dbfd3f34bcc2a9ff753c4ff723764d1adfa3cbf92ca98d0b71db546eba1dc19a1bf3cb85e78158a3e3e094cf62225c26f253c372e9e7c870f013

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
357KB

MD5
7e31c44629ea17e0c635675be6a1fbf4

SHA1
d23fcb5693e608276a715f9cb5d3107694008a26

SHA256
e1f85f349f526dbf4e7492cb7668e0bd7400da9ad4fedce32d5b5b8ae3064b86

SHA512
5d8d8665cd6935fe73cb90db3c965c08c694702bcec5461b80eab4d6a7d92ead3b14493038d3968f852ed6766e9251e7ec04330c6e3a5fb0e9974e3461381aaa

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
357KB

MD5
5dc9d6f0362d5c76806b5ff881dbd695

SHA1
250480bc56196b40f3ee6ea7aa9ca3ea66376512

SHA256
673356aefe2fe29428690c1626f315c48e2d6c0b41bd20330f6efa6eefdfa60f

SHA512
f15454ddfd37f8df3d62da00186520deaed802430616996c4d4af4e6e76f1e85e071f901811cd1ea4a2c82f04f0d5204ad77b1f84798156159a662f274bea2f5

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
357KB

MD5
2295dd6e0402acce78e5e22a47376e54

SHA1
e1aabbbe8c1e403865f9a5c675c12794ca0fdc39

SHA256
f451358ecd8eeec7dd4b778efddb9eeabcb0d48780d0ece8419055cb799f296a

SHA512
8dad4dedc9ab45f3f16908124a74b8c9d5c837d87709818608c3e74edf5db61997bc3524f768d632591de23a9cfb746ed13023e401be142c013e15b168e899a3

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
357KB

MD5
122affbe60c204b596f16cc14ac84d13

SHA1
6e19833868a3d857206b126820e53eb6516103e9

SHA256
319f6abb6f3f8e91b38eedde311065524cd50708173242b2ffc205823b94df02

SHA512
29e0abef1ab61215d39daf3fcea2071bd00b3d06b16f0fae52e00911923299c539fa9e686c7eeecd4a36dc850fb71d4e446f2abf8db338a975866f3ccf022093

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
357KB

MD5
4b56d343f35fba4157a1b42b20761045

SHA1
7eca6a0b8785ac4432751162e03a5986138f06a7

SHA256
6c79c470685124c9f91a0783e98b38fe780e65d11002edb0a83c3aa0c89b6c58

SHA512
ad9d3b7c8c6904402765e65bef4f994e971ecb32278f7170eb119b04030166c162032da8b214904a682ea263e8995b54e93415eaa810790e5c0ab84cf219f577

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
357KB

MD5
72970ff59f594b61bf3a26b6739f0a03

SHA1
665968360dadd909ebd82da4098962e72034c12a

SHA256
597c13bdd82ba53c420c02f1c39b40ae9e5bdda453bf08f700dc30771dad5fcd

SHA512
581d14a8bb336f52bdb8ebd8ff8b33853d43777dcf439de538694935d8af13ece0140dc31335a4cf3d90f8ab6dcc2a620f08a6ceb900a20f71a450fb237d212b

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
357KB

MD5
1f60c94368f35f3c17c35c3b2cd17773

SHA1
ae98101190f53b785598f2c24259080e3370a863

SHA256
fadd51cb7f4ff28b0ee00473c05231fdf2705bfe826b4062c6e00747cfdef8ba

SHA512
dec1cc8a48834a56d633f9a95ee11d59d26308547595583c46689b2267f82a200f3dd1249e45f2d475a1aa7f3c0f21daa6ad66cf6735d58062615219202dfb19

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
357KB

MD5
f26c44dd5236f7ead4538c443424cfb6

SHA1
6793af41479fd748057ef7036ad8a84d7c56b598

SHA256
529fa7bfe6326979f7734ddf0737e7cc991a97b5a80850d22e3eadaa169e3e09

SHA512
cc5c5fb6a3bdc2db8938ea2cea548330b88d6eccd49798e253f3616e89c9fe6975cbf2020864bba81063cd7c8c65f50989fa655de23d7c724f318aa0e46c81b9

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
357KB

MD5
6811def2e788f0685cb513ccfed34d14

SHA1
d15daab0031b54d3296f39f1b3a97578b8bfc121

SHA256
ddd315d08cc0b0e14a6ef82157520110cb373e94d5a62c8eb7dd5184e8a7d34b

SHA512
da260ab40c76078ab05b8fbd83ea4fcf1dcfca623cb14c9ee64c520b5e3fe346259e28711024c92ff596299719ac392998d4b3f01d6fd204cdb32460a0b88c51

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
357KB

MD5
9485a35b66e82840f865b67fe4678c5b

SHA1
bc4b2e747b86b69d1e465eb6531810304e1dbc81

SHA256
c2fb4b681cb04c44ddefd07e5bb71a478817800e9e84ef2271dda425988f1ccd

SHA512
4170d0462b10e6b7872da631ac53c92b0fe167890e2a44d12f255fd71b52a4e6e9ed5c9f44a3497fec86de495bf9c4181217cc50b6079549b5d1c5e769c1e00b

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
357KB

MD5
dfc115b00af13d290689238c686b73d9

SHA1
12e633068a89d08fb1aa182f11a458f286313737

SHA256
2f62672e47d0f0ddbf3e1facecbb00703c5ba3c25cfd411b5ccec91cab45e270

SHA512
5019459e55effd03531b31d7cd095a943c1fdd5c72388e67ba5bb56cdf011635775aeb71347fa6deecbda88a1a608f6aef63fec59896c2383728fcaedb192e95

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
357KB

MD5
69fa1aac01cd41224518811902754750

SHA1
8a7b3a5d85dc09004330d4f47701505be2f7949d

SHA256
ed346bcdae38743204b32dbaa775e13f345998e80803c5600776d4a4438232b5

SHA512
b574e5a3a9aa5365bdfc57eab17e18cd468fe94fb682b8b299bf4df44c816b9be577fafeabe14eacde455c3362a22868b5baf5211adeff4252188019edf98d17

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
357KB

MD5
ce4af0f73d613dd316c44c050dcee39a

SHA1
96ef4b7561b540abdd5f6f49c0d07a890f13141e

SHA256
7a45f04cfa511d246a127b6a3c39965cb26ef695a39d2bf3ac977bc3c4836790

SHA512
500d6be25015b8156ecf34c9b1bb4e4d8f44f0eec514d069f4e46ef51d82540b0225b539056b9b68cb962e5f1238297d0eccd6f5663b1d913d4cb1c6060f1e41

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
357KB

MD5
97c645d2bb7717f0b072297cba13bf77

SHA1
108269801ca10d0e6386047dc98a71a04dd6ad58

SHA256
531dc908a3173f48faa4f5216dd989c069e2d62d74a47135acba071b1b8a90f4

SHA512
67cecc7d9583dc60005c6fe2ea62e025e51eec42240cd458f340ca989ce34556fc07c4e9d8d345e51870dd8a4d190ac5353f3cecfcf7d25c9088fb8ec59430d3

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
357KB

MD5
f3ff7b3765176a69e0725b4106c09531

SHA1
3748d85317d29de9c7b91b33a86b52bd9fc41fd3

SHA256
b22da9ea24ee05501f4fd41713b5b5c5852370656e56d8d86ec9bc1277fdad3b

SHA512
e38330abc45b8d8a7cd947fc32fc2af02c2bbdc8a1d1180a428df11905b7a799d4041fa380a7b3580a42e4902b88e11f62b732d8b7717264b551035ea29d1d22

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
357KB

MD5
fe397322279cf1e0de58f69c3d5f567c

SHA1
4efb12e0f694fd959a4189b3ae35da2ee4ac3995

SHA256
3c11584a77fc3ad555685a53f1195f4a76d7bac05309e81731a2e958a89d178f

SHA512
fa38d8ca75f886097993e9117966fc90e1d62fde57e869bba9eeadf4451512efce44e929c674c555a3e352b977a334cd368dcf14957a820fd6341c02ceaa02cb

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
357KB

MD5
20dfcbe1b4427e64393b5f605802b3df

SHA1
27e89090de13e047dd2b632501f328787e227e23

SHA256
66da46b25b9d13e4f8e2c7fdcdcd568aed11d92d9eaa75b19e62644f5795e5b1

SHA512
51d9cdfab4ac451e5b106116218c8bd6b2845913979ff3014199e1cf4c2abc0a26c8b8df6016d67d0a64ef97c55884924149d256c012c4953e96980460d2dd37

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
357KB

MD5
7f625d3e583249796f74733765c6959a

SHA1
0e9d46d9ec61c332184df7473f782e86578fe0d9

SHA256
eed7eec46e4791b18ba576a69440ed7a41f18c5bbc05b410646df1db405b2efa

SHA512
ee136453a5ebe9c4dd1de8fcf075bb08f1e7949fed9799dfc282d944c34eb5dfbcbafd23a831fc13fb172572e37c2cddd2dfe58e66e775a9c173408ccecf0b2e

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
357KB

MD5
b3a57e4fb1967343e6554f4cb31967ca

SHA1
c260cd59b45e875e5f87b4c5a84fc219fe5257f5

SHA256
719ce9d7575ad3dea0038ca8c2dfeafc36b79320e108517dd3134b327c6124fa

SHA512
d844ee90d5e7bef576f95073160cd592dcc31bac004f58dbb547ad3fdabfd6b9af553a7b30f06ff10312113b19da1fb95c1275187efdc10d715febe5f8ec4df5

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
357KB

MD5
8e1ddb18b53d01b31f12c327cbdd4bfc

SHA1
9d1abc7879597a2ee34343a812a8b829485ab39a

SHA256
4e12e5d30f661025361ba41cac9ac2d16c3c31e1b3a67a30b80aa093812cd20c

SHA512
f4428715ce1449904809bc45c104354bb4a05b51bf82870ce228e3b551ace0f34df9ec90420de8e632e2a2983c609003dfd94c72b728891fd8272c757580c462

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
357KB

MD5
a046444517157b2638766cbdf4341f07

SHA1
fbadb749359b912ccd0258d9eb6ff4db73e207d8

SHA256
7a983b7302cc6053227ba7d0dd8075bcd6036eba0af2d10a284b289d99d410fe

SHA512
bc244ee479eee41dcc53c7f631e32d57bcdad80a26bfb172514b8d0610e9f4d4a3098deae31b0dc6a72f0bc7678413bea435ad121f136109bc2e0d5ebd48e1f7

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
357KB

MD5
c068d9d92ed750d16c4df712d4a15092

SHA1
216c567f3a01cdcb2bfbdebb8bf23c6805b5d719

SHA256
1fd954dfa681350c061e6ce6074d4369ad6cc7c12bf63e0524f5e339cc46b616

SHA512
ef5cf94737622e389f29627b4f9c88c8aa93f0c15d48e0f39e9b6b8cb59b1263060dd836c7d38658f0d2cd7937e1afec67496475a04e4385fbd61709d506f1bb

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
357KB

MD5
06fc87444b8b78ab162beb46c9204d0c

SHA1
923c6a5360e999c2676181a50f8dfef616e8ba0c

SHA256
7699d52b76ec91c887054584481d44e9d3f334fc9961678279a236dd13784d97

SHA512
78550996b7ff9a340d13533e6a6821e54402e077beb3ec7e7151c64e3047793ddb02174de47599228a63800b0c336f360f9cbffbdef52cc37e29d9c924d177f1

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
357KB

MD5
20c95d0fc6635d8830f21bad996c2892

SHA1
ae9851dabea6a769524e72fb8c8ecceaa0466ac2

SHA256
ee71c1a726cb6a97685c69a4cbfa078caeca1d7b4a8231ab98ad4e662624bc2d

SHA512
2b043dcc893ebcd34c719d30827c927751d4891ac859f0e9562383d3c0a8b5e136fdb00bdfd6b13f12cfe3f4276720a2cb63666e572c7afedf7ea3e8fae661c7

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
357KB

MD5
e196d413eaf9d20b2b2d45de4353f6ec

SHA1
bb0667a2c75749a2c9dd332cff264adb2869e4c3

SHA256
69750963676a4577f5c2b100026f7e7a4e150f532a3d08e4a1ecc4695b75c73b

SHA512
0972749c27352cedcb9297f5a8bb12754bef20e4503cbca69bfc31665952b039a5f1b8a29096fe7b77696435d356f6584a8bfdabd6e38f3c62327d27775871c7

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
357KB

MD5
8c32b1485ed523ffb7443673a8c843c0

SHA1
36c22485473fddc04c3fb8a4506f0635c6f9fd01

SHA256
4cc72dffb9004b115bb75a6e24435c91eb13cd266df48d05781962a961e9f681

SHA512
8cc88fb6d47ce5e12cb84e75f25eed3f979a4c6dd7bc3d5596e0299aa910832eebd5ebd0700922150d03badb1a2fc426ebeed5ae094907b2f08e165b42d725d3

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
357KB

MD5
97d5330dacbd0a0f64c601072aef1c2c

SHA1
8815c4b934dc9fce7865b6cd0c2a1d850c3e3a68

SHA256
e2d1b07a9bccdce0114c760b152587ded31a49eb73ea2864efae8c67598b6590

SHA512
790d53d90b5298dca90df6f44887b2e0fa95e5f29a7cbff0c8d974bf27936b992ebaa91efef49d45d7e3438493e28a88c2a6c5e37ae8d85880f143b01dc5c279

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
357KB

MD5
e9388e3190d755e3938a96dd7e01406c

SHA1
6ba3ea82901f3dbb76f080cfab2417e23d140824

SHA256
a3308b1a8be1485fe3f47beb3bdf44f0c57816b34f0442cc46de2c4d3667bbd1

SHA512
c28967d99fa76ff44f2f3d2ebb9fa752b2184a9840447519d5b85f8598d33be965ab28fb1fb2dab0e60a1a2bfecf8c83828bda6e5f150cc7e309b76246916734

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
357KB

MD5
4c92ba84f5110c25d5f9495b246cbe7a

SHA1
6b618fba56f03970c2d4d64d5c549af2cdc96f2b

SHA256
a39adb2d9b307891ee8ce1b3a385508a943ad215ac92a73bd12cfaa78b017747

SHA512
ffb898a6e2a5c2e54f80116bc0ad1a9eb51f4e06392cfc6b900104eba7f1c989a6baff19df69616cc46aade0a09eb9748c5ce4db06d436847f203c786f814ee5

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
357KB

MD5
1ed7a4d1204be2eb89a63172b856f3b2

SHA1
72a585eb973c1bb034c04d66aecc24efd421ed87

SHA256
4aa532b046a76460317b5dbdc2156f6e872a407ac267e6f986bab68660c8a0da

SHA512
afd8b749f8d2d7f29664c3ecb9325cbb835117d2838e521745c48f1d3297e6b83dc3fecfaff5bffebc8ec0f1cf07d160af53dcdfa525f5e70a5d617f1dd48ffd

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
357KB

MD5
6806233bd5319219afcf1ef472d5a2af

SHA1
c82eb9ef66423b9c041d196dad0f3f959053db37

SHA256
6dabb87812b31b35295bc76a01c5f325f5776b738f81c23adec5238510996d30

SHA512
a142efb5555f5fc2dbd5f6c9cfd4db412c6a62275fe66f8572fcffeb3d32f61a6fab3803ad2aa979fd83d48947122b124775d1fe04098c93c37975267b950e71

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
357KB

MD5
ac36642487a4e675ca139cef590471ac

SHA1
3c0b7777d193f999e774c04b5e62719773ef8a69

SHA256
d34b7d584598bc2c2bc75c471508293137e8600232d582047b8d6b425e18c36b

SHA512
9685b0b28e8dac872807b210e3611094918e5573f1aab8463c7ee10e53e687d565054776d9e42bf16dcdb1c6932b36cbf5b9b56f53858ebd8e5f4629efa9e826

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
357KB

MD5
73bd906b4af55c92217727d0dbf11770

SHA1
302938823680003bfcffd0eb12ef0e74c53a5cc4

SHA256
83bf0cac042a7d3f855b33a7ed4e9b199e127c2ad35ab39220661bd52fc0909b

SHA512
02bdad71e79788c2ad1a9ee4108d28e8dae61ee4bc9403e5f11b2b7a771f8b534c27cd97030de378dbae8a8299a3ffd0260a14f727dc4752d6aec50ed0c89ba7

Download Submit
C:\Windows\SysWOW64\Ogaodjbe.dll

Filesize
7KB

MD5
44e5a4e9b999175ef09f3e31ab28ce82

SHA1
0ea067a23dbf57cbafc3a875309948c04c41185e

SHA256
a4a4778244a76b0c6a10215be35d972c47a428c2be52f709d1e28ecbcae93519

SHA512
1b26cbc3bc3467727c17a44aac2f9694b999332d1faf02d7f5f66077d1fd75df2b9fb5c0676de4cbc0053812ffec82a3d175c28ad330a610c082a207ec94bc96

Download Submit
memory/216-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/404-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/548-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/632-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/680-578-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/680-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/708-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/748-141-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/792-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/948-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1152-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1208-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1212-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1252-344-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1256-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1288-599-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1288-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1336-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1416-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1512-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1528-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1604-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1652-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1808-302-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-571-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1840-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1900-521-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1936-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1940-470-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2124-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2196-440-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2244-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2248-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2368-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2508-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2920-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3136-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3172-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3184-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3256-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3320-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3356-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3532-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3540-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-585-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3664-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3720-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3872-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3920-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3920-592-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3996-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4000-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4036-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4040-543-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4088-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4156-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4184-530-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4344-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4392-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4416-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-536-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4528-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4596-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4616-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4628-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4652-380-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4656-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4700-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4816-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4840-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4856-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4920-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4988-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5116-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5128-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5172-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5216-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads