e7c3e57ef144e9098b657bfaaaf668fb996688e78a250ab945a440bdf4b8859d

Analysis

max time kernel
136s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe
Size

844KB
MD5

40aa049b1be8f9824f4411367a6b9ff0
SHA1

695e92e56ed592891e1bbec2e47a1154a5d13938
SHA256

e7c3e57ef144e9098b657bfaaaf668fb996688e78a250ab945a440bdf4b8859d
SHA512

731ce01e37d3d2faa94c9784559d193719b3cbcd180a37129fb07fbec18575843f7d0d57d65219eac6e122028010d4e835c0711a7838caaf0b0495fb1503445c
SSDEEP

24576:AzqH5W3TnbQihMpQnqrdX72LbY6x46uR/qYglMi:uqH5W3TbQihw+cdX2x46uhqllMi

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eabbjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Echknh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcmnpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedoge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffgqqaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fooeif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dldpkoil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifllil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deoaid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkljak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdiooblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmabdibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe

Malware Dropper & Backdoor - Berbew 57 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0008000000022f51-6.dat	family_berbew
behavioral2/files/0x0007000000023410-14.dat	family_berbew
behavioral2/files/0x0007000000023412-22.dat	family_berbew
behavioral2/files/0x0007000000023414-30.dat	family_berbew
behavioral2/files/0x0007000000023416-39.dat	family_berbew
behavioral2/files/0x0007000000023418-46.dat	family_berbew
behavioral2/files/0x000700000002341a-54.dat	family_berbew
behavioral2/files/0x000700000002341c-63.dat	family_berbew
behavioral2/files/0x000800000002340c-65.dat	family_berbew
behavioral2/files/0x000800000002340c-70.dat	family_berbew
behavioral2/files/0x000700000002341f-78.dat	family_berbew
behavioral2/files/0x0007000000023422-86.dat	family_berbew
behavioral2/files/0x0007000000023424-94.dat	family_berbew
behavioral2/files/0x0007000000023426-102.dat	family_berbew
behavioral2/files/0x0007000000023428-110.dat	family_berbew
behavioral2/files/0x000700000002342a-118.dat	family_berbew
behavioral2/files/0x000700000002342c-127.dat	family_berbew
behavioral2/files/0x000700000002342e-135.dat	family_berbew
behavioral2/files/0x0007000000023430-143.dat	family_berbew
behavioral2/files/0x0007000000023432-151.dat	family_berbew
behavioral2/files/0x0004000000022ac7-158.dat	family_berbew
behavioral2/files/0x0008000000023388-166.dat	family_berbew
behavioral2/files/0x000800000002338e-174.dat	family_berbew
behavioral2/files/0x000800000002338c-191.dat	family_berbew
behavioral2/files/0x0008000000023395-199.dat	family_berbew
behavioral2/files/0x0009000000023373-183.dat	family_berbew
behavioral2/files/0x000c00000002336c-207.dat	family_berbew
behavioral2/files/0x0008000000023392-215.dat	family_berbew
behavioral2/files/0x0008000000023386-222.dat	family_berbew
behavioral2/files/0x0007000000023436-230.dat	family_berbew
behavioral2/files/0x0007000000023438-238.dat	family_berbew
behavioral2/files/0x000700000002343c-246.dat	family_berbew
behavioral2/files/0x000700000002343e-249.dat	family_berbew
behavioral2/files/0x0007000000023444-269.dat	family_berbew
behavioral2/files/0x000700000002344b-287.dat	family_berbew
behavioral2/files/0x000700000002344d-294.dat	family_berbew
behavioral2/files/0x0007000000023455-317.dat	family_berbew
behavioral2/files/0x000d0000000006c5-341.dat	family_berbew
behavioral2/files/0x0007000000023470-390.dat	family_berbew
behavioral2/files/0x0007000000023474-402.dat	family_berbew
behavioral2/files/0x0007000000023484-450.dat	family_berbew
behavioral2/files/0x00070000000234a2-561.dat	family_berbew
behavioral2/files/0x00070000000234b3-616.dat	family_berbew
behavioral2/files/0x00070000000234bf-655.dat	family_berbew
behavioral2/files/0x00070000000234d1-715.dat	family_berbew
behavioral2/files/0x00070000000234d5-729.dat	family_berbew
behavioral2/files/0x00070000000234db-751.dat	family_berbew
behavioral2/files/0x00070000000234e1-770.dat	family_berbew
behavioral2/files/0x00070000000234eb-805.dat	family_berbew
behavioral2/files/0x00070000000234ee-820.dat	family_berbew
behavioral2/files/0x00070000000234f2-834.dat	family_berbew
behavioral2/files/0x0007000000023500-882.dat	family_berbew
behavioral2/files/0x0007000000023504-895.dat	family_berbew
behavioral2/files/0x000700000002350c-924.dat	family_berbew
behavioral2/files/0x0007000000023510-938.dat	family_berbew
behavioral2/files/0x0007000000023519-966.dat	family_berbew
behavioral2/files/0x0007000000023521-994.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
2772	Colffknh.exe
4856	Cdiooblp.exe
4792	Ddmhja32.exe
4360	Dldpkoil.exe
2108	Deoaid32.exe
3516	Dkljak32.exe
3656	Echknh32.exe
4896	Edihepnm.exe
3760	Eapedd32.exe
1616	Eabbjc32.exe
4280	Ehljfnpn.exe
380	Eepjpb32.exe
4248	Fljcmlfd.exe
1736	Fhcpgmjf.exe
4836	Ffgqqaip.exe
208	Fooeif32.exe
4940	Ffimfqgm.exe
4908	Flceckoj.exe
1468	Fcmnpe32.exe
4636	Ghaliknf.exe
2100	Gfgjgo32.exe
3332	Hmabdibj.exe
2036	Hkfoeega.exe
1528	Hbpgbo32.exe
4420	Heocnk32.exe
4364	Imoneg32.exe
2412	Ipnjab32.exe
4904	Imdgqfbd.exe
3480	Ifllil32.exe
1796	Jlkagbej.exe
932	Jpijnqkp.exe
4916	Jfcbjk32.exe
4512	Jblpek32.exe
4208	Jpppnp32.exe
2568	Kfjhkjle.exe
4304	Kdnidn32.exe
3452	Kfmepi32.exe
2800	Kmfmmcbo.exe
3672	Kfoafi32.exe
3836	Kbfbkj32.exe
4944	Kedoge32.exe
4284	Kpjcdn32.exe
4600	Kfckahdj.exe
3996	Kplpjn32.exe
2864	Lbjlfi32.exe
1200	Leihbeib.exe
1504	Llcpoo32.exe
756	Ldleel32.exe
4240	Lfkaag32.exe
1044	Lmdina32.exe
4460	Ldoaklml.exe
2768	Likjcbkc.exe
3604	Lljfpnjg.exe
2364	Lbdolh32.exe
3576	Lingibiq.exe
464	Mbfkbhpa.exe
436	Medgncoe.exe
4688	Mchhggno.exe
1092	Megdccmb.exe
3328	Mlampmdo.exe
968	Mdhdajea.exe
1800	Mmpijp32.exe
4124	Mpoefk32.exe
4704	Migjoaaf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Hbpgbo32.exe	Hkfoeega.exe
File created	C:\Windows\SysWOW64\Kbfbkj32.exe	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Iihqganf.dll	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Jgefkimp.dll	Migjoaaf.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Colffknh.exe	40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kpjcdn32.exe	Kedoge32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Heocnk32.exe	Hbpgbo32.exe
File created	C:\Windows\SysWOW64\Lafdhogo.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Pohkbc32.dll	Ghaliknf.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Kfmepi32.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Jcjpfk32.dll	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Lljfpnjg.exe	Likjcbkc.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Cdiooblp.exe	Colffknh.exe
File created	C:\Windows\SysWOW64\Kfoafi32.exe	Kmfmmcbo.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Hbpgbo32.exe	Hkfoeega.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Jfnbea32.dll	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Fooeif32.exe	Ffgqqaip.exe
File created	C:\Windows\SysWOW64\Namdcd32.dll	Kfckahdj.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Dnqmalhn.dll	Cdiooblp.exe
File opened for modification	C:\Windows\SysWOW64\Dkljak32.exe	Deoaid32.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Eabbjc32.exe	Eapedd32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Hmabdibj.exe	Gfgjgo32.exe
File created	C:\Windows\SysWOW64\Jpppnp32.exe	Jblpek32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6524	6436	WerFault.exe	241

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oponmilc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfgjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijlbqboa.dll"	Hmabdibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlkagbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Leihbeib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madnnmem.dll"	Leihbeib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgdelcpg.dll"	Jpijnqkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehljfnpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lingibiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkfmkdc.dll"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiaefcan.dll"	Deoaid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fooeif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdiooblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmhja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Linjpeof.dll"	Echknh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmfmmcbo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 2772	216	40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe	85
PID 216 wrote to memory of 2772	216	40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe	85
PID 216 wrote to memory of 2772	216	40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe	85
PID 2772 wrote to memory of 4856	2772	Colffknh.exe	86
PID 2772 wrote to memory of 4856	2772	Colffknh.exe	86
PID 2772 wrote to memory of 4856	2772	Colffknh.exe	86
PID 4856 wrote to memory of 4792	4856	Cdiooblp.exe	88
PID 4856 wrote to memory of 4792	4856	Cdiooblp.exe	88
PID 4856 wrote to memory of 4792	4856	Cdiooblp.exe	88
PID 4792 wrote to memory of 4360	4792	Ddmhja32.exe	89
PID 4792 wrote to memory of 4360	4792	Ddmhja32.exe	89
PID 4792 wrote to memory of 4360	4792	Ddmhja32.exe	89
PID 4360 wrote to memory of 2108	4360	Dldpkoil.exe	90
PID 4360 wrote to memory of 2108	4360	Dldpkoil.exe	90
PID 4360 wrote to memory of 2108	4360	Dldpkoil.exe	90
PID 2108 wrote to memory of 3516	2108	Deoaid32.exe	91
PID 2108 wrote to memory of 3516	2108	Deoaid32.exe	91
PID 2108 wrote to memory of 3516	2108	Deoaid32.exe	91
PID 3516 wrote to memory of 3656	3516	Dkljak32.exe	92
PID 3516 wrote to memory of 3656	3516	Dkljak32.exe	92
PID 3516 wrote to memory of 3656	3516	Dkljak32.exe	92
PID 3656 wrote to memory of 4896	3656	Echknh32.exe	93
PID 3656 wrote to memory of 4896	3656	Echknh32.exe	93
PID 3656 wrote to memory of 4896	3656	Echknh32.exe	93
PID 4896 wrote to memory of 3760	4896	Edihepnm.exe	94
PID 4896 wrote to memory of 3760	4896	Edihepnm.exe	94
PID 4896 wrote to memory of 3760	4896	Edihepnm.exe	94
PID 3760 wrote to memory of 1616	3760	Eapedd32.exe	95
PID 3760 wrote to memory of 1616	3760	Eapedd32.exe	95
PID 3760 wrote to memory of 1616	3760	Eapedd32.exe	95
PID 1616 wrote to memory of 4280	1616	Eabbjc32.exe	96
PID 1616 wrote to memory of 4280	1616	Eabbjc32.exe	96
PID 1616 wrote to memory of 4280	1616	Eabbjc32.exe	96
PID 4280 wrote to memory of 380	4280	Ehljfnpn.exe	98
PID 4280 wrote to memory of 380	4280	Ehljfnpn.exe	98
PID 4280 wrote to memory of 380	4280	Ehljfnpn.exe	98
PID 380 wrote to memory of 4248	380	Eepjpb32.exe	99
PID 380 wrote to memory of 4248	380	Eepjpb32.exe	99
PID 380 wrote to memory of 4248	380	Eepjpb32.exe	99
PID 4248 wrote to memory of 1736	4248	Fljcmlfd.exe	100
PID 4248 wrote to memory of 1736	4248	Fljcmlfd.exe	100
PID 4248 wrote to memory of 1736	4248	Fljcmlfd.exe	100
PID 1736 wrote to memory of 4836	1736	Fhcpgmjf.exe	101
PID 1736 wrote to memory of 4836	1736	Fhcpgmjf.exe	101
PID 1736 wrote to memory of 4836	1736	Fhcpgmjf.exe	101
PID 4836 wrote to memory of 208	4836	Ffgqqaip.exe	102
PID 4836 wrote to memory of 208	4836	Ffgqqaip.exe	102
PID 4836 wrote to memory of 208	4836	Ffgqqaip.exe	102
PID 208 wrote to memory of 4940	208	Fooeif32.exe	103
PID 208 wrote to memory of 4940	208	Fooeif32.exe	103
PID 208 wrote to memory of 4940	208	Fooeif32.exe	103
PID 4940 wrote to memory of 4908	4940	Ffimfqgm.exe	104
PID 4940 wrote to memory of 4908	4940	Ffimfqgm.exe	104
PID 4940 wrote to memory of 4908	4940	Ffimfqgm.exe	104
PID 4908 wrote to memory of 1468	4908	Flceckoj.exe	105
PID 4908 wrote to memory of 1468	4908	Flceckoj.exe	105
PID 4908 wrote to memory of 1468	4908	Flceckoj.exe	105
PID 1468 wrote to memory of 4636	1468	Fcmnpe32.exe	106
PID 1468 wrote to memory of 4636	1468	Fcmnpe32.exe	106
PID 1468 wrote to memory of 4636	1468	Fcmnpe32.exe	106
PID 4636 wrote to memory of 2100	4636	Ghaliknf.exe	107
PID 4636 wrote to memory of 2100	4636	Ghaliknf.exe	107
PID 4636 wrote to memory of 2100	4636	Ghaliknf.exe	107
PID 2100 wrote to memory of 3332	2100	Gfgjgo32.exe	108

C:\Users\Admin\AppData\Local\Temp\40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\SysWOW64\Colffknh.exe
  C:\Windows\system32\Colffknh.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\Cdiooblp.exe
    C:\Windows\system32\Cdiooblp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\SysWOW64\Ddmhja32.exe
      C:\Windows\system32\Ddmhja32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4792
    - - C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Windows\SysWOW64\Deoaid32.exe
        
        C:\Windows\system32\Deoaid32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        26⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        27⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        28⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        33⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        36⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4304
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        43⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        46⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        49⤵
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        52⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        55⤵
        Executes dropped EXE
        
        PID:3604
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        59⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        61⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        65⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        68⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        69⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        71⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:684
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        75⤵
        
        PID:324
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        76⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        77⤵
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1180
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        80⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        81⤵
        
        PID:668
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        82⤵
        
        PID:376
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        87⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        88⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        90⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        91⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        99⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        100⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        102⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        105⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        108⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        112⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        116⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        119⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        120⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        121⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        122⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        126⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        131⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        132⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        133⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        134⤵
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        136⤵
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        137⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        139⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        140⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        141⤵
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        142⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        143⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6212
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        145⤵
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        146⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        149⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6436 -s 416
        150⤵
        Program crash
        
        PID:6524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6436 -ip 6436
1⤵
PID:6500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
844KB

MD5
72fc117f9bc7ab71ffebdff6d4b5bc62

SHA1
0ab997fae8d9bc71a0b61de9da0722a0003e3f71

SHA256
3705816af136b05c541a597c94ac40c2a7e79da0588cbf5251007a42846fed03

SHA512
c83ec2013bdf4a03144543d362b6bb6fc9833f89b0285b791de979c90d337d515aa825fa567d86a15658de8411c94a0aa335a73a831bc266bc8dc2abcfbe44bc

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
844KB

MD5
7d35e43cbdd136ff6b27df592dc6b23d

SHA1
bf0f97aea0fc3e2eb4660796d72048fee4e56dd3

SHA256
28364213a64999d4d2096df7bbe91223b86adddd3ab6f6f3fbd52b6d3586dbce

SHA512
777ebc79fdadea738c24612fba411531d1d86124763c5423f2051956f25023b132a6aee5b67f0098ec40245a6a14eb9652efb7356213e6fc46d700fc9181e02c

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
844KB

MD5
f26908eacdb11ce088f68c9680c0ded2

SHA1
9a96c68a5be8534886032f2d8e2550cf2a591a09

SHA256
3da287d63f7248ccb33b07a978729fe9d6da0870fc9c42b3bad11af5f3497c6c

SHA512
9d995877b84975b8ef9d9a58a05c1bb49c5fb9aaada2289ece5a0fb9b284c39fcf2acba26bebc506fe478a49c8944b5b736dfdfff8637c145e62af92ee02c6b3

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
844KB

MD5
672c11bbcf0fc619d83a4e3b7cfc9e34

SHA1
9c213ddcd03586c0c214212ed07a4c24d4829db6

SHA256
94cf62d7a2805be73f93808c020a06dcc05d34a0eb90d88039a181697ac2e9a2

SHA512
f18b7d00393978646ca582814e3f553b8e7f98079924cebb9056f5e45957417424fe2c0e28555e5a9cfac57ae4e149bd31170d8748547ab58c38e08cc4d61961

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
844KB

MD5
61673d904741fbfa9bd752a2d823106f

SHA1
7815007bc0676b86b7c0f85cfda270d6d5881a0f

SHA256
b5b78fcc9037c72128e57240b5a25b8a7a8dcfccb3ce0b9c2b95710f5652d6a8

SHA512
9c1e78c988bdb1b6ac4c25efc2446e116bd38f2fbb898bfe7eee66604f9182b218c4cc62a86a86764131f34817fcb3c009e69a26819c249ccd69e92df6225c05

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
844KB

MD5
0f5b7e7c5088a56a64a2b381a981fbff

SHA1
18912e8b96b5740cef1fec1e3d7c2bebeadb3165

SHA256
18a46a0072d47b37dc989c3aafb190afee8177538fed3a84b8687976a62c58f3

SHA512
b952b5652c91a26bfae30f7efd7ec50ba049a3f28fea61fd4b76989085d11d30b9d06d52d7349b607356642ef988c96cd263e84dd7125de2248ebc907e2243e6

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
844KB

MD5
7323c4d011effe4b581c89ac4f711822

SHA1
442ed0f84ebf8bce3b375a5e11251e63bc53b1af

SHA256
3ff980d5c8ac44f082eb781741ddbb11d723bac980865193c09985e549bfe5f9

SHA512
fc1b9163f553df0dd20c19d267d4e02acb00eb8b70e3f60e28de0a3eef427c1df8369389adbcacaeb04178d5660d3e0e065f30b6685f2065b2b934dad1a6d7ab

Download Submit
C:\Windows\SysWOW64\Cdiooblp.exe

Filesize
844KB

MD5
b48ec92949bba4a005e232ac3caf379f

SHA1
67eb96e61ba107cd9edc0ae3c089ae15bfe590bf

SHA256
78143300df0a78375f7bb122a65fad7a88b2866531fa49a4aa8d909c0b759b7a

SHA512
e6f284d63a22c50669f349f5c5a008797ee53972ef368120a8f9719679351c7d101652b2acb14a4f099e1a7159eecc99a32df6f18e088b21f8c4c6816539841e

Download Submit
C:\Windows\SysWOW64\Cecenn32.dll

Filesize
7KB

MD5
a44a93ef9a47c0f1d020d274c5db6602

SHA1
d97dc3518423813edf4bc04673a325074b099a6b

SHA256
6b785b4385cd7e07125e1f06da6635c8fbbc1c07b64904a91e617a9739347d38

SHA512
896e6674a55ead4faad6b4b9c25df57bb6fcc739b8e4c9d65fa3ddd306827645b0cdbd5a4b67f6f7a36aa29a35ed75eeeef143faa76869c393baafc66ee1647c

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
844KB

MD5
5450e59fa065e5b6f83955721f824f06

SHA1
48b9924422acdf9f0e6858d342031f39586130e8

SHA256
9f1dfc02f8e244f0ec6ab69bcf87122ae9d2348290bace581f0a5e68f44d1c67

SHA512
2227fd59398a0af889bfddc715a104a78e67fc8fafcf132404de23fbd289f7c21d09044e0a86332399faa191f7e5cfb35007197dc11871bd4edd673304f98539

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
844KB

MD5
7a30a1258aeab36adba5a4e83931ae96

SHA1
5a62b53a3b84373134104cd0de4379327910eae9

SHA256
229496384ef3f1d0a0feeb8c97d3a7910fe6aed5debeac6c52f224482e85a86b

SHA512
65e97369d79cf23fdac9538bdf3908db8e0554e3017472b41a3badfc7974fd84d681dab0c0ab099c7ca198007703ae640f3d5ce55ee0306be91f06a7bf50d1a2

Download Submit
C:\Windows\SysWOW64\Colffknh.exe

Filesize
844KB

MD5
7a1e49295e6d00bb4537628d2b02f976

SHA1
64e5ab77267d1dae849f10d6f8de64563285e298

SHA256
a7bbdcc3fda12220d244dbc35502b5eecb507b2d49fe587fee4ce46cde36722c

SHA512
0181620e39ed1c6f9458393fe85f69037af752eafc1a60db096e6c6ad29aefc4e2e9b95253858248055f8bc005c3786d6b6d0beb3b828c42432dcf4a388880fe

Download Submit
C:\Windows\SysWOW64\Ddmhja32.exe

Filesize
844KB

MD5
22bed9ae57871ef0f63c4e57639368f0

SHA1
e00d5203001bcb95aeb7077c7407e705229281e8

SHA256
17c895dfc0656dec7dc9c871021acb26c73a49bc8f7d219b0a310c4d2733d9c4

SHA512
064b40e96bce53bafb99ce556e09716737edf25040169cdbb13a8f58dcfb55fdffa715440b654c924228915a6695497c573b6b3a869b2b0cdb41b54eafaaeed9

Download Submit
C:\Windows\SysWOW64\Deoaid32.exe

Filesize
844KB

MD5
e0c25ee64cc90edb9c7cb2ff2ad75c17

SHA1
501a07890f52e22d027ad094faae9e614faf0038

SHA256
03ddcd7a2c7ad37f61363ef5ddf7b9145948e4dc0eace975d0e1e5e291077721

SHA512
9fc1ab3d45a39097f19c5110605ff0a545f124e8660ab674dd85b91273c0731d32957a2126c3a3895b20221d57baf482567fcad69e69ebe82b985abf3bf56613

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
844KB

MD5
72a56c396e6c41206c319be1cd39790b

SHA1
4e4a9ab029d71aa582390c08af58f27faf7c7abb

SHA256
bd264a051628e0efe31476a72b50e306a454f7313087221e7bb6de76217b08c5

SHA512
aaf8167acbfb8a817a1fadc74427af0dafe106095b433b98f6313952fe4e7798d8f55a3f6b0f6e0f4ccf5cc6184729c0275cdd3c7e69d8e8fab8d362af61e407

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
844KB

MD5
797c12adb24f6374586e7f6015a52b55

SHA1
dd444d8438b576da81a45b2b29c84aa51ed9a18f

SHA256
1d08516b7ec1e5807b5a2ea26d8602302319d44a33c3b26eaad72243173e41aa

SHA512
b47bbde1125ef5d4387b7f190f4bbde109a3e84682efaf74d6880e64f6b3028b43df49a677e39758e11376740cd49e7f7c70b740cf8646d45fb22f800a21d92b

Download Submit
C:\Windows\SysWOW64\Dkljak32.exe

Filesize
844KB

MD5
111d25bfe202c55d913d2266602cd467

SHA1
7b67df51db20ebd83cc88f7514aec0ad4d045586

SHA256
f5a4c54bd6643013f4be335c5018e4d1c1c34249045ae743ea9b224b94b4945b

SHA512
b0a35d5d03ea30d330710cf48754933fdebe322b65c6a40146cd2516d2108bef9567ae08edce0723c6371a73b91107e92a27b698306fc8e7195bbe0781b7589a

Download Submit
C:\Windows\SysWOW64\Dldpkoil.exe

Filesize
844KB

MD5
e70a2eba83e629f91a2c1e06c54f1e8f

SHA1
c62bcd9832e682d0da4c40db2892e25b6978a690

SHA256
7d2093f43187399616af221638a68ed17ad1969fc9f503126c9885c252ddef26

SHA512
681171307c1782c3352491c6ce1a97a8cfeb131dee3b91aa394b3cc96e47f679d2d00b284c79c2df86846c7f951832235c12440e1e1dcfc71170f5c13cef22f8

Download Submit
C:\Windows\SysWOW64\Eabbjc32.exe

Filesize
844KB

MD5
1578ca5019f6078275bd44c2acf348bd

SHA1
c84f483e4663089f2c69d92ce805f9feaf8b974b

SHA256
f36a1d7911aa274982b973ff2c71d3d6a5aa38fc2cc4560358ab37f5260a7010

SHA512
f28aca58009daf2731dce374fabcb62ea6ed67646c19feb982c1f189b7ca4dc284983f13083d2e47c0a7b0feb88b42a5becc32e8aba2ce7e1892a561f619dae0

Download Submit
C:\Windows\SysWOW64\Eapedd32.exe

Filesize
844KB

MD5
320343aacdf4ccc88c42eb5449b16b39

SHA1
d3f20fc27b661d28ddd0ac5344c5fd1bcf8b633a

SHA256
71fab3440422c08b5c1140850a7b65e713bbaadfcc2a232d853da46666be3fb6

SHA512
3249b7deebcd9a792b1fb38cd7c63a9fab4514c5986b4e8cb280c3af0eec0e05e8c2527ee97d99e7c4edb60f5fb62531db09a51afea455abc63bc06cdc1a6484

Download Submit
C:\Windows\SysWOW64\Eapedd32.exe

Filesize
844KB

MD5
9a9ab6665f4e33cbee0a51bf14e157ad

SHA1
aee1ef3ff0ca2a7da0a7d737ec93c055f46426fc

SHA256
f4ae52c33db56ce681bdc2585a90effb4d3c2fcd73eb7014cb18a7c24b049a55

SHA512
6f68b152bfb4a338d3ed92e80951b9e80915bd914037da640cd03f4003d5ebfb787456b87eb42117ea3b71e7e049758e78640d5016c3d953fccbcb0ed62e270d

Download Submit
C:\Windows\SysWOW64\Echknh32.exe

Filesize
844KB

MD5
b90f853317e5b11df5ef040d41f20fbd

SHA1
e893aea945e3bb24e83aea9a8033f8fd769fa719

SHA256
36c0e6565f30c575610e122005cf335eac3bf1e89f144aed48f99b87d7d8e061

SHA512
227ca32e1dd5c0c7f2be2aca037f28430889f68fa93b12c07f7b25cd337ade5e98f5083663ab7ea5371de13e55bcb99b6c9ad0cd4297461bb6dca79e0a7d01ea

Download Submit
C:\Windows\SysWOW64\Edihepnm.exe

Filesize
844KB

MD5
500d5bb16fde11871f40b5c1cb0ce616

SHA1
fd4045a5d47e7ef81740f1f05179735c46dc506d

SHA256
a71612492a5c0a4bf02d02a56f4ad79585973fdfc7e36078c6667d9a2c470abd

SHA512
c0b528e2ca191c5e6bc44ef95b204753f19b732b0f3e6c039b8c7493cbbee85d9b952ff30ec638acfa76bae97ec92d0214e6add0dcf0281da8e66b38f2ac4123

Download Submit
C:\Windows\SysWOW64\Eepjpb32.exe

Filesize
844KB

MD5
7812d0301c8bb8db71287c43b3d3d90e

SHA1
d001283ec454a63edf715574aa0025062f97d0be

SHA256
d4cc6986eb53cf15ec0289dc74df9f1bd6a92c9dacc6336fc43d2caa3ae5dd5c

SHA512
db3005d12fae2f25ecbb5d9bce55f9d86c9f5794457fcfa0510b6842d3983dc1d6deb4a913bec2af6bcaee670db882c72b0945ec33940954e313a6771248a25f

Download Submit
C:\Windows\SysWOW64\Ehljfnpn.exe

Filesize
844KB

MD5
12b9d116d31e8fae206dc4c3d04c87f2

SHA1
0f90f3e6c741b43733a246d33bef94c94b431f35

SHA256
99e87632d03dfac1a8473d8d7e25e532010f2c51babc4b692670177a83121e1f

SHA512
abdfb8c23ea45b7545662a982980800b3ec79dff45534ff0780a16b51bb4283531ffe5aaa14c487dc8b37d4b3b503f4165b33b0cb12fa5289883e24053eaa62f

Download Submit
C:\Windows\SysWOW64\Fcmnpe32.exe

Filesize
844KB

MD5
327c8f1232a72e29c8e5a67b544ed928

SHA1
754270f0318d4f83fecb584871f305c449225357

SHA256
caf002af691d7c2bc8f959145669784111f4483624d2342c96adc153bcdc7428

SHA512
93c9cd78593e570fa8f89fda5558cf14f6604c542c1633dc6486c04aa444cfe96f7392e7a2297fc853dd6d07fca22fea3cc31049e42c33e62feccc923ef05870

Download Submit
C:\Windows\SysWOW64\Ffgqqaip.exe

Filesize
844KB

MD5
87f9d88f168ef4c39ec70d27decb1bce

SHA1
3ab17fbf79c1261fa4605c75ad0039cf000ba9f9

SHA256
efb496f14081fe4f65e8c03415ab8cb3369e675025624a8ff965ab80a4dc8c8f

SHA512
4a4887ddd46700e4e71c928d23c27a8a5503dd9feefc3b0205656301bd26d12c53e5e6790ff051991de3462bde17e97988671d0f9d7a8db1d574037152d881ca

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
844KB

MD5
811a123c60ae289c017298c45b815577

SHA1
af564896bdc893914c37eb825c97c817bc884136

SHA256
4047a1910a4657e856a8533a0f2d92b5866d0e3d732039d1499d7bc804a164d5

SHA512
1cf85b6c4c4a9db70182933c4197dba2618da6d638daadfa53790eec3fcc874c1a0e6ed2079c3ac3ac1b3f3ad5fefe24882e2ef9d4742c85a04f08789fa736fa

Download Submit
C:\Windows\SysWOW64\Fhcpgmjf.exe

Filesize
844KB

MD5
e8120305f971daee7f0a53b1f18c5080

SHA1
13cc1a2a36effa30f8e848ac71470203469122c5

SHA256
35148d69d8c1f7d40f1e5bdfcc14ccc80060b666115144c45391d86e2e3fb28b

SHA512
39120a6f0886f7d6f3b28f6a8027a308f75f245f628b4e315d674dbd211b7e096cf5a411550721cddfc89083f5c6f5f2cf08d330ed647c24e48ed67bb9dd27c5

Download Submit
C:\Windows\SysWOW64\Flceckoj.exe

Filesize
844KB

MD5
f32d854c0e2cdc6db87f0ee52f749058

SHA1
ba69069161b471293b21a01273d7caeb328f37ae

SHA256
24689dee4594b3fe64d7a75d95c23ddf72711246aa26be6a9285a7b11a9b4bf4

SHA512
c4d0fa166b4e599ce61a86104b99fa35ef3ec5fa48f7b8f5504eb975df556ad8e476f9bb6972fe0d496857dd6caafa2a868adeccf8b2dd0cad3a89fd7095e705

Download Submit
C:\Windows\SysWOW64\Fljcmlfd.exe

Filesize
844KB

MD5
23da3f5a567aba6d23d91c7c91182794

SHA1
e24018687b6a849792e1ab52686ed26c51aef8c9

SHA256
f98ab13610af3ae5c7a3fc980c6e911ee1e518dc65f29fa610416a61e5f6e6b1

SHA512
c24f0d5d36f0419be279c00b5093441f6428c3fd571de99ffc5c121cf58de9119774ae1abb0ac220e79afcf7f1813c39879e6c846eb2ad6458e5c0307304fdf0

Download Submit
C:\Windows\SysWOW64\Fooeif32.exe

Filesize
844KB

MD5
c63434acea3e06ae94eec4a9d36c1724

SHA1
18ef8b35d17da308bda01f7b97059f2845920546

SHA256
f41d0822137cec51a7e719e2650574f6ca983edf067e66a210887b339b3397d9

SHA512
b3b4457591e6bc8d07d5849f906d09efb8aaff86d6130d140e454a277f29084aea0ef1179ea9427f9e1741414401c11c530f4bf10e33993ab4818706e55b4595

Download Submit
C:\Windows\SysWOW64\Gfgjgo32.exe

Filesize
844KB

MD5
6d559a9eb89ca4c163f50dc4af58531b

SHA1
f691c19fb0aac201e60be90efcb483fc38a859f6

SHA256
751e558528bd9641493465fa16e3c8a16f1342b5778258d37fe61cc7b991f886

SHA512
65d99cd5821f1f988461b89555ab4eb3388c28e759d4efa2e60cf49ec86908adc50dfb14fd30845019a89a6583277a54b10a7fd19abe4a85af2b0f95ff30dc49

Download Submit
C:\Windows\SysWOW64\Ghaliknf.exe

Filesize
844KB

MD5
1b5394e6d5db100a86a10b215ff2b41f

SHA1
63116a3f46cfab282f6bfee5675feed588737f08

SHA256
b06088f268df6c3dc3a32c5f94c1f9d29db292f1cc1e4170e3fe391fc949acdd

SHA512
f579340467cbd56dafd881013ecebe41ef3cf9594e59b6474350661dc0d88f872c3286cdb0099203763a5770ed14b0473cc5e1345df15f180d008cbd860c3b4f

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
844KB

MD5
60b06d7d370a5da6a3df189dcb1470e7

SHA1
f4662382bd4c9419b19c59ba2ded482cff36c147

SHA256
0cfd22eda662f58a0d0ee05ce88cf1882cc24bc825e9839eba08b86701862be7

SHA512
5f1bcfe5816a50790887b3c15c8f08b9607b3df69abe330c8562147c5038a70177e479ca916e037cdb19d62c5dbc2d97f2207b6c6c7354410a4440c77ae27f7c

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
844KB

MD5
360d565c78ed793c347e47e12477537e

SHA1
929f41f7fce48e48ae656ddc02571798600bc886

SHA256
96836c9c15413456210225e2d3cec73545fc185a1993b1bf6b2e1922cfd28146

SHA512
f5709c061ab896d2703eb734d3663e5fcfd41ab6141db39af7512fcb231663b4dc24938d91c3f9e1766dfd2fe1bbd93153ce1cfec974eded6bb1f68f266b97b0

Download Submit
C:\Windows\SysWOW64\Hkfoeega.exe

Filesize
844KB

MD5
0062e2f7f8fb2a7da7c08ad344b667a4

SHA1
e07207d519d81799f172a12b400d878d3d9b9bc9

SHA256
1a671f7f8d33fd1f329effd1e478553b90d5208dc584bfce67460e926869d911

SHA512
7a323c6fb88045c865a9e0c531544344e2dc177b4f01d5dc5e67bfd365b733ddffed07840a8b02791584bbf043badf34170782eac91dd98b501d60817e83c29a

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
844KB

MD5
b4a2a88b20296179dba16944164df256

SHA1
fce0f8820fc6071fc755a9df64d84e0432820b98

SHA256
19086dbba6840f24adcd683680d3a7b5fc8480093b7f07517495ebf01f8ea734

SHA512
6c606e58269c5bde49a24ef0de589a45a26c92d9b8724188b0faa459f3b9df241cc955c64c20a8bd5b2e217ae85da7add16dab852c2ca48048114e9c82dd1a7f

Download Submit
C:\Windows\SysWOW64\Ifllil32.exe

Filesize
844KB

MD5
2a34d5442925513db6d5978a15e26a8c

SHA1
259f5efeb4debebb4d1bd1ce0b2a5a6675bbd3a2

SHA256
ac84c0b6d41618fa1db3edbfa68ad7a1bf857d9e8a711a6bf7a014d48ac65ef2

SHA512
26a4c42c63bfe16e02d0edc6d1f20b3c4a247ce9ac8144e637ce9dc2ae2a4f84c1444256fa6466e1710ffd2aabc6d1ecf107f9fc505629828b643aa11f4f4164

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
844KB

MD5
1192dee50271bd357e85df49cc628f7b

SHA1
84f7abe7289d73a8cc780fc40a0961073e5b0970

SHA256
174b40c803111157c5ad578d9bfa69807843195e56799c6a73f5cc327881dd43

SHA512
5ee68ece515c8043dc5b04fa2f540343687362a0bc5bdc9e65eb176a45e3a694841e3c4b0d553272ecf58a2a3ec79635a1f83cca115f568a9ebcc419cd5e318d

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
844KB

MD5
8148d25b2273045b681e97efc1fd1b8a

SHA1
db9364ca7d8c95e200be49a36298c3c33ff93c60

SHA256
78fdc89db9d4bfdb5ef86cc022fc896af27c8b6823685c8dcf246a5ccaf03a85

SHA512
b6f982dccd06c8575d378935345fe9d77e27903a60d3969b0407e7ac2acc4ce7ff10bc87627e6bc904f5cee3f8f4d76d61163feecf805cf6dd28c9be9ee3579b

Download Submit
C:\Windows\SysWOW64\Ipnjab32.exe

Filesize
844KB

MD5
d28533575940c867100617e494c6f62f

SHA1
8c3565ef6b6b0ca92b4e1739b96d82dd8c44bb4d

SHA256
ee391c25b8f58965a8f9fb9f05d8769c826033b4e2085fd877150908298d7702

SHA512
2ba7c4bfa002bc6fbc4ac760c6ce10c46649d13f6e03cdde9c2d864a9fabdaaa44b2cb5ddb70c7425b343945fc3768e5cbb92148df968a15606da565af92e778

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
844KB

MD5
cd36cce749477277e9fe8a122676db9e

SHA1
4773c5dfc2fad762ec094d5542e582da73988b08

SHA256
33c57b4ce7b101a966c2a1b33a5c35536f03da7f0c85f9315832db5b85fad887

SHA512
7ea0eb922eeb00d8c53617c3d123e82766ab06e164c9ea5018f0e37e5a975db5cfb5f06b88424dcd5160fc0b2b876eed28b037de10bc33a9a02c961c33ffb901

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe

Filesize
844KB

MD5
ee2044ad3249f7018b697d548bbbb0ce

SHA1
62e4b7edacba792cf266aad3d604618450685d88

SHA256
02d77d3c2ed9cf3a5600eec77b20da06a27e0b0387b5ddacddf19ace1c8b15de

SHA512
0f4419637cfe60427bc238cb1d90d8bc5a42611af2aa2040d41e70bfb04bf81fc10243ded73596ce1bea94b07ad370c1f5f618c846596d64e80c913751868488

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
844KB

MD5
e1e5a2f558beab51b496939007963e6c

SHA1
4ae58b47e45fa65116e7fa04c5cdd1bee5a446a4

SHA256
ac7513208febba3ecb60df7855886b3f012b62106ad8d3077d881c710505033f

SHA512
47dab0956c77078ccd8b7559aaa99ea1f3059f4cf33e4dac87b4e3c1bd5e8390294b8adcdc8758a2b8b42740c6819b1dabdb3035ebfb5884cfaf727f2542c985

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
844KB

MD5
7dd329def750aaa8baafc400414fd58e

SHA1
8d02f2d164cae415fc97163c20bdeb237cd1a3da

SHA256
0243ba636b131720119391c2b798b5427b20593b18891a063d2e0526aa2813e2

SHA512
ec505c9a6c5e85ce9a44d547162a58f1c38ac8d4ad57b4a6432cced9e72940510c056bcb36e4446f692119819bd7455d02764f36318068115601365d624a6c0f

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
844KB

MD5
bda7f613799d73f28b755459cb749a52

SHA1
1f9b39d2543a6c7278b179c572c51e08ba3d56ea

SHA256
ae8b2af3258cac45b7fb83a73d80d9fedfab73e9c44b6668c892a07717682484

SHA512
b8fa6e706282a35af06d48cc8b5e4e0463460266bc6bc4d8c1238db5693d977a11ccc1a52b1f57f85a80c94bb3ae2e509ff4fc9ae2effaa43a084f30f9cf7063

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
844KB

MD5
f18ab3516c1f0d65eca88b2c7b5dc275

SHA1
2226ca6b6a9a400dc4cbf3a16860cf187a007053

SHA256
6c8c3fad6b55e4b354040f1b545021ddf8190cd7db9d7da99f00649cdc647f46

SHA512
c90404016c50e087271bbe5c43f0d528900adb7e71be34b77ec8f92341c76e9a8b20604bf56fa9e86b6b87c3b0a8d3063594d35402ae217dd523cfb27ced550f

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
844KB

MD5
945133add1f05a965ce09bf2ae2f1aa9

SHA1
bc2e57bae595346f2bf2b1c9bafe073b7dd9a4ea

SHA256
58d1886e12fe08703404266bf6a2d8febbec38c9f4e7e7c0d759d6bf03c673cc

SHA512
0dd33ff6114c838b45ae82af03e9a8298db49923e14915843f1ed3d7e8050703ddc5dad688d71dcba5522cd1d9bf2093795a19b9a23adf81c9e1ebdf93f5626e

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
844KB

MD5
690bc1c8f5478154e7ba68676e4eeec5

SHA1
f472aae191cdd922c2614edf0faa66a4ef9435d6

SHA256
b0f8201a77b79fdcc7673fbb0c328e41a9950c41458d6b5481188cb396ebd343

SHA512
fd0e19091ab2a945e59b55efd085f1b567832bad74e10dcbb2b3ddfefa19d5dfb662303295cad36895e5839637959ba956b23e8ee0c2e2906cffd86ca070dd8d

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
844KB

MD5
5320fba75b7c59cb095b7c847a6a2bcd

SHA1
4a59acf770c6611351fe2e3db8be173142541231

SHA256
4fb0944c240edc800f2062b6b3f5a62abfe59736afb7a93120c4f2934aecb4b4

SHA512
04f12dc09f09a6690c506e3f4344e131d8aab0c98a759f2429519b0864a7c56071b86a01fd9e96c8476350165d087413c65937aad055176a55707d2090fddae1

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
844KB

MD5
9397e4235235222fb9b6702867a68e97

SHA1
3ed2b3c33808e0da3025d95dfeb0e320ac480a19

SHA256
3a30df62dc0db3b8d68b82c8163dfdc97c302806a0168ec31a50d6df7a3be018

SHA512
75ec6e70bd7e4c5c23ca88aa38cba5f566568cb04ce585e0f988b6c76b7ce95fd1d572a6aca18972901fba2b840159cbd168b99dad13f179e232b9b764500a41

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
844KB

MD5
7681d3e99512273f004eb0fee3a3ef4c

SHA1
5f9bda44af609c845d57ce1d3414961d384456a8

SHA256
e7b3be5d89b8413a687566900fed6feadd1d6d75b4f036f05bddb5505f2df13c

SHA512
85ebdb3bccd9707d35c92b228cff86ac0e10b08573da313cc078ff41cfc788c44469a8a64d3ebb5bff277d3535318921824c2e1854491771c9f3f7a656cf12a6

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
844KB

MD5
17dc3e68870caac0bcdb5516c033502b

SHA1
f322450beefbc374ab764389be57a78e3a06885b

SHA256
345d8d357045e13b8426983cef303934049587b2936fb5e3ca0d412ffb9a8090

SHA512
370ef9067f186cb1d11251e77024a1c5efc4576066d852c40f875f6d932f23286b202eaffb41cd2578670770807b64a19965f687a594eda7500f923a1bf4146c

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
844KB

MD5
6b23b1d7f7d9910dcf5d58e41bb0ae37

SHA1
836315c5919e45d7811333dddf5a515de65d767d

SHA256
0ed3852ee9dd59185baa52e077a8668cc17e71b8006fe8619c3b56afd9a53bb8

SHA512
8f785fe55799ceb9d75fa45ffd50ec116746d1befcd96ed1e33fb733432681e6b2f77d8eb696cfdc7f80442293650ae572bb7956acec84886988d1ce82aca3c1

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
844KB

MD5
126d18a4644e8f3c41b0b13aacf33a61

SHA1
42046ffdb73816b898f0caeab4565e1b7cf87967

SHA256
90e23fad2e5998bef97e7bc63691685191b20986f1125479d83dd4bde7d431ea

SHA512
da8f5751de10bdacc4611dc3903586c66fc05051d432bbf3cfbc4faa95731c11816615420be2aaebe16ffd71db0317d6064a91df3dd735437a5ff77b7c6f60d8

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
844KB

MD5
226a0d89cc5f6334a642fbd2f1f9a38d

SHA1
ec4ac455563817dfbfea8dd5eba05a8ad964b17f

SHA256
0cb0237df13600863a6c668a1008e9a1aa563ddc16911a8958cf475579211e2b

SHA512
1022b609506bee2f1623aafaff21c1d85a8567b5a4989a8a91899c3dac63700ff49dd5a3e2f95d2f6f50984f7da4ee6b5e0e0183c19365a6cbcdabc6b231eab1

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
844KB

MD5
6f6a2343ea6d56d8ebf16d114dc822d9

SHA1
f1610833cf282c92285a5f84b00d00f6f11c934b

SHA256
325a327a2545991a4eb04ea2b98289e2a9db9e8ae819c8d9e47ee8d8dcbe97bd

SHA512
9332a95cd5eb266c35ec3dfa25321097e50a817bfb8da7cc019b99ad3f8d221b4cb39bdefebbd536e89ea0bc344872175ff40fadbad9dbd268d35ac8b41a8559

Download Submit
memory/208-132-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/216-539-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/216-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/324-503-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/376-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/380-100-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/436-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/464-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/668-540-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/684-497-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/756-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/932-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/968-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1044-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1092-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1180-521-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1200-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1468-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1504-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1600-560-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1616-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1660-527-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1736-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1796-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1800-437-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2036-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-172-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2108-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2152-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2364-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2392-483-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2412-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2568-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2760-509-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2768-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-546-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2800-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2896-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3056-467-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3328-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3332-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3452-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3480-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3516-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3516-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3568-491-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3576-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3604-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3656-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3656-590-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3672-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3760-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3836-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3996-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4124-443-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4128-533-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4208-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4240-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4244-455-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4248-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4280-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4284-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4304-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4360-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4360-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4364-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4420-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4460-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4512-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-516-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4600-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4636-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4688-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4704-449-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4784-485-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4792-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4836-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-553-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4896-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4896-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4900-567-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4904-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4908-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4916-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4920-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4940-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4944-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5100-465-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5128-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5184-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5228-592-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5304-594-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads