c50d09baf5a28094f8fb9deb7559b1984de3cbbbb6571d4f0421b88ae3c29b61

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16dfd1a29a5b513265521dc4931211d0_NeikiAnalytics.exe
Size

1.2MB
MD5

16dfd1a29a5b513265521dc4931211d0
SHA1

d61856580a2fdafb1d650fdead95c766ff65e773
SHA256

c50d09baf5a28094f8fb9deb7559b1984de3cbbbb6571d4f0421b88ae3c29b61
SHA512

edd6ab1a5a26d03d388bc02a6dfda60e92dd720a42377272944cc15300b721a01f3c4bfcbc276ffc79e24f2fb69ed32681d2a118f832e14576713e95b5035399
SSDEEP

12288:yFDKtYlFiWZCXwpnsKvNA+XTvZHWuEo3oWiQ4ca:ciYlFiWZpsKv2EvZHp3oWiQ4ca

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fomhdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifgbnlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	16dfd1a29a5b513265521dc4931211d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifllil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmhhehlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhjfhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbnjmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddbbeade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojcgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iihkpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cehkhecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	16dfd1a29a5b513265521dc4931211d0_NeikiAnalytics.exe

Malware Dropper & Backdoor - Berbew 54 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x00090000000233d3-7.dat	family_berbew
behavioral2/files/0x00070000000233e0-15.dat	family_berbew
behavioral2/files/0x00070000000233e2-23.dat	family_berbew
behavioral2/files/0x00070000000233e4-31.dat	family_berbew
behavioral2/files/0x00070000000233e6-39.dat	family_berbew
behavioral2/files/0x00070000000233e8-43.dat	family_berbew
behavioral2/files/0x00080000000233dd-55.dat	family_berbew
behavioral2/files/0x00070000000233eb-63.dat	family_berbew
behavioral2/files/0x00070000000233ed-71.dat	family_berbew
behavioral2/files/0x00070000000233ef-79.dat	family_berbew
behavioral2/files/0x00070000000233f1-87.dat	family_berbew
behavioral2/files/0x00070000000233f3-94.dat	family_berbew
behavioral2/files/0x00070000000233f5-103.dat	family_berbew
behavioral2/files/0x00070000000233f7-111.dat	family_berbew
behavioral2/files/0x00070000000233f9-119.dat	family_berbew
behavioral2/files/0x00070000000233fb-127.dat	family_berbew
behavioral2/files/0x00070000000233fd-135.dat	family_berbew
behavioral2/files/0x00070000000233ff-143.dat	family_berbew
behavioral2/files/0x0007000000023401-151.dat	family_berbew
behavioral2/files/0x0007000000023403-159.dat	family_berbew
behavioral2/files/0x0007000000023405-167.dat	family_berbew
behavioral2/files/0x0007000000023407-175.dat	family_berbew
behavioral2/files/0x0007000000023409-183.dat	family_berbew
behavioral2/files/0x000700000002340b-191.dat	family_berbew
behavioral2/files/0x000700000002340d-199.dat	family_berbew
behavioral2/files/0x000700000002340f-207.dat	family_berbew
behavioral2/files/0x0007000000023411-215.dat	family_berbew
behavioral2/files/0x0007000000023413-223.dat	family_berbew
behavioral2/files/0x0007000000023415-230.dat	family_berbew
behavioral2/files/0x0007000000023417-239.dat	family_berbew
behavioral2/files/0x0007000000023419-247.dat	family_berbew
behavioral2/files/0x000700000002341b-254.dat	family_berbew
behavioral2/files/0x0007000000023421-270.dat	family_berbew
behavioral2/files/0x0007000000023427-288.dat	family_berbew
behavioral2/files/0x000700000002342f-312.dat	family_berbew
behavioral2/files/0x0007000000023437-336.dat	family_berbew
behavioral2/files/0x0007000000023447-384.dat	family_berbew
behavioral2/files/0x000700000002344f-408.dat	family_berbew
behavioral2/files/0x000700000002345f-456.dat	family_berbew
behavioral2/files/0x0007000000023465-474.dat	family_berbew
behavioral2/files/0x000700000002346f-504.dat	family_berbew
behavioral2/files/0x000700000002347d-547.dat	family_berbew
behavioral2/files/0x0007000000023483-567.dat	family_berbew
behavioral2/files/0x0007000000023487-580.dat	family_berbew
behavioral2/files/0x000700000002348d-602.dat	family_berbew
behavioral2/files/0x0007000000023493-623.dat	family_berbew
behavioral2/files/0x000700000002349d-653.dat	family_berbew
behavioral2/files/0x00070000000234a1-667.dat	family_berbew
behavioral2/files/0x00070000000234b7-744.dat	family_berbew
behavioral2/files/0x00070000000234bd-765.dat	family_berbew
behavioral2/files/0x00070000000234d5-846.dat	family_berbew
behavioral2/files/0x00070000000234db-868.dat	family_berbew
behavioral2/files/0x00070000000234e9-915.dat	family_berbew
behavioral2/files/0x00070000000234eb-923.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
1592	Bjghpn32.exe
2284	Boepel32.exe
860	Chpada32.exe
992	Cbgbgj32.exe
960	Cehkhecb.exe
3568	Docmgjhp.exe
1836	Ddbbeade.exe
664	Dojcgi32.exe
1540	Eaklidoi.exe
3156	Eoolbinc.exe
4480	Eocenh32.exe
4348	Ecandfpd.exe
2060	Fcckif32.exe
5080	Fcfhof32.exe
1520	Fomhdg32.exe
3604	Fbnafb32.exe
2356	Fhjfhl32.exe
2728	Glhonj32.exe
876	Gkmlofol.exe
1816	Gokdeeec.exe
4672	Gomakdcp.exe
3536	Hbnjmp32.exe
4684	Heocnk32.exe
1772	Hmhhehlb.exe
3008	Hcdmga32.exe
4220	Icgjmapi.exe
2500	Ifgbnlmj.exe
1588	Iihkpg32.exe
2064	Ifllil32.exe
3256	Jimekgff.exe
3644	Jpijnqkp.exe
452	Jlpkba32.exe
3096	Jpnchp32.exe
624	Jfhlejnh.exe
2188	Jcllonma.exe
2932	Klgqcqkl.exe
5112	Kbaipkbi.exe
4132	Kmfmmcbo.exe
1012	Kimnbd32.exe
2924	Kpgfooop.exe
2852	Kfankifm.exe
3164	Kpjcdn32.exe
1716	Kefkme32.exe
1936	Kdgljmcd.exe
3668	Lffhfh32.exe
1404	Lmppcbjd.exe
2892	Ligqhc32.exe
1928	Ldleel32.exe
4860	Lenamdem.exe
2036	Lpcfkm32.exe
3728	Lgmngglp.exe
2980	Lmgfda32.exe
4912	Ldanqkki.exe
1008	Lingibiq.exe
3236	Medgncoe.exe
5076	Mpjlklok.exe
2724	Mgddhf32.exe
1044	Mplhql32.exe
2668	Mlcifmbl.exe
4964	Mcmabg32.exe
4956	Mlefklpj.exe
4852	Mgkjhe32.exe
4380	Mlhbal32.exe
3336	Ndokbi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hjqaij32.dll	Ddbbeade.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Mpjlklok.exe	Medgncoe.exe
File created	C:\Windows\SysWOW64\Mplhql32.exe	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Ilabfj32.dll	Bjghpn32.exe
File created	C:\Windows\SysWOW64\Mhciec32.dll	Chpada32.exe
File opened for modification	C:\Windows\SysWOW64\Fbnafb32.exe	Fomhdg32.exe
File opened for modification	C:\Windows\SysWOW64\Jlpkba32.exe	Jpijnqkp.exe
File created	C:\Windows\SysWOW64\Lffhfh32.exe	Kdgljmcd.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Cehkhecb.exe	Cbgbgj32.exe
File created	C:\Windows\SysWOW64\Eoolbinc.exe	Eaklidoi.exe
File created	C:\Windows\SysWOW64\Kpgfooop.exe	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Kpjcdn32.exe	Kfankifm.exe
File opened for modification	C:\Windows\SysWOW64\Ifgbnlmj.exe	Icgjmapi.exe
File created	C:\Windows\SysWOW64\Jpijnqkp.exe	Jimekgff.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Fcfhof32.exe	Fcckif32.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Lmppcbjd.exe	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bjghpn32.exe	16dfd1a29a5b513265521dc4931211d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Fhjfhl32.exe	Fbnafb32.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Kefkme32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bhaomhld.dll	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Bjghpn32.exe	16dfd1a29a5b513265521dc4931211d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Eoolbinc.exe	Eaklidoi.exe
File created	C:\Windows\SysWOW64\Ecandfpd.exe	Eocenh32.exe
File opened for modification	C:\Windows\SysWOW64\Kefkme32.exe	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Medgncoe.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jimekgff.exe	Ifllil32.exe
File opened for modification	C:\Windows\SysWOW64\Lffhfh32.exe	Kdgljmcd.exe
File opened for modification	C:\Windows\SysWOW64\Medgncoe.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Ldanqkki.exe	Lmgfda32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6012	5928	WerFault.exe	222

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcfhof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpppj32.dll"	Gomakdcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keajjc32.dll"	Hmhhehlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gokdeeec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epbahkcp.dll"	Fcckif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmhhehlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjqaij32.dll"	Ddbbeade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlnnp32.dll"	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	16dfd1a29a5b513265521dc4931211d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chpada32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhaomhld.dll"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbgbgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifgbnlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll"	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glhonj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adopjh32.dll"	Ifgbnlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1592	1812	16dfd1a29a5b513265521dc4931211d0_NeikiAnalytics.exe	81
PID 1812 wrote to memory of 1592	1812	16dfd1a29a5b513265521dc4931211d0_NeikiAnalytics.exe	81
PID 1812 wrote to memory of 1592	1812	16dfd1a29a5b513265521dc4931211d0_NeikiAnalytics.exe	81
PID 1592 wrote to memory of 2284	1592	Bjghpn32.exe	82
PID 1592 wrote to memory of 2284	1592	Bjghpn32.exe	82
PID 1592 wrote to memory of 2284	1592	Bjghpn32.exe	82
PID 2284 wrote to memory of 860	2284	Boepel32.exe	83
PID 2284 wrote to memory of 860	2284	Boepel32.exe	83
PID 2284 wrote to memory of 860	2284	Boepel32.exe	83
PID 860 wrote to memory of 992	860	Chpada32.exe	84
PID 860 wrote to memory of 992	860	Chpada32.exe	84
PID 860 wrote to memory of 992	860	Chpada32.exe	84
PID 992 wrote to memory of 960	992	Cbgbgj32.exe	85
PID 992 wrote to memory of 960	992	Cbgbgj32.exe	85
PID 992 wrote to memory of 960	992	Cbgbgj32.exe	85
PID 960 wrote to memory of 3568	960	Cehkhecb.exe	86
PID 960 wrote to memory of 3568	960	Cehkhecb.exe	86
PID 960 wrote to memory of 3568	960	Cehkhecb.exe	86
PID 3568 wrote to memory of 1836	3568	Docmgjhp.exe	87
PID 3568 wrote to memory of 1836	3568	Docmgjhp.exe	87
PID 3568 wrote to memory of 1836	3568	Docmgjhp.exe	87
PID 1836 wrote to memory of 664	1836	Ddbbeade.exe	88
PID 1836 wrote to memory of 664	1836	Ddbbeade.exe	88
PID 1836 wrote to memory of 664	1836	Ddbbeade.exe	88
PID 664 wrote to memory of 1540	664	Dojcgi32.exe	89
PID 664 wrote to memory of 1540	664	Dojcgi32.exe	89
PID 664 wrote to memory of 1540	664	Dojcgi32.exe	89
PID 1540 wrote to memory of 3156	1540	Eaklidoi.exe	90
PID 1540 wrote to memory of 3156	1540	Eaklidoi.exe	90
PID 1540 wrote to memory of 3156	1540	Eaklidoi.exe	90
PID 3156 wrote to memory of 4480	3156	Eoolbinc.exe	91
PID 3156 wrote to memory of 4480	3156	Eoolbinc.exe	91
PID 3156 wrote to memory of 4480	3156	Eoolbinc.exe	91
PID 4480 wrote to memory of 4348	4480	Eocenh32.exe	92
PID 4480 wrote to memory of 4348	4480	Eocenh32.exe	92
PID 4480 wrote to memory of 4348	4480	Eocenh32.exe	92
PID 4348 wrote to memory of 2060	4348	Ecandfpd.exe	93
PID 4348 wrote to memory of 2060	4348	Ecandfpd.exe	93
PID 4348 wrote to memory of 2060	4348	Ecandfpd.exe	93
PID 2060 wrote to memory of 5080	2060	Fcckif32.exe	94
PID 2060 wrote to memory of 5080	2060	Fcckif32.exe	94
PID 2060 wrote to memory of 5080	2060	Fcckif32.exe	94
PID 5080 wrote to memory of 1520	5080	Fcfhof32.exe	95
PID 5080 wrote to memory of 1520	5080	Fcfhof32.exe	95
PID 5080 wrote to memory of 1520	5080	Fcfhof32.exe	95
PID 1520 wrote to memory of 3604	1520	Fomhdg32.exe	96
PID 1520 wrote to memory of 3604	1520	Fomhdg32.exe	96
PID 1520 wrote to memory of 3604	1520	Fomhdg32.exe	96
PID 3604 wrote to memory of 2356	3604	Fbnafb32.exe	97
PID 3604 wrote to memory of 2356	3604	Fbnafb32.exe	97
PID 3604 wrote to memory of 2356	3604	Fbnafb32.exe	97
PID 2356 wrote to memory of 2728	2356	Fhjfhl32.exe	98
PID 2356 wrote to memory of 2728	2356	Fhjfhl32.exe	98
PID 2356 wrote to memory of 2728	2356	Fhjfhl32.exe	98
PID 2728 wrote to memory of 876	2728	Glhonj32.exe	99
PID 2728 wrote to memory of 876	2728	Glhonj32.exe	99
PID 2728 wrote to memory of 876	2728	Glhonj32.exe	99
PID 876 wrote to memory of 1816	876	Gkmlofol.exe	100
PID 876 wrote to memory of 1816	876	Gkmlofol.exe	100
PID 876 wrote to memory of 1816	876	Gkmlofol.exe	100
PID 1816 wrote to memory of 4672	1816	Gokdeeec.exe	101
PID 1816 wrote to memory of 4672	1816	Gokdeeec.exe	101
PID 1816 wrote to memory of 4672	1816	Gokdeeec.exe	101
PID 4672 wrote to memory of 3536	4672	Gomakdcp.exe	102

C:\Users\Admin\AppData\Local\Temp\16dfd1a29a5b513265521dc4931211d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\16dfd1a29a5b513265521dc4931211d0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\Bjghpn32.exe
  C:\Windows\system32\Bjghpn32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\Boepel32.exe
    C:\Windows\system32\Boepel32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\SysWOW64\Chpada32.exe
      C:\Windows\system32\Chpada32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:860
    - - C:\Windows\SysWOW64\Cbgbgj32.exe
        
        C:\Windows\system32\Cbgbgj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:992
      - C:\Windows\SysWOW64\Cehkhecb.exe
        
        C:\Windows\system32\Cehkhecb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Docmgjhp.exe
        
        C:\Windows\system32\Docmgjhp.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        24⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        26⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        36⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        47⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        51⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3728
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        62⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        63⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3336
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        66⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        67⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        68⤵
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        69⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4172
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        73⤵
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        74⤵
        Drops file in System32 directory
        
        PID:1108
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        76⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        77⤵
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        78⤵
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        83⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        85⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4868
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        87⤵
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        88⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        90⤵
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        91⤵
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        94⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        95⤵
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        96⤵
        Drops file in System32 directory
        
        PID:3272
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1544
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        98⤵
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4904
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        101⤵
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        102⤵
        
        PID:212
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        104⤵
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        105⤵
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        106⤵
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        108⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        109⤵
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        111⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        112⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        113⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        114⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        115⤵
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:724
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        117⤵
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:864
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        120⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2288
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        123⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        124⤵
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        127⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        128⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        130⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        132⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        134⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        137⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        138⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        139⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        140⤵
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        142⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        143⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 396
        144⤵
        Program crash
        
        PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5928 -ip 5928
1⤵
PID:5988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anogiicl.exe

Filesize
1.2MB

MD5
c838a542512b68fcc106a3d09cd16108

SHA1
1f32675f173acb022ee35cfc46a4b02a1ba48a46

SHA256
2434952bd7b818adc75931451db66178519641c0713456f2ad4b32f9d07f6a09

SHA512
4a91829bdf927ed776e68c321a3832b530aa05540f91cd2cbe0bfd796803f6ba507f5455eda7ace9708e19cfdfce630295f1e8a9d5042f3b52ebcac876c83e66

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
1.2MB

MD5
d1c725fb252d718862057ff24e2dae11

SHA1
6c5729d58e736beb83dfd93347c74c9faba0427c

SHA256
612a9b279ea7ead5d50b7d03c9024933876475f18570889e0485d29eaaee7710

SHA512
4f60b3ceedda8debcb6a1b8b54a1c9d76687ac165d23015dc5f4f9fbd50d26e5623b2a8bd76a77ddb88153f8badae7a3ffeb4642f89e7613532df4793173d9fa

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
1.2MB

MD5
9001da4f751a96a5d390b9d18d5014a5

SHA1
68f01bc9ed7ded5840467cd11e5d046228cd3b4c

SHA256
3f2189c27592d46a52ac861afabe1b979d8f1e16ec9c8da866bdb539a3229014

SHA512
4b9ae5d2cc619b694c7c5c5e09c89f8ae6c488b7059a0a6ab0006a8f9543116e0fc956ba29ae9cacca902d0664d06ff228725f42ba63e438e92e54fce27bb208

Download Submit
C:\Windows\SysWOW64\Bjghpn32.exe

Filesize
1.2MB

MD5
4b7f684e5c3b3301afe68cd5bbfef032

SHA1
eb6cd127fbe718a22b0317d69ed88ae6a6d9569c

SHA256
7fe1bc5c5d572a0b315b53d888f261136c6aed3166499c6e0d27401f02f8fc64

SHA512
9d1371a08201eac5e698f3e4b386ae35c37ce99b47d95a8377be8eba19e0334b488ad0242890b7f201c4e69a29064a0e74ad8fd2b1df8b7f72e517eb6a8be349

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
1.2MB

MD5
c18e8e4abde031bf506116a3070ebc6a

SHA1
8d3183e9ee981315da86eac6a86e2ce5854e7726

SHA256
70f39ec57ef628b0492af0a30e4081a08e69df61b6e1af5d9e138f62c1b2a801

SHA512
d704e7cda0596bc066a8bdfc91728926bae466972a19b70b160e11764335d8abe4d427f3fd60bb41968898ac74b5938666bf204963e278aab65df8196f03d209

Download Submit
C:\Windows\SysWOW64\Boepel32.exe

Filesize
1.2MB

MD5
53a77291f59c8259c9b479adae67f8e6

SHA1
ad504bef5f40c92e9eed6a8b70c16d17088afa96

SHA256
85f1dc583927449dc24d555c78df04a2592ec6a93c9c04e8feaf3eb06f2e4761

SHA512
9f81995b7b9bda67d7000fa3af9b8a57dc3848d182af7bfd2e589a65b324719978ee5bb52cb52ce2396fb07bc23f2c1c3380f856d99c770dfdd3a76d01d94cfd

Download Submit
C:\Windows\SysWOW64\Cbgbgj32.exe

Filesize
1.2MB

MD5
df15df37d867c2d15e7eca4f56218680

SHA1
a1d0f9d71d1a61f7e4b65d46bf4abe9a466e628c

SHA256
945f1259b0c543b458fdc9f9cae545103731d12ee0bcdd3527ccdfbf25fea135

SHA512
4dcca91ac2bc98a8dde069414979f3e1dd008131927a954588789d5f65d7945093157db17668a36c2441ab30a9931abf1e184e8c4dd8f65b1c7c091f08fc3f6c

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
1.2MB

MD5
fa6429482dd005ca2f0bb3f682b8e394

SHA1
0bc08e2427d418024e5ac55731dbbf78fe6b32c3

SHA256
e324b9523bbcf06adaf3492474ba053ef471e0ab171d9128d95f9af8dbcf9a95

SHA512
88105ae6365a7c31d26b2999071d6eacdb70d3f7f82a75703e1dbd98c4d418fe30004ffc4e00552ebc8b7fef87a739a2eff47fd5ac764946caa1c1f16f3d63e9

Download Submit
C:\Windows\SysWOW64\Cehkhecb.exe

Filesize
1.2MB

MD5
6680984b2f06a42c7c523d410fc975cb

SHA1
cec58385d2ab52451691354c051dfedd6604b278

SHA256
694582154eaf43ae795d255096957327e9d29142663f9e719a03c50bdcd708bb

SHA512
001572402b96cf5681604a2924096b8c49d1ed43abe6345d948dd2085dbdd86ebaa45028ee862015e1520411acd15b75a46118cb7d85125aa127975afdc66509

Download Submit
C:\Windows\SysWOW64\Chpada32.exe

Filesize
1.2MB

MD5
99d768526a82afdbb13b42d6f6e2d2d0

SHA1
67ff458bdd2e743aa9dac69930ff2a3b21ee0914

SHA256
fba4c18992fa85aab0fc61bd8d77f1a2f924bdcb652e4f3ac72510157af5b32b

SHA512
05509333e5e8475d13e7f0ede7686ef8b4a9ed1ed240c65cdc7fcfb4fee6a3a950ca897d0f6e641f6fbea45ac22a9a1077f48253744330b4f97d05bd5b4fd629

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
1.2MB

MD5
445251e955cce628c3351671fb3fe8a7

SHA1
03ffa61dfc19b556ef72265b3270e8c3021ba984

SHA256
964ca271a665485320215f90e1f7db62bfb381d86a140af0e6262ac57b886635

SHA512
e9623c7e754a1743957348d8bd50e632a214a4b77380b7435002314f3db69addab4d6cf8affa29d858c7ee5f34211bfe711fe0f2c72863a44f2e6671f3b8d1f4

Download Submit
C:\Windows\SysWOW64\Ddbbeade.exe

Filesize
1.2MB

MD5
d9c2dd0da5aa03098e36cd0ce446fe3d

SHA1
2b4f05a6582cc6ff8a749c59948618ab2489d1e6

SHA256
301b9263cda029ab384435d88cf214328330d78769a37e63aa869715379fd9c4

SHA512
9431c0b467d414957a5cc332b47e25f31a3cbbe7d9b4bdd7a26d449e47f2de976dd88a2741503925b6389b238898fcf15f1557adb3a4e51ed1e907f23136360f

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
1.2MB

MD5
c89e9a0da72690b4305abf77ca90938d

SHA1
063c8c2dbc70eb368f715969e575696483c84625

SHA256
56d5ce7700e0591bba0907887c5156e207df293fa5adacd4dbca72037fea99ab

SHA512
537021a05744bb505dbc1eb672361dbf680d1538fea2ced294ad7320110344ea9e25b42fd8480761ca4a73c779378e147758d2c7b11c6ae725736ed2d27982d2

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
1.2MB

MD5
7a6e07da0002cc9e286dbca501a24fdb

SHA1
60f2386fe8b80cab3f79d6d15cc03ecb4217c2ed

SHA256
3361e92b3bc325ad48b711231f438402681124a55d40923c2044a54381d903f4

SHA512
d10e20851ecdcd0309bffb6d2d2cb8b2dc64dd7bd2601a03b83054ff842425f8ed381e5058f83a08d27f50ac382ec8d4b579c875efd775caf047211d20a88e90

Download Submit
C:\Windows\SysWOW64\Docmgjhp.exe

Filesize
1.2MB

MD5
c6b89f8c54339198cb52b7c9cebb59cf

SHA1
5d8c9262b2a59b85a2f9afb6642b641410bbeeca

SHA256
9e6d706aed83de27c8e4b33d98f66f86e43f282eb844c015ab64cfced09e4abd

SHA512
d54fc348a44eb354c7afe9d00a9e3c389e7d10503f1e39fe4aec16260723b5e7e4901bf4199b875e08443c23682082f6d7cbd5b56998cc6473f7139c07cb0547

Download Submit
C:\Windows\SysWOW64\Dojcgi32.exe

Filesize
1.2MB

MD5
47de78cd1ac8752e48e6d7961efbdb03

SHA1
0dc35782ade15a53941aa8614bdc74fca8930ba7

SHA256
48e9b963e7ae1b83f16491d5050bf6a55a0aa298b0588edd5e08c793fc2a3e0b

SHA512
fc1a9ddb26a25a23395b068d02219e350bdb1a18878f51a2af24f6fc4bd1cf0e2baf2c1613b7bf55ca74c0207590465c6e232fd3bbf8f528356363c1b3d44dae

Download Submit
C:\Windows\SysWOW64\Eaklidoi.exe

Filesize
1.2MB

MD5
8d7f1264d5e686ca7718d682b41c2702

SHA1
4794b428161a9426a1581730f5fc06a37fd9152c

SHA256
ad1670e9f4702cd8a2edcf1f316ead025ee0a139b9b51f25ea1ba8c56b4c3ee5

SHA512
a37d2f8bb657b6da27030f8377b98f0632ac320f67355dabdd55b8572dcf0d37dd9ed749b6fffa7db57eb5e0f44a9ffba3b686256bd8f8f23c098090ca36b6d1

Download Submit
C:\Windows\SysWOW64\Ecandfpd.exe

Filesize
1.2MB

MD5
72ec207a3cbaed05da5de9ec3c6e8f97

SHA1
b2e5069304153e55d9464a66ac8c312c9759fab6

SHA256
0f9cf1485a774a42208cfccb36b4659cfa6ee6a0bb7e44d55b69f93d538a4ffb

SHA512
9830c964fd97f67ed4cb952733ecafb3a05de19873c9a37047d314e29a1776822f7e540c4a21d5c8b9e42d8fbf967b5f50223ed44d2674d88e57b8118cfd3d54

Download Submit
C:\Windows\SysWOW64\Eocenh32.exe

Filesize
1.2MB

MD5
c22782478275b5691478165a04728100

SHA1
473cfe459a8a4b5dfa3fe290384ecb9e573c02e4

SHA256
62ae9f489c8adba2452c2b0c6bba1266b797513dd8a502493bb0186babd0748d

SHA512
2bf0ca6b12d01499673a25cf9a7e298caa3f291c77d9bd8ffa8fb2140301c9a2dafae8bf347a640310d0c55890aa927e4338ebf2f7ee068bfeb2588be28feaef

Download Submit
C:\Windows\SysWOW64\Eoolbinc.exe

Filesize
1.2MB

MD5
fb03bed15226eabf830a216558b2c158

SHA1
811e16cb758e027672b44134d774351d876f198a

SHA256
9fb8827d3567ddd161a6ec7bd979a2f91e225b305d75e24366ba51c690705669

SHA512
1d0d1063e7e95cac95bd1f2522955144db49c45966d2c4fe51ae79a6f2baf1eecc4e75345a79c45d1b2f09e62d22d2e06022040decdee883cd0d2d1ae5729c45

Download Submit
C:\Windows\SysWOW64\Fbnafb32.exe

Filesize
704KB

MD5
99f3216d1c1424f0010cb365cce037a1

SHA1
6407be2e2c8cabadfdb36710bf6ab554993288e3

SHA256
1257086cb53b0a249448a0998c39c0de69dff20d8709e46979c6718569f5c21b

SHA512
bb966518b67a497e7cc6b769cdfceec3e7ab1bcf93beca4a47994c1e983a2c0affba722092feb88c265ebd876b2779496764455ec054e81dfd7204d6e4975b3a

Download Submit
C:\Windows\SysWOW64\Fbnafb32.exe

Filesize
1.2MB

MD5
b05b6761e0efad064abe8b09a4c7a745

SHA1
fd9d09df715fba4642a3f2cd71af0f5a37d53353

SHA256
6a0c8d3b01a387ecb3f2b64fc0a61780466ef6d5f17e03e20173397533e51412

SHA512
f03f3b7483923e71cc53b8bab2788058d3e7569d4c0386dfa3477b94f276a813faf132ac961ee0430a9c6c11c6ee08e9c4b051ae05180da71954e59dab6a1cc0

Download Submit
C:\Windows\SysWOW64\Fcckif32.exe

Filesize
1.2MB

MD5
a243bb731386f1cc0040fd3375111f81

SHA1
7b5dd25f8bb5b34c140245a892728397cfa349f7

SHA256
9a91c0bb73d2e59aa730c91cc71ccda39e6901e5ae1fd6f4234aebab3653a521

SHA512
817e9eb692d27cbbe289708fb6cfcf2217fdaaefd1723d599f21bd66e354c22da6f39299ad26122275c6cbce80a4cb85c9c60da034d6af3b5a62068d356de02c

Download Submit
C:\Windows\SysWOW64\Fcfhof32.exe

Filesize
1.2MB

MD5
c6050479744f74c09fcefb91f15f88cb

SHA1
452fd742f17ce1b4d11653ab470600921ce3fb54

SHA256
57f7c83421dc28d0b49ae83fdd71de77b6507d7353502c9f78013b934c360418

SHA512
f1cd318819044824635aa107ed503dab19555743a68c673837722902da50ab4680eaf56cd658b767451a29af20eabf23c28d80eb2562a676ef23bd1b5bc91940

Download Submit
C:\Windows\SysWOW64\Fhjfhl32.exe

Filesize
1.2MB

MD5
060418356948428a4685afaf87934467

SHA1
d1510ed9f9c1a7920f677fe7b8572b5838770676

SHA256
7058139dbb52bbce6bb433225bf16507b727834c6f0e1737c5e32f0176a753c6

SHA512
7f08cf8aeb2c08f765da66a162554b88a8d5ca10408119728b7560979f0aa96aa75d42aa68c9ee4ae3657a81c03a3cb15356733484fdc4a28f0646d15dc90eef

Download Submit
C:\Windows\SysWOW64\Fomhdg32.exe

Filesize
1.2MB

MD5
426f4f75f869a89ae8c5e8658230d73a

SHA1
546683ba8b03050d51d9e388f20db5fef70afa64

SHA256
b78ca60c0751a4b3b29b090430fe764fd6c6116a165c68f032209c07837b9bcd

SHA512
c0398ecf2c1853961c731498426bd93d2d4a2f2f4637b21148b2a9667831d700b7cd07aab9d5476af5158e2c722216820c30bbc3b538b4df47fa5f19339ed61a

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
1.2MB

MD5
13bea3683ece94760e1d6bfda0c83e34

SHA1
795cb7c51373dd39ae4e3db9150f55c02fc65465

SHA256
2282d251260dc6f794305552934d2b2c3bde4510d8f9e74af1d4e7a2f1167445

SHA512
3c9cc8559a0255a3cfe6754e3fe06b18b04ac1f42917946a2529d1bd05379cb3aaf3aadb338978f48030796604356664d3432bc434052872f120cf0f71c10e18

Download Submit
C:\Windows\SysWOW64\Glhonj32.exe

Filesize
1.2MB

MD5
755a716abd1c86deb697d7d3c8afdbdd

SHA1
c6ab44d7936882a96face95d2f4bd1ad4a8c17fd

SHA256
15d933316d2bb0a6bc656a0587ae3cdfeba2c6c35b9f33564f233c9ed498b090

SHA512
ecf72776ea272ae50ddfc7684f1317e5489c6bffa5861360b39be19478fe6b3222d53db4bc60145e89a291ec6fc503025828b6e884d88f3ab7b113d26ed4f57d

Download Submit
C:\Windows\SysWOW64\Gokdeeec.exe

Filesize
1.2MB

MD5
3fdde554e2595862af81828f571f1ca6

SHA1
823a898d142f4f08f35ae48ff9b2d692c57ca402

SHA256
7c31df09bfad12203f9c139b5b16239f0921eba4c99e33d6aaee2f10d45c5ee6

SHA512
111d1585bff5e1b3f839f8297f494bfb5177c7c72f2b4301a799291ba72818f741cfb7d1677ded83a9cc86a0bb682e8163185e8823ca4693b3e7e9a6087059fb

Download Submit
C:\Windows\SysWOW64\Gomakdcp.exe

Filesize
1.2MB

MD5
6d69ab3d626562d0633970a1e59ecb51

SHA1
03d2acb9c04c48b012fa3e2efe35a92a54fb2480

SHA256
2f77096a8078f7159ace5f501f6c47bf9a885dc5cf7f47e2933367176f600093

SHA512
60c5f4f867bf36426c64c7308fc4c60440f0f43a6cdef47db4b8c77bdada86797adc6ca5c7f3ff72971cada2e4d117fb927a0ac3b4d783ceb41d287dfe37750d

Download Submit
C:\Windows\SysWOW64\Hbnjmp32.exe

Filesize
1.2MB

MD5
0f12f54db32579687a95b4700a0977d4

SHA1
1be68db5b0bfff9a421048b0780aa589ab1d31e9

SHA256
99ef69ce791d9365493896a69278c214858f27fe7781752b4ce942e30b40c9c9

SHA512
4cde63616243acff9f6ea83054d95453a42349fb6b069e42cca9fe35b63903cd14267d1ba35f22c2dabd9b9af98c2214da41f6d33d6efe2c1d951348a19d359a

Download Submit
C:\Windows\SysWOW64\Hcdmga32.exe

Filesize
1.2MB

MD5
94fd9d0936740ec9678df45ad1846ed6

SHA1
d9bdf580110b39aff57678cdf2e180024adad362

SHA256
e8973d67b0c56b0731e76dbdd9ff2750e72939bef5f91a3083c71c098e8b5cb8

SHA512
5e20141092241b8ae9285d24e2e74565fc6162ba74ba335707d378f64db708f3d60cc2e03a8e12bd4c5265e7940f39376fcd689fd83ff6da3d04cf4c985e2f13

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
1.2MB

MD5
acd1cbc2c789b84a7c3758de2fc5eded

SHA1
6c0dd8d82ba26f31e33d456cc498b97d28256520

SHA256
b98f8e969bc4d50e60cb87b6047f5107cf53eb775ebeb0ababcc4603edf44942

SHA512
1f394299081e774a487333f380246d2c99d7a55f6c75c34f9b174346270f6df912e811516176d133aaaae89b8f043e0cc35472aadf5abc89d3ba41d93667551b

Download Submit
C:\Windows\SysWOW64\Hmhhehlb.exe

Filesize
1.2MB

MD5
0f0541613402c2c66b39ddb5a629748d

SHA1
8294651dcce60e7070c9d8444c7cefb540c45c8c

SHA256
4b3a2d2aa99490b4f114ebba54bcadd93ab3abdd4cdccc9a3ebcfd49ff78ab27

SHA512
ab7aee39f1041a6269339111e9bee2e33d3ceb6847d82f702d787db47feda67695992f7edf1affdbb125402b0602de76345a5f2dce05c64e6b038de97ef82596

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
1.2MB

MD5
dc28c05b74290dc2510d360a8c5291af

SHA1
8b0f014757d0474ffb370a32e2d0e7d797eb7d7f

SHA256
c5bce4b5e2a9df1b9094ce6ffb718041c208647f993d9f8210ce32660501de0f

SHA512
0187619b027a0b3990a085d60b251321c9863682c7da1fa81db3176a05572520bd96e529b5b020e1d451f8374f1c2e4fc6d68a112eec64d10f65ad72ad2dfe3e

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
1.2MB

MD5
c4714e4a54f3b414dc2fec16f8acbbc4

SHA1
0996a30211e90885968d6379cc7f40cab2be0e63

SHA256
a4d686f77d5b0a96ce4152052c6cd034ec60306589973e8367d5b1c230e72d1d

SHA512
f11e9d5243161ebcfc7875a067a974f4ae906c14aad891edbfc4349974f97745e37a277885058ab0e2f842dde96d413516beceaccd293f0e57060cee86325b2d

Download Submit
C:\Windows\SysWOW64\Ifllil32.exe

Filesize
1.2MB

MD5
77a7edec995f7688c8dc236a133ee357

SHA1
6f16e5473d83a13e199286e43c88eff5797d182f

SHA256
9d401c60126d9d3964103a532f4c895ed3237306817319906006f729f171f4b2

SHA512
f092297fd647fc66db1b2e7da1058b95ad00d653d77da986dae4134c47992a7d2015c97e689d069b387e4cb713a08a01df64bb9ac634d74353b59c579d68327a

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
1.2MB

MD5
f7c89fe8658b973c224e478336bd70b6

SHA1
dc2e96570a5b4ba180bf8c73179623a45a6acd26

SHA256
622fe3fa41e8b337def0af330b7ec702828efe93d5c84ca32d12e1ebc9c27a27

SHA512
46b406bd82bef705b8f2e558dfd1258c056ca03f74f84be677bc4faf9b1bf2af84508ba2e16916b5c8e30ac73fb0c86580fc0743633dc440b3196823e4371a04

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
1.2MB

MD5
d1082b9444f24488c72119d0793d2a2e

SHA1
633b02e1f99e66d61f91a4cc7d2fd068f9ff7d02

SHA256
39abd93f4ad1c630341dc1bcc22b3da4bb5c09f6780e392be2092014461ae527

SHA512
d0485fff2febac1b5953fbc97f7ac89274ad84ad2e93427ce910bb3d6606e1dcc3ecf485ba035521e0eccf81a27998461625d651a28730e9e8ccf90fac1a8ff0

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
1.2MB

MD5
3b046d508e37a2fb27bb245da235c4af

SHA1
7dba6387ecd57c57d1a9c93dd6805a5e857e6f5e

SHA256
42ade2e729f66df479534365e72671f308d0ba8ec0fe85a1572ecfc974f132fd

SHA512
2f023d15a3640104a12e9e8663de067f17f558aeff6baea4a50d5692ccd58a84c0a1d3f1c00d770815e3995068ed5404061cd24d605176519224bcdba5a3fbf7

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
1.2MB

MD5
3fb2efc46cdb1269cfb2d8c89196783e

SHA1
b34b9a4612743524c2f6603e51919b23cc4bcfa7

SHA256
0fd49980033b931161de87a2b32ddc4f1d41f1ea59a9b9c961295add15e0cfb5

SHA512
e02e22863bb137d6d695346cfbfd41d90a4d9fd36d7e5c2bb042537c99077e42965c6210561bf41a0326030ec3dd81ec157cd7d0e1cc511400452bd7db1ac8b0

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
1.2MB

MD5
51b20dd3464054db44b000ded3a50043

SHA1
7247fd4a238997178a70054d6244e646fa706bc0

SHA256
92f5fbc52331b09aa04aa528c21a8e31f40cfac220e43052b7293044b19184ea

SHA512
0792662044d8dd24baf0257abebbf79510f8083a805b49807425ded43bc0c3eda55c51c564db83cebe2e1bfa2dd11ece558c450988f164184c727204b4e0c0a0

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
704KB

MD5
37515f45dd796370332fba2644eb9d11

SHA1
3c57e56948ffc45ea6a59fd038dddb6a440ad232

SHA256
3951da96ee35bcf256a7f3728dbb0387033130c82b4483c3380bfd79243dbdec

SHA512
a645f00315096cdfc0b780f55dc39182dfe0a3807faf08c1497a896e9c79721e0ffcba76c9242c8dcf68aa7dc980016b7c68a661c0ea6f5f9cc016e80470e2b3

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
1.2MB

MD5
aa44683ead412fd7fb1012921b964c12

SHA1
3e7162c5c3d82afe038d51a51270a1269b072984

SHA256
fbb137ec4ac1b474644cc1040274f0af24af5c2f2663bd3803d8b3d078c8b026

SHA512
424ccaa1c23b7f843123c2b22b95b38bbe33c672a564b995e66e5313a4c07a49b48b38a29215a8af3d953cb7d457bb16bbbcfb3d757198d663a2aa24ecb02748

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
1.2MB

MD5
634abf68022d7f573c1be7b7be5f566f

SHA1
8826949cf18de9e358e34c955bf39b38338104e8

SHA256
cd40c3a4e3586e4728f832548c11d43f5af3a4a59d0b76419634a4c94c95cc30

SHA512
89736955f34d478d7ad1af682ae0dd91940a22b452932a128c35186abdc2b2ccc7cc4c0cc9dbd2f801d90e543b82900b20301d7a5cae46b96ab3d7457efdb4c0

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
1.2MB

MD5
ea577c147fc63fb12a507d1c359ae533

SHA1
dd1ce1b7532dfb4c138022abbd20dfad1b692a37

SHA256
120b3295119249fb806c2edf4b2d6ac89d9290efa2a37e6410b03b65070127ad

SHA512
abd1051aaa466aacb000feabaa9333db2c985e28f9d52a5ea390d29f351b62697e1bad80f2b3a9f9e15f9ee7a2c6fc86aeb3f3fe00b82f862a6a15d7bdd3a08f

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
1.2MB

MD5
0faaaee126d45dc05ed87ff6bc161815

SHA1
cf01b8c124f2f5672550b976ac30fee1ce6fb96c

SHA256
b13ec7c8cbbaa46e34f2db53ae893d50049cfc8412162e74b7dba12fd55027b6

SHA512
0cb9a63f7f1c3d5714a0f8f02c45e687ef87eee238ba72d52b2de00100c1918a9a036af98228e1ed0409b292a211aacd0d456cdb36dd3694209c80eda3e6587a

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
1.2MB

MD5
0caf70692eaaf83b900ea70850be1f38

SHA1
2a21243887f637fece96e0740e81788d855440d9

SHA256
90abfa0ddc8fabed83366f77478b4784b5f2071cf8a22a7a4766c53b8f70a70f

SHA512
a8b7e2b8dc82ae391b911b20bb01ca8cd06c3e1441c03a7f473b4a59ce1c62390d43033006bdb4247f23f62614eff991c4ad7d73854362b1e5050a4f96722927

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
1.2MB

MD5
b3d3c6fc2830d69259452f6996de78e1

SHA1
3799c49445527f043c3f3d0dbfba817a614097d1

SHA256
1a2889c426881b058640b15de529d18856039f3caa2cd2fc9e376c4ca230933f

SHA512
f75ec63735d0ae02b780c5358c0f6e9cbed34b9664cf8f653651ccfb1726cbc0aa5390770eb4f71102a8b0990231b7f3fcc23f11a7d0bbbd236545d2fa5eb527

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
1.2MB

MD5
3aa97c99b9503be0ffa7003c40e13980

SHA1
78ae6825563aacc32d2a6f25188fd37aaada12b2

SHA256
1ceb64815777317b6d39696b1da8ac97a56c6d0b7fb1b31551bfdca46b6216b9

SHA512
7fa25315e339b82170f3b4ac3d8c5917d9396810ac9c4d919a350a1e4bd4992fec06b6936def6e3a0fb964614a3b327364cdc389e4aedb6bc86661af5ec4d13b

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
1.2MB

MD5
2145721e74a84121dfa29a1cdab1c2ec

SHA1
9147dcb30883a6da5b9c3c45a9a87d242e88561b

SHA256
468e3e75381978686e0457cc67400998df72e562b1e7e63be8504d5e6ef9c400

SHA512
fa9f4c1cca9ce5e5bc0d5a6f0b6885eaed7b7f9a963f6ef24d5ec844446a52e3cdd305f4c6bd692921df49cb983d38786c3ec92a440a2a76581923f5107a266a

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
1.2MB

MD5
67802d0c07514b1cd12ba826aeeae377

SHA1
a2cdae5faa046a80364c3e3b48041f186daaa2a1

SHA256
b7f46258cf91e34ca908cd2514094006cf5d919a1f3a38d124ab91a4d03b319e

SHA512
06b599a1ba8372f45293d9361821c7dbcb7ec094ad50252de030c4a941187ca22d852e259d1ce0d77e0ebf8c13ff7981e6689d45dca80d37e1ac33661fdea1d2

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
1.2MB

MD5
3a4be72ceafab6e2868a289ef053e3a7

SHA1
6a7584e82760f945154def9f7c8891c4377d9562

SHA256
fb933f64967cf1e394c93a82d17dd5c401d64e7d1f968a55caa6a28fc183269e

SHA512
f95cf30f759d5400659710b99a64f5d1cd2a1e75dc85ed5e8d66d6c2b750305634c2c5c652523dde3bd5910b1be2f133003a369503e4af1b8cfb9ddca5e5af73

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
1.2MB

MD5
9c2a1f32d6774b8ff0c4925fe84569c3

SHA1
b2c2ee97212b4569eac6217f8405c18fb8411490

SHA256
8312f5eda28a0a1d45a3a17c506a52b6288b1596878d476d2aaafd5a8a379c86

SHA512
cd75d340d349ffec4ce39726e7db3036d54abe7f2e3ae79a6461c048f37dcf9b952889ce0d1bcd2ba2e3f935b27f55f792def20eb2b0f9d0d5b8f6b8e2157d53

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
1.2MB

MD5
2e22b3d82a5b91b6633980ccb03d7172

SHA1
cbda07aebe23b08ec147e3fc06af5d8d662a7bbc

SHA256
d5c4cf442c93f1d2e21584632ce8e6e630604286e34a3f5d233ccefbfd65961b

SHA512
db26f10e1a23da45af0b9cb711dece354f1c7b923a846f415373a6b574855a1d7bdde2c0e2d63243f6debc9b7074d7538b91b3e11d9568e919a9ecf9aae2fe7d

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
1.2MB

MD5
e4836aa9c85e2cb21f04abc3347ecd9b

SHA1
7c937998ebdfa527c380f65c25078cf4b1772205

SHA256
3fce430fc40514d10df3246e524e04489386c6f1084a53ff1a9e675497ce76a1

SHA512
d5cac28dfbd898c7df5097693703185a4ca4eaf2fc53f34b785e4ebbc0880c15a651b0516b3da5287d4fe3e7029a25910ca8517b4318343a807fcaa33c275e5f

Download Submit
memory/368-587-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/452-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/464-546-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/624-269-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/664-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/800-537-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/860-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/860-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/876-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/960-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/960-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/992-576-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/992-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1008-389-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1012-303-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1044-413-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1108-503-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1152-497-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1404-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1480-467-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1516-542-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1540-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1588-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1592-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1592-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-473-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1716-323-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1772-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1812-539-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1812-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1812-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1816-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1836-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1836-593-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1928-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1936-333-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1940-455-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2036-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2060-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2064-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2188-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2284-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2292-521-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2328-465-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-217-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2724-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2728-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2852-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2892-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2924-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2932-281-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2980-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3008-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3096-263-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3156-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3160-527-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3164-317-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3236-395-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3256-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3336-449-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3536-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3568-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3568-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3604-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3644-249-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3668-335-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3728-371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3908-485-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4100-566-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4132-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4172-479-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4348-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4380-443-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4480-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4528-515-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4628-509-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4660-594-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4672-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4684-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4832-553-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4852-437-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4860-359-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4868-581-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4880-577-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4912-383-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4956-431-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4964-425-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5060-491-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5076-401-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5080-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5084-564-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5112-287-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads