a5ddc26ff17d13fe6cb9092bb1e2000bf44ef28e1046bacbde384c10c1d3868b

Analysis

max time kernel
138s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01957e27e5c47c81d20b8680fa6d4240_NeikiAnalytics.exe
Size

80KB
MD5

01957e27e5c47c81d20b8680fa6d4240
SHA1

72d7f11044abd8207847d838a65f937b0cae61f2
SHA256

a5ddc26ff17d13fe6cb9092bb1e2000bf44ef28e1046bacbde384c10c1d3868b
SHA512

60d497d0d160c9ce0f2985ffb62051d6f576bb22a601202ba7620673b2bf928fa274665103ed9bb16c78f9a9c0e1322613d5bfe3f9fa274e1acf687c617c82c7
SSDEEP

1536:0bpuk2i2hUFa+cX6tBOMReUuz5vDeD2L+CYrum8SPG2:0bpuc2uFXPtBVgDj+VT8SL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlojkddn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elagacbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dchbhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chebighd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcopbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clnadfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Domfgpca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dabpnlkp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccfmla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fifdgblo.exe

Executes dropped EXE 64 IoCs

pid	Process
1844	Aahdqp32.exe
3360	Blnhni32.exe
3100	Boldjd32.exe
1508	Bakqfp32.exe
5080	Bhdibj32.exe
3336	Booaodnd.exe
4076	Bidemmnj.exe
1920	Bpnnig32.exe
3708	Bbljeb32.exe
2396	Bifbbllg.exe
4788	Bpqjofcd.exe
1960	Bbofkbbh.exe
5016	Biiohl32.exe
1216	Bpcgdfaa.exe
2216	Badcln32.exe
880	Chnlihnl.exe
4572	Cpedjf32.exe
4368	Cccpfa32.exe
4560	Ceblbm32.exe
844	Chphoh32.exe
2672	Cpgqpe32.exe
416	Ccfmla32.exe
2324	Cedihl32.exe
1524	Clnadfbp.exe
2440	Cakjmm32.exe
3776	Chebighd.exe
2500	Coojfa32.exe
4816	Ceibclgn.exe
3224	Cidncj32.exe
2296	Clckpf32.exe
444	Capchmmb.exe
4356	Digkijmd.exe
4352	Dlegeemh.exe
4472	Dcopbp32.exe
2360	Dabpnlkp.exe
3988	Dlgdkeje.exe
4024	Dadlclim.exe
2800	Dephckaf.exe
4072	Dhnepfpj.exe
520	Dohmlp32.exe
1116	Dcdimopp.exe
2712	Debeijoc.exe
3260	Dhqaefng.exe
1724	Dphifcoi.exe
4116	Dokjbp32.exe
5108	Daifnk32.exe
1028	Djpnohej.exe
344	Dlojkddn.exe
1872	Domfgpca.exe
2548	Dchbhn32.exe
3092	Efgodj32.exe
2168	Ejbkehcg.exe
2328	Elagacbk.exe
4060	Eoocmoao.exe
5044	Ebnoikqb.exe
4588	Efikji32.exe
4932	Ehhgfdho.exe
2408	Epopgbia.exe
4004	Ecmlcmhe.exe
4620	Eflhoigi.exe
4760	Ehjdldfl.exe
2172	Eqalmafo.exe
4120	Eodlho32.exe
4568	Ebbidj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kbbfkb32.dll	Elagacbk.exe
File opened for modification	C:\Windows\SysWOW64\Eodlho32.exe	Eqalmafo.exe
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jehocmdp.dll	Dohmlp32.exe
File created	C:\Windows\SysWOW64\Gbjgbh32.dll	Eqalmafo.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Aamgnn32.dll	Chnlihnl.exe
File created	C:\Windows\SysWOW64\Gifmnpnl.exe	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Lpacnb32.dll	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Gbajhpfb.dll	Gidphq32.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Eoodnhmi.dll	Epopgbia.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Pkbjnl32.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Dmnlpfhd.dll	Fcikolnh.exe
File created	C:\Windows\SysWOW64\Dohmlp32.exe	Dhnepfpj.exe
File created	C:\Windows\SysWOW64\Ejlmkgkl.exe	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Odhibo32.dll	Giacca32.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hippdo32.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Icpdfeeb.dll	Bifbbllg.exe
File opened for modification	C:\Windows\SysWOW64\Dephckaf.exe	Dadlclim.exe
File opened for modification	C:\Windows\SysWOW64\Ebeejijj.exe	Eqciba32.exe
File opened for modification	C:\Windows\SysWOW64\Fqkocpod.exe	Ficgacna.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Gdibmd32.dll	Biiohl32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ecdbdl32.exe	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Ogedoeae.dll	Eqfeha32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Dlegeemh.exe	Digkijmd.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Gppekj32.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Gcjdcc32.dll	Bpcgdfaa.exe
File opened for modification	C:\Windows\SysWOW64\Clnadfbp.exe	Cedihl32.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Goohek32.dll	Boldjd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7680	7384	WerFault.exe	339

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blnhni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlegeemh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamgnn32.dll"	Chnlihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcglkid.dll"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccfmla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boldjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boldjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dadlclim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgbbq32.dll"	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diblfl32.dll"	Blnhni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfhehdem.dll"	Ceblbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knceql32.dll"	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogedoeae.dll"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggipmfe.dll"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfpgmlj.dll"	Aahdqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chkede32.dll"	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbljeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlqig32.dll"	Dlgdkeje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genjanmh.dll"	Dephckaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odhibo32.dll"	Giacca32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1844	1752	01957e27e5c47c81d20b8680fa6d4240_NeikiAnalytics.exe	85
PID 1752 wrote to memory of 1844	1752	01957e27e5c47c81d20b8680fa6d4240_NeikiAnalytics.exe	85
PID 1752 wrote to memory of 1844	1752	01957e27e5c47c81d20b8680fa6d4240_NeikiAnalytics.exe	85
PID 1844 wrote to memory of 3360	1844	Aahdqp32.exe	86
PID 1844 wrote to memory of 3360	1844	Aahdqp32.exe	86
PID 1844 wrote to memory of 3360	1844	Aahdqp32.exe	86
PID 3360 wrote to memory of 3100	3360	Blnhni32.exe	87
PID 3360 wrote to memory of 3100	3360	Blnhni32.exe	87
PID 3360 wrote to memory of 3100	3360	Blnhni32.exe	87
PID 3100 wrote to memory of 1508	3100	Boldjd32.exe	88
PID 3100 wrote to memory of 1508	3100	Boldjd32.exe	88
PID 3100 wrote to memory of 1508	3100	Boldjd32.exe	88
PID 1508 wrote to memory of 5080	1508	Bakqfp32.exe	89
PID 1508 wrote to memory of 5080	1508	Bakqfp32.exe	89
PID 1508 wrote to memory of 5080	1508	Bakqfp32.exe	89
PID 5080 wrote to memory of 3336	5080	Bhdibj32.exe	90
PID 5080 wrote to memory of 3336	5080	Bhdibj32.exe	90
PID 5080 wrote to memory of 3336	5080	Bhdibj32.exe	90
PID 3336 wrote to memory of 4076	3336	Booaodnd.exe	91
PID 3336 wrote to memory of 4076	3336	Booaodnd.exe	91
PID 3336 wrote to memory of 4076	3336	Booaodnd.exe	91
PID 4076 wrote to memory of 1920	4076	Bidemmnj.exe	92
PID 4076 wrote to memory of 1920	4076	Bidemmnj.exe	92
PID 4076 wrote to memory of 1920	4076	Bidemmnj.exe	92
PID 1920 wrote to memory of 3708	1920	Bpnnig32.exe	93
PID 1920 wrote to memory of 3708	1920	Bpnnig32.exe	93
PID 1920 wrote to memory of 3708	1920	Bpnnig32.exe	93
PID 3708 wrote to memory of 2396	3708	Bbljeb32.exe	94
PID 3708 wrote to memory of 2396	3708	Bbljeb32.exe	94
PID 3708 wrote to memory of 2396	3708	Bbljeb32.exe	94
PID 2396 wrote to memory of 4788	2396	Bifbbllg.exe	95
PID 2396 wrote to memory of 4788	2396	Bifbbllg.exe	95
PID 2396 wrote to memory of 4788	2396	Bifbbllg.exe	95
PID 4788 wrote to memory of 1960	4788	Bpqjofcd.exe	96
PID 4788 wrote to memory of 1960	4788	Bpqjofcd.exe	96
PID 4788 wrote to memory of 1960	4788	Bpqjofcd.exe	96
PID 1960 wrote to memory of 5016	1960	Bbofkbbh.exe	97
PID 1960 wrote to memory of 5016	1960	Bbofkbbh.exe	97
PID 1960 wrote to memory of 5016	1960	Bbofkbbh.exe	97
PID 5016 wrote to memory of 1216	5016	Biiohl32.exe	98
PID 5016 wrote to memory of 1216	5016	Biiohl32.exe	98
PID 5016 wrote to memory of 1216	5016	Biiohl32.exe	98
PID 1216 wrote to memory of 2216	1216	Bpcgdfaa.exe	99
PID 1216 wrote to memory of 2216	1216	Bpcgdfaa.exe	99
PID 1216 wrote to memory of 2216	1216	Bpcgdfaa.exe	99
PID 2216 wrote to memory of 880	2216	Badcln32.exe	100
PID 2216 wrote to memory of 880	2216	Badcln32.exe	100
PID 2216 wrote to memory of 880	2216	Badcln32.exe	100
PID 880 wrote to memory of 4572	880	Chnlihnl.exe	101
PID 880 wrote to memory of 4572	880	Chnlihnl.exe	101
PID 880 wrote to memory of 4572	880	Chnlihnl.exe	101
PID 4572 wrote to memory of 4368	4572	Cpedjf32.exe	102
PID 4572 wrote to memory of 4368	4572	Cpedjf32.exe	102
PID 4572 wrote to memory of 4368	4572	Cpedjf32.exe	102
PID 4368 wrote to memory of 4560	4368	Cccpfa32.exe	103
PID 4368 wrote to memory of 4560	4368	Cccpfa32.exe	103
PID 4368 wrote to memory of 4560	4368	Cccpfa32.exe	103
PID 4560 wrote to memory of 844	4560	Ceblbm32.exe	104
PID 4560 wrote to memory of 844	4560	Ceblbm32.exe	104
PID 4560 wrote to memory of 844	4560	Ceblbm32.exe	104
PID 844 wrote to memory of 2672	844	Chphoh32.exe	105
PID 844 wrote to memory of 2672	844	Chphoh32.exe	105
PID 844 wrote to memory of 2672	844	Chphoh32.exe	105
PID 2672 wrote to memory of 416	2672	Cpgqpe32.exe	106

C:\Users\Admin\AppData\Local\Temp\01957e27e5c47c81d20b8680fa6d4240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\01957e27e5c47c81d20b8680fa6d4240_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\Aahdqp32.exe
  C:\Windows\system32\Aahdqp32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\Blnhni32.exe
    C:\Windows\system32\Blnhni32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\Windows\SysWOW64\Boldjd32.exe
      C:\Windows\system32\Boldjd32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3100
    - - C:\Windows\SysWOW64\Bakqfp32.exe
        
        C:\Windows\system32\Bakqfp32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1508
      - C:\Windows\SysWOW64\Bhdibj32.exe
        
        C:\Windows\system32\Bhdibj32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Booaodnd.exe
        
        C:\Windows\system32\Booaodnd.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Bidemmnj.exe
        
        C:\Windows\system32\Bidemmnj.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Bpnnig32.exe
        
        C:\Windows\system32\Bpnnig32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Bbljeb32.exe
        
        C:\Windows\system32\Bbljeb32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Bifbbllg.exe
        
        C:\Windows\system32\Bifbbllg.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Bpqjofcd.exe
        
        C:\Windows\system32\Bpqjofcd.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Bbofkbbh.exe
        
        C:\Windows\system32\Bbofkbbh.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Biiohl32.exe
        
        C:\Windows\system32\Biiohl32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Bpcgdfaa.exe
        
        C:\Windows\system32\Bpcgdfaa.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Badcln32.exe
        
        C:\Windows\system32\Badcln32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Chnlihnl.exe
        
        C:\Windows\system32\Chnlihnl.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Cccpfa32.exe
        
        C:\Windows\system32\Cccpfa32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Ceblbm32.exe
        
        C:\Windows\system32\Ceblbm32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Chphoh32.exe
        
        C:\Windows\system32\Chphoh32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Cpgqpe32.exe
        
        C:\Windows\system32\Cpgqpe32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Ccfmla32.exe
        
        C:\Windows\system32\Ccfmla32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:416
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        26⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\Chebighd.exe
        
        C:\Windows\system32\Chebighd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        28⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        29⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        30⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        31⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        32⤵
        Executes dropped EXE
        
        PID:444
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:520
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        42⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        43⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        45⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        46⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        47⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:344
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        56⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        58⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        60⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        61⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        62⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        64⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        65⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3804
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        67⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        68⤵
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4544
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        72⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2560
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        75⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        76⤵
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        77⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        78⤵
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        79⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        81⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4168
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        83⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        84⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        85⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        86⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2428
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        88⤵
        
        PID:820
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        89⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3252
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        91⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        94⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        97⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        99⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        100⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        101⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        103⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        105⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        106⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        107⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        111⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        112⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        113⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        114⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5188
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        116⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        117⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        121⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        122⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        124⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        125⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        127⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        128⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        131⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        134⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        137⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        140⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        142⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        144⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        145⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        146⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        150⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        151⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        152⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6668
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        155⤵
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        156⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        157⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6880
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        160⤵
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        161⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        162⤵
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7052
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7096
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        165⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        167⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        169⤵
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        170⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6512
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        173⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        174⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6808
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        176⤵
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6972
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        178⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        179⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        180⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        181⤵
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        182⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        183⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6724
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        185⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        187⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        188⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        189⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        190⤵
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        191⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        192⤵
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7160
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        194⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        195⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        196⤵
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        198⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        199⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        200⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        201⤵
        Modifies registry class
        
        PID:7176
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        202⤵
        Modifies registry class
        
        PID:7212
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        203⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        204⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7344
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7388
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        207⤵
        Drops file in System32 directory
        
        PID:7424
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        208⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        209⤵
        Modifies registry class
        
        PID:7520
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        210⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        211⤵
        Drops file in System32 directory
        
        PID:7608
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        212⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        213⤵
        Modifies registry class
        
        PID:7692
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        214⤵
        Drops file in System32 directory
        
        PID:7740
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        215⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        216⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7828
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        217⤵
        Drops file in System32 directory
        
        PID:7872
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7912
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        219⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        220⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        221⤵
        Modifies registry class
        
        PID:8040
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        222⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        223⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        224⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        225⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        226⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        227⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        228⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        229⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        230⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        231⤵
        Drops file in System32 directory
        
        PID:7928
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        232⤵
        Drops file in System32 directory
        
        PID:8024
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        233⤵
        Modifies registry class
        
        PID:8100
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        234⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7220
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7372
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        237⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        238⤵
        Modifies registry class
        
        PID:7508
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        239⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        240⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7688
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        242⤵
        Drops file in System32 directory
        
        PID:7868
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8004
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        244⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        245⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        246⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 408
        247⤵
        Program crash
        
        PID:7680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7384 -ip 7384
1⤵
PID:7512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aahdqp32.exe

Filesize
80KB

MD5
fe3eb6a359383a46f81666f8ab9ccc94

SHA1
d84531759b4838c144d71b76a89f5c8a69ffcffe

SHA256
08f121338690a925f5f08798811d1fcfc55d64ad861062b7163158b8973ef0f5

SHA512
293e2faf41eb80b1b59a60bea714d4d2d5814d934f0690cce1d9ccac30233ed3db0ce5c2220a2a7918345e597faac6e4bf5ce1a1421dd03673ec2e1cc7dd002e

Download Submit
C:\Windows\SysWOW64\Badcln32.exe

Filesize
80KB

MD5
3989fedccfc679247770667356300871

SHA1
e4a14b4100e57cc8518f2eff8635902e80b982af

SHA256
567bb1d79a33a033bf3a294a6a4160d240548e76817fda3f16997ff9468cb2dc

SHA512
c2053bf6f2ad662f0653926906de4b992cb19430a65676aa6b568b1af545134f5e8b9ebc41ea70c44179bbbface054bcdc6df94e612f98846885100056900eb9

Download Submit
C:\Windows\SysWOW64\Bakqfp32.exe

Filesize
80KB

MD5
d64c1f7b3872d58ad8cce0fcba420dd3

SHA1
320865df1a50732a9c0b05b4c1a28a170a8acf13

SHA256
b7ce0442080ac1a16206baac246843e2044f792199e153ef9e7d1774561ffc99

SHA512
ef4852dd45062762898425f6f3dc1684adba6d46e86ff18b4015cf8bc4c4d98f73f2f2bb9663a53f74dca3514e670e7474f60e82e815ed7aeaf50a70c3458489

Download Submit
C:\Windows\SysWOW64\Bbljeb32.exe

Filesize
80KB

MD5
3ac63c3f2128a8fd35ed609c7595c6f9

SHA1
8324aab80dd171be2ae66171e94ff7d050547377

SHA256
eae378d885638aa5c00c4f6d2e0eb9d1417cd118af65fa7421bff651d846c253

SHA512
575a683285e4620298e1118d960e6881c627bdf50ebfaed5d64103408ec8c9a3e619c2d3c281790b6f8d106cf1ff6b6e10d52546576b6357ec0b8eb4f5b3596f

Download Submit
C:\Windows\SysWOW64\Bbofkbbh.exe

Filesize
80KB

MD5
0457afb21cced918c691679249dc05f9

SHA1
ba3e33f32e85f5fa966d75e34a93594ceff7c451

SHA256
c8e7f6e08f6a08d099a29f7e88ffed012f24c67ec464673518a786c2cd59f1d9

SHA512
106f32b576f3ea8b00be7feaf6551ed34533a628a24b10eeca96cce2ed70c73f505cbe67ec766e0a6041433cb1292f71dadfa8851f9d98eccdde7cb6ba91f42a

Download Submit
C:\Windows\SysWOW64\Bhdibj32.exe

Filesize
80KB

MD5
920aa2d1371b3a46a26a87df63fac030

SHA1
8f8517afa49b9be53291d7f4b40c92246a1628d1

SHA256
1719c526c00c3d859ed0cb4cb8be7f062fa2ac5774f7ee435463816b77771622

SHA512
c85f135f14f983dc6209f22d9deb77260ebb41cc11cb4ef91f77c886e259f6acb08ed51ac52ec8577847d23117a1a3e8bb4e5ceb7332631334371f1a05f1f96a

Download Submit
C:\Windows\SysWOW64\Bidemmnj.exe

Filesize
80KB

MD5
4ffb8b803b0a3890a40ebecbbee87a8e

SHA1
d0e9a7275acd13db0302b141f37084b138d96925

SHA256
37a3ddafffc488bb4f2b33ee531735866c20bce12bc9a3df91899677a3dddcc5

SHA512
372413acb947af81fd5008389b68a834e6042ee1f0c95c17f03cff05845b5dd3157cd84d989e5eefff409e711c1cf6cc10da620c68ca2a17d35ebb9365ee1cf4

Download Submit
C:\Windows\SysWOW64\Bifbbllg.exe

Filesize
80KB

MD5
099ff64a522d0a24f9a72f94c1c3c1ea

SHA1
19b85ca3319fc486390d85bfc61f4208b7de29b4

SHA256
4018f1b6ec11e4d66d978a75e5f2a974185a87ebb20aa21b5264b3a2300a921b

SHA512
1e280b5df845af3012e844ebd1f0b8daf2a9cbaab68bdbb2d7081c0ae7b30510081807bbc6e28b66de697d381be5a3918a2fb8ab799dce960afe0098e5816c88

Download Submit
C:\Windows\SysWOW64\Biiohl32.exe

Filesize
80KB

MD5
baf864bff9dd110bdfd78959e6c2a0d3

SHA1
654d0e16850bcd081ee06b3c64a24d4dc2fb30db

SHA256
db266ec293923b94a88d5a142596196045cd719d3c5ac6201cd2a97d7d8bf1dd

SHA512
80689f0a4ce12c980e9f9e31c9251d7d241a7098f5d92b434f890e8fd2c36301daf87961f0f5788625fb5193526649199925fe13b35a334014920254145c7a7b

Download Submit
C:\Windows\SysWOW64\Blnhni32.exe

Filesize
80KB

MD5
6d6da7e0fc5d0f3d9e5f17574aab55a5

SHA1
7db37d23f0f947dab36f6033774e9db5875c99da

SHA256
72dfe6a7a1be7e3d0fa59ba09e69be53c94ec0257a1a62c263707be2a4923b36

SHA512
47d63f0e2540d6e7188cdabaf0d80cd750e1aa5edbd456b75408516043d180010fb4915bf049ab25c472101e5b2043782a0d7ac251aad98baa0c219f46c13ac5

Download Submit
C:\Windows\SysWOW64\Boldjd32.exe

Filesize
80KB

MD5
ae99a62756609da9a500af8107af6f50

SHA1
137584c8ec84db512f88a4bb38afcd0afc3a2edf

SHA256
ea9ce3c42ec4cb934f06bff9c7813b897d5f91d63e0621e3b72928591a5a1e3b

SHA512
5506380538b0beb26c2c4344ba8e83eb774f1d67b034d999f92c1b1108066ba0e6f6b397201fda0156fcf60378ad75835f6b2e9ad5e0ffe9de36cc84aa4aa3f2

Download Submit
C:\Windows\SysWOW64\Booaodnd.exe

Filesize
80KB

MD5
6ab18f5e87fbd562ff4656bd2175506f

SHA1
33bc90a34b07ebc2c007715636ad62c54ba04442

SHA256
94957a657c79c533cbeec38caa41f29df88d05070d34476f226b827d09bead82

SHA512
d85446529afa13cc7347bd499620ed822eb1575183ad59f219ca22baf3d29db6db7ba97ae2e66d235dca3e558e780d8c43db5defd140cd6b263c68a430494705

Download Submit
C:\Windows\SysWOW64\Bpcgdfaa.exe

Filesize
80KB

MD5
59563e60169356840897a9ac91cf2b3d

SHA1
8d8208a0c1dbafb28eed678181e904f3f53b8dda

SHA256
95f93223dc7438416c03171415b2e12996370f69d313f6ed28c6c7125c6ac406

SHA512
bc08356e4bc893a30a34202397c5894d6e7f5b3857f9fdfd84d2819cc61323bf6c1958f8f7e4d77e4a9baa541c0538b68fd5b21ab1c814ab01d4d29d7d97d1f0

Download Submit
C:\Windows\SysWOW64\Bpnnig32.exe

Filesize
80KB

MD5
dea404c2e2666bf34666cfd78904cc7e

SHA1
c62b03df3ba1014261be644a05b6ccf32139f5ee

SHA256
90b67bf7b2a9045fabfa903ff17f976b242771de6f66951ccd9078b8d8d04107

SHA512
a2784d2049ca31d3d8fc4a4a147bfbcdc7fa948236224ecfb38f424fc2b12e19af871fd8ee3e34f6c3d352f185db1ad9e4108c4692ab1bfb4cda8de7c9edc816

Download Submit
C:\Windows\SysWOW64\Bpqjofcd.exe

Filesize
80KB

MD5
96983ba13de0b39cf1c0df35ac67debd

SHA1
f07aa4515eca3396f2a47fdac42a8a88ea195979

SHA256
c5c8e5f9d9e0e1c7a912f60e169dc4f6fd4515a6d9f3ef5295d33e216f174d32

SHA512
fe1bec8cb663d46527aebf15e88c0247881b947ac450745456b6c7b5dad831ed17dc46ecfb9f62f5ae9b0685ffe987a3a026d3cc2076728610329a938e87845a

Download Submit
C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
80KB

MD5
d9f1f2d70d6ec7efacd83c6ff51f7cdc

SHA1
626920cbfd0ff7cc65e45601f4a5963c8089395e

SHA256
ecba0ddc9a7a163fb7815ec5fafde770f138630bc354f9a841b95416a9b74ab4

SHA512
26a2dfda0977ac7e2083aa8c6c87c0bbde538752ed41900d0017db3bd060bf304b40bc7cc59a616839c36e26ae5ac0d00357f4de503e20d5ef94b1c8f3ed8c0d

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe

Filesize
80KB

MD5
19f7f3c6cf6af37fd710d9e0d16b48d9

SHA1
6fd33dec07f9eb299e17b663f594c44e0eb8e899

SHA256
2d1151d24c49d5d578e2408e8cb4c8d5869e2fde185dc31e61e3ed2dce2f3667

SHA512
285e57bb056dba41b87f4d5a78afa6ccce886cc3b1e13a7b88d3b7337fa1021518fb38db5de6bc1b9d9fbba45ae4e5419cc923c29079510a818f8757495392a9

Download Submit
C:\Windows\SysWOW64\Cccpfa32.exe

Filesize
80KB

MD5
d76cfe8601601c785cc0646359f97a7d

SHA1
dda340d03422f4fcf711c49e38a64ee108f22bc1

SHA256
fa73a74bb8e2325c237aeac5cfd58dbc56e4d0bbc5420dd84eda51fabe5b935a

SHA512
0daf62d26be77faea4966a0861b179e4d80cf108506e5fac172328dcab7c017bd40d36e9daaba39f75859f883783b1cf59d59ac4767913ed403f2df6b249b1d0

Download Submit
C:\Windows\SysWOW64\Ccfmla32.exe

Filesize
80KB

MD5
3d618d6ac514aeed17404ee2747b7c18

SHA1
367b139cc268864658cff40c771aea9da8a98afe

SHA256
46dc5c9d573da6f5b52790ef05a83905e4af0d059622c6bc7489f2675a719aee

SHA512
d4de29c2774823b0f209f6a7f9bcb2ac820a378f6d2c510a4b2097d5c809385cf7cbfd19627b82fe838bbef6196f0efcb6a3b0e2175032a6db60a28153ab548a

Download Submit
C:\Windows\SysWOW64\Ceblbm32.exe

Filesize
80KB

MD5
c1e239ae3c166c7b7198be8c7fc04635

SHA1
befe5c82fb3af41197365d4a6c002d1f8df61e08

SHA256
18e2bbafd306055332305ba346e9685377f98dcfb318b0b98952143efbf6c1e2

SHA512
54545368d036189a42778c7f0a9cc5d05f4b634f23f4729f5bf07450ca7d6fea5f42b309ab06d43ad0591eb4704f3bc7b80fabde8860c40350c9ab9d9d137646

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
80KB

MD5
913b9b294fa67eda560e2bf155e9f498

SHA1
a68069840ce4b47003fb0304cdf4eccdd3ad8412

SHA256
8eee5032e4b6d0a368acb4a6ba477d7e7fc26aaa438e8db8c7730eabcbdf83a8

SHA512
1c857a925c8488e221a0ee943ceed6c7c27753817fc19f48f383e076efd13d80d741ca19180a8aebdedda13e7518a9f2e353af3a4cfff666167ec925a93132b2

Download Submit
C:\Windows\SysWOW64\Ceibclgn.exe

Filesize
80KB

MD5
ed53bed153032b8cbc3b3ef3814fbcec

SHA1
725b3fbff65c03a906144488cee6f14cfd7b5e5d

SHA256
e8dad8c93c3e420471806e6914a3828446d44b19b3cb619480b67b8448a25b07

SHA512
f1ae0cd0dbebe7f6f3028988dcfbbea8ccf22ee55ea894825e8d0810048643f40600e577c9c51484fa4a0ec75732dcb28b361f4a597a4b2afa121c2067b6f32b

Download Submit
C:\Windows\SysWOW64\Chebighd.exe

Filesize
80KB

MD5
34faf8f7955843ef7c1f85d8b7aa93e4

SHA1
8f0c99b0284995d978e0f236cb06dd39d7482688

SHA256
513dcdc20d76bec2e8b7c2b6cd836533cfce1ab16e82968bdd804c39c530e686

SHA512
49fe66848ea441816381ffe9ac067a6cff395da4de19f26f56e5f5fd917d979a043ace0a892eb99167dbb47f908314f0a887c4f1746f5e2607c96d629300f36c

Download Submit
C:\Windows\SysWOW64\Chnlihnl.exe

Filesize
80KB

MD5
dbd8c3a6666042c440182c0aadfa478b

SHA1
60a4442f48e196efc30180ee5001723036598925

SHA256
e0c90191e51f35d381a4628c0b3be86633921c8e6f2def68976aea46e8df19e1

SHA512
57e8876f16e457cfe2ac6c1c7889c42ac93a0a6c506fadbe9dccfce5789009c3378b749aa237fbaecda502bfc699f6b08f7d072e4e9c485089971fc726a40a6e

Download Submit
C:\Windows\SysWOW64\Chphoh32.exe

Filesize
80KB

MD5
b5794d3d3fb1364bf115a8a14bbaea51

SHA1
275b9a8f3070593cce2429ed8da119d80f7027e0

SHA256
94aae8613e16b3f0a68095454445cfcb6abe731c6347dec869008e4c49f149dd

SHA512
d4fdccc1a79b472b417c05ba3b74e41cf608ec5e3c05b239b68ffaaa9de5594b745b61e9c0369db6921b7b95698cf12fe0c7001f3e16cee98ec20a22f0bccb28

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
80KB

MD5
31cbabd3e43e823d25173cc2184a81e4

SHA1
d7825b876a6a360f84b7851a9ed7ecbaeb309d17

SHA256
f94a2a092d6c9698cce593d18dab50f35bdc8209affe347ebe3cc7c1010b9ca1

SHA512
9424fbadf63333242a5411693f49f0a767c43f40ad5c80a5984615f5e39bfe814a3b12fbefe2082e103fb49b9888c969e4f8db57262b343a40f0976dc74d2ce7

Download Submit
C:\Windows\SysWOW64\Clckpf32.exe

Filesize
80KB

MD5
715a0155690fe8d0207aaf862269e2ab

SHA1
c17f073aa30463a47b4060367d7c1b8c403110a5

SHA256
942fbe47b475a0a1cac83a39e919b4a923285ce70e023b5905f1621277798b34

SHA512
6a0ad8f2de2fe52760570801e66c3b5903d5827190d4bdc8910abaa18cbecf71242ce49a86a7512bbde342cfa5e49666f4913046f02b41bce98bd86dede0491b

Download Submit
C:\Windows\SysWOW64\Clnadfbp.exe

Filesize
80KB

MD5
29a2f3fb5fd4a4f9fa51eaf1b53e1d5c

SHA1
eb6c439231962c0dcf5d46ecf911fd3a3794ca2b

SHA256
2860f505e3443d7e9afa599ffe7e5d8b4f625af0fb4d791a0d55428691b1eceb

SHA512
4e062b8b596f53623e52b099f271555291c5cceb6b9e4e3db5cbaa361869f0beb776099d85609781f97480a2088c7d375e292bd4c3146a5ce4c6bcc0a1470db4

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
80KB

MD5
adeb4424dac1c889b1aa737234cf4cf9

SHA1
cec552ce33990693bb49171641785e4de700d56b

SHA256
84e5353f4f9b27843b3bc2515c994f84aa47c69c928a34da4b30b4329462d9bc

SHA512
6177b2eb4c221407e3703ccc0044b4a5d662e18395b2f8203143366e1e9ce31012f17c502fffa895ab9906003bfdfcae708205e153ac5fd6858bb118f703c13e

Download Submit
C:\Windows\SysWOW64\Cpedjf32.exe

Filesize
80KB

MD5
5ffac5883f39b6da4ab9370d35da0c9f

SHA1
8d68e9a492114677eb743a311170e8014113c0e1

SHA256
deeefb428eeaac5beec158c7200e7bd6d39b15d126d4273322907319064b493f

SHA512
f8e2788baf4d143c46c9cb7f55b801ca81da0259e30e747d401dc8f50cce52e96f25549d71f3c886c3f617c04dd60aedd6bcb4a1a6ef3d88e785ba14ab7a9264

Download Submit
C:\Windows\SysWOW64\Cpgqpe32.exe

Filesize
80KB

MD5
e252e791195f1348ff1c54681497e142

SHA1
c312386c3022f9da772d299f57db77053235081f

SHA256
84bc3e318593b407046f2ef3e7c87dd07567f743b318015c92a6e8826a12c033

SHA512
58639768b4a7c821f90d7de541693be1cfb489d6c5137c5012de2fcf91ae36bb7a68ff1f917982f83103d3c0a1cd53afa8cdf44ae2900994c68085d1c219a63c

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
80KB

MD5
b705ccef5e6781336cad351871729a6b

SHA1
eb28b0693e52f2d9b6e8c1785be103627133849b

SHA256
356d5049fb48e2b513b7e147e75849c4687e927981aed3c37224387360e0b1ef

SHA512
202f37b88ad20f20caa33ce29d0d4fdd16fcdf922c190ad98199093e875332ed14813ae27ccdc181acce44510dcdf015871ac5e243c9471741a1fa93571f6e86

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
80KB

MD5
1d79331d6363b702f40b940dfe3b6279

SHA1
113b3071db0557e53a5c60e5e855aa9db802e0ff

SHA256
3659f14d065a16b3f1b05e7e0a1bd9507ea0ee97627693dbba9a81107fc500aa

SHA512
ca31efc5b90d02d7acfcaec30fa855b29535e1dcedcb696dbd6bad574ee62158bbe78af7982adef888b708b00c50c98ab0fcc648076bda77d4ab773315f4ebaa

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
80KB

MD5
e923feb2160b245baaa19b6044859bad

SHA1
d6e3e3697a9c72a2bbf24bb0a5ecac2e3a49f7d9

SHA256
b197e43cd55d08aa2c0a5deb52ddd7cf711c68ab388276cf9b5b837e6cf3a90d

SHA512
764ced56797de682bb82264fd9647713315a0a228e42f5f2b0c7dff78dd67bab1690a1ac36bc6072f35c55bed695e248691dacc1b464cbd0bf38ac7957d809b2

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
80KB

MD5
0e4a9877b110c0ab912d712664c81354

SHA1
e4277a8cb023cd4da62b08316020340e191de29d

SHA256
e5747410e21e7d17b53f68869f95643b3327a9a64679be769b25a05aa8ac2049

SHA512
6c8cafd01a402ef43e24806036f835a1c7f6dd49a11d83657d9264bc72015f939fe0310275a4a059af2a750292ffad7979a92739d02d0a4bbb3a8b0a9ff5a03f

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
80KB

MD5
736685807d762b1b7c88fbd5d5e33a8a

SHA1
8b450ed34d99ed2c56468c734cb80929388472a6

SHA256
acea19c5069ca725dd6ece4ded68807f2f3e5d7d8f91692dd7fba87609984288

SHA512
6c36642ecf3ec7307d710f1c1ed0dc3bd53a5144b677a255867ccd275f1154baa8e631db37f309e218311badbccd88328cc55601c6108b43ec12e426f8a3defe

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
80KB

MD5
1eaff9e61dba58a2790f5114880e6c03

SHA1
b2c80a8d0b3ff55dd05f2e46ed25b6b9da497a6a

SHA256
50ac0b08503be5dc533425f0c352955d65560b83bf349bc65c8fe8089f708a31

SHA512
5e1f450d65326074ed165e16d54bf6188590578c82b33f84919ae78156549f1a9139388abefc7f97a43a5dd5fdf3f9c68f3da886e6f676d3432aa1a251d8d857

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
80KB

MD5
bfa7f00681623eb29254d2af3786fa67

SHA1
3d39cb712d57badebf9d69fafc3451c60b7ca54c

SHA256
8e3a665b34bc01cd0e758a45cafeab47ff3c70dd5f1586d97346ffda60b77562

SHA512
5f8b0b578068c63451492b411dd7a86f6e88790d02296015803df8f18071fbf21fef47f733beef5b185674c948d50de7cfbf8cf19f8b5a0000db961d6e17cbbe

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
80KB

MD5
a4f76e2297e925f05816e8fe22a08313

SHA1
251e5303ab911071c11c6ef5bfec7b58a7eb56b3

SHA256
eb96c45170230abd565c38369b126dc6c57fb1267ea22b6b132536af33ce9e3d

SHA512
3a6e3fcace492e797be29a0804c52dc7ae5362e58e9db543f26d2a869871d4aa08023feceb854741e6016ac6111f5d17766ccb47213d8d5434f2c96bce0e419f

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
80KB

MD5
0b6fbef4c0abe3fc400e4aa483799b42

SHA1
c8abfd1e338d4771c00174d4f18129904a2baf32

SHA256
d7a03d6178096bcc329e3314df0cd3391e39e92495a264b006fa97813a4edc46

SHA512
7d685f3a3b354d3425bacfcec6a9997ae08812ce6c163624248883898b9b674fd3e2fd85fd5f35c71b4a6b81c3348cdfbffade121ae6ca7eb75369deb5ca4566

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
80KB

MD5
d21b84c7862bae76d25112b565dce0bb

SHA1
5c04cf0a40510a8cee84fc7db1c5160bb546658f

SHA256
a0a5f61bfc5e6749774200ef1ad583ab86dff4a7940742b7dc9a928c6cc439e7

SHA512
e93ec2a83c725d5d5aa8a35fa727142162794b38945a36c54376e2be2e9a67b09c620d9f49c6787ab13bc9ebfa972223270d34f1fcbd706ab8cafcc20508bd25

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
80KB

MD5
aca579987367af4d3fb02210fc0b9f57

SHA1
747758b607e10afa3ed9f111f32d6857fd4cd7dd

SHA256
4288fb8f5e4bd20a9b6551c86e7bc5d2ef9a139e564af38e396cb89abf18274e

SHA512
1f2b731968d83d0056aae4d622bdc4f72570f1aa5d968da3232c49a240517499dbf382e4efc419a12165853738649c82373ba8b52307e6cc47525b85d092b331

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
80KB

MD5
0b96f5d59d524685e62fc8c7a177049a

SHA1
ef2b8662271195d958892fa34c028e567fe0bbea

SHA256
9c9ac2b2715410ff61f17bc6ecd4d614f8ee24edf5739301cffcbac9db9b4178

SHA512
7dab29080ea35dac9c2bdf92db6b60baae445e192272ffd8f2325135cd6432d85bfa236dd99a5b148b0cb1119a42ed0b49b9e02b7fc3843917ed542266d79659

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
80KB

MD5
aa272e531dc2f435526b781c244a2083

SHA1
a0605527d024bf56df580c710eb0b364338e6247

SHA256
3b798ce805ed621b765049b5dbdcfc97e79ff24ed99e102e46fa1f83745cdb3f

SHA512
bf09fa9dcd8153f8d2b78fb604a4638d8b926ab4f4160017c345ea25d88d5f07d4520a3114885f97e8b08bd91133747be236f3806774db66f2e6e21cc973854d

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
80KB

MD5
dbe2aa371a845f5d82e820ad6709fa17

SHA1
a2897776d5ac5d284a75bb2b2e118d12dd9ad1e1

SHA256
005c109a7e1cba31821efb1556ff0ff8bdc310d83634dd84c0b15e3e6a4be107

SHA512
59ba222540bdf16896e04f47b5c5b9687e427562c5b6ccc7e6ad76c7d9d560f188562771c44c9393ff72836aa0f077516603cba21c21545b167f8fafb2a44a5e

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
80KB

MD5
7e55284465f696a60a26a0ddeb8c3fb9

SHA1
801b7bae46b2623c52916588dec0a057d53ba23f

SHA256
ffd6df87652d05db0efcf0b05b209b2a5a2b9106f84e022e359c4b596d0de382

SHA512
0450485ec26b56523d6c924a9f281b561b41c052ceb62cea46e6c86edf84666722dc6fe8346f2f2521641c62d6b87a7492a654d9dd8d6828ac45340e4d595940

Download Submit
memory/344-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/416-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-7-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1752-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7196-1651-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7868-1656-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8100-1671-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads