f6aa8f54f1bb4221e1ea23d78e70eba55ee0744382d0948f4163881a9e66b890

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

225cfc18cf65c7c1e8bb1ce60a8d0250_NeikiAnalytics.exe
Size

1.6MB
MD5

225cfc18cf65c7c1e8bb1ce60a8d0250
SHA1

d1105bfe995ccaafbde07ea0eeb925c8e11a1d13
SHA256

f6aa8f54f1bb4221e1ea23d78e70eba55ee0744382d0948f4163881a9e66b890
SHA512

d6fe960c4c06ea664ca85e34afc75c444947fc7adcf8c2ac04d46c5a28510de42119593a0259265d4157f061ff9eb04b22b8622471ee166eefc132e1e397b5e3
SSDEEP

24576:Pngu5YyCtCCm0BmmvFimm0wh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2Ev3:vgu5RCtCmi7bazR0vKLXZ+Ktz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojdnid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlbcnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iojbpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmkdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjaabq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjnqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kflide32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkegpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enpmld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiipmhmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbped32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lclpdncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hblkjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpqldc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipeeobbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lobjni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eiokinbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omnjojpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiokinbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ennqfenp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Camddhoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflohaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpdcag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfeaopqo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hipmfjee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnindhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjjiej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokmdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fflohaij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlbcnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpqldc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpchib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpchib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geaepk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhboolf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jebfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbloglj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmdemd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkeekk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncabfkqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnicid32.exe

Executes dropped EXE 64 IoCs

pid	Process
1816	Kjjiej32.exe
5016	Lklbdm32.exe
1628	Lnjnqh32.exe
1556	Lclpdncg.exe
2580	Ljfhqh32.exe
4460	Lmdemd32.exe
5008	Lcnmin32.exe
4856	Lkeekk32.exe
3048	Lqbncb32.exe
3928	Ncabfkqo.exe
1652	Nhokljge.exe
2348	Nnicid32.exe
5092	Ojdnid32.exe
4792	Oeokal32.exe
232	Poimpapp.exe
4796	Pahilmoc.exe
2744	Pkegpb32.exe
4116	Qoelkp32.exe
3272	Qklmpalf.exe
432	Aafemk32.exe
2408	Ahpmjejp.exe
2312	Akccap32.exe
1052	Badanigc.exe
3904	Bohbhmfm.exe
2384	Bafndi32.exe
4728	Bedgjgkg.exe
4140	Blnoga32.exe
3324	Bnoknihb.exe
212	Camddhoi.exe
2068	Cnindhpg.exe
836	Cdbfab32.exe
2608	Dfnbgc32.exe
548	Eiokinbk.exe
5068	Enkdaepb.exe
456	Eiahnnph.exe
1580	Eehicoel.exe
1344	Emoadlfo.exe
4900	Enpmld32.exe
4548	Efgemb32.exe
1880	Ekdnei32.exe
3188	Efjbcakl.exe
4284	Fpbflg32.exe
4564	Fflohaij.exe
4964	Fijkdmhn.exe
468	Fpdcag32.exe
4032	Fmhdkknd.exe
3008	Fbelcblk.exe
1044	Fiodpl32.exe
1784	Fnlmhc32.exe
5116	Flpmagqi.exe
2764	Gfeaopqo.exe
2256	Gpnfge32.exe
1140	Gifkpknp.exe
3940	Gncchb32.exe
4164	Glgcbf32.exe
4380	Gikdkj32.exe
3740	Gpelhd32.exe
1332	Geaepk32.exe
2936	Gojiiafp.exe
3640	Hipmfjee.exe
2532	Hbhboolf.exe
5132	Hlpfhe32.exe
5180	Hbjoeojc.exe
5228	Hlbcnd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pcmdgodo.dll	Cpdgqmnb.exe
File created	C:\Windows\SysWOW64\Dahmfpap.exe	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Ahbohd32.dll	Gfeaopqo.exe
File created	C:\Windows\SysWOW64\Ndmdae32.dll	Hlpfhe32.exe
File created	C:\Windows\SysWOW64\Egdagc32.dll	Jcoaglhk.exe
File opened for modification	C:\Windows\SysWOW64\Lcimdh32.exe	Lgbloglj.exe
File opened for modification	C:\Windows\SysWOW64\Pnmopk32.exe	Pdhkcb32.exe
File opened for modification	C:\Windows\SysWOW64\Kjjiej32.exe	225cfc18cf65c7c1e8bb1ce60a8d0250_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Dmcnoekk.dll	Ickglm32.exe
File created	C:\Windows\SysWOW64\Ojnkocdc.dll	Mqdcnl32.exe
File opened for modification	C:\Windows\SysWOW64\Nnojho32.exe	Mgeakekd.exe
File created	C:\Windows\SysWOW64\Qjiipk32.exe	Qaqegecm.exe
File opened for modification	C:\Windows\SysWOW64\Lmdemd32.exe	Ljfhqh32.exe
File created	C:\Windows\SysWOW64\Lblldc32.dll	Iojbpo32.exe
File created	C:\Windows\SysWOW64\Kqqpck32.dll	Flpmagqi.exe
File created	C:\Windows\SysWOW64\Hblkjo32.exe	Hlbcnd32.exe
File created	C:\Windows\SysWOW64\Dempqa32.dll	Nagiji32.exe
File created	C:\Windows\SysWOW64\Pagbaglh.exe	Pjmjdm32.exe
File created	C:\Windows\SysWOW64\Kioghlbd.dll	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Cnaaib32.exe	Cggimh32.exe
File opened for modification	C:\Windows\SysWOW64\Ljfhqh32.exe	Lclpdncg.exe
File created	C:\Windows\SysWOW64\Iomoenej.exe	Iedjmioj.exe
File opened for modification	C:\Windows\SysWOW64\Kflide32.exe	Klcekpdo.exe
File created	C:\Windows\SysWOW64\Mjaabq32.exe	Mokmdh32.exe
File created	C:\Windows\SysWOW64\Kpibgp32.dll	Ofhknodl.exe
File created	C:\Windows\SysWOW64\Hlbcnd32.exe	Hbjoeojc.exe
File created	C:\Windows\SysWOW64\Cpfcfmlp.exe	Ckjknfnh.exe
File opened for modification	C:\Windows\SysWOW64\Pahilmoc.exe	Poimpapp.exe
File created	C:\Windows\SysWOW64\Ibaeen32.exe	Hpchib32.exe
File created	C:\Windows\SysWOW64\Oakbehfe.exe	Ojajin32.exe
File opened for modification	C:\Windows\SysWOW64\Opclldhj.exe	Onapdl32.exe
File created	C:\Windows\SysWOW64\Coqncejg.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Aafemk32.exe	Qklmpalf.exe
File created	C:\Windows\SysWOW64\Gaakdpkj.dll	Nnicid32.exe
File opened for modification	C:\Windows\SysWOW64\Glgcbf32.exe	Gncchb32.exe
File created	C:\Windows\SysWOW64\Phfcipoo.exe	Ppolhcnm.exe
File opened for modification	C:\Windows\SysWOW64\Oclkgccf.exe	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Hehkga32.dll	Lqbncb32.exe
File opened for modification	C:\Windows\SysWOW64\Nnicid32.exe	Nhokljge.exe
File created	C:\Windows\SysWOW64\Nagiji32.exe	Ncchae32.exe
File created	C:\Windows\SysWOW64\Ocgeag32.dll	Oanokhdb.exe
File opened for modification	C:\Windows\SysWOW64\Coqncejg.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Bgelgi32.exe	Bknlbhhe.exe
File opened for modification	C:\Windows\SysWOW64\Hiipmhmk.exe	Hfjdqmng.exe
File opened for modification	C:\Windows\SysWOW64\Lqmmmmph.exe	Ljceqb32.exe
File created	C:\Windows\SysWOW64\Jihiic32.dll	Nqmfdj32.exe
File opened for modification	C:\Windows\SysWOW64\Onapdl32.exe	Oclkgccf.exe
File opened for modification	C:\Windows\SysWOW64\Amnlme32.exe	Ahaceo32.exe
File opened for modification	C:\Windows\SysWOW64\Dddllkbf.exe	Cklhcfle.exe
File opened for modification	C:\Windows\SysWOW64\Enkdaepb.exe	Eiokinbk.exe
File created	C:\Windows\SysWOW64\Glgcbf32.exe	Gncchb32.exe
File opened for modification	C:\Windows\SysWOW64\Mfnoqc32.exe	Mmfkhmdi.exe
File opened for modification	C:\Windows\SysWOW64\Bdagpnbk.exe	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Hbobifpp.dll	Chfegk32.exe
File created	C:\Windows\SysWOW64\Nnicid32.exe	Nhokljge.exe
File created	C:\Windows\SysWOW64\Ddipic32.dll	Hbhboolf.exe
File created	C:\Windows\SysWOW64\Pccahbmn.exe	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Jomnmjjb.dll	Akccap32.exe
File created	C:\Windows\SysWOW64\Jiejjepo.dll	Hlbcnd32.exe
File created	C:\Windows\SysWOW64\Gpkpbaea.dll	Mmkdcm32.exe
File created	C:\Windows\SysWOW64\Npefkf32.dll	Bnoknihb.exe
File created	C:\Windows\SysWOW64\Ppolhcnm.exe	Pnmopk32.exe
File created	C:\Windows\SysWOW64\Kldbpfio.dll	Emoadlfo.exe
File created	C:\Windows\SysWOW64\Dibkjmof.dll	Gikdkj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6288	7132	WerFault.exe	267

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbnimm32.dll"	225cfc18cf65c7c1e8bb1ce60a8d0250_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Badanigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbhboolf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcoaglhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihkq32.dll"	Mokmdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghoqak32.dll"	Ojdnid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npefkf32.dll"	Bnoknihb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdbfab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhdfi32.dll"	Ibcaknbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmfkhmdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	225cfc18cf65c7c1e8bb1ce60a8d0250_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pahilmoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Coqncejg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gojiiafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ignlbcmf.dll"	Jebfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcnmin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abdkep32.dll"	Eiahnnph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efgemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iikmbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgijcij.dll"	Kjjbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkpbaea.dll"	Mmkdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gifkpknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjefc32.dll"	Aafemk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fijkdmhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmpga32.dll"	Onapdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmcpd32.dll"	Poimpapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Geaepk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfmcjlk.dll"	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfeaopqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblldc32.dll"	Iojbpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opclldhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgmfg32.dll"	Lcnmin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmhdkknd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfeaopqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdebopdl.dll"	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pahilmoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbelcblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbjoeojc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iomoenej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efjbcakl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	225cfc18cf65c7c1e8bb1ce60a8d0250_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpdko32.dll"	Cnindhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenghpla.dll"	Ekdnei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fiodpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpelhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdmdnadc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncchae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldbpfio.dll"	Emoadlfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Glgcbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Joahqn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1816	536	225cfc18cf65c7c1e8bb1ce60a8d0250_NeikiAnalytics.exe	89
PID 536 wrote to memory of 1816	536	225cfc18cf65c7c1e8bb1ce60a8d0250_NeikiAnalytics.exe	89
PID 536 wrote to memory of 1816	536	225cfc18cf65c7c1e8bb1ce60a8d0250_NeikiAnalytics.exe	89
PID 1816 wrote to memory of 5016	1816	Kjjiej32.exe	90
PID 1816 wrote to memory of 5016	1816	Kjjiej32.exe	90
PID 1816 wrote to memory of 5016	1816	Kjjiej32.exe	90
PID 5016 wrote to memory of 1628	5016	Lklbdm32.exe	91
PID 5016 wrote to memory of 1628	5016	Lklbdm32.exe	91
PID 5016 wrote to memory of 1628	5016	Lklbdm32.exe	91
PID 1628 wrote to memory of 1556	1628	Lnjnqh32.exe	92
PID 1628 wrote to memory of 1556	1628	Lnjnqh32.exe	92
PID 1628 wrote to memory of 1556	1628	Lnjnqh32.exe	92
PID 1556 wrote to memory of 2580	1556	Lclpdncg.exe	93
PID 1556 wrote to memory of 2580	1556	Lclpdncg.exe	93
PID 1556 wrote to memory of 2580	1556	Lclpdncg.exe	93
PID 2580 wrote to memory of 4460	2580	Ljfhqh32.exe	94
PID 2580 wrote to memory of 4460	2580	Ljfhqh32.exe	94
PID 2580 wrote to memory of 4460	2580	Ljfhqh32.exe	94
PID 4460 wrote to memory of 5008	4460	Lmdemd32.exe	95
PID 4460 wrote to memory of 5008	4460	Lmdemd32.exe	95
PID 4460 wrote to memory of 5008	4460	Lmdemd32.exe	95
PID 5008 wrote to memory of 4856	5008	Lcnmin32.exe	96
PID 5008 wrote to memory of 4856	5008	Lcnmin32.exe	96
PID 5008 wrote to memory of 4856	5008	Lcnmin32.exe	96
PID 4856 wrote to memory of 3048	4856	Lkeekk32.exe	97
PID 4856 wrote to memory of 3048	4856	Lkeekk32.exe	97
PID 4856 wrote to memory of 3048	4856	Lkeekk32.exe	97
PID 3048 wrote to memory of 3928	3048	Lqbncb32.exe	100
PID 3048 wrote to memory of 3928	3048	Lqbncb32.exe	100
PID 3048 wrote to memory of 3928	3048	Lqbncb32.exe	100
PID 3928 wrote to memory of 1652	3928	Ncabfkqo.exe	102
PID 3928 wrote to memory of 1652	3928	Ncabfkqo.exe	102
PID 3928 wrote to memory of 1652	3928	Ncabfkqo.exe	102
PID 1652 wrote to memory of 2348	1652	Nhokljge.exe	103
PID 1652 wrote to memory of 2348	1652	Nhokljge.exe	103
PID 1652 wrote to memory of 2348	1652	Nhokljge.exe	103
PID 2348 wrote to memory of 5092	2348	Nnicid32.exe	104
PID 2348 wrote to memory of 5092	2348	Nnicid32.exe	104
PID 2348 wrote to memory of 5092	2348	Nnicid32.exe	104
PID 5092 wrote to memory of 4792	5092	Ojdnid32.exe	105
PID 5092 wrote to memory of 4792	5092	Ojdnid32.exe	105
PID 5092 wrote to memory of 4792	5092	Ojdnid32.exe	105
PID 4792 wrote to memory of 232	4792	Oeokal32.exe	106
PID 4792 wrote to memory of 232	4792	Oeokal32.exe	106
PID 4792 wrote to memory of 232	4792	Oeokal32.exe	106
PID 232 wrote to memory of 4796	232	Poimpapp.exe	107
PID 232 wrote to memory of 4796	232	Poimpapp.exe	107
PID 232 wrote to memory of 4796	232	Poimpapp.exe	107
PID 4796 wrote to memory of 2744	4796	Pahilmoc.exe	108
PID 4796 wrote to memory of 2744	4796	Pahilmoc.exe	108
PID 4796 wrote to memory of 2744	4796	Pahilmoc.exe	108
PID 2744 wrote to memory of 4116	2744	Pkegpb32.exe	109
PID 2744 wrote to memory of 4116	2744	Pkegpb32.exe	109
PID 2744 wrote to memory of 4116	2744	Pkegpb32.exe	109
PID 4116 wrote to memory of 3272	4116	Qoelkp32.exe	110
PID 4116 wrote to memory of 3272	4116	Qoelkp32.exe	110
PID 4116 wrote to memory of 3272	4116	Qoelkp32.exe	110
PID 3272 wrote to memory of 432	3272	Qklmpalf.exe	111
PID 3272 wrote to memory of 432	3272	Qklmpalf.exe	111
PID 3272 wrote to memory of 432	3272	Qklmpalf.exe	111
PID 432 wrote to memory of 2408	432	Aafemk32.exe	112
PID 432 wrote to memory of 2408	432	Aafemk32.exe	112
PID 432 wrote to memory of 2408	432	Aafemk32.exe	112
PID 2408 wrote to memory of 2312	2408	Ahpmjejp.exe	113

C:\Users\Admin\AppData\Local\Temp\225cfc18cf65c7c1e8bb1ce60a8d0250_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\225cfc18cf65c7c1e8bb1ce60a8d0250_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\SysWOW64\Kjjiej32.exe
  C:\Windows\system32\Kjjiej32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\Lklbdm32.exe
    C:\Windows\system32\Lklbdm32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\SysWOW64\Lnjnqh32.exe
      C:\Windows\system32\Lnjnqh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\SysWOW64\Lclpdncg.exe
        
        C:\Windows\system32\Lclpdncg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1556
      - C:\Windows\SysWOW64\Ljfhqh32.exe
        
        C:\Windows\system32\Ljfhqh32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Lmdemd32.exe
        
        C:\Windows\system32\Lmdemd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Lcnmin32.exe
        
        C:\Windows\system32\Lcnmin32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Lkeekk32.exe
        
        C:\Windows\system32\Lkeekk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Lqbncb32.exe
        
        C:\Windows\system32\Lqbncb32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Ncabfkqo.exe
        
        C:\Windows\system32\Ncabfkqo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Nhokljge.exe
        
        C:\Windows\system32\Nhokljge.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Nnicid32.exe
        
        C:\Windows\system32\Nnicid32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Ojdnid32.exe
        
        C:\Windows\system32\Ojdnid32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Oeokal32.exe
        
        C:\Windows\system32\Oeokal32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Poimpapp.exe
        
        C:\Windows\system32\Poimpapp.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Pahilmoc.exe
        
        C:\Windows\system32\Pahilmoc.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Qoelkp32.exe
        
        C:\Windows\system32\Qoelkp32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Qklmpalf.exe
        
        C:\Windows\system32\Qklmpalf.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Aafemk32.exe
        
        C:\Windows\system32\Aafemk32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Ahpmjejp.exe
        
        C:\Windows\system32\Ahpmjejp.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Akccap32.exe
        
        C:\Windows\system32\Akccap32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Badanigc.exe
        
        C:\Windows\system32\Badanigc.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Bohbhmfm.exe
        
        C:\Windows\system32\Bohbhmfm.exe
        25⤵
        Executes dropped EXE
        
        PID:3904
        
        C:\Windows\SysWOW64\Bafndi32.exe
        
        C:\Windows\system32\Bafndi32.exe
        26⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Bedgjgkg.exe
        
        C:\Windows\system32\Bedgjgkg.exe
        27⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        28⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Camddhoi.exe
        
        C:\Windows\system32\Camddhoi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Cdbfab32.exe
        
        C:\Windows\system32\Cdbfab32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        33⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        35⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1852
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        38⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        44⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        51⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5116
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        54⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Gpelhd32.exe
        
        C:\Windows\system32\Gpelhd32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        68⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        70⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        73⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Iikmbh32.exe
        
        C:\Windows\system32\Iikmbh32.exe
        74⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        76⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        78⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        79⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        81⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        83⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        85⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        86⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        87⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        88⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        89⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        91⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        94⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        96⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2188
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        99⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        101⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        103⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        104⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        107⤵
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        108⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        110⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        112⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        115⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:388
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        120⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        122⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        123⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        125⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        127⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        130⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        135⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        136⤵
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        141⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        142⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        143⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        144⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        145⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        147⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6692
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6736
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        150⤵
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6824
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        152⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        153⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6956
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        155⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7044
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        157⤵
        Drops file in System32 directory
        
        PID:7092
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        158⤵
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        159⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        161⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        163⤵
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        164⤵
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        165⤵
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        166⤵
        Drops file in System32 directory
        
        PID:6644
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        167⤵
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        168⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        169⤵
        Drops file in System32 directory
        
        PID:6856
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        170⤵
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        171⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        172⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        173⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 424
        174⤵
        Program crash
        
        PID:6288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7132 -ip 7132
1⤵
PID:6244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aafemk32.exe

Filesize
1.6MB

MD5
b95e04de89d79c25651fb3dd3543a17e

SHA1
f389e335f697c580b47ff6dce6cc30012b71982e

SHA256
b88a6e9cfb8307d72de31ec6e262d00ce13131b57ab9df98c66659697a260ac4

SHA512
0bed8078662968f6a883f02717fc22b904f97c98ca3b7603e9f536a3b9b043f8ca2853f92964abe72659bf55f8321e3575b71270791d24262bcf30a0863fb246

Download Submit
C:\Windows\SysWOW64\Ahpmjejp.exe

Filesize
1.6MB

MD5
f4b7fa6aefec784d95699f88a44f4be1

SHA1
57e84acfd6df27f7c48496879eeb3c786eac569f

SHA256
c8f5e50a692f2ca19c872d404769e05740a0ec3561eecd817a281bf7139fb0ec

SHA512
a4fd5bdc30028e6085fa742a3aa07ee9b37d7e9840d57b3a23772fb712f8a530c086b158cf149347489ede6c80ee199e1514ea6da74626f2afcd698d1a692221

Download Submit
C:\Windows\SysWOW64\Akccap32.exe

Filesize
1.6MB

MD5
fb366db4793d51a7b0fca9cd926455cf

SHA1
aa81308a361654b43503fe29022ee4942994fdd0

SHA256
1b4f9f175bb532b4727897d4b257cd1cdb35e79d437e9e8e4053f344657a4d0e

SHA512
54df799e9ad773b6342385811bc1502043981e59f15eae1c095704496faffdf567510914ab967ea38b370dca33b926c455767b3ad7ec3085f1241e1ce6f94e17

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
1.6MB

MD5
8fc7132d1e75628e1b7782443b179af8

SHA1
c1b2fad95f41af39da4b1e7b2ef8e6a42e996e43

SHA256
a31c070bb856e4ce249033ef68778b67d5370690f16fcf818b7313d7e4c77e64

SHA512
aa6cb3fbe9e5c55f308022a4261f1a5036490fa9b88e25f19ca1b2c3e8ab37f400327da1765bce27d0936747e1bacdf33a7424098b146273f1727e9c4b382bfb

Download Submit
C:\Windows\SysWOW64\Badanigc.exe

Filesize
1.6MB

MD5
dfb372e0b18d636f2c73fb93ec98e540

SHA1
52ce1f31cb12378b1b10b063327001c9bef9493f

SHA256
4a6af037240b4328ed1e8b4f534742ff1c307d8276e669bf455e23217b602a85

SHA512
4650823246b07bb7224b56e22754333b953ac6d95b2bfbc090d6fec122fc8bc567dc989c23e143a1fd9bca212cdd8e3be4d0f0b5bb48635a027623eb38eba483

Download Submit
C:\Windows\SysWOW64\Bafndi32.exe

Filesize
1.6MB

MD5
57248624c9fb67635899cf7a43e2911e

SHA1
f93256f1318053b133367af9e851846d0f2ee38c

SHA256
b0533b71e9b92ba45e8175f25922659e7cc4632e37fbfe6faf14062e1d99c032

SHA512
0c64e558188d79ea659cd855f7f6e10380aa9d6348fa65e92a2c3daab6222151f7d10d496bd7df8da2721fadb5a8523ae8aa6f9577192fdac888175a8c31f31e

Download Submit
C:\Windows\SysWOW64\Bedgjgkg.exe

Filesize
1.6MB

MD5
b5916fbef1c2c10299a471e211832ff1

SHA1
2cbb592bf5ba301e0a2396c35e0e9f69c6c902e8

SHA256
597a11a32c7abbd457f5c2a1af3f931a3275019466ceb6635acf9aeae66947dc

SHA512
1d0a733fb35dbe630ea1a2aeee9bdf64794c66a65f852ab385a4629af1bde42276fe6e0508b6f6bb32fe46540a857d6ea7926ce0b7c978b0707eb5472d8d4f5b

Download Submit
C:\Windows\SysWOW64\Bklomh32.exe

Filesize
1.6MB

MD5
15bbfc9b3c4b00242d39988466b31602

SHA1
4a5a49ea78601e1c073dad05fbdffbcf532355fe

SHA256
5639ba7023988bf8312f0a7db209964f53f65fa1a72696f9078636a23b7cc77f

SHA512
1abd2dd04af1fc13187c22ab9ecb713dbd59ca3acc0cf7d8e0ba118f0c96a4695fb180f7f0f44df2c2f830b37e82ab70b3c93cc0b5ced28a6519d2b06f50460f

Download Submit
C:\Windows\SysWOW64\Bknlbhhe.exe

Filesize
1.6MB

MD5
37c2b00373a8302c6f73297cb0641a91

SHA1
ce29c7334ac3127f4356026e43936b1cc85f9024

SHA256
37c5f04187b3fb8fd76a672b9bb2956a712939a5f18704104f96f1afc605cc08

SHA512
50ac307b51c75f02526a4e9dbbbc5324eeed73f76ef360d856c143d53c29ebaea6673ce591680d9e4890c230c65f0ea29fd5c8fdcc9b829fb46e7d0f5b527959

Download Submit
C:\Windows\SysWOW64\Blnoga32.exe

Filesize
1.6MB

MD5
439137a8076905c52972e60e285147ee

SHA1
4c732375d31b27747f476f2f633239d2976f9a40

SHA256
798e49be5ff78382a36f0d092664d3ab6046d8b2162533ecef264adf8e7457a9

SHA512
afc76e6bc6e8037f41142cc51f23492d7f8cfb0c52c0052823964261c642e805d9daee049109471649eb7a16009f67a78fadc3e5e66870b0fc00f32a312841f0

Download Submit
C:\Windows\SysWOW64\Bnoknihb.exe

Filesize
1.6MB

MD5
7690aa9fee6808b02e509d7044cc6871

SHA1
3a0e6c22c24435e6f4a886b38105b6e34a353d81

SHA256
e6e7f83b1a0e98281762dd7bd9d8b46bb8b63e5316a0af0f2bf31692c81bf7ef

SHA512
1daa690e4777f113193303ab87aacfd17aa3d270e42922d302ba23bc920a52f7195c84675b351ec7e99af3ea75bde983707b66096e76c0e705a4c103c97213a6

Download Submit
C:\Windows\SysWOW64\Bohbhmfm.exe

Filesize
1.6MB

MD5
2a9893f3878e63ac89047237ea19911e

SHA1
d4832946a800b528414fdc0038bcc398d8527a29

SHA256
85b3dd3c69b86982f9d30c2d4c7ae0a02e30c06f17a21316573605cfb1680561

SHA512
e3b68b46f0341afad22eb86fbec376b7f1c739a809525f356c610693816ab9db40d4abf5d8c62bd17f399c8235672023529f0a84a074b6d6ca6165426e2873ff

Download Submit
C:\Windows\SysWOW64\Camddhoi.exe

Filesize
1.6MB

MD5
fbc1fed5bcbbdb15a86b7929a2b8f892

SHA1
9da65ce561d4c45c373d038c83edd4635a331c5a

SHA256
ef0bbd39c920fc134d7963801ce97716a01aeab4d43f89122cfa50234b0567cd

SHA512
470a700687c3db074738c7d2cf27304fb6078cabd7ea260423505e9cc7dadd27964f92965967e062b5cfc3b7bed17eda4132dc27d94b08119f4e462a143ed4d7

Download Submit
C:\Windows\SysWOW64\Cdbfab32.exe

Filesize
1.6MB

MD5
799479fee296c2a1c99efdd8850320c2

SHA1
9bab420ee3141740e88cfa9b84f84b4177470f0d

SHA256
d674e4c7d480dba45d748dff6db1f15c15e0bebb3c615c6eb7e7ec45d36cc3b1

SHA512
fb1ac15a28c3543899576ca6d15721e386118c29548447a70f8eb7839b7f3f01e9771339dc908b45bf45d69740100ab986bdd521f8ef4acd20d9edad62010f23

Download Submit
C:\Windows\SysWOW64\Cnindhpg.exe

Filesize
1.6MB

MD5
829f6f83cfc51f928c7d8801d0e32463

SHA1
303afb3e65625c1c24b38ddd932b558574897351

SHA256
ddae266fd27102954e7dd2e7e509f0873c528141f4d845a718072d38ceac2ec1

SHA512
c403bf6e189d059cdc318286b7dc79f10ca970959ac65210e14a473791e10167a32c46b503b868a27583d0c3b2e034a45f1c7b581f7aca8d1c6e5cf3a0999332

Download Submit
C:\Windows\SysWOW64\Dfnbgc32.exe

Filesize
1.6MB

MD5
42bd3384668eb39acb3d482f3115946c

SHA1
5a55a59f8b6c87c904a5542dd65404054c5ee944

SHA256
23d8396ca1cf04985959a3b2a576f3113078d1b1de174b5d83f8f02f80603794

SHA512
226b46eb0aff19d87ed307602c3537e741f615b421ba22dbb7f409dacdbf4c6c5b49bbdee146275366a02e180968899c9837f9858ee2283a736ac760570e1b6a

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
1.6MB

MD5
1e2bc8f093b5e15825b1947edab52b50

SHA1
67809e2cf53bc4b202be63ac9c75df145f90ba38

SHA256
900de5b89e633c8d1575835155b52ecacba4321ec9bab1e17d4e09db239524ab

SHA512
dffcebeaeb5762a7403c88711279cafdd4105e4337d50b7d899ba67550a4d863f732a38f236cf67447451fa531afa7db8612214fe3af53f94ec375d8e0b568c3

Download Submit
C:\Windows\SysWOW64\Fpdcag32.exe

Filesize
1.6MB

MD5
91ed141de83dc32f9a538424a52fcb93

SHA1
e90c4d59a249c253af97a782da381d7dc7bbfdd3

SHA256
d92bacd668211a840f64cb0d5240cdd07d092be033928fc1f9281fc3f7d27272

SHA512
c6b5a8ce6f61e49fd00e59f554d39f17e8b8c900e19b15b52e1d4705b255ac9245372121edef2f1f4f006a55499912aab3d008a1eb10eec7c5b167ba09173651

Download Submit
C:\Windows\SysWOW64\Gncchb32.exe

Filesize
1.6MB

MD5
4af2ef03eeb0f725fd767d5a99760845

SHA1
c3628638af64630960d2b9a3e842b2907308ebf2

SHA256
981c892f28945324841eb8963472dc40642bbfe80946ffae12a6db7f089e37b5

SHA512
84fdb17c9f6bbaf8a47657438d0220bfc4b7a285509e871bad2f265d19b895a5c50274f39871398727b32c4089b299323502d88bd1b3871cc9d42bbb786e152a

Download Submit
C:\Windows\SysWOW64\Gojiiafp.exe

Filesize
1.6MB

MD5
6a017642d6828c3e8cf454baca37e213

SHA1
803cb26a413034f3c2a694010c12c1815d2a6bc7

SHA256
876a5fcaa2c0f718877e780e571ebcc939351e4641502221930c238b043b9b94

SHA512
da35183d5f6b6e537e0727d42d0fcef91b6ae3c769fdf92258c585a0fd31be3a5747bd302aeba1de4cbc82c7f607526aa18b43915d46e8212cfc7d95d06cf703

Download Submit
C:\Windows\SysWOW64\Gpnfge32.exe

Filesize
64KB

MD5
371480ca0ccde007bd5c1154c091e862

SHA1
d3ad457b3723cef4625788874283af349cf513f0

SHA256
eb47faa79191094f837aa77808f84ec2be48097d169d5c39976f961b90fd0712

SHA512
e0b424dac2163211053b75ff919b8ddd592e2b2c888588db2e0e4f6fd1c9d7f68182df8c4bbe7210eea64cec531ed5d40dc78197e9b6cff9157a68f3b4bfb219

Download Submit
C:\Windows\SysWOW64\Hbjoeojc.exe

Filesize
1.6MB

MD5
e9ee24b9a0487c4dd971714c10e60869

SHA1
abc11fb6e9cb6578e5b51b789c187b33fca4c387

SHA256
8e81aa37c2dae16d7885f1b6e30b1d6258d0b37292cccb3ab5e50da461f6957d

SHA512
a1af08d84a56895448f8d090dea9b81751ad84617b2b83ea70908e3103985a5c1eb3e308d5c6b9aee1c9b6df3bf91d8aeb3917c035eb1de8fe70eaad9085849e

Download Submit
C:\Windows\SysWOW64\Hblkjo32.exe

Filesize
1.6MB

MD5
637d0c5d3924b7b0a75aaf5059c2250d

SHA1
411fe10eacdeb2bdeb35bf90609a38253cc40ebb

SHA256
eb8d80f461b608b35030e236cbf1481a611e0e2d82e89fb80bb165eb3545ef0c

SHA512
a7bcdb88daafbff837e768e94e62275ce5ef418ce546038f60dcd1d60b1d5cf1ee064063f00dad047f23e85dca479016c3c27dafebf62f198f38b4e8bd4216df

Download Submit
C:\Windows\SysWOW64\Ibcaknbi.exe

Filesize
1.6MB

MD5
b9dce6eb7b0ee076744f99d7cc5df7ef

SHA1
a903bc249c8bc7ea0af1c5bfbb01d73206dedc63

SHA256
edc49bb258420c633c71a63a2314c88f07695ff42cfbbedafea69f9bf27e273c

SHA512
3e9f1d497587b96fb898c8bc196c4ac650b1f1ed217881f53cf33d2c741693e1900c013f371ed4a5e4b7215c31f72ef72a741d157213cb6bee385632273ac9d7

Download Submit
C:\Windows\SysWOW64\Ickglm32.exe

Filesize
1.6MB

MD5
21634905f1df10e58429c7aca36bb3d4

SHA1
b733498471863fe7e136a82431044e173668b575

SHA256
a1029bbfa3594131ba336239b31598b46efc46aa9d967455726bb7573d87da30

SHA512
509207c88fa6357e3ac8135fcdd45be6d48057553df516038689fcf9598b1fa50ed42a94df2d526d242d39b3d2fa17b6bcef57121672f413d083bd39b0f2527e

Download Submit
C:\Windows\SysWOW64\Iigkob32.dll

Filesize
7KB

MD5
89e145f5736738453f4e938911e8c044

SHA1
08b38f8faa47e5421f3c1c521ef31075d9a77c41

SHA256
bf3d0f8d26efb9dc66f68b7afde9b4a8b91bfe9e1bb67eb32c8743fbe5799206

SHA512
ad7ba504244611020421ddcde6fc40bcdedbe5dd0ceff7200b4c79dfd967d7f6d0fd548c2e69c41d289f842ffc161066f62dfbfa7b760e0d69be5a7cccc4b12a

Download Submit
C:\Windows\SysWOW64\Jcoaglhk.exe

Filesize
1.6MB

MD5
60899477ed015b767abffe62245d9884

SHA1
6232680f4f267f044f5ca07ccf494f61b89a4f03

SHA256
c6d616835173acc5510384b739ee5a4d7b264325eae95b5584e93e7cae792379

SHA512
ac8488d4b04011c5163884d37bc7e2226da526d357fb705db8e3cc3d53d30a22fd9b3810719cca0bfee93193e50480a7117254e2bd5eb6d6126ba5582178651d

Download Submit
C:\Windows\SysWOW64\Kflide32.exe

Filesize
1.6MB

MD5
d6c2db31ec366926126db54748c9f93c

SHA1
173aa3414ea61910650a130b694875f03ff382ab

SHA256
4dbc3c35fefd663bfa3772cae3985a3037056fb8cf121be4b1ecbca943ff8add

SHA512
00f61dbbd5958d8095d9fa044db26288ff7c5d17751bcdb037cb5da7d200d106bf1ec4bab79aa6bfaf0d67418bace00ee4869c146c23c265a7d30ee79eb6debe

Download Submit
C:\Windows\SysWOW64\Kjjiej32.exe

Filesize
1.6MB

MD5
cc14500a9ee88c8905b7b10c45d3d780

SHA1
0097353bef6b8a5f5af1d5ebf74dee91f65567a6

SHA256
7a483ea2b503ef318701bf10efafd92a391f1f3f4b402d3281033f20daee9035

SHA512
c6a4fb9ebb90b23b9623b7e1786233f96a85563c236bc00ff050231b7f07bfeadbb8c710d2f6b4b3560cd28d40c2359b5e3721e4f6fcab9622b8becbe6ae568d

Download Submit
C:\Windows\SysWOW64\Lclpdncg.exe

Filesize
1.6MB

MD5
8e178f817e7bb7cfac3a830abb280ad1

SHA1
9227eec5fa231990df92fc0aa504dd324ff77005

SHA256
1ea7a9574e50abc1ca56835f1ce5e54baffae2b00b2d38f4554fcf3597cc3a9d

SHA512
6e65f65e570c9f1eb5104654a40c4f1fe5203306449f9eaf9e38a318803ee3f26badede5f1485aab2a5e6d8da649633dbd2381a51e40cda4981424d6868efd84

Download Submit
C:\Windows\SysWOW64\Lcnmin32.exe

Filesize
1.6MB

MD5
0b6fa4d5572d1c688a37a091c2d78f53

SHA1
11f7926257bfd742dddb9792e89ea3346c61dc28

SHA256
7cfe6da1a771d5330fedae50e84c042021a2cfb99f86bb9c9968e10dfa50cbe7

SHA512
133c286f8c04541435619ab6f1789dc7d173dce7dba4bc33bb0a89cedfa9367c5928fd43b8eb970bd4d528ba09273348b5c0575cfc531ad9a191bbdf02b11d63

Download Submit
C:\Windows\SysWOW64\Ljfhqh32.exe

Filesize
1.6MB

MD5
371c46be394e27acc9319c2f3f4dca25

SHA1
25ed3c05fbba8ce52bab281def3246ad8ac8fa05

SHA256
24f45cae558c504f80e6e76697a8d848172f003484a1fc8946dfe572db10d6c1

SHA512
9793f79a019d919b5a75915c57a74f007674a8acf80c93ddcd3ac2573af3ecfe914afba7234c0d36a49910329312df195b0bdd0cf2bb37855ba6e4888f389b9e

Download Submit
C:\Windows\SysWOW64\Lkeekk32.exe

Filesize
1.6MB

MD5
0a35b1db4f1ed4ff0fddd742eb48edf4

SHA1
fab7436f6631c0b94df7efd1ecd35ccd530ea37f

SHA256
c05630b5065785f254171039b3089382d83c72b580be80dc47500f5ae55a5513

SHA512
4d1836a0cf14d0c21498c3d1301f937053d238c7ff8bcdd8c4fe239095f8cf8468e4c02df12e2653763fe89703ad257d0efeb109ff98ea9b567274eb91519118

Download Submit
C:\Windows\SysWOW64\Lklbdm32.exe

Filesize
1.6MB

MD5
88b75d1a5bfe71fd8bb48b12ad22257d

SHA1
2f2b0d7682ae6e435e00052f924e50c23e5cb9e8

SHA256
2af2f4e5bef1c6763c43e771e9238f4eaab519b584e9c51c46d23eb148aa77f0

SHA512
6817bf7440242de1e4ccb02e220ebf9661a122d82f4c9d42880602d1844755de0a30dd889053747aa2a692d90ea64a3182e8665511a1715cb62a7bee9350c6b8

Download Submit
C:\Windows\SysWOW64\Lmdemd32.exe

Filesize
1.6MB

MD5
a496510dd2e1c07e7587abdc10d64c87

SHA1
4ecbac9d35124f94b66c9254e25ceab08fc87bd3

SHA256
48ed0d8d9a4d288d980958426132049129217c83574aace5dbe1d8c819029bf1

SHA512
d556b438efa5c3666bdf302bd205efa6003c493e71bd06262480ad89645e942557aa22fba39da6435ce79e6fab1f3536af08826e231dc7844e8b46895276d8e4

Download Submit
C:\Windows\SysWOW64\Lnjnqh32.exe

Filesize
1.6MB

MD5
24d2e036ea04eca1770758309cff4862

SHA1
c53e1bc3592d9645a70946c8b3a17df762dbd97c

SHA256
7fa26900de8ca21a3e5b5bfe6f553038f36037c9886531699fefb0d628ce93b3

SHA512
ac5a7912ddc71702257278ad4723c7e428e4a235f5710d14f9cd821bf377c27e32d933a68d8da4f21c54868d3b0e8b3af8bf99ddb6ce1f614e72e5f2640fe7e8

Download Submit
C:\Windows\SysWOW64\Lobjni32.exe

Filesize
1.6MB

MD5
8a85280c4da704246cf0354ec11e66b8

SHA1
13099b2a19abed8bebcbe7a18cd8611fe0c0d014

SHA256
c3ed37468177dd7aa5f475bd0150ae5a51a4ea9c847f9e2af51e37de001895f4

SHA512
f4513cc9f9ec57d06a59e20694866dc45610c0334d07374250d6977329a37d440dfdb2984ef9d2979e91d0e577133505b3f5cd36785e203bc68e4867d16c5c6b

Download Submit
C:\Windows\SysWOW64\Lqbncb32.exe

Filesize
1.6MB

MD5
0c10bf0bb69a18efab030888e30569d5

SHA1
4c156357cf7c344816d25b34d397376eda980685

SHA256
d08c0dc1004c3cea16f58aa4729c2e3cbcea63c2630927bb8f1547e4f15354de

SHA512
db8f8f1e31c9c9aeabacf62ff02bb3109179f7c0ff349624bf54b267cd7c49de52032bbaa11221eb0ca33cc6f01f3889d84a3e9d98bce296e00a39bbe9517e05

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
1.6MB

MD5
289a8baefd98b21b80863f9798a5407a

SHA1
361a663dbb0db5981d112c9c2f081613864ba068

SHA256
66f6e1e810a9cd6aa942d2a6489e7d6f7408f70e8d3a474520cbb5cd9ec8df5f

SHA512
579cbeba0e6fd0353d9b8dabfdf1dc1d0b7943552b643bbbc44f49dbf0a969b93a857231054d1e1e76f3b4babb823c8b18a395ca6d57b19918e0dd2dfdcf9ea0

Download Submit
C:\Windows\SysWOW64\Mjaabq32.exe

Filesize
1.6MB

MD5
060c35e9be707ad95968f742be1df8ea

SHA1
ef6bf74b0ec4f96ca0221a356fba10f13160112c

SHA256
c81ee1782db20bae4fdea6d0ea72a6fc823f06265405605c40795e1b73577026

SHA512
17a758cd5766fbcbb6d1b8db10314866c95c17639e8cb3008d6f5afe598aa39cd39965441c6f5725fb2b0d7c2c10a1398fd7275b9b1b898280c5245614bea018

Download Submit
C:\Windows\SysWOW64\Mmfkhmdi.exe

Filesize
1.6MB

MD5
92e305ee5be5bd3932cb52e3e560c27e

SHA1
908ad270690c4ae2832ae0775b92f74a1289c845

SHA256
65106e5ff1dbd35ba7555b7a2e897bbd11a0e28afc49b662906c018b1dc04bd0

SHA512
fe6b7c005411809521eebfacc07d568b20bc2307a243c311f2dc7e0def811ebb33f6cfd9107192061fa9369689d29659344ae25cbe7ed9964020dfb159171a6d

Download Submit
C:\Windows\SysWOW64\Ncabfkqo.exe

Filesize
1.6MB

MD5
e82ce8a8fe8cd182576b356e69b1b947

SHA1
04db2b3f50d942a68d9ea81336a52e7b4bc4c838

SHA256
6c105490833e007dced4ca6fa9037a459de24cddda9b91e34d7c33636eefdfdd

SHA512
16939aab8b1e544c1ca506e9a0c82b27b14f94c63b025784e9f873a9c3cb5226c85efd28bcdbc2b9b979019d599d9282e59b5d5aea2c4e90b38cbeed7238372b

Download Submit
C:\Windows\SysWOW64\Ncchae32.exe

Filesize
1.6MB

MD5
719016ffb448b22e9cbfa243b08b2fbe

SHA1
a3df10a1859e4ffbec1286a2b586a638fedd5400

SHA256
e26b9cbde6a7f66c095c4b8c37273513b63515fed312cd5a0687fb082dc4c39b

SHA512
ee45ca2dee9ed379510761838efada934bf59bcdf08856efc8ffe4dad47207d5daf3e1a0849d373898db11cc84be703d63c5ecea4160ff8abf87053efbd22399

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
1.6MB

MD5
2025e3a2a106c95aac3930a4bc166856

SHA1
6c628356ea10c4144892236bb592a92e1ebb1573

SHA256
9c468dc915acc6a50f0bd41eea7d1400f1059b41b4d0fdda56967d144802b296

SHA512
85ea269b3fe14cebd14e74a3cbf3733ea06cb4a1362a172d9e5f36e6b1b5a0b5e0ce944e576de92c335a168342e0780a66e0ea0a4f133070ce6b548a4bbf6d16

Download Submit
C:\Windows\SysWOW64\Nhokljge.exe

Filesize
1.6MB

MD5
be421da8d8125e6672b989ee8407de79

SHA1
61e0a747d3350f664ec91be873465144af889939

SHA256
879d933773dfca8885048164a34f909e4480cff972c357550ed38789668f6293

SHA512
d3407d2dbd23e6ba29ee5ce035993abb8d51d1b52cb9e6453a7c7dd6b10bf51e1d40a2dd0b4a5082855d19ca2b5dd8d68229e84d34e0e73299536d4910cbee5a

Download Submit
C:\Windows\SysWOW64\Nnicid32.exe

Filesize
1.6MB

MD5
c3c4e03019d53f13777c16b7d2456248

SHA1
b65be375d38adfd021e046f990b1211466f48abf

SHA256
f6dca2ed31f14381cf1f3bfa3e293a9e9ef2f069777589de24a75c08ea7d93cc

SHA512
fb2f23b68c882a55d2f31ed64ea335f6c225bb90ef1a5e6cb1f3a019287ce458d5b030931f77e7cf9c4a775707837d53439c92589782198654f9289c84fefc31

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
1.6MB

MD5
5a6e72c1496c26c26db547307043d9dd

SHA1
67f295ad9f52261be12950f2b530ebc3c831b4c5

SHA256
6302a3449dfc62c5fa5a99dc84793873b9af9c3386005fd8ed10212b9e749487

SHA512
ec66f334d9e4adc26568853b42b4a245bd6d71b7c1900112d531631c54cf11bb87a8c96c52a2e8220ecb185065494401f30627ba19632ec3c9204d03845da6e7

Download Submit
C:\Windows\SysWOW64\Oeokal32.exe

Filesize
1.6MB

MD5
b54eee58c191c48838edf43ff9490ede

SHA1
3ed2132cde151ff702dbd7b06010f71ff93ba9da

SHA256
2d17545f7d3d8a697192d696d026e76ef13efda2e44d51456bb9efd329217e9c

SHA512
f228df80f39427f4c498fa9603e30b6df2432c23469ec950ba2a845420da0d014a15cf3130ad344787caad1c601a6b18133a94dc93cc319fa2e6c5a2fecc19e7

Download Submit
C:\Windows\SysWOW64\Ojdnid32.exe

Filesize
1.6MB

MD5
a3499f8a1c854a10b20745fc4a51bc3d

SHA1
727bf6fdbd76cddddc5ad525aba79d2067111fbd

SHA256
e5eef47628d0e1070595fb3c73dd85f5bb2136319521b3dbf2c96bccebc33d3c

SHA512
3af846a4ee26f9887c5bf9a39df2a074f7dcedb0d8c7c9efdf5b09469838585aea56a15b90459528c5e3d82b05803ee9e441341fe8cd32ab03a5bf77a636d827

Download Submit
C:\Windows\SysWOW64\Ojdnid32.exe

Filesize
1.6MB

MD5
cc9b7ed44c6bba58aeb6f7a5e7bd15f9

SHA1
d4a04cd502ec27b62d0588ec2d374d564371c43c

SHA256
57c9ec32997469749872fda1a83e883148d8258419e4f39f5e763dac3bc3f33d

SHA512
44544a98a7bfdd4857e4d0ed48c2c3a946e4c1807bce8bf9c84875c06342429613548e645e8a391c0551bd49046ed0a3f5db50bc46c71f4534765f6b3215843b

Download Submit
C:\Windows\SysWOW64\Opclldhj.exe

Filesize
1.6MB

MD5
9989003496fb1cd02c2ebbc7a84a1141

SHA1
edfc31a017ba841fccf74f9ad6691777a3d8605b

SHA256
2684ee5cb9caba2e2db0f0e2a399d994480a75f8f3271d374c071e7f42ae3603

SHA512
775fced5e156862dc95bdd4a4d5ca51ab9c1ad4d93658301a0da79fdebbb04f2064cff5b73600210e063229ef47ae0f008c070555764a0d1311fafeaeeaa1553

Download Submit
C:\Windows\SysWOW64\Pahilmoc.exe

Filesize
1.6MB

MD5
4b29307eb9dec9112938a2851a9da372

SHA1
479a283d00c0398351c78db60dbace6f06779989

SHA256
f49cbfe4df8011c3555f5d5a4f1cac8c608c35ef0635f7de652deaf7e20d2bc6

SHA512
cbe6078590137ee237cafd2d75fba90d8f6d05132cf4af0c408ee2343ee0da01ee2d1d4965e95ec69f149657596954418f8e9e8d3ad238b2650120ee3c4271cc

Download Submit
C:\Windows\SysWOW64\Phajna32.exe

Filesize
1.6MB

MD5
692a959fd5db4c1302145c92b9eb1603

SHA1
0d08d0f4e13395a108b557d1ab536f6b7a94232b

SHA256
d194b7bc0dbb2a6387711f8864409a86664fec45fac4f5250f34ac975018af55

SHA512
883573ddd8f10b649b0a5d096cace0b9cab5b961029ba2b3d31caadc694751085d2c2737cf02ece592658ed1351f747855b0354a1b1a15a28bde33915332656c

Download Submit
C:\Windows\SysWOW64\Pkegpb32.exe

Filesize
1.6MB

MD5
3bcc7c8fef7ec4d70dbb39a01d5a7a6c

SHA1
a597d52f6ab6c1b9e379972c1a3ba9ea5d81f7ce

SHA256
33c7c1dc8f87cacc168b21f047c02879767e09bf93d5985eea50151a3706386d

SHA512
6110d41644c6a6fa23e64d472f12728482711928be286df77839d7afe31e3734124eff6b9f21b862071e78463496660a0ddc2c05485fa5e84489d76cea5dbada

Download Submit
C:\Windows\SysWOW64\Poimpapp.exe

Filesize
1.6MB

MD5
ba78ccf5d4657c5c5f2cbf63a406a78e

SHA1
bdfdaaf86f87dbb4aa6d4b794c63beb50a48c7da

SHA256
65fdd25551904cfcfa3f5c8d89b720799a9a4d5cc19239a5343fbef147d2e820

SHA512
c9c5f06c04b7dc75bf640ec516adc8a81b822a6c0d09315d4e9995d978eba107b26687865d1e6112f458daa02e17b682da811f91ec9ffa6b2b806b2d967fc9c4

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
1.6MB

MD5
6808b53e376e3eac3e345206ac860672

SHA1
fc144d269078c731c3a60a2163e34b697f2d9821

SHA256
5c6ee6b5bde6da059ecb3176b29e0aff2b638153058f48a154e90be30f869cc7

SHA512
da6c009644847df7c03dd58c1f5f11efba1cdb305caa3877dcfbdba728959aaff0aa536f4b917223a11c14a687950ce0c5effd61c572e0889e5884a19028f713

Download Submit
C:\Windows\SysWOW64\Qjiipk32.exe

Filesize
1.6MB

MD5
70fdfd1ec253579059332f1bfa956b1f

SHA1
708550eafb555f992610d06b245058404ba29b03

SHA256
ecfcf3058c6f6764d0700929570fb7581ed540b720076c7e26921eaaaab4b41a

SHA512
31c7b31d5dc2ef64eae40695f9bc7bbc2ba120d2807211abf5a97713433d714a3bf0d37b23bad8b33fbb12f85881e6b8f65ea931ecac493696bfe038a562157e

Download Submit
C:\Windows\SysWOW64\Qklmpalf.exe

Filesize
1.6MB

MD5
bb775579e15d5ff7430804f59f849010

SHA1
2014cdce435fe744f9631b301dbb5e65502e0cd3

SHA256
80c8872a8878f5cfc43cfd8d183067db1c07d8f90fd01eeb05c1707f62d0e8cc

SHA512
b9acb332186bbd9478687d14ddae4677d20448f23cbf6380858f7e9a00574ed1c28a916820c99c182365b61885b244bbbb8ec967d20e771aae09d5d81208d20c

Download Submit
C:\Windows\SysWOW64\Qoelkp32.exe

Filesize
1.6MB

MD5
476f37576f99514862010c3500edf047

SHA1
f7560933ea3fa74f9dbf156df3f4d57e5f7b1781

SHA256
859ec458786b0cbcdfab770b520fe522734e713df9b53e2c5f1dc02a0a4076d6

SHA512
2c5b10a773ef6844a729e471b81a9a0bc1b6e6f111cc96cc28a72d5c482eaff1ab2111de2eefe823aa22985e7b976f279a38fbdd32f5d59e25b7105bf0f478cd

Download Submit
memory/212-253-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/232-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/232-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/432-172-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/456-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/468-427-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/468-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/536-79-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/536-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/548-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/836-325-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/836-265-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1044-447-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1044-379-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1052-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1140-414-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1332-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1344-306-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1344-375-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1556-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1580-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1580-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1628-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1628-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1652-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1652-180-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1784-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1784-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1816-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1816-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1852-297-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1880-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1880-392-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2068-318-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2068-258-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2256-407-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2312-186-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2312-283-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2348-185-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2348-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2384-225-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2408-181-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2580-124-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2580-44-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2608-273-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2608-332-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2744-237-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2744-142-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2764-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3048-158-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3048-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3188-399-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3188-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3272-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3272-257-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3324-238-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3324-305-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3740-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3904-209-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3928-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3928-171-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3940-421-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4032-365-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4032-434-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4116-252-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4116-149-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4140-234-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4164-428-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4284-339-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4284-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4380-435-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4460-52-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4548-385-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4548-319-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4564-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4564-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4728-226-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4792-115-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4792-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4796-133-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4796-233-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4856-69-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4900-378-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4900-312-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4964-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4964-420-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5008-141-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5008-59-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5016-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5016-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5068-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5068-345-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5092-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5092-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5116-393-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads