800f6ef817ecf01d11cdd87d5ad9ef47beb9ca0268f86dd5c34f792abcf19df1

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad7ffe0010fafb990cc59719d9e40e50_NeikiAnalytics.exe
Size

300KB
MD5

ad7ffe0010fafb990cc59719d9e40e50
SHA1

eb46cba3628e3a23b614f4517e4ff6973fb8c811
SHA256

800f6ef817ecf01d11cdd87d5ad9ef47beb9ca0268f86dd5c34f792abcf19df1
SHA512

fdb450e7804a35aa0c1ecb9653612ad738a3b1423764307c8014a1b8f9315febba41f4ab4bcaaf31930bf14b4c466c4eb61652c665864e917041091dff0db00a
SSDEEP

6144:JXstrCryHpqufhcmoZjwszeXmr8SeNpgdyuH1l+/Wd:NstrCry9ymCjb87g4/c

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aldomc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffimfqgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjjhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbefaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfembo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmhhehlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgipldd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chpada32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffgqqaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhemmlhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmhhehlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkfoeega.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deoaid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoiafcic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adapgfqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blbknaib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffimfqgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodgkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkdbpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Echknh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eamhodmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkmchi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbgipldd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajjli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flnlhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekhjmiad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cogmkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffgqqaip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcbpab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gblngpbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmncnb32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0008000000022f51-7.dat	family_berbew
behavioral2/files/0x0007000000023413-15.dat	family_berbew
behavioral2/files/0x0007000000023415-23.dat	family_berbew
behavioral2/files/0x0007000000023417-31.dat	family_berbew
behavioral2/files/0x0007000000023419-39.dat	family_berbew
behavioral2/files/0x000700000002341b-47.dat	family_berbew
behavioral2/files/0x000700000002341d-55.dat	family_berbew
behavioral2/files/0x000700000002341f-58.dat	family_berbew
behavioral2/files/0x0007000000023421-71.dat	family_berbew
behavioral2/files/0x0007000000023423-79.dat	family_berbew
behavioral2/files/0x0007000000023425-87.dat	family_berbew
behavioral2/files/0x0007000000023427-90.dat	family_berbew
behavioral2/files/0x0008000000023410-103.dat	family_berbew
behavioral2/files/0x000700000002342a-111.dat	family_berbew
behavioral2/files/0x000700000002342c-119.dat	family_berbew
behavioral2/files/0x000700000002342e-127.dat	family_berbew
behavioral2/files/0x0007000000023430-135.dat	family_berbew
behavioral2/files/0x0007000000023432-143.dat	family_berbew
behavioral2/files/0x0007000000023434-151.dat	family_berbew
behavioral2/files/0x0007000000023436-159.dat	family_berbew
behavioral2/files/0x0007000000023438-167.dat	family_berbew
behavioral2/files/0x000700000002343a-175.dat	family_berbew
behavioral2/files/0x000700000002343c-184.dat	family_berbew
behavioral2/files/0x000700000002343e-191.dat	family_berbew
behavioral2/files/0x0007000000023440-199.dat	family_berbew
behavioral2/files/0x0007000000023442-207.dat	family_berbew
behavioral2/files/0x0008000000023444-215.dat	family_berbew
behavioral2/files/0x0007000000023447-223.dat	family_berbew
behavioral2/files/0x0007000000023449-231.dat	family_berbew
behavioral2/files/0x000700000002344b-239.dat	family_berbew
behavioral2/files/0x000700000002344d-248.dat	family_berbew
behavioral2/files/0x000700000002344f-256.dat	family_berbew
behavioral2/files/0x000700000002347e-426.dat	family_berbew
behavioral2/files/0x000800000002346f-462.dat	family_berbew
behavioral2/files/0x000700000002349c-534.dat	family_berbew
behavioral2/files/0x00070000000234a6-566.dat	family_berbew
behavioral2/files/0x00070000000234c8-685.dat	family_berbew
behavioral2/files/0x00070000000234de-761.dat	family_berbew
behavioral2/files/0x00070000000234e8-795.dat	family_berbew
behavioral2/files/0x00070000000234ee-816.dat	family_berbew
behavioral2/files/0x00070000000234f2-831.dat	family_berbew
behavioral2/files/0x00070000000234f6-844.dat	family_berbew
behavioral2/files/0x00070000000234fe-870.dat	family_berbew
behavioral2/files/0x0007000000023502-884.dat	family_berbew
behavioral2/files/0x0007000000023508-905.dat	family_berbew
behavioral2/files/0x000700000002350c-919.dat	family_berbew
behavioral2/files/0x0007000000023512-940.dat	family_berbew
behavioral2/files/0x000700000002351c-975.dat	family_berbew
behavioral2/files/0x0007000000023522-996.dat	family_berbew
behavioral2/files/0x0007000000023526-1010.dat	family_berbew
behavioral2/files/0x000700000002352e-1037.dat	family_berbew
behavioral2/files/0x0007000000023532-1051.dat	family_berbew
behavioral2/files/0x0007000000023536-1063.dat	family_berbew
behavioral2/files/0x0007000000023540-1098.dat	family_berbew
behavioral2/files/0x0007000000023548-1126.dat	family_berbew
behavioral2/files/0x0007000000023556-1171.dat	family_berbew
behavioral2/files/0x000700000002356a-1234.dat	family_berbew
behavioral2/files/0x000700000002356e-1248.dat	family_berbew
behavioral2/files/0x000700000002357c-1296.dat	family_berbew
behavioral2/files/0x0007000000023580-1310.dat	family_berbew
behavioral2/files/0x000700000002358a-1345.dat	family_berbew
behavioral2/files/0x0007000000023596-1387.dat	family_berbew
behavioral2/files/0x00070000000235a0-1422.dat	family_berbew
behavioral2/files/0x00070000000235a6-1443.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
3096	Obidhaog.exe
4496	Pjdilcla.exe
232	Pnpemb32.exe
400	Peimil32.exe
4852	Pghieg32.exe
3244	Pbpjhp32.exe
4484	Pengdk32.exe
4816	Peqcjkfp.exe
5012	Pnihcq32.exe
3712	Qnkdhpjn.exe
3188	Qloebdig.exe
4740	Aegikj32.exe
4184	Aanjpk32.exe
1356	Aldomc32.exe
5036	Ajfoiqll.exe
1272	Aelcfilb.exe
2368	Ajiknpjj.exe
1712	Adapgfqj.exe
3208	Adcmmeog.exe
3088	Ajneip32.exe
3696	Becifhfj.exe
5004	Bbgipldd.exe
1900	Bajjli32.exe
4148	Blbknaib.exe
2660	Bldgdago.exe
4600	Bhkhibmc.exe
4196	Ceoibflm.exe
2328	Cogmkl32.exe
2908	Chpada32.exe
1632	Cbefaj32.exe
4408	Clnjjpod.exe
2320	Colffknh.exe
1704	Chdkoa32.exe
808	Conclk32.exe
3132	Cbjoljdo.exe
3308	Cdkldb32.exe
740	Clbceo32.exe
1708	Dbllbibl.exe
4216	Ddmhja32.exe
3880	Docmgjhp.exe
3428	Ddpeoafg.exe
4672	Dlgmpogj.exe
1328	Dbaemi32.exe
3164	Deoaid32.exe
4568	Dhnnep32.exe
3680	Dohfbj32.exe
3004	Dddojq32.exe
4832	Dllfkn32.exe
3996	Dojcgi32.exe
3124	Dedkdcie.exe
2604	Ekacmjgl.exe
4880	Echknh32.exe
424	Eefhjc32.exe
4376	Elppfmoo.exe
3060	Eoolbinc.exe
4092	Eamhodmf.exe
2576	Edkdkplj.exe
1032	Ekemhj32.exe
3608	Ednaqo32.exe
1668	Ekhjmiad.exe
2088	Ecoangbg.exe
2076	Ehljfnpn.exe
3288	Ekjfcipa.exe
2124	Eadopc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dgifdn32.dll	Cdkldb32.exe
File created	C:\Windows\SysWOW64\Dbaemi32.exe	Dlgmpogj.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Ajiknpjj.exe	Aelcfilb.exe
File opened for modification	C:\Windows\SysWOW64\Bldgdago.exe	Blbknaib.exe
File created	C:\Windows\SysWOW64\Clnjjpod.exe	Cbefaj32.exe
File created	C:\Windows\SysWOW64\Iddoeojd.dll	Dedkdcie.exe
File created	C:\Windows\SysWOW64\Fkmchi32.exe	Edbklofb.exe
File opened for modification	C:\Windows\SysWOW64\Heapdjlp.exe	Hbbdholl.exe
File created	C:\Windows\SysWOW64\Hfqlnm32.exe	Hcbpab32.exe
File created	C:\Windows\SysWOW64\Mpnaemnl.dll	Hoiafcic.exe
File opened for modification	C:\Windows\SysWOW64\Pbpjhp32.exe	Pghieg32.exe
File created	C:\Windows\SysWOW64\Hffdjk32.dll	Becifhfj.exe
File created	C:\Windows\SysWOW64\Chpada32.exe	Cogmkl32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Jlbgha32.exe	Jfeopj32.exe
File created	C:\Windows\SysWOW64\Bfajji32.dll	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Iblfnn32.exe	Ikbnacmd.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ijmanlfp.dll	Fkmchi32.exe
File opened for modification	C:\Windows\SysWOW64\Ibnccmbo.exe	Iblfnn32.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Njciko32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Lcjakp32.dll	Aldomc32.exe
File created	C:\Windows\SysWOW64\Gogiek32.dll	Edkdkplj.exe
File opened for modification	C:\Windows\SysWOW64\Fkmchi32.exe	Edbklofb.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Lpqiemge.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Adapgfqj.exe	Ajiknpjj.exe
File created	C:\Windows\SysWOW64\Icfpbq32.dll	Fhemmlhc.exe
File created	C:\Windows\SysWOW64\Nkbjac32.dll	Kpgfooop.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Aegikj32.exe	Qloebdig.exe
File created	C:\Windows\SysWOW64\Bhkhibmc.exe	Bldgdago.exe
File opened for modification	C:\Windows\SysWOW64\Dlgmpogj.exe	Ddpeoafg.exe
File created	C:\Windows\SysWOW64\Nekfmb32.dll	Hijooifk.exe
File created	C:\Windows\SysWOW64\Hbgmcnhf.exe	Hoiafcic.exe
File opened for modification	C:\Windows\SysWOW64\Jfeopj32.exe	Jcefno32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhlejnh.exe	Jlbgha32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Dohfbj32.exe	Dhnnep32.exe
File created	C:\Windows\SysWOW64\Kpjgop32.dll	Ekhjmiad.exe
File opened for modification	C:\Windows\SysWOW64\Gfngap32.exe	Glebhjlg.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Aanjpk32.exe	Aegikj32.exe
File created	C:\Windows\SysWOW64\Ffgqqaip.exe	Fomhdg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7220	7080	WerFault.exe	316

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbgipldd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcckif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejfpelg.dll"	Hckjacjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ad7ffe0010fafb990cc59719d9e40e50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfembo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmfkoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pldhcm32.dll"	Iefioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmcpemd.dll"	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajneip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddpeoafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekhjmiad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkebndc.dll"	Hbbdholl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlgmpogj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naqcfnjk.dll"	Fcfhof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpiaib32.dll"	Gfngap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecoangbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfqlnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabqkgan.dll"	Ibqpimpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibqpimpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdkldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfmkjoa.dll"	Gblngpbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnjafgo.dll"	Hkdbpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcddpdpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhnnep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhnnep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijmanlfp.dll"	Fkmchi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blbknaib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bldgdago.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqbjqh32.dll"	Cogmkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdfloja.dll"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbllbibl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciglpe32.dll"	Hkfoeega.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeaikh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkopnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhjfhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lpqiemge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 3096	4500	ad7ffe0010fafb990cc59719d9e40e50_NeikiAnalytics.exe	82
PID 4500 wrote to memory of 3096	4500	ad7ffe0010fafb990cc59719d9e40e50_NeikiAnalytics.exe	82
PID 4500 wrote to memory of 3096	4500	ad7ffe0010fafb990cc59719d9e40e50_NeikiAnalytics.exe	82
PID 3096 wrote to memory of 4496	3096	Obidhaog.exe	83
PID 3096 wrote to memory of 4496	3096	Obidhaog.exe	83
PID 3096 wrote to memory of 4496	3096	Obidhaog.exe	83
PID 4496 wrote to memory of 232	4496	Pjdilcla.exe	84
PID 4496 wrote to memory of 232	4496	Pjdilcla.exe	84
PID 4496 wrote to memory of 232	4496	Pjdilcla.exe	84
PID 232 wrote to memory of 400	232	Pnpemb32.exe	85
PID 232 wrote to memory of 400	232	Pnpemb32.exe	85
PID 232 wrote to memory of 400	232	Pnpemb32.exe	85
PID 400 wrote to memory of 4852	400	Peimil32.exe	86
PID 400 wrote to memory of 4852	400	Peimil32.exe	86
PID 400 wrote to memory of 4852	400	Peimil32.exe	86
PID 4852 wrote to memory of 3244	4852	Pghieg32.exe	87
PID 4852 wrote to memory of 3244	4852	Pghieg32.exe	87
PID 4852 wrote to memory of 3244	4852	Pghieg32.exe	87
PID 3244 wrote to memory of 4484	3244	Pbpjhp32.exe	89
PID 3244 wrote to memory of 4484	3244	Pbpjhp32.exe	89
PID 3244 wrote to memory of 4484	3244	Pbpjhp32.exe	89
PID 4484 wrote to memory of 4816	4484	Pengdk32.exe	90
PID 4484 wrote to memory of 4816	4484	Pengdk32.exe	90
PID 4484 wrote to memory of 4816	4484	Pengdk32.exe	90
PID 4816 wrote to memory of 5012	4816	Peqcjkfp.exe	92
PID 4816 wrote to memory of 5012	4816	Peqcjkfp.exe	92
PID 4816 wrote to memory of 5012	4816	Peqcjkfp.exe	92
PID 5012 wrote to memory of 3712	5012	Pnihcq32.exe	94
PID 5012 wrote to memory of 3712	5012	Pnihcq32.exe	94
PID 5012 wrote to memory of 3712	5012	Pnihcq32.exe	94
PID 3712 wrote to memory of 3188	3712	Qnkdhpjn.exe	95
PID 3712 wrote to memory of 3188	3712	Qnkdhpjn.exe	95
PID 3712 wrote to memory of 3188	3712	Qnkdhpjn.exe	95
PID 3188 wrote to memory of 4740	3188	Qloebdig.exe	96
PID 3188 wrote to memory of 4740	3188	Qloebdig.exe	96
PID 3188 wrote to memory of 4740	3188	Qloebdig.exe	96
PID 4740 wrote to memory of 4184	4740	Aegikj32.exe	97
PID 4740 wrote to memory of 4184	4740	Aegikj32.exe	97
PID 4740 wrote to memory of 4184	4740	Aegikj32.exe	97
PID 4184 wrote to memory of 1356	4184	Aanjpk32.exe	98
PID 4184 wrote to memory of 1356	4184	Aanjpk32.exe	98
PID 4184 wrote to memory of 1356	4184	Aanjpk32.exe	98
PID 1356 wrote to memory of 5036	1356	Aldomc32.exe	99
PID 1356 wrote to memory of 5036	1356	Aldomc32.exe	99
PID 1356 wrote to memory of 5036	1356	Aldomc32.exe	99
PID 5036 wrote to memory of 1272	5036	Ajfoiqll.exe	100
PID 5036 wrote to memory of 1272	5036	Ajfoiqll.exe	100
PID 5036 wrote to memory of 1272	5036	Ajfoiqll.exe	100
PID 1272 wrote to memory of 2368	1272	Aelcfilb.exe	101
PID 1272 wrote to memory of 2368	1272	Aelcfilb.exe	101
PID 1272 wrote to memory of 2368	1272	Aelcfilb.exe	101
PID 2368 wrote to memory of 1712	2368	Ajiknpjj.exe	102
PID 2368 wrote to memory of 1712	2368	Ajiknpjj.exe	102
PID 2368 wrote to memory of 1712	2368	Ajiknpjj.exe	102
PID 1712 wrote to memory of 3208	1712	Adapgfqj.exe	103
PID 1712 wrote to memory of 3208	1712	Adapgfqj.exe	103
PID 1712 wrote to memory of 3208	1712	Adapgfqj.exe	103
PID 3208 wrote to memory of 3088	3208	Adcmmeog.exe	104
PID 3208 wrote to memory of 3088	3208	Adcmmeog.exe	104
PID 3208 wrote to memory of 3088	3208	Adcmmeog.exe	104
PID 3088 wrote to memory of 3696	3088	Ajneip32.exe	105
PID 3088 wrote to memory of 3696	3088	Ajneip32.exe	105
PID 3088 wrote to memory of 3696	3088	Ajneip32.exe	105
PID 3696 wrote to memory of 5004	3696	Becifhfj.exe	106

C:\Users\Admin\AppData\Local\Temp\ad7ffe0010fafb990cc59719d9e40e50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ad7ffe0010fafb990cc59719d9e40e50_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SysWOW64\Obidhaog.exe
  C:\Windows\system32\Obidhaog.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\SysWOW64\Pjdilcla.exe
    C:\Windows\system32\Pjdilcla.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\SysWOW64\Pnpemb32.exe
      C:\Windows\system32\Pnpemb32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:232
    - - C:\Windows\SysWOW64\Peimil32.exe
        
        C:\Windows\system32\Peimil32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:400
      - C:\Windows\SysWOW64\Pghieg32.exe
        
        C:\Windows\system32\Pghieg32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Pbpjhp32.exe
        
        C:\Windows\system32\Pbpjhp32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Pengdk32.exe
        
        C:\Windows\system32\Pengdk32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Peqcjkfp.exe
        
        C:\Windows\system32\Peqcjkfp.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Pnihcq32.exe
        
        C:\Windows\system32\Pnihcq32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Qnkdhpjn.exe
        
        C:\Windows\system32\Qnkdhpjn.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Qloebdig.exe
        
        C:\Windows\system32\Qloebdig.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Aegikj32.exe
        
        C:\Windows\system32\Aegikj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Aanjpk32.exe
        
        C:\Windows\system32\Aanjpk32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Aldomc32.exe
        
        C:\Windows\system32\Aldomc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Ajfoiqll.exe
        
        C:\Windows\system32\Ajfoiqll.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Aelcfilb.exe
        
        C:\Windows\system32\Aelcfilb.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Ajiknpjj.exe
        
        C:\Windows\system32\Ajiknpjj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Adapgfqj.exe
        
        C:\Windows\system32\Adapgfqj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Ajneip32.exe
        
        C:\Windows\system32\Ajneip32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Becifhfj.exe
        
        C:\Windows\system32\Becifhfj.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Bbgipldd.exe
        
        C:\Windows\system32\Bbgipldd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Bajjli32.exe
        
        C:\Windows\system32\Bajjli32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\Blbknaib.exe
        
        C:\Windows\system32\Blbknaib.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Bhkhibmc.exe
        
        C:\Windows\system32\Bhkhibmc.exe
        27⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        28⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Cogmkl32.exe
        
        C:\Windows\system32\Cogmkl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Chpada32.exe
        
        C:\Windows\system32\Chpada32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\Clnjjpod.exe
        
        C:\Windows\system32\Clnjjpod.exe
        32⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        33⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        34⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        35⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\Cbjoljdo.exe
        
        C:\Windows\system32\Cbjoljdo.exe
        36⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        38⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        40⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Docmgjhp.exe
        
        C:\Windows\system32\Docmgjhp.exe
        41⤵
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        44⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Windows\SysWOW64\Deoaid32.exe
        
        C:\Windows\system32\Deoaid32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        47⤵
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        48⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        49⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        50⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3124
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        52⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        54⤵
        Executes dropped EXE
        
        PID:424
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        55⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        56⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        59⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        60⤵
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        63⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        64⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        65⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        66⤵
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        68⤵
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        69⤵
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        70⤵
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        71⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1224
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:884
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1176
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        76⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:996
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        78⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        79⤵
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        80⤵
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        81⤵
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        82⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        83⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        84⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        85⤵
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        86⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        88⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        90⤵
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        92⤵
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        93⤵
        
        PID:404
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        94⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        96⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        97⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        98⤵
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        99⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        102⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        105⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        106⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        108⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        109⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        110⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        112⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        114⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        115⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        116⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        118⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        119⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        120⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        123⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        124⤵
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        125⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        126⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        128⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        129⤵
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        130⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        132⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        133⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        134⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        135⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        137⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        138⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        139⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        140⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        141⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        142⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        143⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        144⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        145⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        146⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        147⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        148⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        149⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        153⤵
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        155⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        156⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        157⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        158⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        159⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        162⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        163⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        165⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        169⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        170⤵
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        171⤵
        Drops file in System32 directory
        
        PID:6240
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6280
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        173⤵
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        175⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        176⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        177⤵
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        178⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        179⤵
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        180⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6644
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6684
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        183⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6776
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        185⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        186⤵
        Drops file in System32 directory
        
        PID:6864
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        187⤵
        Drops file in System32 directory
        
        PID:6912
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        188⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        189⤵
        Drops file in System32 directory
        
        PID:6996
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7040
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        191⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        192⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        193⤵
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        194⤵
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        195⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6356
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        197⤵
        Drops file in System32 directory
        
        PID:6432
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        198⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        199⤵
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        200⤵
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        201⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        202⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        203⤵
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        204⤵
        Modifies registry class
        
        PID:6932
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        205⤵
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7072
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        207⤵
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        208⤵
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        209⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        210⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        212⤵
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6760
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6904
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6980
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        216⤵
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        217⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        218⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        220⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        221⤵
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        222⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6312
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6504
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        225⤵
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7120
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        228⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        229⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6988
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        231⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 404
        232⤵
        Program crash
        
        PID:7220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7080 -ip 7080
1⤵
PID:7196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aanjpk32.exe

Filesize
300KB

MD5
be7c5875b82077b5f7ab3f01591b624f

SHA1
a07fcc61d0c35e50ecc72bec0ae534c1e5575bb1

SHA256
7ea8b9fd74d53d721cbd6a54f2aedf7550123363f877dd42f37139c32019b879

SHA512
afc7203f786a9489fe013e8a6fc096274dbea2afc9fc916e6ce9c632fbfb1f039f69af0a841563f2ee1e4b10b37dd33fd7717735017393e120d03804f6773051

Download Submit
C:\Windows\SysWOW64\Adapgfqj.exe

Filesize
300KB

MD5
5801bb916110de3dafdf3fb651396b6c

SHA1
abf7f8d0f65ff0c31e6f3bfd9e86d4c753c3714a

SHA256
5f1706c0285f29bda4a61a807310f71bb9b5107c4366f4f8d42946a33bb2b6b8

SHA512
546b34dd9d2242f09bdd30d07a6fb9dba26c0c07fee45315ae31805d2b67b043d5f581a81c8d82fbb9f645ee700a5f013e5fd54c5dfffb8a4449d745ebdb2c73

Download Submit
C:\Windows\SysWOW64\Adcmmeog.exe

Filesize
300KB

MD5
f6d4bd417115547f4462b1f0c58ebac7

SHA1
389cb4a4b9d20747d72c2a772c353f83abf5e83a

SHA256
99d79b33d9baa5116393f4c4f73587cc2293d2a9ae4ca0c772c3ec20a17e6738

SHA512
54351eb192a91ff44d8a5a73ede92744b98515bf3e3a309dc1a08daec0ff61a4186f215807a579c6efb7eadf65170c3656d04941b49c0486ab395426bc218300

Download Submit
C:\Windows\SysWOW64\Aegikj32.exe

Filesize
300KB

MD5
6de9f414b47ed3ea67936f60f2c7a65b

SHA1
e148c561790cfc4346beed8aed3f6a438065a606

SHA256
0b9914609dd27a8f784ef0e2811a6a4bc0bbc7cc61c93dfdd0d0fe4dd2e8713e

SHA512
b8a63af36983dfd5905adf0aeb9a70cbab1a2ba901e594d98a68a541c49d37d3a13cf7bfab5315a1c6024fd70df530d59f8174f02fcb9abaa16689c5021abc0b

Download Submit
C:\Windows\SysWOW64\Aelcfilb.exe

Filesize
300KB

MD5
50690650c8ac4207b65ff50452656c04

SHA1
4004cc6fec0e3a5af43d9312840616e387e114b9

SHA256
0a0112b989557cbc91a52db5dc317a11eddf5b246139d0acf88c425b82a5b32d

SHA512
afa03ca7f48d2491d013ad73d03b81188b9a75ed9448a3a83650da63bee11353ee76934f58305824f2d52340ddd71ec854d18d96c411a3ae6b7881aa61129dc2

Download Submit
C:\Windows\SysWOW64\Ajfoiqll.exe

Filesize
300KB

MD5
873ac394c7bccb8077d20a81a5ab33f9

SHA1
3defd106ca01846e22270bac37517f5ea51f7866

SHA256
1e5b8f4f94c4020c661f78023e83fc360abb2fc5ac0578610203285598485edc

SHA512
4abd1107f9f1ccf1f0bcc4d8dc2db1b0ac1b0c337ff58ec35d60f1bf09dcd3293547ec7c23638fce18be54c3a49c4a75d3900716995393022b961e19aa94ddf6

Download Submit
C:\Windows\SysWOW64\Ajiknpjj.exe

Filesize
300KB

MD5
d23b5e5e87bb76531dddcc668422f207

SHA1
fdaf9838aa998d35854c2fccaac5ff971c11f5ae

SHA256
fc3cda1eacc83c8a3621b993bcc0c742051d6e4da7e747407f144b0108c8cfb8

SHA512
7401ff2978c49b740ab041ba7ccbafdbc9697473a9a4ab576e6ffff6b93464775804b86ed582e6e1c82d8d755b76445152b8641b375be655c94fdc2e868614d1

Download Submit
C:\Windows\SysWOW64\Ajneip32.exe

Filesize
300KB

MD5
bbbc11c19a981a8a93325aba0bef1f27

SHA1
d6635727f976d29ea0d3cd844c829e56b0d0e7d2

SHA256
03990ca2ce9b266de49603e8442ac397c96509711d08d008b6b4ec5950a47cb9

SHA512
a3449bf6356e0d57e06ad81776330c5d7b729549dd10d93fecf4bdecca834e394631201c22f61c45c0907cb218a3de28323042e17af7ff748b1c5e8609f2c272

Download Submit
C:\Windows\SysWOW64\Aldomc32.exe

Filesize
300KB

MD5
7d298a7511a72422e19286d0df93b8d4

SHA1
699ff733f7d696d5fdd3654bf5f911877bfe8033

SHA256
1339d498b761fee895270521656b4fbd2cb19ddf5043379448056c9f8e8a7249

SHA512
cf5ca3e817eb58e73fa6e3ba886502c8d27b06d13000aa4a5894e1a0db626094a5b1c6f4184c7c853d3bb213c87dbf492ef794ee10061f9f0a669594ad78c47e

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
300KB

MD5
6b7bac9dde5a28942f4de579381eac01

SHA1
d40318fde99d773ddcf45771f002aec4119c2429

SHA256
4a19760e767f41d5958fe37dec405ae686a92fe4bf1acfbfddafa793b24f497c

SHA512
c86678cfae8c11e53bcecb45a1df57d13c3c4cd7d8e990e42dbbd9cb7a22dd697b73423a6ac00147dafa0379319746224905e13f912439011476bca3e9edfd59

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
300KB

MD5
d494bf88dd9bc3673bea637a6658b241

SHA1
4eeacaf8fb2b160b7952e1258b87ed1998ba45c0

SHA256
3f4d1e18733e005adbc4eb4a226747b6b2b019162838c2e591f0c38c4f4ea1c2

SHA512
ed5276d62104c4430c04cfc8d5578cfec1b8bf37c92dfa909763dc8855955179d8e5a95ee5456fc2cb4037f92afa5c0d9c53813091c09ce5c2d46a2f631f2da0

Download Submit
C:\Windows\SysWOW64\Bajjli32.exe

Filesize
300KB

MD5
a8cc520a5c9ca56684c8676c2425d321

SHA1
78ebf8f0925ea801ca8efb7b0d107fc618e94c75

SHA256
530fca7f52ae49b8067663f36e953fece35c2339ce742d5db252f8f714110fee

SHA512
1a77ae3911c68ed93daf60088f1379f20470545906b059c20161e58027cb3247e4e368bd7fdf159f05104eb98b174b1175e3d60a124d13cbdaa2fdb1cbbc1252

Download Submit
C:\Windows\SysWOW64\Bbgipldd.exe

Filesize
300KB

MD5
6e51df57ec70eac756fd44390f5f7f7e

SHA1
34797df430aaa956e61231035418376c9e22fd37

SHA256
71b18f3789b69a44173ddf618458ce65a748772c3b0634eb4ea8c8bb42985832

SHA512
f12351e7499f2fed66de2f91425c9db76986fa3da1d896f59b8c544d93f5f24652543e59bc490170d9184c8ccc8bd2cb9ef6936647c260b5a870636e865d23d3

Download Submit
C:\Windows\SysWOW64\Becifhfj.exe

Filesize
300KB

MD5
fc5aa0f08d15d55ae4f6ba916312301b

SHA1
416713f2765648cb8fcba0c31688d0ead58f69b8

SHA256
29fdb9714f6b6a60ca920e4054005215a3ca83af28bc4be8f423834d42f30fb2

SHA512
7cf9edee62ca12d2aea74ff54d04ba8f4d8fc23d9451e11595efcc878c0d20e6eb361000853581492a2c38ec7f9c4f9597ec1e39a77c678422b506ec831bf58b

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
300KB

MD5
2d8b5468716fc4e321f43c19d549f999

SHA1
627593c772f3323b77bdd24f1334bfdc046a1d39

SHA256
b14fe1b0d0c4b87837da8a95fc7f090fce8c35aa7bfa1e4cde913f9513c14eed

SHA512
1cc00053580d1dc2c56302a0a21d55cdfbe4b27a84b6bcbaf0a5f09f3cfc26e9cbb58be917464202f4e7ad3b71789798244cb6ff3173b97acd32d08e115ca268

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
300KB

MD5
899045fec5aefe856eb5f720f01dd865

SHA1
de735b538cdeb82551dbd2ef4646ead2debfe4c0

SHA256
98a1aa338b6e5bad59f49daaff163f598d3796b6c388360e272beaa197b030ab

SHA512
752bd51164a5f00fbac3ab1aab6d1c4b90a997802271e729af107eadcd7e9333a9be21fc2a8abd1a9086a246ca5b7e28228628249dbce9063a014b5871a1e4e7

Download Submit
C:\Windows\SysWOW64\Bhkhibmc.exe

Filesize
300KB

MD5
a3c0ea7013a59ed5af114a3f9cfb1fe5

SHA1
8f185e6c69ddece35eb581d75c02e0a4ec158110

SHA256
8926ad3b3c18aa481a79ac2ab27bed87fc2f8f2f3befbbde700234e4beebcce0

SHA512
af441cea35631954b2d0ab1861af16b9b02f3e6867aa596c0c23de40761d0c991ec2b9b4049877d59be8ffc01872232a01547df59daeac0d272f316dea1eb71d

Download Submit
C:\Windows\SysWOW64\Blbknaib.exe

Filesize
300KB

MD5
45429c75fee7e51287ddc8dad6a0d372

SHA1
5ce3c43ab10b58b73eabfcff5d709138b508684f

SHA256
885af7cf0ce339e798ead85183697876301af3399b5bfd369a30666d44b2d6c9

SHA512
bc08a793d1717beaac8c5b9e4a82d49172778caeba2a6ace3b7aa76d7fc29f4b1bfa4baa569bc489d8530a11952b124f1c0e2748477365108f3329d99359799b

Download Submit
C:\Windows\SysWOW64\Bldgdago.exe

Filesize
300KB

MD5
b7d6bbabbbce0fe90fe731d919fe1829

SHA1
6e4f91518db7f68c370467458eedab8d7485f924

SHA256
f8dc47390342be5dfd1d99e9b3b1c37299ff7a116671a331dcf6393c822bc269

SHA512
f9a803e1cf53d04058f45adda29198163fdd2ec8c2bcb5d67e4f9c2d8373721627750fbc3ae5716e7b378fd1149b3ffcaa8e560c8bbcbf87a9bd9bb932e83bfb

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
300KB

MD5
61a32fd1078f14625db64316bb01265b

SHA1
a23481efad9bccc7d58b00f7c895590964f54027

SHA256
bce3250d63d30d258af9eb55b244af4328a8427b526fdcf08a92b3ca94b3cd19

SHA512
f352ea1e7b89835d802ea9c89a31e779b4a776ab6394a59d80a068bbd2289f637f4863c200396868b524c7e51161d12651d497b18d3e9712dbacea7232dc55e9

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
300KB

MD5
c76ca027049d0c7dcb966289ff78b335

SHA1
adbce24cf384d4f290f3121e729919f49e9c8992

SHA256
8835d00297cad99c49289d3542320f0aaa25ee68f59db331dbdaeefcfcd6df4b

SHA512
0406fd55ad5f9c4ed14fefe60060eff1c1985b5f6884b5353baa4e9c533d6ee7f1f6b7a3193727464949f7e90c7b22c0aa6e617c5e66a9dff5e949a202db9af3

Download Submit
C:\Windows\SysWOW64\Cbefaj32.exe

Filesize
300KB

MD5
93e991f02bd05988bfc2e616d48be28c

SHA1
d1922fe70baff370887a664f3bf45863b10abb66

SHA256
030283b35570c843de3b00a358048c90698ac7c08fd67185dd527ef94296c0ef

SHA512
3a74e6f08fbc24f269ca2deb7465e92fb2f551741b641c70c2400b55455161d388b864c1768c1c2a445c7be4b73b06fc23ca2a29b3cc63a4c61e050f249be3d3

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
300KB

MD5
2d4a81b04ce69f17fdb28424cb5f621b

SHA1
f344fca0a06e85292e556834283760f7c313e2f4

SHA256
10c43be2eb74dc1a970ea4f92d274f1ecf323538422f3f66f84961aaaf3e718a

SHA512
98ce6629360a72e59cd44d11b3ef82e428283496c9741329cb23ed7f4d398f63db43bed10c71ea25b971ffc6568c691105913e52bc4d8376da25c6b40d47d741

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
300KB

MD5
f7161c9127e9d9e8f415e6e022fbb612

SHA1
37e9a7cdfca9f58bec2b30fe72659a8b66975cfb

SHA256
d965bc5f419ddcc9a9ff1e31c33ce41634c81f0474bef820efe33c2112b3378f

SHA512
cabcde5fcfd8e40f997b4dcb72b0a7703be89da4a8110ea8bbed5f89ba9a207a7356443cba2dc7ea21c51aa9445a40551e60781e7f70ae15dc07ce0081375968

Download Submit
C:\Windows\SysWOW64\Ceoibflm.exe

Filesize
300KB

MD5
277c5bec384f552fc955bdfc23b058c7

SHA1
eb97e44b2d8a4fc25bafed20bb846f86bdda46a4

SHA256
dcd383b530232be9a3c1403218edf2e18958826d5a0148a612ebb189c1277b1a

SHA512
76f2924302df5acfd3adf397dec581d174beae80a8cbdd95ccb6d80325e43bcd951a42a45b35e5dd559d00257594d5a30a6bf3f905246c8dc0bd76437b2fac97

Download Submit
C:\Windows\SysWOW64\Chpada32.exe

Filesize
300KB

MD5
169e5af8b935978a8fb358f87cf5f0c9

SHA1
d4e89a8f76574b440967da62093b9760b88ee24d

SHA256
006a483d61956608a2c47bf998911ca8df3aff779017d9c0a1f2ed33f83ec278

SHA512
2c4ec2645a052189454b8750d2070b8eaf8dc26ba025b09e70b521588bb119ecfe093be172165d8562c1f2fc53b787975135254d6430a8baf2a934e2b005d5a1

Download Submit
C:\Windows\SysWOW64\Clnjjpod.exe

Filesize
300KB

MD5
01fee8fd61b471ae5763b6225e3872c4

SHA1
f4353cdc7a9e8630451685f126dd779aa478f19d

SHA256
8c79359809e70fa91dad6652b7bc74532942d7cd2d742c7678bd4db2c87d1b13

SHA512
e1f690245f8f8a61a04c23e7575b00999885dbfee5070778530715d5dd53566450d6bee7e3dd7162dde990b5b5ff2e2e78725b97fb37cac8cc47d32e5200d50f

Download Submit
C:\Windows\SysWOW64\Cogmkl32.exe

Filesize
300KB

MD5
9e6f770419dc599dd0d67a19f68b3ec7

SHA1
32141c807402ecb6cb82bcae1b0cc8a472aca474

SHA256
adfe15069f78b3511bfcf6bf571320b98fbd930d410cd02cae66836157aedb58

SHA512
5c7cbb591367379aa07ffc4e02c2f8264fa0ed4ba9a4666c022ecdaa07499aba9279143cadbf6eda6167e3204cfe9382f0b1b342948e65b5fded86eba697c773

Download Submit
C:\Windows\SysWOW64\Colffknh.exe

Filesize
300KB

MD5
731595c7622034226ef7755a3de7c0ac

SHA1
a731b71e94f76d2127ed51c0e4e01b1d8a42fb60

SHA256
a36048c348a68df6834cd0fa96ba0f95b36be50e6729d0c7c7bb45e55f8eba58

SHA512
b09dc07aba9d78bdb00aa48a53ca7e1a39aace8ee2eaa26d6e1e284af82afe6b9ba02c73828f56c4f40b568f4735675158614f3922fcb9087b6cfad9033dcf36

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
300KB

MD5
c44b91a1f078a0d1268e0b294db96424

SHA1
d052e3753eca171c45f0c9eb21485f31b7828382

SHA256
3bbf142e40146659733d4008112c9570ea7e0f6876eec1c6bc62e9231cf62fdd

SHA512
5e4c9718e103588631bb33a9e7df5220bf508d423ca04ce81130b7da860b3749b9665a40392dd4e99d087eba4119d9c4f204e7669ebd8bba98049eab5b7173e3

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
256KB

MD5
cee76356db0a34517388e77b7b71471f

SHA1
d152711b44ca9d255c49f5c3a5401476e5c92f04

SHA256
2132711378426794825e11e1204141024011d45b1646fedf301c53620a866c3e

SHA512
f3054777f8226ee71aa15c568043da5b9f3ced75819036e232dec6fb68ac7650892db0e78a1bd160cd9a4851afd871e616cc4a439c2b2b7601f4b67cae84ab26

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
300KB

MD5
f10ed01a08b6a3c424f81d60ad18982e

SHA1
b2bea0ac3862d5701aa3f0cf09c1df44973e02a6

SHA256
bbcc91e4c1e0aace80a035f78d129c0070fabe6d07de9b1094bbbae2181dd927

SHA512
4a966481e5d3f27e3a3f17dbad0f4a46c050d037f8fd7e71df187f33cba841c0a9e06131f31a92adcec6c529ce275273376f30aea37fa4884c46ce10767ef8df

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
300KB

MD5
86a087c363f7a88d9429afa3711ece59

SHA1
bb7ef667a3370e6bfb68ac091eca981cf27d5fcf

SHA256
9c042916020b699775d3937b0d58d90787012de017f346a8cc96ad035cdad913

SHA512
61b2cdaf4dbf94433911f98069385eab8dcba0d38e7afa3aa0d887e222e9e0da62d276d0fed87a83af93928e08683a8b2973c07b6f670bf7d9a0e868f7d8a0ae

Download Submit
C:\Windows\SysWOW64\Ecoangbg.exe

Filesize
300KB

MD5
8af933c37669c611f09595f9188fd453

SHA1
d73f6cbef72d317663c58d73fdd994fe77a0af55

SHA256
2bbca29489cb16daa77bebd807033e8150982cb2ed588d7a528ed663c79a2886

SHA512
c04ed3f8e52f2b8edf2cc84b10163e5bdd2d0937d6522be13f7810304762928e959376a7b0780e3428598a98a74267b137d81277b25b112dac5fa6112b921c92

Download Submit
C:\Windows\SysWOW64\Fcckif32.exe

Filesize
300KB

MD5
cdc331fd5ab2783e0213e92f2c3cc8b9

SHA1
2855f127b66a8dcf33de9cddfa4835cd1ce7fd4e

SHA256
4a64d3f3a12cb2e51d33f0af3858a12553f8ecc7f0d97d8b0747f5cb6abdcb56

SHA512
9e56db43d1e182aaf2d67d65fc7b0df839ed49f8cb8365599c1c21f321260fea8451b840dce598ea8edcbc998985fbe0b829535ecc4b529dd2d3b0954dcb34bd

Download Submit
C:\Windows\SysWOW64\Gcddpdpo.exe

Filesize
300KB

MD5
b05daf7315ba2be36abb477a69aee287

SHA1
f8b5deb2fc8d624fbad6f4e07c55ba94f9ffd097

SHA256
663787a575b87c07ed176bdade611f431ec3c2b2d685a9bba87b1f1931dd78f1

SHA512
86239a848331130c99b72c73831a62173b21e1483186806b0fff3f9ecf9bd9bb24887b4fed06eb130d619a496edd69b415d639ab5877e2315b911ae075058b40

Download Submit
C:\Windows\SysWOW64\Glebhjlg.exe

Filesize
300KB

MD5
f1bf6751b38da3b11fcba53e250174e3

SHA1
6b57da3390c3564b7158b254b66c0cc9a4c20fa6

SHA256
f26fdaa9dcd2914bb44ec20e2251f3b980d09ab11b68c590b475dd441cff4cd7

SHA512
93b0adc2e8597828fc975da9687ba7c9b5387a57dd7275e27507526441b6b488d6056cba1b3f3d09798a11a66f0cd23d83b8100951184d8785e19e2d231d9923

Download Submit
C:\Windows\SysWOW64\Heapdjlp.exe

Filesize
300KB

MD5
5b5275a682150f9dd0a4e64ddc9d4b8f

SHA1
3985d1597747e3294870fe345d36f5b13c8da343

SHA256
ac60c7431837a128f623b7e240ce86de392fb3829068f381bcc246c32a222ecc

SHA512
dc314a9ec8f7625f36b47745d328b6eaa818eca8c32d41f36032caba3f748e3e75f99feec9f66f78c38583baa138ccb27d175841a3e1c2f719c62d99904b9766

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
300KB

MD5
0173d5c48f61e7a9833c3b5f5bffe728

SHA1
66c9c9dc4c1f6d728dc44636fba1db5ff04b8952

SHA256
6de557b04ccaf6415b31de71a4bf713f7e6b4df46bccccd2b2b5bf25f636a211

SHA512
6a4ce8ab01320ca8e495615d2222a03d3eb74048aa648f745b67d3a295c170a86e4817cc267462a77a9dd2f333ee153196375853bfabab4ed0f1b6bb84c88307

Download Submit
C:\Windows\SysWOW64\Jeaikh32.exe

Filesize
300KB

MD5
e657b6555608a7428dd0311b2003e692

SHA1
2b2edc6416bbffc618a01e85cabbcdccf1c7cef4

SHA256
0ecf14a1a18af7823bf1c01d8e49a6b0d5ad963d7fd48bdc8df86cd02e6d5fb6

SHA512
d40c705c00912bf0cb385184333e270a2af0e5db0b76da6b5bf07f8d3fa56284207ae4bea57ddf4823af445020f2c4ff3be1a9d8d40432e9c25f56d2f96a6ccc

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
300KB

MD5
27bc813f6086c090c6985036ac6295a5

SHA1
88f4e480888dbe4d9bd2c6816e55b0553ae3d797

SHA256
3411305d4771380e2c93518cfbf7c96d9b7d32151d11baa6ba6a452c2d1c0590

SHA512
e73ad60b924d54cb34fb0cd73869704b73bdb1da4ed06dc6691d3c52907027630d82f3f194dd9a8b12c30b811f2e0b19ad60db1ce598d3593bbdc9d80eec8456

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
300KB

MD5
351a60a3ae246315269d7a81ec5e0393

SHA1
e8db807b1f3ad4244db161be5fadafc27f3013e7

SHA256
f0d522278b8683cb1a58271de8aa03821bbd82bb84fe87cba944ae910474b038

SHA512
cb1a4e1fcd2de92064c941a2507829c59e02eee5c3d3518bcb49ccf490206c7b869d22cb8ce62e650c728ceac966fa48fc7413ac02b77d59da4a41eb0e9de312

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
300KB

MD5
4fafed0f56c28fd67eaaf0bb30d318ea

SHA1
440329c1814f5b551802d05c16496989d0ef7885

SHA256
5e68ae2636ea65d9310111bb1ad39f0917855cf24cb5d809056c38b54aed67f2

SHA512
680563a9dd067ea9cb1320fc8bf82d661cc123ba998a9b0540e1f1ecb82c07430c1b8fab03d39ad54d542825c6e05e6d9a7803e85dcab3ae774fd1d3625322c7

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
300KB

MD5
d64bb13bb913d7b1dca73c831f82bd57

SHA1
2746acb66ac657031236df1208138adf2d38e1ff

SHA256
f267513b0f7e174e22b175609229a25e6f609e0bdc29af035bdd51ec80fa6b0b

SHA512
6641299c47bbbf7aebca7ee14bb6e31387e9445396ff4056b8a37b8a28919786088e6c7debac0ef9981083c939a911e9f23b56d3ae962657d1bed77bd6bcbfe6

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
300KB

MD5
39d5783bf8ab15e9a28f4a262dec40c7

SHA1
9537a4770a935242bf48cfc869c6be5dcc039ec0

SHA256
d60b2aeca5573d34908a90a667374f96e6a74e0d7a795cd39922c095ea16665f

SHA512
9468667049646a49de5642cd734ac08612710390f83551f320a84b7799c9846dc5dd1ffaa37121dd73ed86fb659788fd9c500244028a5670ff56a09e2f3abb8c

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
300KB

MD5
837b9050ee7150a770469e6f92040213

SHA1
60f0babbf597b26dec6cf342451c7f23698e305c

SHA256
40928a57f46da8c1fe01130d91dbcc89d92b757bdcccdfc37722b73b037919c2

SHA512
58aceff77a5e74d1461a76b5ded2e9b62deed4ad903c84c3bcac7f03c232a5e8f44a12a08deac7514c864263ae6e3ed55f4fcdfaa0fa2477fba6c3b26bf855d8

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
300KB

MD5
885339c3e850e995cb8b2c0867bb79d2

SHA1
7a703d0c4bd2a8ef29bdc5a9630d2daab1b61920

SHA256
4b752a6c1ed76032ef26e2af809d13f178e106b32dc080b22bc1b8ac13fa8d78

SHA512
1a2f5e55d930f10f81aac714ddd2367000ee1cc625d61ca820513f7488673d2c6946784ae0d84dd4ec4bda62331f7a56a2a1bde129f0ef1574c42ad9bc7a4766

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
300KB

MD5
6faf3950c8ce5410767a1ffa5389da8c

SHA1
5666036ee9161b69b37dff405917c9960a2013c2

SHA256
0e40365a566412e2102cec5d93ee7718546d64a65ee1c0bfa941053d51330657

SHA512
e1cbfb773c18a10ef42b056931ef299f3bab858c0478cf75e96e3db39f07209cedcddaa06b2604e70b39b4628fadd4e457348f23b328087cf81934230824733d

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
300KB

MD5
16245886c8650fe88ca8afdf5af1fad7

SHA1
09411da811441abcf03c0fd05ce37b5407b776e1

SHA256
4f886281a42c3eff09b91fe2ce9459dfe7c3eef9a56be5eec5a76a3d324b8c3f

SHA512
e4ade8a462e64c6c59b5d036dc3d9f91b4f6ac3b43efbfc966bc8037aca24094bcbf82652429a565974fc610c657e8a67939459431ee16532f23a802b43ae670

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
300KB

MD5
47c0b8e3b778e5977f1994723206f9d6

SHA1
04c431d97c3416fc7a66b33b3509d76051612a5e

SHA256
3833b3b9986903139b30cc387521d8e1556a2ee270c954cb1fd6da39005aa232

SHA512
0fc44f30930796ad4cc2fc3bdee4ad2c2f20fb9aa30247109782d3be186f2d9d75870c27ab4cb48fc351a2c0126b6a11c6a1116862eaec991303bfb691932a51

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
300KB

MD5
bff7e7040b93aac8b8ff3f5f0c2008fd

SHA1
f7cf6e51e2d76ce65fd43b2c5c7e510b647853e8

SHA256
23f303d45373134d4a439bc81845706c8ce9b4a790a7c6a0d71f7e7affbe5467

SHA512
4a80210b31d97a2676636d81db045897a80cd0af14516ed9d047b363bff58f4eb3753d15ff6da50d163638f5f0c72823b4215562b2b81e6f4f8c81c8cee68722

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
300KB

MD5
7e0e33152f12ac4f75d70aa20a288bc1

SHA1
c8e9d805bcba6f468b99cfdcc57061b8d9280201

SHA256
253f276ffccd2d4e5cc0daf7f126fd64c8061d363abd63d91e647adf69980bbc

SHA512
6b5cac33e6fb052c53f0ba10e0271acbf0bf124c485acbfdabcecbeb8ede3cbc659e90b2201da03feefea87d5ae644a40fa1003fb02976cc765da21c70b0d9ef

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
300KB

MD5
1d0d032ef7be74840fc8e58279e6f106

SHA1
f8a05ac6036a9ef67bdbb867a0b20152cc6705e4

SHA256
d3a21bf24398248125dc1d015f39121dff581896638242f1bfe8b661a6d862a3

SHA512
f6bb20c5baf8529e52e5744e33b1411f08221e8babdbf0dde7649bf04ccf1e4204ea780571a8af2e25df7b3a1a08c6e4f259a6c3702e41d77dc7fd587ca24dd1

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
300KB

MD5
5cfbc1fe2a40820fed3b16c246414092

SHA1
157dd59659e84eefd3fb520d72535892fa08136c

SHA256
46d91efabc9ad85f3e2c771694aaf2aa9f36c1cd09fc2970c61c076385516b5c

SHA512
fffd97164d638bbd8ba4a7db5b91480cda459a6d4079ef786a015718f1f81b28b44cfc780ff99ac284ea6ca4826400ef97c345e753a083d2a828938631988de8

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
300KB

MD5
3609088d20a458868bab1c689b72ab36

SHA1
f126191c1324f9f8e08c85379e7b6a21ea47a8f2

SHA256
9539bc3fa19959b307dc1551f9cc8fce8d7fe74566911d16d57630aa633bfb7e

SHA512
b64cd024519f1a1abf830c06dabfe519b17005bac2368137258c3e60ceaae48a1e2418ecd8179b3d137352afe683f1ad9200a1e774ddbb1721c35d83986addfe

Download Submit
C:\Windows\SysWOW64\Obidhaog.exe

Filesize
300KB

MD5
7e1bd161a7522a46e6ae770305293324

SHA1
d838917d5082cc837449b0906f8fbca65b888083

SHA256
20206682835bfe7f7f0b558743cdf754f55ceced8f3f7926308b45dce0d75293

SHA512
c85fc738d8f04520268870ea354725a876972959040ee61b92a8e939796c987f7bbe280842bccf7b0b872fbe2f9f75a704114b65d65d206eee984b4281eca01d

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
300KB

MD5
8fe4a6753942de0b10fcbb46c3fb1ffd

SHA1
a053f9669e4650740b8d789d58a81add661529a3

SHA256
cdb7afb80f098a39950d99875d70d750d003ae898a6d8066b2aa0f64edcffe87

SHA512
f354091767fba3e91575892fc1e5013afe05194e0b66cf4ac68701e6581163e365cb2c2bb3b12d6ca704fd5b4c3978fd1f2c9965875b83290a901af08ea5d6c3

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
300KB

MD5
ba4ed16be284cf06707e0269ec55dfa6

SHA1
84aaa6aa6550880b4f9789542a2ac66a32303057

SHA256
e03aed0e02c5d725edf00734a9fe599f6b1533ef173a403477efc7e65182a355

SHA512
6be86603442847fb9d0ba8d7ba5ed3c0c83b21a764addb1731765927b65f2b4fa737a766505382625f70b5d3d2db6e2cd95eeaa8dc0ae1f1e9e5e42b2c757c36

Download Submit
C:\Windows\SysWOW64\Pbpjhp32.exe

Filesize
300KB

MD5
c5cd0b1dd04334181e72bb5a1aabbced

SHA1
89899f721bf0efdbd816aed1caa624a15851e2b0

SHA256
1079dc076e32ae0962e1d1f9b4db2e81cd05da4e2aaf48cbad08998c524b8177

SHA512
3d08acf5079d8206c57c1b662cf0a1f794f7b7b49a50238558a24086bde2650b114aa026f216daf0e9c3078c3397bf6ac3bf819e6ee782a242edfa692d4a1875

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
300KB

MD5
7dc4c350bb18038b26c4847eb70767a4

SHA1
0c0c0efcb530c226e737a007961a8c02a07f7cc3

SHA256
ab91d5c4c48b342cec14b011ec694c63355793e2514098864c4b57b16b9b16fd

SHA512
0fc1dbb7f7514f038349e14a1c94b2a896eae6d8c27e458598eb0ce838b89144fbbd2ea5f9b0d165bccf9682f3816914fa03ef67638b58632b21d04623c43018

Download Submit
C:\Windows\SysWOW64\Peimil32.exe

Filesize
300KB

MD5
4e7bb4c1263d7da0588e0f51b96e85a1

SHA1
901edea1c3b4f55f977c820f8b3020f44aa2925c

SHA256
4861393829e6cc148035b57c12eed7848c2bd3d4ae21c08bba092b5e69015fdb

SHA512
61c599f8e0627efecdb14343e98d45de2ed09743afa1224d99878bc4768a691b8c23297f70f48a65bc6435ce07f5c1a0848dbea102b7447a52a1fb46c6899710

Download Submit
C:\Windows\SysWOW64\Pengdk32.exe

Filesize
300KB

MD5
6de1375b3ba34b76ddb71ada7d26c0d3

SHA1
48ae002a639abce7033af76dc71baaf999e6c27b

SHA256
82e81a95fe2a179c26739a03a2ad96579c7f5aef23fe0996f8e31a50141b789a

SHA512
ce1aea04e458dac7a9eb0e4e0ba9ec2560483d45fcfe0a2fcf17da61939ba3749d1b11538e1218b7082c7eb90abeaa7a3ac4db540f8e69502a3bd45722939bd4

Download Submit
C:\Windows\SysWOW64\Peqcjkfp.exe

Filesize
300KB

MD5
6c6b006a6f8fc0f7ad51fb168a2f4844

SHA1
5ea220c5d4e4fe6dc764694885d6126015b392b9

SHA256
dfea4af39a48f55e4d6f91e5bd70e3d088680e5b64c1311a4695c0167b8b043b

SHA512
e28eb26989bcd2e60615c726fe49fd2626abba34d695edad883fcd6d6233833fdb68d165828437c1b86624c9675dee0284cbee6f93f5bdf62e78421132838495

Download Submit
C:\Windows\SysWOW64\Pghieg32.exe

Filesize
300KB

MD5
bdbcc4c262e2086aa05643ae5b441d8a

SHA1
f509b360fedd999c659ae0ae4d27f4086b951e5a

SHA256
c9c35ff1ae15d8da6909bc04cd9c52a38336b4bec13390a85dfc0c560fc0d579

SHA512
17442b14138b94ce70ef7fea46b6a1c1f41fc915bd2d97a6ed3451a2961a04cc16a4957948d3b3ac1c80218337ccd98ba909ca03a5eb857bf35d3af7ede52307

Download Submit
C:\Windows\SysWOW64\Pjdilcla.exe

Filesize
300KB

MD5
2af428738b4e55bfc59515a89bcd7e5e

SHA1
3f082edef14af1dc3a52587398fd0cc9bbc7858c

SHA256
27308ed442ff9e162d04ca7211a20e4f6d38284e7496c946e06f108297377bd9

SHA512
6534572ecaf809f30f966fd05f06cbc49fdf6c5f6edc7aa0d639f6242d37adce00b04cc0bebf4f0b6b1e4c15e74df06149decb52732d2325b8c82a49b91da409

Download Submit
C:\Windows\SysWOW64\Pnihcq32.exe

Filesize
300KB

MD5
757a6e79f2de99c098a26a03358a23d4

SHA1
67ef5b30dba8a32964b585c1ea1d426ccd064ef7

SHA256
e101dac1ea33626314ab908c8c17eec4434afcbc8580dd05f3915949f32586b0

SHA512
b77df50b0cfc0a5975bdea3b361407895fd51ee44820f823b2387ce3ddc33cde66d91a7302091a9620410618f6aa8109f6e2989e29fd7c8b055dae564a37d566

Download Submit
C:\Windows\SysWOW64\Pnpemb32.exe

Filesize
300KB

MD5
62dc5818298c88517daf52a2f79dd2c0

SHA1
e2289753ad3b4687862f312a599ffe146b76b5cf

SHA256
e2cb50da08e5aa42ff3280a44728a267c3370f1867f8e32ac5db83ac7bc29de1

SHA512
21305ffff54e2edb4e683b471371e8cc8873371383509b7530833952f3c7338ee0a252a9df07146380322d676a9393b2c980c34138a07834c2fe854212ec5f65

Download Submit
C:\Windows\SysWOW64\Qloebdig.exe

Filesize
300KB

MD5
7ed0810a601479bf757a906745343002

SHA1
5b531e8b42cac1f4b009a78476d825be060a1ecf

SHA256
06e8960c416942cb523a4fbbc49440e62dc2a9df4e17aa6ee032ff1c2b9d0121

SHA512
0209cf44b7e5662faa51caf62c51d43eccd240c35e4b9fcc06e8b54df2a297434a42f93399c9390bdae4e027779835b77d9750796715deaa37d136318bd90524

Download Submit
C:\Windows\SysWOW64\Qnkdhpjn.exe

Filesize
300KB

MD5
d088057fc148d48721d674840c8fa5cf

SHA1
d8b7ab19b01c6b1e1c998cf54417e986b0fcb88c

SHA256
f466fa0b6921e618086891bf851dd8b08055e596f238d93ea0b4d5fc08309a42

SHA512
bd34d841465e056a6839fc8a00ef93b38ffcbf54d0394e8c6875968d060fbe1628f35a465665f452e158c1bc8a3238da33d62f0f4086ae99fd84ce535dadf652

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
300KB

MD5
6489e0365bdcef090858bb65cfc1dd9b

SHA1
620713924943bcbadc169d52378a88f66e4e488b

SHA256
922e7b107bebf0f2f7c026ec0d45c22ce5d4f11b7314d8a81056885e9ab30ee8

SHA512
f67b6942bef6458d3ddf50646dbf0f177ed3f3308f738107ed604f4d18e8641f2e1e8d14931ccf1569db3f9e0be11f280f45e28a6c76a1b4a34eb667779c3045

Download Submit
memory/232-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/232-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/400-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/400-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/424-383-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/740-287-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/808-273-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/836-467-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/884-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/996-521-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1032-413-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1064-527-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1176-509-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1224-495-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1272-129-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1328-323-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1356-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1480-473-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1632-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1668-425-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1704-266-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1708-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1900-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1920-577-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2076-437-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-479-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2088-431-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2124-449-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2320-257-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2328-225-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2368-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2408-546-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-567-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2576-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2604-371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2660-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2908-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2960-559-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-455-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3060-395-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3088-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3096-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3096-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3124-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3132-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3164-333-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3188-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3208-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3244-53-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3288-443-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3308-281-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3428-312-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3584-580-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3608-419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3656-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3680-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3696-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3712-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3880-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3996-359-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4020-540-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4084-461-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4092-401-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4148-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4164-497-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4184-105-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4196-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4216-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4376-389-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4408-251-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4484-596-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4484-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4496-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4500-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4500-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4500-539-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4568-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4580-519-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4600-209-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4640-553-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4672-317-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4740-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-598-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4816-599-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4816-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4832-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4852-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4852-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4864-489-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4880-377-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4932-533-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5004-181-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5012-73-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5036-121-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads