001aa4bfeaa0a185d6b1cfe4bd42b22feaa9f9850e24666fa27080f52725f00e

Analysis

max time kernel
142s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0854872637f90f4dfea3e83949694830_NeikiAnalytics.exe
Size

80KB
MD5

0854872637f90f4dfea3e83949694830
SHA1

808cc1e6614ccc136af1e9d9bf65e6b1171d05fe
SHA256

001aa4bfeaa0a185d6b1cfe4bd42b22feaa9f9850e24666fa27080f52725f00e
SHA512

b40b0855a8d2743a583a306a8bf415fd9c42ae3a6d2b8dcbf20f0fb296a9352fb47d2f74c918aa0e77846482fb5ac42f2316207b941411c9fa28302dec1ccc79
SSDEEP

1536:GG2PYKeeGa2bfq7G9NoIG2v6te12LVCYrum8SPG2:MxsDZG2vaemVVT8SL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gimqajgh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgpgfmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flmqlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loighj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdlmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkekjdck.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbonoghb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoobdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imiehfao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imnocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekcgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjodla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnegbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knenkbio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfqlfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jleijb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fganqbgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqoefand.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebimgcfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giecfejd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hppeim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knqepc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kofdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niojoeel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pccahbmn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqlfhjig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihmfco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmqlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jojdlfeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hehdfdek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpegkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fndpmndl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggmmlamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkpjdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifcgion.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Johnamkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgkmgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpiplm32.exe

Executes dropped EXE 64 IoCs

pid	Process
1064	Cnkkjh32.exe
2920	Dkahilkl.exe
3816	Dkceokii.exe
2472	Dkfadkgf.exe
1452	Dfnbgc32.exe
1268	Ebdcld32.exe
1012	Enkdaepb.exe
5016	Ebimgcfi.exe
2340	Eblimcdf.exe
3540	Felbnn32.exe
2356	Fijkdmhn.exe
1600	Fngcmcfe.exe
4704	Fpgpgfmh.exe
4516	Flmqlg32.exe
2988	Flpmagqi.exe
688	Gehbjm32.exe
3652	Gnqfcbnj.exe
2232	Gppcmeem.exe
4144	Gihgfk32.exe
4508	Geohklaa.exe
1588	Gimqajgh.exe
532	Hpiecd32.exe
2256	Hefnkkkj.exe
3696	Hoobdp32.exe
4468	Hlbcnd32.exe
4392	Hifcgion.exe
2236	Hbohpn32.exe
2436	Hmdlmg32.exe
3396	Iepaaico.exe
3532	Iohejo32.exe
1596	Imiehfao.exe
3772	Iedjmioj.exe
4024	Iomoenej.exe
2596	Imnocf32.exe
1044	Igfclkdj.exe
4444	Jcmdaljn.exe
5032	Jleijb32.exe
3416	Jgkmgk32.exe
1624	Jofalmmp.exe
4684	Johnamkm.exe
1072	Jinboekc.exe
2304	Jgbchj32.exe
1880	Kpjgaoqm.exe
1912	Kjblje32.exe
3476	Kpmdfonj.exe
3056	Knqepc32.exe
760	Kflide32.exe
2688	Kpanan32.exe
3632	Knenkbio.exe
4524	Kgnbdh32.exe
2296	Loighj32.exe
4032	Llmhaold.exe
3536	Lgbloglj.exe
444	Lgdidgjg.exe
456	Lqmmmmph.exe
4940	Ljeafb32.exe
3036	Mqafhl32.exe
1680	Mnegbp32.exe
2680	Mfqlfb32.exe
3868	Mqfpckhm.exe
4512	Mjodla32.exe
3492	Mfeeabda.exe
4544	Nmbjcljl.exe
2484	Nmdgikhi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Fpgpgfmh.exe	Fngcmcfe.exe
File opened for modification	C:\Windows\SysWOW64\Gehbjm32.exe	Flpmagqi.exe
File opened for modification	C:\Windows\SysWOW64\Iomoenej.exe	Iedjmioj.exe
File created	C:\Windows\SysWOW64\Hhlpmmgb.dll	Kpanan32.exe
File opened for modification	C:\Windows\SysWOW64\Lchfib32.exe	Lojmcdgl.exe
File opened for modification	C:\Windows\SysWOW64\Nmfmde32.exe	Ncmhko32.exe
File created	C:\Windows\SysWOW64\Lhdbgapf.dll	Ocaebc32.exe
File opened for modification	C:\Windows\SysWOW64\Ebfign32.exe	Edbiniff.exe
File created	C:\Windows\SysWOW64\Ckcdlpbd.dll	Fniihmpf.exe
File created	C:\Windows\SysWOW64\Lkjaaljm.dll	Jpegkj32.exe
File created	C:\Windows\SysWOW64\Lgdidgjg.exe	Lgbloglj.exe
File created	C:\Windows\SysWOW64\Ngidlo32.dll	Lqmmmmph.exe
File opened for modification	C:\Windows\SysWOW64\Qhjmdp32.exe	Qjfmkk32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfkpp32.exe	Bkibgh32.exe
File opened for modification	C:\Windows\SysWOW64\Fijkdmhn.exe	Felbnn32.exe
File created	C:\Windows\SysWOW64\Klqcmdnk.dll	Hoobdp32.exe
File created	C:\Windows\SysWOW64\Anhejhfp.dll	Jgkmgk32.exe
File opened for modification	C:\Windows\SysWOW64\Kjblje32.exe	Kpjgaoqm.exe
File created	C:\Windows\SysWOW64\Eqlfhjig.exe	Ebfign32.exe
File opened for modification	C:\Windows\SysWOW64\Fganqbgg.exe	Fniihmpf.exe
File opened for modification	C:\Windows\SysWOW64\Ecdbop32.exe	Ejlnfjbd.exe
File opened for modification	C:\Windows\SysWOW64\Oifppdpd.exe	Omopjcjp.exe
File created	C:\Windows\SysWOW64\Dbcdbi32.dll	Aimogakj.exe
File created	C:\Windows\SysWOW64\Jgjjlakk.dll	Eahobg32.exe
File created	C:\Windows\SysWOW64\Gmiadfmi.dll	Fijkdmhn.exe
File created	C:\Windows\SysWOW64\Mnfgko32.dll	Kofdhd32.exe
File created	C:\Windows\SysWOW64\Mjlalkmd.exe	Mlhqcgnk.exe
File opened for modification	C:\Windows\SysWOW64\Ncmhko32.exe	Nfihbk32.exe
File opened for modification	C:\Windows\SysWOW64\Flmqlg32.exe	Fpgpgfmh.exe
File opened for modification	C:\Windows\SysWOW64\Fniihmpf.exe	Fqeioiam.exe
File created	C:\Windows\SysWOW64\Gbnhoj32.exe	Giecfejd.exe
File created	C:\Windows\SysWOW64\Ebdpoomj.dll	Oifppdpd.exe
File opened for modification	C:\Windows\SysWOW64\Bdocph32.exe	Aimogakj.exe
File created	C:\Windows\SysWOW64\Bdcmkgmm.exe	Bkkhbb32.exe
File created	C:\Windows\SysWOW64\Qfgllk32.dll	Hmdlmg32.exe
File opened for modification	C:\Windows\SysWOW64\Pagbaglh.exe	Pccahbmn.exe
File opened for modification	C:\Windows\SysWOW64\Pnplfj32.exe	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Pakdbp32.exe	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Eddnic32.exe	Ecdbop32.exe
File created	C:\Windows\SysWOW64\Ampillfk.dll	Bkibgh32.exe
File created	C:\Windows\SysWOW64\Fijdjfdb.exe	Fndpmndl.exe
File opened for modification	C:\Windows\SysWOW64\Gkaclqkk.exe	Gnnccl32.exe
File created	C:\Windows\SysWOW64\Nimmifgo.exe	Nmfmde32.exe
File created	C:\Windows\SysWOW64\Dqnjgl32.exe	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Ekcgkb32.exe	Enpfan32.exe
File created	C:\Windows\SysWOW64\Jifecp32.exe	Ibjqaf32.exe
File created	C:\Windows\SysWOW64\Ncqlkemc.exe	Nmdgikhi.exe
File created	C:\Windows\SysWOW64\Ogmeemdg.dll	Niojoeel.exe
File created	C:\Windows\SysWOW64\Obnehj32.exe	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Cpcpfg32.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Gadiippo.dll	Ofkgcobj.exe
File opened for modification	C:\Windows\SysWOW64\Cdbpgl32.exe	Ckjknfnh.exe
File created	C:\Windows\SysWOW64\Pncepolj.dll	Glfmgp32.exe
File created	C:\Windows\SysWOW64\Ckggnp32.exe	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Jojdlfeo.exe	Jpegkj32.exe
File created	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fbaahf32.exe
File opened for modification	C:\Windows\SysWOW64\Gnqfcbnj.exe	Gehbjm32.exe
File created	C:\Windows\SysWOW64\Kpmdfonj.exe	Kjblje32.exe
File created	C:\Windows\SysWOW64\Lqmmmmph.exe	Lgdidgjg.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqaf32.exe	Ihmfco32.exe
File created	C:\Windows\SysWOW64\Kpqfid32.dll	Giecfejd.exe
File created	C:\Windows\SysWOW64\Bdocph32.exe	Aimogakj.exe
File created	C:\Windows\SysWOW64\Fniihmpf.exe	Fqeioiam.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7684	7588	WerFault.exe	290

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kflide32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneclb32.dll"	Ggmmlamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikpndppf.dll"	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbklgfdh.dll"	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpagaf32.dll"	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djiono32.dll"	Ebdcld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncepolj.dll"	Glfmgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkkjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knqepc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgnnai32.dll"	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llmhaold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiikeffm.dll"	Dqnjgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqpfmlce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggmmlamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll"	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodamh32.dll"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdecba32.dll"	Dkahilkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmdlh32.dll"	Hpiecd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldclhie.dll"	Babcil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jleijb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqeioiam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggdhe32.dll"	Hnlodjpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgnbdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edbiniff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qimkic32.dll"	Nmbjcljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnpek32.dll"	Lpepbgbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebimgcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcmdaljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbjgbff.dll"	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hahokfag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kafkmp32.dll"	Jifecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faoiogei.dll"	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llmhaold.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpegkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnbgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Johnamkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eanmnefk.dll"	Lgbloglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmdgodo.dll"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjjgd32.dll"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dqnjgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glfmgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmeemdg.dll"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofckhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkfadkgf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 1064	4296	0854872637f90f4dfea3e83949694830_NeikiAnalytics.exe	91
PID 4296 wrote to memory of 1064	4296	0854872637f90f4dfea3e83949694830_NeikiAnalytics.exe	91
PID 4296 wrote to memory of 1064	4296	0854872637f90f4dfea3e83949694830_NeikiAnalytics.exe	91
PID 1064 wrote to memory of 2920	1064	Cnkkjh32.exe	92
PID 1064 wrote to memory of 2920	1064	Cnkkjh32.exe	92
PID 1064 wrote to memory of 2920	1064	Cnkkjh32.exe	92
PID 2920 wrote to memory of 3816	2920	Dkahilkl.exe	93
PID 2920 wrote to memory of 3816	2920	Dkahilkl.exe	93
PID 2920 wrote to memory of 3816	2920	Dkahilkl.exe	93
PID 3816 wrote to memory of 2472	3816	Dkceokii.exe	94
PID 3816 wrote to memory of 2472	3816	Dkceokii.exe	94
PID 3816 wrote to memory of 2472	3816	Dkceokii.exe	94
PID 2472 wrote to memory of 1452	2472	Dkfadkgf.exe	95
PID 2472 wrote to memory of 1452	2472	Dkfadkgf.exe	95
PID 2472 wrote to memory of 1452	2472	Dkfadkgf.exe	95
PID 1452 wrote to memory of 1268	1452	Dfnbgc32.exe	96
PID 1452 wrote to memory of 1268	1452	Dfnbgc32.exe	96
PID 1452 wrote to memory of 1268	1452	Dfnbgc32.exe	96
PID 1268 wrote to memory of 1012	1268	Ebdcld32.exe	97
PID 1268 wrote to memory of 1012	1268	Ebdcld32.exe	97
PID 1268 wrote to memory of 1012	1268	Ebdcld32.exe	97
PID 1012 wrote to memory of 5016	1012	Enkdaepb.exe	98
PID 1012 wrote to memory of 5016	1012	Enkdaepb.exe	98
PID 1012 wrote to memory of 5016	1012	Enkdaepb.exe	98
PID 5016 wrote to memory of 2340	5016	Ebimgcfi.exe	99
PID 5016 wrote to memory of 2340	5016	Ebimgcfi.exe	99
PID 5016 wrote to memory of 2340	5016	Ebimgcfi.exe	99
PID 2340 wrote to memory of 3540	2340	Eblimcdf.exe	100
PID 2340 wrote to memory of 3540	2340	Eblimcdf.exe	100
PID 2340 wrote to memory of 3540	2340	Eblimcdf.exe	100
PID 3540 wrote to memory of 2356	3540	Felbnn32.exe	101
PID 3540 wrote to memory of 2356	3540	Felbnn32.exe	101
PID 3540 wrote to memory of 2356	3540	Felbnn32.exe	101
PID 2356 wrote to memory of 1600	2356	Fijkdmhn.exe	102
PID 2356 wrote to memory of 1600	2356	Fijkdmhn.exe	102
PID 2356 wrote to memory of 1600	2356	Fijkdmhn.exe	102
PID 1600 wrote to memory of 4704	1600	Fngcmcfe.exe	103
PID 1600 wrote to memory of 4704	1600	Fngcmcfe.exe	103
PID 1600 wrote to memory of 4704	1600	Fngcmcfe.exe	103
PID 4704 wrote to memory of 4516	4704	Fpgpgfmh.exe	104
PID 4704 wrote to memory of 4516	4704	Fpgpgfmh.exe	104
PID 4704 wrote to memory of 4516	4704	Fpgpgfmh.exe	104
PID 4516 wrote to memory of 2988	4516	Flmqlg32.exe	105
PID 4516 wrote to memory of 2988	4516	Flmqlg32.exe	105
PID 4516 wrote to memory of 2988	4516	Flmqlg32.exe	105
PID 2988 wrote to memory of 688	2988	Flpmagqi.exe	106
PID 2988 wrote to memory of 688	2988	Flpmagqi.exe	106
PID 2988 wrote to memory of 688	2988	Flpmagqi.exe	106
PID 688 wrote to memory of 3652	688	Gehbjm32.exe	107
PID 688 wrote to memory of 3652	688	Gehbjm32.exe	107
PID 688 wrote to memory of 3652	688	Gehbjm32.exe	107
PID 3652 wrote to memory of 2232	3652	Gnqfcbnj.exe	108
PID 3652 wrote to memory of 2232	3652	Gnqfcbnj.exe	108
PID 3652 wrote to memory of 2232	3652	Gnqfcbnj.exe	108
PID 2232 wrote to memory of 4144	2232	Gppcmeem.exe	109
PID 2232 wrote to memory of 4144	2232	Gppcmeem.exe	109
PID 2232 wrote to memory of 4144	2232	Gppcmeem.exe	109
PID 4144 wrote to memory of 4508	4144	Gihgfk32.exe	110
PID 4144 wrote to memory of 4508	4144	Gihgfk32.exe	110
PID 4144 wrote to memory of 4508	4144	Gihgfk32.exe	110
PID 4508 wrote to memory of 1588	4508	Geohklaa.exe	111
PID 4508 wrote to memory of 1588	4508	Geohklaa.exe	111
PID 4508 wrote to memory of 1588	4508	Geohklaa.exe	111
PID 1588 wrote to memory of 532	1588	Gimqajgh.exe	112

C:\Users\Admin\AppData\Local\Temp\0854872637f90f4dfea3e83949694830_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0854872637f90f4dfea3e83949694830_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\SysWOW64\Cnkkjh32.exe
  C:\Windows\system32\Cnkkjh32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\Dkahilkl.exe
    C:\Windows\system32\Dkahilkl.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\Dkceokii.exe
      C:\Windows\system32\Dkceokii.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3816
    - - C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Ebimgcfi.exe
        
        C:\Windows\system32\Ebimgcfi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Eblimcdf.exe
        
        C:\Windows\system32\Eblimcdf.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Hpiecd32.exe
        
        C:\Windows\system32\Hpiecd32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        24⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        26⤵
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        28⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        31⤵
        Executes dropped EXE
        
        PID:3532
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3772
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        34⤵
        Executes dropped EXE
        
        PID:4024
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        36⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        40⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        42⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        43⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        46⤵
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Loighj32.exe
        
        C:\Windows\system32\Loighj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:444
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        57⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        58⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        66⤵
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        67⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        68⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3500
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3300
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        71⤵
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        73⤵
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        75⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4868
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        78⤵
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        79⤵
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        80⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        84⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        86⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        88⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        90⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Dqnjgl32.exe
        
        C:\Windows\system32\Dqnjgl32.exe
        96⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        97⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Dkekjdck.exe
        
        C:\Windows\system32\Dkekjdck.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5012
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        99⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Edplhjhi.exe
        
        C:\Windows\system32\Edplhjhi.exe
        100⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Ebfign32.exe
        
        C:\Windows\system32\Ebfign32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        106⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Fijdjfdb.exe
        
        C:\Windows\system32\Fijdjfdb.exe
        108⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        110⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Fganqbgg.exe
        
        C:\Windows\system32\Fganqbgg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        112⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Gkaclqkk.exe
        
        C:\Windows\system32\Gkaclqkk.exe
        114⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Giecfejd.exe
        
        C:\Windows\system32\Giecfejd.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Glfmgp32.exe
        
        C:\Windows\system32\Glfmgp32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        119⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        120⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        121⤵
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        122⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        125⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6172
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        129⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6352
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        132⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        133⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        134⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6532
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        136⤵
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        137⤵
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6668
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        139⤵
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        140⤵
        Drops file in System32 directory
        
        PID:6756
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        141⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        142⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        143⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        144⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        145⤵
        Drops file in System32 directory
        
        PID:7004
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        146⤵
        Drops file in System32 directory
        
        PID:7064
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        147⤵
        Drops file in System32 directory
        
        PID:7120
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1144
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        150⤵
        Modifies registry class
        
        PID:6348
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        151⤵
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        153⤵
        Drops file in System32 directory
        
        PID:6592
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        154⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        156⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        157⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        158⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        159⤵
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        160⤵
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        161⤵
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        162⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6520
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        164⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        165⤵
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        166⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        167⤵
        Modifies registry class
        
        PID:7060
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        168⤵
        Drops file in System32 directory
        
        PID:7156
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        171⤵
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6540
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        175⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        176⤵
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        177⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        178⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        180⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        181⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        182⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6972
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        184⤵
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        185⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        186⤵
        Modifies registry class
        
        PID:7204
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        187⤵
        Drops file in System32 directory
        
        PID:7248
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7292
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        189⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        190⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        191⤵
        Drops file in System32 directory
        
        PID:7440
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        192⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        193⤵
        Modifies registry class
        
        PID:7540
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        194⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 400
        195⤵
        Program crash
        
        PID:7684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 7588 -ip 7588
1⤵
PID:7656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:7992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdocph32.exe

Filesize
80KB

MD5
ebb43ed690c62ce30a1a6f3eefb06f1d

SHA1
2b08632e988ad4b04969e75c8e9edde1f1526572

SHA256
324f40a2c7d2af0bd295e6603d028cbf2a46c71f1e7ff3e15fdeee3a7a61a8c8

SHA512
5678ac4825bb412a6abcf21b29206e012453cd5ff700311257eb470783c9b1b7ada7ccade33c511acbe5f0d7d0b30390f2edbfb8366d2a2f809e2319bc7fd58c

Download Submit
C:\Windows\SysWOW64\Cgiohbfi.exe

Filesize
80KB

MD5
fff8f253229ed00193fa1ba7e27342f9

SHA1
801011e6d24e639480e627dcb9338378b0bcb47c

SHA256
d44e95da53f25b7c9f8232101c9a8d75fbab09714113c873dac3b33483c6b30b

SHA512
4482c787249c82b3cf03103ea7ed830108b47d45283a8994d96bb0d27f86619d3066be514b1e0a9bc08906360b4aa6129f66248ae6d7872d4f65c9a0d0e4f579

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
80KB

MD5
79480d4662524c2d232b4233e125b8af

SHA1
9ebdcfd239fc32f9dda1328327a84d729ae815f0

SHA256
3d2bbae125318379a67a01e2d244c675dd0ed7f8caf0eb59a0fa5543be64780f

SHA512
453e1f15ede572321ebf16521367e964ab068d932045f32e36f04f5edd98555078305183cfaf948c6f5da24c4a4990de97b8538209c53f09d119afec64ba753e

Download Submit
C:\Windows\SysWOW64\Cnaaib32.exe

Filesize
80KB

MD5
7d4e8f697c943c41fdb57e36091726be

SHA1
56610c161ad14345366ec5d1870b6a00e394966b

SHA256
1b98016661f1b660232afe4db3c2c5af46085ddcdc3114ddd4abe3aa74e89cee

SHA512
0df7bc393ab1e9dc2757639272508cf011de32fe6c92850a75b2fda7169d07463b71f32d250324457a28b8246d77c1c0d52db4f8850da85eadfd0a9e8ebffe94

Download Submit
C:\Windows\SysWOW64\Cnkkjh32.exe

Filesize
80KB

MD5
0a1ffd88879768013123db6cb8721e78

SHA1
61191c408c87a312baeeaa9b88dfa828f0048d33

SHA256
60b8b66e9352c5ddc0cb03c6605418042b1018203aec6a93005b1b9644e31cc8

SHA512
543df80909c275e885d466e5f3aaddbfb335ed079f479f28ccbd5dd460b47ba91f0ba7c94931b1e123b97a15dd1ef63eb0b02058c2c6558dacb4cc25c856f9f9

Download Submit
C:\Windows\SysWOW64\Dfnbgc32.exe

Filesize
80KB

MD5
4eff533bc1656e67558843c25ab2227e

SHA1
a1f7188dfe2e79c25d37d4aab4e0579525516d43

SHA256
94fd46781e16713678154dc35f89deb4ea95b9b5b2eac5e131586f8268d41609

SHA512
444bf7f4ccd9d46c57367ef4f5a16d4ffadbc3e126cd699731bf137a967f836c98445c24d5241c8e80d19782c4f267eef840c84584afc134e3c54fc2fbd77fd8

Download Submit
C:\Windows\SysWOW64\Dkahilkl.exe

Filesize
80KB

MD5
558dc977e7b69a47da5257dafb2ad91c

SHA1
747af503d27bcd54c205bf323a8ce3b9b1bad363

SHA256
58fd97898aa3d406277d53ac9656d2308d6eb32278554045b379194918acdb50

SHA512
946f956240bb37c77f9dffe15ffc363c7195cb76392e2f833c1cbc2e27a9f47f81642f0500a41bb8e1635db244cbe4742e12293f8d6dd5b815dc899d5ddd77f1

Download Submit
C:\Windows\SysWOW64\Dkceokii.exe

Filesize
80KB

MD5
d3e329c465c496e1f5e0734545421a14

SHA1
95d0533a4e3462de4a4d5c959418705b818be869

SHA256
a5ac615e1dce960cbff4e0fe9cc3da429aa941c0f886e7227fdbdb4074a05bbc

SHA512
c230b9b00a7996d18476509ee9b98e97484ad49128e5bcbc93490c57b2cdcc7785a13f93581a4668683a1187dec34fad369ea88a18316671810cdb52aaf9994a

Download Submit
C:\Windows\SysWOW64\Dkfadkgf.exe

Filesize
80KB

MD5
62b2df96e07523fb99ae16a52b16c993

SHA1
0a1ae6e77adc727febaa48e6e3a6e327a9be83e5

SHA256
608447788f6a89399cb5866970c59d78d9bf765a254f62a98a10ef97a3fbb5c9

SHA512
6a9c36ce574e98ec013192266c803285f511855c822def57338d73de1b8ad68474283652baab16292ebc00cdf0c61ff0edb48adf7ceec972c7428d53f5d7d3ef

Download Submit
C:\Windows\SysWOW64\Dkpjdo32.exe

Filesize
80KB

MD5
85c80ff809cfc869e74df2e59dccee8f

SHA1
8b2163ac162a642f30eefcb925750f13e8e4fb87

SHA256
c20bed993dd96d1ba78512f6a862c29ca3e4dd76031f7c106a0892a14df8925a

SHA512
4acf5bc22692debe3aa58b3fbe31fd22c887ef7b1f9fc6131c7cb3de68b67f10e58620456833e3e305f8f721b4b804e42973b9db75d0f4eecfe1e1f0937f802a

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
80KB

MD5
8918638dc1469178dd19ea5fbd72c38f

SHA1
609b134d15062298f64ba3e0b7cf35bba01868f8

SHA256
71c8694a67340ed181d0cd2f1fa9a6ae7b1e51bd4bc68d5135198cdb3232db88

SHA512
fd9403eb71981c8c2eb48ef78d4b857eeb6a1921fd01e768d788a6098087c034fb497e740d87b5b8ebde46d7fc52677db3e6dae7d700fded7fef2869356eca6c

Download Submit
C:\Windows\SysWOW64\Ebdcld32.exe

Filesize
80KB

MD5
a122d961deaf6f5fd523376d8b8dc253

SHA1
2ce3b0f9518c2a91ff81b2ac8b75fbd8c7c3c840

SHA256
aeecf717e667088e3c24c23de3cd34b5a173f2df76287e8d59a11137e47959bc

SHA512
bb96c48e08671d94be91d87cd86fa541ce56d5c6627a5e72e1f312cf9971955371141e27e520176057f4733b8b7af48907248343efa24fbc019da1adbf58ad54

Download Submit
C:\Windows\SysWOW64\Ebimgcfi.exe

Filesize
80KB

MD5
3eecb9122fa2c31168ef7a94150e221a

SHA1
33b76cb39c78425a3232f184774d132abe9446e8

SHA256
0124f395114d3d8fa74d69f923fdb7ccf36f47e8ef76095cbe7e71202ac4853a

SHA512
caaaad7d21e0f060dd80292c249b713649669957b62632f03d1549ff629effeeb92a4927d16f67513e5ade349188583fabb300d85242ae25a205bd6893f263d2

Download Submit
C:\Windows\SysWOW64\Eblimcdf.exe

Filesize
80KB

MD5
1081b63c8e583a1e4549ee083475585e

SHA1
640a08647fe0fba7f123ab115c5b25e29c6a8001

SHA256
ac0a4d60cc863ce281292837c2bb551396020538f05d4da83d48e58dfca6561b

SHA512
d3fcba41a8156908f1af8ed8319dff555c44001c8867ca9e73bdcab0217318a071eca4122db78557fbbd586f4244b19f8f0d575de96b48f49869518a62cef444

Download Submit
C:\Windows\SysWOW64\Ejlnfjbd.exe

Filesize
80KB

MD5
e8d560b5ede184806c7af9600a0e06a3

SHA1
fecb298a5493009bcbdc86597a8685512d60283b

SHA256
703d2c45f23e1d25aa737dd188505a59a1a40387542be4415031bcef7c3af279

SHA512
8c45785f606f9c6819eab6287b717f40c6aeab7f87609e095a098557c6f86c6078627f8038d35214ef399f563131784cfd6f7b9a6e9034bc7a7903b007928f98

Download Submit
C:\Windows\SysWOW64\Enkdaepb.exe

Filesize
80KB

MD5
baed3a49d405d61652d0f999645b1ab6

SHA1
07991fc7cb43d67b4656b20e03101ff592ec7d87

SHA256
2036b21dc90728fde0ac217ddcfc9416ace1a213ecb9a7a103c67fee4bbadee5

SHA512
5d7654ae52c74777fc5a1c2a156f148e0c9b87a3f5fec0e75b7f656d6c82b4db52c186a6e10e6b2925ad369a97e4e0f2a0aead910567a8592e3804db76bae3a2

Download Submit
C:\Windows\SysWOW64\Fboecfii.exe

Filesize
80KB

MD5
a0dac34f7c0bb020b34684fc1ac8b511

SHA1
1e3c083d4cc3fd6ebced7aaf2db24691856b31f8

SHA256
3261f13642ae61f5792dda86110d846a7db15d0f4def3c04c54f23da0b5629f3

SHA512
59503518aaa7727987b58fdb0e25ef65151a7b1cca0780167a7587eced161a33f248f8d6955f2904fda70fd5b25f25c3dec9ab435ddff382fb573ab10d0124d4

Download Submit
C:\Windows\SysWOW64\Felbnn32.exe

Filesize
80KB

MD5
e7c3e9085271e14114ca1639d68ca822

SHA1
e3c573fca679a5b1a763b4691c3fd2bdae73ef21

SHA256
c9eb84fa28e004cd0a8b164dde138a86882a0f5673d1c62ac57e1e1db37cf653

SHA512
7de512dd5f2ce49cdb045da051adc011e57a432bb0692e7531afa94866ba13cb7de06772897ade66fe301cd08764bfbc5346307e7c406472ce0ac665d6d69701

Download Submit
C:\Windows\SysWOW64\Fijkdmhn.exe

Filesize
80KB

MD5
9ab7cc1656258074727321dd43a91f64

SHA1
0513b6bdcff9b15e2e9ca7388bc7150b479f5568

SHA256
d191277e798553fd642facd6f01e1ee380f082bcc15c7e5a44d71ffaac1a2e5f

SHA512
8de53024fea57e79c0d961b042522d1a621d3c76918a1c3e38cd97f859447a35fc5563e56273aae456b73deb41755d8bd852d3fa229673c588c0c159d47c78fa

Download Submit
C:\Windows\SysWOW64\Flmqlg32.exe

Filesize
80KB

MD5
d9ab1a7a0a0762d1d715a1af9d951367

SHA1
80377b5cfc6fbaebd2c314f9dac9b49fc5e8f0e8

SHA256
ee7f467a38f56d8385d8a92cb979a653e447e5bfa8ef219b3e79491ff48f5a39

SHA512
fd056df36cbea01e6ec044d2b5a885eb7d25992f93459d0fdf56d294dafefb9de85618bdb4dddb9afffbb50b190580ff04a43d28eddf079105c24003261db4a2

Download Submit
C:\Windows\SysWOW64\Flpmagqi.exe

Filesize
80KB

MD5
d0af77d79d5ffddd8d70c0f126e5be2b

SHA1
9fb2fb5ef2f3b4e278e1e08e6ef6c457c42e40a4

SHA256
31dda867771d9628c2c22c017e818bf51c074b0ef405f83885e6ef18a33e1b60

SHA512
87d8a1faa4946d9cd4167508ffc57ef8d5d68a6949a1ca01170580e492faf60f5891cc80cff69fc6c0c387ebaab4c589704897b23bfdf85656d48faf18116be0

Download Submit
C:\Windows\SysWOW64\Fndpmndl.exe

Filesize
80KB

MD5
d3487ae370683411d9eda612e191bc4e

SHA1
9cf27fb680f1beaf31cb7c93e65ae3289301c51e

SHA256
ee2d63e81d49a264f51d2e466f6dd0f99f39911599027ee129cb21e33c5d5167

SHA512
8e1c8dfc5f44f32e274ca3f1e18dbf2d91b8ae91597db4316edafd89e30179cb0f400adc8e9dfe30221d53048efb00a610869bebb2f343729bf5896b463f38d1

Download Submit
C:\Windows\SysWOW64\Fngcmcfe.exe

Filesize
80KB

MD5
1f1f4a41444988472b6858a0e6585b78

SHA1
471f153c41f3d1408c93043cea5534163049b4a0

SHA256
34235db4311e8f79202bf8559c518ddb4c7e07ca1badb9054e42838cbf69e7b0

SHA512
a7598248696de266f5c16f514b487bbc4f9eab2d4e167408833512259e67a7c47d006732f21979b28a4a1656d637290442d6be9c9acc232fe8397fc89f4f2c95

Download Submit
C:\Windows\SysWOW64\Fpgpgfmh.exe

Filesize
80KB

MD5
dfd338195014a1c9ba7664f8b8004b11

SHA1
7676135f1721019f747bf414fab969e64aedfde7

SHA256
b9c27154bdf359cd69573668ebb6391ef242bb15cd01946bc0f584c8c762fa9a

SHA512
5bb27565c73377dbeb0eb624ff5821dfa1932871f6ec3e37dc62139a000971aaa5c0d014a93909cbe8ab5e8565f2a99399e41c44759fb6904051b599d9df986f

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
80KB

MD5
fe65d98286faf9aef8ecb41e4959ed80

SHA1
df363bd550f789f22c8af0f9c3dff4eb59742db6

SHA256
bb54bbffb6c140820100792134f7b1263520825d20fb958a82f03bfed595a1cc

SHA512
e70ba0e8afe8e4424e4f0538998bbec24882d5d1a6b0bd820df59b7817be593a778851c85d4bb8ff7ab38546d575c633e33e8db7a1a004c00ef58560d8c76827

Download Submit
C:\Windows\SysWOW64\Geanfelc.exe

Filesize
80KB

MD5
8cef919b1ad058df2f9d9e0cf5d808b2

SHA1
330d89cdb66f3eb5e8fec1fe95457ff6e9479eb2

SHA256
3a8d5f5db6fc11bf4c0f07b595f3391b4d7ff4b41032b06ee23fb9a8e05c21c8

SHA512
8f93a7c518cbdab77215345f8af1d30590547888cc605f0c7e3ad75cfe90d64ea7ec97d40f52284ff21a02091bd817600a1a9319ed76e7fb56d8f2bde6c73068

Download Submit
C:\Windows\SysWOW64\Gehbjm32.exe

Filesize
80KB

MD5
ac69be7c88a5413aacb8170dd9bf36d9

SHA1
82b53367fc9bedbf3e624e04ceee31b825fd1dfd

SHA256
58111783856550ede28c4281ef0d5210da608a6268bc625fb0de45187d3cc223

SHA512
bd4023ef47d7757905cb5a5fb685c93861c345648819f6aa37375b67381774f867096e3b8941171d594b3fe0f1e96fd91ba39eb48cd4920cdae1b77284a2df23

Download Submit
C:\Windows\SysWOW64\Geohklaa.exe

Filesize
80KB

MD5
0d33288129d0d26e618930359a210a4b

SHA1
3077d1e12d02cfb5aec8748a0075fbad3ca06ef7

SHA256
2d9e4618e71625bece690e23802776ce64cc121b7b6a5043c83e345dd2c5e141

SHA512
89bddea09703abaf377dc3fc45d766d6e859365d14135388cee4fb45ec65c2d57350d0da4d9f9017dbe4cdad73f780fe69d24ef1a6579df66f980d9b0008829b

Download Submit
C:\Windows\SysWOW64\Gihgfk32.exe

Filesize
80KB

MD5
aac877ad8ca82950dcec0f14e9b979ce

SHA1
9c8a8f396a0b98cda1e746fb159184c44f114e39

SHA256
f5660ac8b6455424caa2d2f85dd051cc6640efbcf0a766b72c52dbc308c1f00a

SHA512
96e3d62acd5f046d922fc72dce74937a3889a32c6d744b220d6c9759f46b194ec39bf07168fcd54a88ec51b921b1f8545f4877a87da9fd4a2ac24222d948a0b6

Download Submit
C:\Windows\SysWOW64\Gimqajgh.exe

Filesize
80KB

MD5
c3ab372717df78fc32ee0eed12e82f36

SHA1
c4d3667d6130a9cfd52d6fd5ba8433f9a49fee0b

SHA256
9d483817b4fef5a57f224cf561886c0ba5267fcc3ecf150d31d9491e6e499a89

SHA512
c747c4d5f19f456dc347422bdd8364d8f285d144e4c2fc18e253e3c3767be6a73615374fd5cb753774eeb68acc34782f4ac214823bc6ea47c18c08ee758c2dbe

Download Submit
C:\Windows\SysWOW64\Gnnccl32.exe

Filesize
80KB

MD5
d26a76f8dc89a589d330f242de954073

SHA1
5bf027a988580a63bbeb039a7085f55095b31268

SHA256
eee30ccac25d8c46d9ac0a2796aa309062fa8a4b88c037e05c21e79cb0e7d0d4

SHA512
6784233a49b5102dd3b87ad45e0574ac40739ea8e5126428d8ef1bdefd4ab682b51f4d3c1f92c667c67251951b0539e00f9703dfc6b0fbddee316442b76a3869

Download Submit
C:\Windows\SysWOW64\Gnqfcbnj.exe

Filesize
80KB

MD5
1d60fd6d69accb826579109c6ef91360

SHA1
c1320d287d4f89760960516cdc33ed41ae40b75c

SHA256
850dea67ec5244cc33ced23b0af7fd2d72414c9a7dba44e89bb6d2834f2d45e6

SHA512
ac3c47586cb7b654823a04249cd3dfa2b9314d3f5196d7d2681ae6fd8cd5905c3cf2e618989344a76264c0e6b90820e52878221080b535e10690ed9977e72ee6

Download Submit
C:\Windows\SysWOW64\Gppcmeem.exe

Filesize
80KB

MD5
ea81b53cddcb8d667eb5e7d6a08f36ad

SHA1
0da3ad97d46a1f9d686ff199ee3d1f68f776f17b

SHA256
174410342ea6550df2a1fa5243168d26a80ea11c66cb441352a141bf0df77cc3

SHA512
45239d02d2ad0c25799892b0d56c4ae9096d79a4b12538d03614cdf481340959dccb464e1042d3e359b8c3a30132c21399ebf2a891267afff73f5fc881926e3f

Download Submit
C:\Windows\SysWOW64\Hbohpn32.exe

Filesize
80KB

MD5
24cee89344d86458648085de039658d3

SHA1
5b68e7f849c0e1d51255ee0cdd988a11212e725a

SHA256
b2f3880dc974594624a8a5439d4dfed164c3bec04ed46259714df2efa7cf9115

SHA512
274c02b38567ce747b1fd04f13e8cb39f8aa79abb165248633fe72f744e8f809efa4501407e1ac59c2eae80f163ac1d0618d46eefeb95bb835475435a3636984

Download Submit
C:\Windows\SysWOW64\Hefnkkkj.exe

Filesize
80KB

MD5
cbbad283a65aa3c18a62178713dc3027

SHA1
a967c081cf690acde62f84e82b963b181cea7d66

SHA256
963fbc93694e518700af42bbe172278b92c5b8480dd6ee23e64f67ae2872d3e8

SHA512
9a7f0f934d746eb282dc0802693a367882fad7153f6a7b51406438b1573c56c86803cb3c4318021174199e6a4a17b86928b795fbfd4ee2bd58c3573dbecf9c49

Download Submit
C:\Windows\SysWOW64\Hifcgion.exe

Filesize
80KB

MD5
08b4a34db9952ebacc26f5745e27dfd9

SHA1
1d2ff62907bc6c9b7bf0ce3fee64c42be85ad4f9

SHA256
58218a6779958b316551ba9ea6cc967d2daa975db7b6e1e25efa0cf0c72dc324

SHA512
1ee9161ba793d2c9c2071151c215a3a5685837717c92bbeecf6f0835c35cc891b81af09db0dd3aa3141252c57c150ffcd75e0114faaa0fcb685932d6c3bcafd0

Download Submit
C:\Windows\SysWOW64\Hlbcnd32.exe

Filesize
80KB

MD5
736cde7108cb3579a39c07c5f68d1881

SHA1
aaf0cce64f9c21b053a2b56fb8ac867840b5e623

SHA256
89b8f8f05403972af5d2ceeca6fe72edca6b266f70d954caac1cb8b4a6afed92

SHA512
6fa58d7444acbb856bb4b42dc621601688a8b0efc84d93a1209d7fb3ed95d16cc452b69288b75f1ef5e19f49568d680981ce7e1937e40ce9171d57d784556fe1

Download Submit
C:\Windows\SysWOW64\Hlppno32.exe

Filesize
80KB

MD5
185e5bad86763745612bca96655b30bc

SHA1
d98c348cb6a5056badf7d6c7ee477a743790a388

SHA256
b32ef056d1a87ad30249cdf12be28b4520dd256fa1b8d31ecf2e294f321540d5

SHA512
6232917348fcbb28950b9ac9fc637403ffcfd817e773a1b728e06320bdbb1f27e7c91b7e2513f481511477709beadb153da48fa1955621faedb3728de3f3ed23

Download Submit
C:\Windows\SysWOW64\Hmdlmg32.exe

Filesize
80KB

MD5
f4be20aed15cf60ed7a6c7b06c6fadcc

SHA1
5e50baa00f11acdf8336ad343f67b8f5142f3e99

SHA256
228d130405e4e3bb0db12367007d15818d15dbc2e60111745e8eca99ea6a61a5

SHA512
9f49bb29982e6de6ffa482eaae777e244c52e3878a69d6bccb125e1def44931894fe850023be767c6d034f1ea4a3f928159948f0b9ec73bfe6d6c5b8dcb3496a

Download Submit
C:\Windows\SysWOW64\Hoobdp32.exe

Filesize
80KB

MD5
eb702a1bf92e8a7d451e47c24334288c

SHA1
dd21129125abef176e498a55abad46e1cd1bf536

SHA256
df12aa4bfbcce32fecce97cf2744fa03b84f56acc61b2ba6e193fbc70d69e3b3

SHA512
8fb5a5dd7d26ed14c8c3332f3f47c3be3c62dab1680cee6d1fd21008922303b0b83024a9339c4d7979745dd19f3915f04c6ed54e7b1f10551569a336d0ac124b

Download Submit
C:\Windows\SysWOW64\Hpiecd32.exe

Filesize
80KB

MD5
e573058df74d23c4015970f73ca0c04c

SHA1
605d3408c1d73a7573a8cfa2b78e013fa30a513a

SHA256
5455ab30cc2d2956f5a951d62c4023dcbfe947cd72f88b021f80017276ddf496

SHA512
457b4825b23226fe4e32ee720c4d0ad65fb2ff260e6fb5db8857463b5567c9f667ec701b36f8d9b65b66866892bc438ac0d2f9304de5ff8be43a3bd588dd9e7c

Download Submit
C:\Windows\SysWOW64\Ibjqaf32.exe

Filesize
80KB

MD5
2ed47ae903a33a239de45f1bee10bb2e

SHA1
cb2a4bc075256f15c61c1e4e7ea3298458fb42cf

SHA256
514cb63ee1dc33f9ff297106deabd0e4a3221f2d3502e77d4d650e7f489e5c23

SHA512
574aad2647beb1cf081c84a77c74cf078d6c777d34692038aa5f2e257ee5ccf16bd2af2df13fd55a0ddf3834afc2a82b26c356eb49a16f6ea1be78c0173dd3ea

Download Submit
C:\Windows\SysWOW64\Iedjmioj.exe

Filesize
80KB

MD5
73d99cbbbb15d693e8008aaa37c1f756

SHA1
875d4f68e271adfceb0d6f8ba71c98d5f7ec9ffa

SHA256
2e92d21909ba794430e2676f8d633f17a284f413b25612de0de4d52426bde9ec

SHA512
3f020ede48d06fc01b24dbe10973700c2de590dfcccc76a21b2454dfa078fc3e970d6b08403d581869b87626501d6927bcf766e4c09f0c794f4883779d10525b

Download Submit
C:\Windows\SysWOW64\Iepaaico.exe

Filesize
80KB

MD5
fa7d8340abe48095873ccfa4244b6274

SHA1
14a5663ad5cca141e7289ee8190bf9926c11ef9a

SHA256
c5d5cbb8d9d19862e83279d1da6ad662b9d31abd1d79d0dc5b69e3b1ebaba41e

SHA512
a5fb4572d15839a5d5be504e74fecea9aa0e3673e87bf10d258851043304ea6763c1540686d5047f3de2eacd598cf11938c9a4650a9f5e7c74d63050d63a61c8

Download Submit
C:\Windows\SysWOW64\Imiehfao.exe

Filesize
80KB

MD5
1f4d74e2c4d1bc8fcee9c1820f227816

SHA1
413ccc5db035fb49827beabbef9b0246d5830781

SHA256
ac1c464d14047ad907a9938ea368a3167449d72b34806941f2a8526d58107869

SHA512
f95d0b7cc52382c6217f9626288ed96ac003f3a3095f07d40c2ccbee071eb69d5278c0baec54008b1ade3314f79e1d4b16a0139f561242d239c96dec098e479e

Download Submit
C:\Windows\SysWOW64\Iohejo32.exe

Filesize
80KB

MD5
7570df58735aed4cbb2e80ee86031baa

SHA1
770fb23702ec0ea2913630db66d76dce07036749

SHA256
93befc51cf3d3a250406c1ed727cb183b275dd962eb9af65dab648bde637ffad

SHA512
6bfcef3761dfa5c76e5e38320fd0af0cb3ce3b1f13e62366c53915572aa00ce938c9c1c3cc7d6b28a77bdc1d25590538a72785f3a977def1a7da7c2439e4ebd1

Download Submit
C:\Windows\SysWOW64\Iomoenej.exe

Filesize
80KB

MD5
3e395cc4dcd44628b1581d786fda6272

SHA1
7acf3bc6fec0481be30ebb08c687529154fb5d75

SHA256
70757c9a26af89f79a81a969e378e4c39a9081df9d10b04bec19e2d23efbea7d

SHA512
57b8ee9adbdbff5bb396545e285e92e247709dd746221c89653a6d4766f1c4c5eca96e9b8c194d15dcc11d496f5a9c835b97677d2c73ca32cec87d59b4b63dc7

Download Submit
C:\Windows\SysWOW64\Jgbchj32.exe

Filesize
80KB

MD5
17f766db160b74f6717c531f3ab633d0

SHA1
cfbb6465a43c490d137e6997feaa3d7f67b33c18

SHA256
6efb706d45d3fd0a84f3e0f6fe85915ce9844474c60ee0b7661bf30e8e2f6fc3

SHA512
e1aed19f33ae8302f3a4e15cbdcd86ce75f3415a7246228487e02a98b857d6962f60db894a52fde1313ad8b02b40fb03edab02fd68f55666fdd16607851870da

Download Submit
C:\Windows\SysWOW64\Johnamkm.exe

Filesize
80KB

MD5
8e0798a53ccb018835e26c9f05484cb0

SHA1
e865c832f5cfb274d32b23ddcb08afcc718a0de2

SHA256
aa564bf76a7ebeac1a8eae5eaabd93c22846bcad4379c6536d37d4c387f1be5d

SHA512
bda0c6dee83a0bfc981619bc431885eab78383301fa7b6f9f382292d311d67bb2c2c02b22a332e10154f50745734ff4820f994ac64667985b51ae6fe4c4d8865

Download Submit
C:\Windows\SysWOW64\Kgnbdh32.exe

Filesize
80KB

MD5
d35b1cf35810d14a70b5f0c86820b617

SHA1
27a481c0b52183ef34d18ba33eeaa044c89ed88f

SHA256
31cd2d4271ea3147c1ab11aea940e12ca2ffd9ebb7873d63064e8ad3b05d0aff

SHA512
e531bdccf67c4f9828565cce88fdda014f6507fd6ce62f286327d63e7116eb1679b2fe26cb7ac2456a92199d415fe94baea4bd432d585cabd6bdb894423974b4

Download Submit
C:\Windows\SysWOW64\Kpanan32.exe

Filesize
80KB

MD5
d6efb189f561f9fcf4dfeba3d3233722

SHA1
78963733db8f6c3d22217b682fe79b81ac19262b

SHA256
f4b309d14873a4b5e4ddde154c7b62eb877cf0bbe19aa7c7b70e99a04eede55b

SHA512
781bf660bc49e801575b6bafd66ed6b9ea02c8edae68359549bb97eb6e2bc67138a2523863a07e7f1f2357bfaf91e55df6b2aee1d4819d57fd73e6c4be46d4f5

Download Submit
C:\Windows\SysWOW64\Kpmdfonj.exe

Filesize
80KB

MD5
fa8ec398502b2fed623b4c8bf8248dfd

SHA1
0c71526a9b1caef9a619d863a599bb856dd0d98d

SHA256
dc44ba98116d8b1b03f50bb009fc929a6ca5d0e5a2c19e819a1d1c17378c8217

SHA512
d3d664c6fd1d6ef00411ce7e44da40bce5504a36a5dc4d715e517c53b88ba8d0ba3c5bced49c62651486f3dbda40b4822c45c99bd850c6eab08cd06debda969a

Download Submit
C:\Windows\SysWOW64\Llmhaold.exe

Filesize
64KB

MD5
9299c51b66ac4d21846cadff338c0e41

SHA1
a74ba0e90ebc84ec46afb27a1775e6b531813995

SHA256
ef111398f3fc6b23c6d7e8f2d63a394eb5163966e816e3b8c7e31d88f746764a

SHA512
0d51833e5bb053dd8b953be50e46364626ba8d4d53d406dabdd5dff234db6fc28f99a5e025942c7969bd8dd4202e6b15a5525659ab357d3d611fd4aeae1e4cd2

Download Submit
C:\Windows\SysWOW64\Mhckcgpj.exe

Filesize
80KB

MD5
f581685d9f2cc1c8ca47c85c7ab568ef

SHA1
eb1a7f1e559cdbe9e849fd391681f8d87ecdedc5

SHA256
2cb5e2563b4e1ffc0e88a0781b2a1985f0d10e43f3cb6655060f5c477f0cafb4

SHA512
8de96956d4164dbba5c4754fe709d3048149fb78076a97b9a5fa13ee4d208b10a7eb7451b8b8c6f300f11166a901b96f182ed8ac61f318d534e37dbf47949291

Download Submit
C:\Windows\SysWOW64\Mnegbp32.exe

Filesize
80KB

MD5
b5cb90ee3f13a844f6c0244ec603737b

SHA1
e91eff09a4a446189ea3208a7bfb3dfd98455bfd

SHA256
58f552e48495d0a04a262832228d3951162b9f8da90db0ea4c7ddece857ecb17

SHA512
6edad16f0dab7ca59609beccd5329f68be7e30b1f53e65fb10bdfd837cde661b0849142e535f5c1dc05452c0f55ce58942f4648510e44f28a9b9badb0882cda1

Download Submit
C:\Windows\SysWOW64\Ncqlkemc.exe

Filesize
80KB

MD5
2f2b7fe3e4285c73abe2ff9b64de3fb3

SHA1
167528e402fd3a20234f0cef3fecb191e445c5c2

SHA256
36d53f9695084ca1c82a4fe4e4df93fb27cdbb6bb081b79793f6247abcb96109

SHA512
0991d5ff23f6cf7372efa34621fd4aad1d0be56d6f7b6158e489fc5c28abfeae344a244f1a80db1459362c68bff94c493a964b181d10d39a015e18c419e0dcd0

Download Submit
C:\Windows\SysWOW64\Nfihbk32.exe

Filesize
80KB

MD5
ecf23b8cbe88df4118e260ea4f2a721d

SHA1
9f760b272508dd8639e62c5fb0c9faefa0771262

SHA256
6816993e70abe3a26f77a1837a6c32e67e473ce9e29b82779f1ac624a6b86c68

SHA512
d2ada966f3451c88577c3f3ba262f788fd5376867ceaa5eacb4cc1c9060c2c9ee03d91ac38ca28797d4c604939303c0447c0856864af4a2f82e19d57d52ff66f

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
80KB

MD5
125db488979267e39eaa157429c00c24

SHA1
fa2539fa14dfc47851756bf09244fadd786ff2d2

SHA256
7e6b3f6e88c49cde30e31816cca3860a7e9bb9ef61a7b4e29f14a24e685f3faa

SHA512
b8ab62d7bd3731cb361a70aeb6a7e976c1cd3f57d0b3b35ac420cdfac8c728729dae392075284c2390b52fc1345c7e26da404b3ea452ddfbf487c52ce4391e75

Download Submit
C:\Windows\SysWOW64\Pnplfj32.exe

Filesize
80KB

MD5
6c652cd6e9e89d9219e4f75246ed507c

SHA1
14a136e733be7ebee9cdcf8da345736f9b07d923

SHA256
1e1566aea64840ceb009dec834dfd4c836ac392f94a0dd9622cfd58f3619795b

SHA512
cd5984efa39a34cf4e7acacc4fb6a96f24d1f2149fa64d6024f351774a83df6d03fc4148ed788b6ccfe0eb1a79ada46f744290bbd366911521314d036cdbb1ae

Download Submit
C:\Windows\SysWOW64\Qbonoghb.exe

Filesize
80KB

MD5
795fd5f658b7a65eb8880d5851f9e22f

SHA1
4ec46aa395aa983d0b1be99d5a1a31bd07f33e36

SHA256
e39a20082ab9dee0c1e76125a755df5c5dbc66b42bc4acd18f7a90792d7d7086

SHA512
f86bd8e63f17ff96ea4a2b35db1b5103e4f9db9cb2a87841a4f1fb284f58caad30599006489ddd6c8fe8b8a6f3a9af47107a099a49787581f5e409d9fb1897a2

Download Submit
memory/444-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/688-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/832-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1044-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4392-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5188-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5236-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5280-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5324-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5368-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5420-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5476-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5520-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads