cb454f85aded0c04650f130100d6fadbf375f744b3fa6a2139260ec6019a175e

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88ba484d0165624261a9b422583c37a0_NeikiAnalytics.exe
Size

96KB
MD5

88ba484d0165624261a9b422583c37a0
SHA1

65c44707c8b12acaa1ff67d5344fb816497568f9
SHA256

cb454f85aded0c04650f130100d6fadbf375f744b3fa6a2139260ec6019a175e
SHA512

6ee98f6a5b9d4e894e7d8cc3ed1a351db609d715d72e9f0acaa15db49b575b5485028aa8dddadf8585ad2819d5f02b2faca3bb5551f68a936696d32e4b7ad77c
SSDEEP

1536:gp19z38QoDMTFQf+6nafr2LwaIZTJ+7LhkiB0MPiKeEAgH:csQ5+JafIwaMU7uihJ5

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gegkpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdlkdhnk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noblkqca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmipdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofhknodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiekog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geoapenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kedlip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noblkqca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkcndeen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfkkqmiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipbaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockdmmoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddnobj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddnobj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhgkgijg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iialhaad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joqafgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heegad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Halhfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebifmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdlkdhnk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Legben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiqjke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geoapenf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkcndeen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieccbbkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlikkkhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogjdmbil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egohdegl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iialhaad.exe

Malware Dropper & Backdoor - Berbew 43 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0008000000023272-7.dat	family_berbew
behavioral2/files/0x0008000000023276-15.dat	family_berbew
behavioral2/files/0x000800000002327a-23.dat	family_berbew
behavioral2/files/0x000700000002327c-31.dat	family_berbew
behavioral2/files/0x000700000002327e-38.dat	family_berbew
behavioral2/files/0x0007000000023280-47.dat	family_berbew
behavioral2/files/0x0007000000023282-55.dat	family_berbew
behavioral2/files/0x0007000000023284-58.dat	family_berbew
behavioral2/files/0x0007000000023286-71.dat	family_berbew
behavioral2/files/0x0007000000023288-80.dat	family_berbew
behavioral2/files/0x000700000002328a-88.dat	family_berbew
behavioral2/files/0x000700000002328c-97.dat	family_berbew
behavioral2/files/0x000700000002328f-106.dat	family_berbew
behavioral2/files/0x0007000000023291-115.dat	family_berbew
behavioral2/files/0x0007000000023293-123.dat	family_berbew
behavioral2/files/0x0007000000023295-133.dat	family_berbew
behavioral2/files/0x0007000000023297-137.dat	family_berbew
behavioral2/files/0x0007000000023299-151.dat	family_berbew
behavioral2/files/0x000700000002329b-160.dat	family_berbew
behavioral2/files/0x000700000002329d-169.dat	family_berbew
behavioral2/files/0x000700000002329f-178.dat	family_berbew
behavioral2/files/0x00070000000232a1-187.dat	family_berbew
behavioral2/files/0x00070000000232a4-196.dat	family_berbew
behavioral2/files/0x00070000000232a6-205.dat	family_berbew
behavioral2/files/0x00070000000232a8-214.dat	family_berbew
behavioral2/files/0x00070000000232aa-223.dat	family_berbew
behavioral2/files/0x00070000000232ac-232.dat	family_berbew
behavioral2/files/0x00070000000232ae-241.dat	family_berbew
behavioral2/files/0x00070000000232b0-250.dat	family_berbew
behavioral2/files/0x00070000000232b2-259.dat	family_berbew
behavioral2/files/0x00070000000232b4-268.dat	family_berbew
behavioral2/files/0x00070000000232b6-277.dat	family_berbew
behavioral2/files/0x00070000000232ba-288.dat	family_berbew
behavioral2/files/0x00070000000232c8-337.dat	family_berbew
behavioral2/files/0x00070000000232cf-365.dat	family_berbew
behavioral2/files/0x00070000000232d3-379.dat	family_berbew
behavioral2/files/0x00070000000232db-407.dat	family_berbew
behavioral2/files/0x00070000000232e1-428.dat	family_berbew
behavioral2/files/0x00070000000232e5-442.dat	family_berbew
behavioral2/files/0x00070000000232eb-463.dat	family_berbew
behavioral2/files/0x00070000000232f1-485.dat	family_berbew
behavioral2/files/0x00070000000232f9-512.dat	family_berbew
behavioral2/files/0x00070000000232fd-526.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
736	Mmmqhl32.exe
4592	Mcifkf32.exe
640	Nggnadib.exe
4028	Njhgbp32.exe
2196	Nmipdk32.exe
2592	Nagiji32.exe
3576	Oplfkeob.exe
4572	Ofhknodl.exe
1716	Oanokhdb.exe
3792	Ogjdmbil.exe
4496	Opeiadfg.exe
3968	Pccahbmn.exe
4616	Ppjbmc32.exe
4116	Pffgom32.exe
1092	Ppahmb32.exe
1444	Qpcecb32.exe
1440	Qmgelf32.exe
3420	Cpdgqmnb.exe
4940	Dhphmj32.exe
1768	Dhbebj32.exe
872	Dkcndeen.exe
3732	Ddnobj32.exe
2024	Egohdegl.exe
4392	Enkmfolf.exe
3824	Ebifmm32.exe
5060	Eiekog32.exe
1368	Fdlkdhnk.exe
3628	Fkhpfbce.exe
2540	Fiqjke32.exe
4048	Gegkpf32.exe
1548	Gghdaa32.exe
1164	Geoapenf.exe
2004	Hbenoi32.exe
1900	Heegad32.exe
2788	Halhfe32.exe
3380	Hejqldci.exe
2092	Hihibbjo.exe
2508	Ipbaol32.exe
4224	Ieagmcmq.exe
672	Ieccbbkn.exe
4880	Iialhaad.exe
5084	Joqafgni.exe
4312	Jpbjfjci.exe
4164	Jlikkkhn.exe
400	Kedlip32.exe
2072	Kakmna32.exe
1580	Kcjjhdjb.exe
3344	Kiikpnmj.exe
4476	Lljdai32.exe
1400	Lcfidb32.exe
2720	Legben32.exe
1376	Lhgkgijg.exe
3532	Mfkkqmiq.exe
4368	Mcoljagj.exe
864	Mofmobmo.exe
1408	Mpeiie32.exe
2988	Mqhfoebo.exe
2152	Mlofcf32.exe
2248	Noppeaed.exe
4004	Noblkqca.exe
216	Nmfmde32.exe
3092	Njljch32.exe
3808	Oiagde32.exe
1844	Objkmkjj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fdlkdhnk.exe	Eiekog32.exe
File created	C:\Windows\SysWOW64\Jklliiom.dll	Ieagmcmq.exe
File opened for modification	C:\Windows\SysWOW64\Mmmqhl32.exe	88ba484d0165624261a9b422583c37a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ddnobj32.exe	Dkcndeen.exe
File opened for modification	C:\Windows\SysWOW64\Jpbjfjci.exe	Joqafgni.exe
File created	C:\Windows\SysWOW64\Kedlip32.exe	Jlikkkhn.exe
File opened for modification	C:\Windows\SysWOW64\Njljch32.exe	Nmfmde32.exe
File created	C:\Windows\SysWOW64\Eiekog32.exe	Ebifmm32.exe
File opened for modification	C:\Windows\SysWOW64\Kedlip32.exe	Jlikkkhn.exe
File opened for modification	C:\Windows\SysWOW64\Fdlkdhnk.exe	Eiekog32.exe
File opened for modification	C:\Windows\SysWOW64\Gegkpf32.exe	Fiqjke32.exe
File opened for modification	C:\Windows\SysWOW64\Kcjjhdjb.exe	Kakmna32.exe
File opened for modification	C:\Windows\SysWOW64\Legben32.exe	Lcfidb32.exe
File opened for modification	C:\Windows\SysWOW64\Noblkqca.exe	Noppeaed.exe
File created	C:\Windows\SysWOW64\Nmfmde32.exe	Noblkqca.exe
File created	C:\Windows\SysWOW64\Hkfoel32.dll	Ogjdmbil.exe
File created	C:\Windows\SysWOW64\Ajiqfi32.dll	Geoapenf.exe
File created	C:\Windows\SysWOW64\Oiagde32.exe	Njljch32.exe
File created	C:\Windows\SysWOW64\Cpfoag32.dll	Qmgelf32.exe
File created	C:\Windows\SysWOW64\Dgihjf32.dll	Dhphmj32.exe
File opened for modification	C:\Windows\SysWOW64\Nmfmde32.exe	Noblkqca.exe
File opened for modification	C:\Windows\SysWOW64\Ppjbmc32.exe	Pccahbmn.exe
File created	C:\Windows\SysWOW64\Legben32.exe	Lcfidb32.exe
File opened for modification	C:\Windows\SysWOW64\Pplhhm32.exe	Pfagighf.exe
File opened for modification	C:\Windows\SysWOW64\Pccahbmn.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Cjkhnd32.dll	Njljch32.exe
File created	C:\Windows\SysWOW64\Heegad32.exe	Hbenoi32.exe
File created	C:\Windows\SysWOW64\Khnhommq.dll	Jlikkkhn.exe
File opened for modification	C:\Windows\SysWOW64\Ogjdmbil.exe	Oanokhdb.exe
File opened for modification	C:\Windows\SysWOW64\Hbenoi32.exe	Geoapenf.exe
File created	C:\Windows\SysWOW64\Fiqjke32.exe	Fkhpfbce.exe
File created	C:\Windows\SysWOW64\Hjaqmkhl.dll	Joqafgni.exe
File created	C:\Windows\SysWOW64\Dpifjj32.dll	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Jcleff32.dll	Nggnadib.exe
File created	C:\Windows\SysWOW64\Jponoqjl.dll	Pccahbmn.exe
File created	C:\Windows\SysWOW64\Mpaqbf32.dll	Heegad32.exe
File opened for modification	C:\Windows\SysWOW64\Kakmna32.exe	Kedlip32.exe
File created	C:\Windows\SysWOW64\Nmdkcj32.dll	Legben32.exe
File created	C:\Windows\SysWOW64\Noblkqca.exe	Noppeaed.exe
File created	C:\Windows\SysWOW64\Pfagighf.exe	Ockdmmoj.exe
File opened for modification	C:\Windows\SysWOW64\Ebifmm32.exe	Enkmfolf.exe
File created	C:\Windows\SysWOW64\Lbfecjhc.dll	Gghdaa32.exe
File opened for modification	C:\Windows\SysWOW64\Ipbaol32.exe	Hihibbjo.exe
File opened for modification	C:\Windows\SysWOW64\Omopjcjp.exe	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Nmipdk32.exe	Njhgbp32.exe
File created	C:\Windows\SysWOW64\Gegkpf32.exe	Fiqjke32.exe
File opened for modification	C:\Windows\SysWOW64\Fkhpfbce.exe	Fdlkdhnk.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Jhkilook.dll	Ddnobj32.exe
File opened for modification	C:\Windows\SysWOW64\Enkmfolf.exe	Egohdegl.exe
File created	C:\Windows\SysWOW64\Pffgom32.exe	Ppjbmc32.exe
File opened for modification	C:\Windows\SysWOW64\Opeiadfg.exe	Ogjdmbil.exe
File created	C:\Windows\SysWOW64\Lkpemq32.dll	Jpbjfjci.exe
File created	C:\Windows\SysWOW64\Oanokhdb.exe	Ofhknodl.exe
File created	C:\Windows\SysWOW64\Kpibgp32.dll	Ofhknodl.exe
File created	C:\Windows\SysWOW64\Ogjdmbil.exe	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Pjehnm32.dll	Ppjbmc32.exe
File opened for modification	C:\Windows\SysWOW64\Joqafgni.exe	Iialhaad.exe
File created	C:\Windows\SysWOW64\Cbqfhb32.dll	Lljdai32.exe
File created	C:\Windows\SysWOW64\Ldpnmg32.dll	Mmmqhl32.exe
File opened for modification	C:\Windows\SysWOW64\Nggnadib.exe	Mcifkf32.exe
File opened for modification	C:\Windows\SysWOW64\Pfagighf.exe	Ockdmmoj.exe
File created	C:\Windows\SysWOW64\Hihibbjo.exe	Hejqldci.exe
File created	C:\Windows\SysWOW64\Lnjkcfod.dll	Eiekog32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3264	3700	WerFault.exe	159

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcifkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhkilook.dll"	Ddnobj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gegkpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpbjfjci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpibgp32.dll"	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbenoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlikkkhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekellcop.dll"	Egohdegl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebifmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcomn32.dll"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfnagdi.dll"	Nmipdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkcndeen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjenfjo.dll"	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihice32.dll"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Geoapenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihiic32.dll"	Mcifkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfoag32.dll"	Qmgelf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fiqjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbqfhb32.dll"	Lljdai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqgnfcmm.dll"	Enkmfolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfkgknc.dll"	Mfkkqmiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnmodnoo.dll"	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfecjhc.dll"	Gghdaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Halhfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egopbhnc.dll"	Lcfidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ockdmmoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjaei32.dll"	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enkmfolf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Joqafgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kedlip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfpihkg.dll"	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll"	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebifmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmnkgfc.dll"	Ipbaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgccelpk.dll"	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppadalgj.dll"	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcnqjjo.dll"	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjfof32.dll"	Hihibbjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggkemhh.dll"	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gghdaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogjdmbil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 736	4664	88ba484d0165624261a9b422583c37a0_NeikiAnalytics.exe	91
PID 4664 wrote to memory of 736	4664	88ba484d0165624261a9b422583c37a0_NeikiAnalytics.exe	91
PID 4664 wrote to memory of 736	4664	88ba484d0165624261a9b422583c37a0_NeikiAnalytics.exe	91
PID 736 wrote to memory of 4592	736	Mmmqhl32.exe	92
PID 736 wrote to memory of 4592	736	Mmmqhl32.exe	92
PID 736 wrote to memory of 4592	736	Mmmqhl32.exe	92
PID 4592 wrote to memory of 640	4592	Mcifkf32.exe	93
PID 4592 wrote to memory of 640	4592	Mcifkf32.exe	93
PID 4592 wrote to memory of 640	4592	Mcifkf32.exe	93
PID 640 wrote to memory of 4028	640	Nggnadib.exe	94
PID 640 wrote to memory of 4028	640	Nggnadib.exe	94
PID 640 wrote to memory of 4028	640	Nggnadib.exe	94
PID 4028 wrote to memory of 2196	4028	Njhgbp32.exe	95
PID 4028 wrote to memory of 2196	4028	Njhgbp32.exe	95
PID 4028 wrote to memory of 2196	4028	Njhgbp32.exe	95
PID 2196 wrote to memory of 2592	2196	Nmipdk32.exe	96
PID 2196 wrote to memory of 2592	2196	Nmipdk32.exe	96
PID 2196 wrote to memory of 2592	2196	Nmipdk32.exe	96
PID 2592 wrote to memory of 3576	2592	Nagiji32.exe	97
PID 2592 wrote to memory of 3576	2592	Nagiji32.exe	97
PID 2592 wrote to memory of 3576	2592	Nagiji32.exe	97
PID 3576 wrote to memory of 4572	3576	Oplfkeob.exe	98
PID 3576 wrote to memory of 4572	3576	Oplfkeob.exe	98
PID 3576 wrote to memory of 4572	3576	Oplfkeob.exe	98
PID 4572 wrote to memory of 1716	4572	Ofhknodl.exe	99
PID 4572 wrote to memory of 1716	4572	Ofhknodl.exe	99
PID 4572 wrote to memory of 1716	4572	Ofhknodl.exe	99
PID 1716 wrote to memory of 3792	1716	Oanokhdb.exe	100
PID 1716 wrote to memory of 3792	1716	Oanokhdb.exe	100
PID 1716 wrote to memory of 3792	1716	Oanokhdb.exe	100
PID 3792 wrote to memory of 4496	3792	Ogjdmbil.exe	101
PID 3792 wrote to memory of 4496	3792	Ogjdmbil.exe	101
PID 3792 wrote to memory of 4496	3792	Ogjdmbil.exe	101
PID 4496 wrote to memory of 3968	4496	Opeiadfg.exe	102
PID 4496 wrote to memory of 3968	4496	Opeiadfg.exe	102
PID 4496 wrote to memory of 3968	4496	Opeiadfg.exe	102
PID 3968 wrote to memory of 4616	3968	Pccahbmn.exe	103
PID 3968 wrote to memory of 4616	3968	Pccahbmn.exe	103
PID 3968 wrote to memory of 4616	3968	Pccahbmn.exe	103
PID 4616 wrote to memory of 4116	4616	Ppjbmc32.exe	104
PID 4616 wrote to memory of 4116	4616	Ppjbmc32.exe	104
PID 4616 wrote to memory of 4116	4616	Ppjbmc32.exe	104
PID 4116 wrote to memory of 1092	4116	Pffgom32.exe	105
PID 4116 wrote to memory of 1092	4116	Pffgom32.exe	105
PID 4116 wrote to memory of 1092	4116	Pffgom32.exe	105
PID 1092 wrote to memory of 1444	1092	Ppahmb32.exe	106
PID 1092 wrote to memory of 1444	1092	Ppahmb32.exe	106
PID 1092 wrote to memory of 1444	1092	Ppahmb32.exe	106
PID 1444 wrote to memory of 1440	1444	Qpcecb32.exe	107
PID 1444 wrote to memory of 1440	1444	Qpcecb32.exe	107
PID 1444 wrote to memory of 1440	1444	Qpcecb32.exe	107
PID 1440 wrote to memory of 3420	1440	Qmgelf32.exe	108
PID 1440 wrote to memory of 3420	1440	Qmgelf32.exe	108
PID 1440 wrote to memory of 3420	1440	Qmgelf32.exe	108
PID 3420 wrote to memory of 4940	3420	Cpdgqmnb.exe	109
PID 3420 wrote to memory of 4940	3420	Cpdgqmnb.exe	109
PID 3420 wrote to memory of 4940	3420	Cpdgqmnb.exe	109
PID 4940 wrote to memory of 1768	4940	Dhphmj32.exe	110
PID 4940 wrote to memory of 1768	4940	Dhphmj32.exe	110
PID 4940 wrote to memory of 1768	4940	Dhphmj32.exe	110
PID 1768 wrote to memory of 872	1768	Dhbebj32.exe	111
PID 1768 wrote to memory of 872	1768	Dhbebj32.exe	111
PID 1768 wrote to memory of 872	1768	Dhbebj32.exe	111
PID 872 wrote to memory of 3732	872	Dkcndeen.exe	112

C:\Users\Admin\AppData\Local\Temp\88ba484d0165624261a9b422583c37a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\88ba484d0165624261a9b422583c37a0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\SysWOW64\Mmmqhl32.exe
  C:\Windows\system32\Mmmqhl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\SysWOW64\Mcifkf32.exe
    C:\Windows\system32\Mcifkf32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\SysWOW64\Nggnadib.exe
      C:\Windows\system32\Nggnadib.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
      - C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Egohdegl.exe
        
        C:\Windows\system32\Egohdegl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Gegkpf32.exe
        
        C:\Windows\system32\Gegkpf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1900
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:672
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        49⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        58⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        64⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        70⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 400
        71⤵
        Program crash
        
        PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3700 -ip 3700
1⤵
PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:5680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cpdgqmnb.exe

Filesize
96KB

MD5
57c9e508b2163432b10315c2ed10d47c

SHA1
319e34f7c4fe576b81319d1abe102273131c4f3b

SHA256
986432bffe8c1a66b552a19794621d2b936b7d3b493ec3631a3afb1f1207e245

SHA512
d81d7b47fd39e8fe6c68d53f230fc09c82691cf5f997e4ffeee496a5563488ca2d8348d1a295ad897fbafde9a52a391d77f26dbd19db94bbc6e737e2444473c9

Download Submit
C:\Windows\SysWOW64\Ddnobj32.exe

Filesize
96KB

MD5
a0f021fad621ddcc333267ecd57c198c

SHA1
620ed177e7c714dd5a1f974f2a40aef595b792f4

SHA256
1ad8958bae7e2633d953eb088d3e764a4178018cef6437a322c306400b09231e

SHA512
d7f92bc7a8c90f3ac427528f0b135709d064b02b333624dcc3e08781be2be9c9dec05fcbba48c4ec94dadf244d80df546768ae43ab099016263daa94275433a7

Download Submit
C:\Windows\SysWOW64\Dhbebj32.exe

Filesize
96KB

MD5
b087a0d57348b356f720cebcba2179cd

SHA1
9a2f05f178caa6c9a63651b996e015dc405e49fe

SHA256
eed9e45399ea88497a1421be1faa199edd74fd7f69fb50252727ec11ed365512

SHA512
c250b52f801073d4a49f39c8ec325fc3f240ebd9e183e6b29d6203d88317b8126150e4d1232565fad60b3562b94066dc0aa7ec6709b1e06e78473c31d2bdbf4d

Download Submit
C:\Windows\SysWOW64\Dhphmj32.exe

Filesize
96KB

MD5
fac5d460f16eff9d35daa52796ba25c7

SHA1
aadca8c26b79556976f6d28678924ea1ff507c93

SHA256
7b1c59b802dd9afc92034c4171a2cac761ad24b8e8c5a36a538e3839ea7713e6

SHA512
f22f389a7904f0fc11b51d5cb338fb2e4433c361c60c91b2b2693a54a8a2cda50f1710aab7271476424f19bd74721f2169cb68d7ee089cf05c8c9b4cbfd0bd3a

Download Submit
C:\Windows\SysWOW64\Dkcndeen.exe

Filesize
96KB

MD5
088b50360e05d4c312f5db38943a691a

SHA1
19f26dfe55da6bf421512535bf137702a8fa0784

SHA256
f310e379c8ffeae11078de4d19ac5f41d7fa307d18cdb338f76b361ec0af0c7d

SHA512
2f262fd5deb0be1445dff12360a2b12fcd4cd8d1a0062633e421f582ec7c57c84a4e0cb7bb84debf7147ec6395344af1d419867edcf3f54aa581a671009a988a

Download Submit
C:\Windows\SysWOW64\Ebifmm32.exe

Filesize
96KB

MD5
59252f360142ff3a43960ef98366d9ea

SHA1
818e8c509dd9550c122f146b353bbf39faf0572e

SHA256
234ddde589f18cdf9837b37db2d845aa215055566e2f708eb6e36b05e58d4b59

SHA512
b9ec7be31c57d959edea5f39840121e36a97fdf0a652961037a2db705286b9921b151fe2a6661043e2fdc28d2203139f4c34e0028e4b998048ac4e34404f8166

Download Submit
C:\Windows\SysWOW64\Egohdegl.exe

Filesize
96KB

MD5
9d5d9aa2db71a50381b0bd39d587cce1

SHA1
a1fdb96d2d4ed6087ddb775c1ac0b287cf9fcc15

SHA256
6d810ada7770edb85ce5253e16b3e31354edd47d93998957e4c375bfc01bf502

SHA512
7232cf68ccb3baeb96fb142072269b5586b9bf2850d8e26a5a6f35df2b9cef6f61a29641ba833dac7f075c9fc8a21bc8dd6977a519c5fc9580a5d3c6d1ee06f6

Download Submit
C:\Windows\SysWOW64\Eiekog32.exe

Filesize
96KB

MD5
f918b3a9d8d16bb031b6e5eb9a3bb9b0

SHA1
8fdd97d356a24ddc0b6008618e96078997686348

SHA256
fe9ae44e719abb777695e62cc402cc9433c9adaf32b98d367d4c429be55ddd26

SHA512
012adefc36f7fd2b11cbc8cb38ddd97b96071938eb02964af7447c066df2cbf3526633fac0c17e06f2ee0fc7d64711a6b9d2a303f5fd68e36f0c1822b605bacf

Download Submit
C:\Windows\SysWOW64\Enkmfolf.exe

Filesize
96KB

MD5
d49d93aee7cb9d2908dec033207ddf36

SHA1
76814e9a486ef4f29c9df31047826a6d522f1969

SHA256
4db9275f03da41bf0e2b4833f7ffd09b543f7276e4c478822a74b604e2390e8f

SHA512
3165c97f5c7ec5fce0ca5f80276f24b4b33d164c07406710efb28503b34d3aff11959116e56fefef0b80112e66f4d26dd3ad8ac05a3e0464c13b49cd75db3b70

Download Submit
C:\Windows\SysWOW64\Fdlkdhnk.exe

Filesize
96KB

MD5
727c832fdce2b0189b62a6dda96be18f

SHA1
1de9e74f0b70895f4f6ff64d7f7b4845f7ee920b

SHA256
a05ba74ee9ae908c80741bd3ccefbc0239a3ae18c6a408de0d6f3d0e37a20049

SHA512
e81f1f14a1369f0fcf75f4f9dc374c415f9220adf69ddb3c924abdb2ebe18965ed065f3d30a6b9c22fdea4596fc5f7c66c6a2285431054a4d8f7633edcfb957b

Download Submit
C:\Windows\SysWOW64\Fiqjke32.exe

Filesize
96KB

MD5
ba8178a8e38fe82c285aa9bfcf156276

SHA1
4a049292bf65481a9f0526109017435cb697b1f9

SHA256
40dc61ed2aec2d1ae3989fa33c4765d9f0a0ddd62e8c3cbf019a285dd6f63c68

SHA512
19a8b3cc0f359d586195f39b7266525220ad96f130b32fbb7dbcafa44e09644e5a57b8c6e439b776369bd78998f20e53e55b9f3911da71eff4fafa0b03f05e71

Download Submit
C:\Windows\SysWOW64\Fkhpfbce.exe

Filesize
96KB

MD5
f620bcee946571692eb13126572d0537

SHA1
39b662f91ae7588c3304c3b81423379d670c9ac3

SHA256
76286f11bc1645d83196f9e843c28c4a9fbc0b473c00d72bb1677ee6804e5f52

SHA512
ba26caa016e57651b918e30a9387b68cbb340778ac8772f0877ed8993489de79992e022e6fa8ce346c9db901e06d3f9c41f2f458083dc474a5df7dc827e246a4

Download Submit
C:\Windows\SysWOW64\Gegkpf32.exe

Filesize
96KB

MD5
c3612967f51d9843aa20695eba1a76a5

SHA1
1dc05c23adf2a24c7a6f0a67796cde311fd858cb

SHA256
5736a97d051cb879e1379bb8cd39bd494a9f5e775d90a5c8fa0c651924a91864

SHA512
7017e0d5e71c4fbbdc87494942159c058986be53398be2696847c470e47b9816c3f5d85dd0d646976940002eb885a1a95b6fac664f4a4089c26b303fa31b577f

Download Submit
C:\Windows\SysWOW64\Geoapenf.exe

Filesize
96KB

MD5
32bf44658ee06a7e8a1090fb1f221c8c

SHA1
29a1aa9a9a967bb79f96d6959b99dcb4f8ff641e

SHA256
fb2b923f5972b7195767048bc196aaa2a0bb721e332935a25e8734c582f32543

SHA512
23b8eedd6942b36a0e1fe8ddc79e3125da08a86e30e8c2e5f158fb346e5b50b255648b9486d07d6204e941c6e0836f4dde4332081074387c932f0973d01a10ff

Download Submit
C:\Windows\SysWOW64\Gghdaa32.exe

Filesize
96KB

MD5
5519f112efeeb1f84ff266416c13f9b1

SHA1
5dfd3e8a62a2ad664bf4849453e57550967fd31a

SHA256
a7ad2e98e3f02b28ec36d2c64d8268c7ec70ed33affc50df51f2a395985a8d28

SHA512
f48f85cc52781d3292bb4a5d65a9c1aed5de5572028343a11fb637716cb9c01722f16ab0407c65e4160516379ae4ebf5b6b41447b2fc2970678202bd2fe04db4

Download Submit
C:\Windows\SysWOW64\Heegad32.exe

Filesize
96KB

MD5
b1f4bc0a00f8deaf699c893e0041105d

SHA1
6f81f879f1e9eee00d1b32874e853de4b4ca10f0

SHA256
3a9402fe492d441c837e3c584393a48a3e215bd2d2397ff7decb6ee2b74c05a2

SHA512
9206355693b3b56590faf6d5d84ead9d0a1d167a9d15a48bd0551b33c483fe8f7a40a805d8ee83cbcc925e478867c3c63f86e365c93aa73bca8daec7dc8234f2

Download Submit
C:\Windows\SysWOW64\Iialhaad.exe

Filesize
96KB

MD5
7726426c8cf458f73d8a7fd6dfdb5daf

SHA1
7c0fdf31a3c6f3915459d14cc4905bc5b9bcc1d9

SHA256
8d8f652fa62f236dd635ffbebe56ddb7eb73d329403efb6a46aaf3a647b34ffc

SHA512
d9bf706d05b43f11452f55ab30e28511017063ef6ae0cc5f5c346b00f7c4d3b0ecb08aebe782305827d6724a50de4feadd6898f9ca6530dc9bcffc0317a28e19

Download Submit
C:\Windows\SysWOW64\Kcjjhdjb.exe

Filesize
96KB

MD5
3cfac25c0ced54b342367316a3b6540a

SHA1
f244db1d561b94de4b2ce7456ac48bbefe735b1f

SHA256
275431289c0e8ad68e0546b6dbfa8bf86ae457ce8c62f47a5c51e3ce5c8b65b4

SHA512
2447c366ce48b3ff91b091278100f13b3ceb38a8be34cfe59ab114160feb75eef63589f67e0af56e0c7ab9fedfb5541a59c95a67078295f0ed2ebbe25a46dcc2

Download Submit
C:\Windows\SysWOW64\Kedlip32.exe

Filesize
96KB

MD5
a93ccbe38cfef680238e0d370f710a2c

SHA1
762c87e22ffdd73ec116e90569d5838b98dc81c3

SHA256
4034046db53d302ebd345ed6adaa735335499a427327d8ed8ac524478386bd25

SHA512
6337d6bbc9988c958b45c25e24abaa1264fdb2a766ec5242e1a4a95afb1a61b8e3e95e12cfe3eacda5f3653b940793db9b45ab2f78eb915a4130d883369bb9a0

Download Submit
C:\Windows\SysWOW64\Legben32.exe

Filesize
96KB

MD5
4a86685f0f6bc64f50bd7b4794936961

SHA1
9d0685951660ae7037dc0fc24b792055977a6ab8

SHA256
dfad602898e336d52320f5e1c899bc828fc9d9c2e4e2ff1aff913bf72d39a382

SHA512
946307608c0b3166fc27057f370ed851839ff621d98442e323763c4a029127590e1de9545f2c808a195460bea2e3e88b6408c3a7319fc86f61868b4c0b358018

Download Submit
C:\Windows\SysWOW64\Mcifkf32.exe

Filesize
96KB

MD5
a24a1a7e1eee6c3025df6e4c1b65e56d

SHA1
ea1634fe53e4c4f2f40a46100ddd262f359a510a

SHA256
2d063ade212004d53fa9fd3513fa3d4535cd4aa592833fb30af4022c0f749eb0

SHA512
33daef1f9ae9475aa599d5d5fc698cb4c7b1620b7e6f04fee04e7f5d9559889adbce98f49edbed7900c2476655bc6ecb7d54b7f87327463ada16654098e80228

Download Submit
C:\Windows\SysWOW64\Mcoljagj.exe

Filesize
96KB

MD5
879145c08861cc60291b7f0d8a339d17

SHA1
36fe5a8e53f37bfcf98c890a1b1d837be59f9c3c

SHA256
445139e1ad63eecb40ab38e4ebe6a88b36f3d3020ba8364b77d1d55bc8ec2c21

SHA512
6ce2b5ec1394dca7f9129398e2195799d6acdbab966d8ff1a27ad3392fda1e56658f271d67484507fcd43c21980fb6e2e5da48dcc3c8853bafde3a4defe1507d

Download Submit
C:\Windows\SysWOW64\Mmmqhl32.exe

Filesize
96KB

MD5
872b995c55bba255a1da755ca302ca61

SHA1
f5d1a3c6686a0278e23419d31ebaad91d8bc584a

SHA256
46d0b0884f39f74e1d3068f877dcc16a3a14d0d1a59e6ca51b3bf20b339b470e

SHA512
06145f95b5b9ee9f431f389cb63b5e1de3b38412dc78e5a66e125db089e6b77ef89842b3b1c15c55cd7eced7503f5d4819a1914da2c177846ad051974670ed3f

Download Submit
C:\Windows\SysWOW64\Mpeiie32.exe

Filesize
96KB

MD5
f38413cefb9f262212d4b9741796b4cc

SHA1
cbea44879618b177e9d95831689d61049ce8bcf2

SHA256
7f847a6cf496305011c51d443c13b58f903ca65e15427b209761f6ccda8e01c8

SHA512
a20b4c35cf48189fcc2053de8bdec1c38c5970e8466ceda35e2d1ae70da35fd7bc63462fb572151c8f99e59ea122b5e06faaa5456ddb33e4d073d2b29de48627

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe

Filesize
96KB

MD5
98ab50381ef6bfcbac1f28c2164f779d

SHA1
c9f6bf8c0779ff75e5a6264665ef42bf3f11a79e

SHA256
32d8b4ed81c3057f34bc88947ae7fb1c8d38ab3b153ddca79ebd3fc59432ab3d

SHA512
74807476048925601165744d2c9ea0802bf9d01ff0e51c605afd52f3223e81d7693c96970f989bc0aaa9ccb8896c8a0b4e3adfced598a278dc4b8a2f6f09a1d3

Download Submit
C:\Windows\SysWOW64\Nggnadib.exe

Filesize
96KB

MD5
ec5354450c5d226dbe6721944f6f0cc8

SHA1
a1d802f5896f6ca9f641e09ca94c6dd3c27d29df

SHA256
cded5151987c7218805c9209aa0f4d15b4de0c3cbafb42e150729e57a1f318a5

SHA512
278c1a0365976f870db02af3a88e2f7dee33da7d25d00c6186f4c79f9c81af3f9b0d5b9679f4d058fc22268d765309b945c846d1cccc2e70f66950d797728be4

Download Submit
C:\Windows\SysWOW64\Njhgbp32.exe

Filesize
96KB

MD5
2130a7fdebb3412652d8c66a7eab845b

SHA1
0f262b52d62fc330fb1598040107c84ede269171

SHA256
5b754eb37e26e9011a290fb5c2b3f265ca7b4a28e7cd5c789c06bd27e6353712

SHA512
bf40587cc03ff8cc8421475f208eab41cb1f87c269d94e388c4934da9ffd77291f76f74c10cc454cb7255fa9495d9e8ab86f12fb5112d11a782fdbdde7840819

Download Submit
C:\Windows\SysWOW64\Njljch32.exe

Filesize
96KB

MD5
606cb98de58db1c1a479077418433487

SHA1
42d668c1723540c54c986df5538bea245c85e788

SHA256
89d6737bc1f65b888ed57f106ad8cec5ecee22817528332a113301f317a8ab2c

SHA512
b9b456cbe2d611b6d858afca6fe369350a79323dac883ea857648a7d5dd590921725f9d6c571056d7dd2d48ecba2d023b66af3c3ef560b0f3099603d8dc7906f

Download Submit
C:\Windows\SysWOW64\Nmipdk32.exe

Filesize
96KB

MD5
f56e3dbaa972f4ed6cec814f31f9971a

SHA1
477d5dfba124cf2a918bcf6af668a74489817bd3

SHA256
b2d5af4d0e9cf978bbefc1e5136c6220d65c014ba240d74d364a1942b63bb2cf

SHA512
3111b9d4deab6e913090d1819aeb6072fe4fa7a4ae299f70b67577c5876a896a27867f0edcaa6abe3bf212263142df3ae121f9fa394b1842fdf02714eb87d0d3

Download Submit
C:\Windows\SysWOW64\Noppeaed.exe

Filesize
96KB

MD5
42b6a284a12a1e2909ebdcf9783fe975

SHA1
0234ca54506e6c3d54ee6dd02f1b1cc078d19e97

SHA256
f464a28bb1649e0c710c0ad817c456489a5c173a4ccebc3d837b8ddf9b5995f0

SHA512
44cfb344c1f109529e2ef2d4c6361bd925e265d4fbc2e1f40de85c5319a36cf3df6b01bfc64704fa2565d31f41de057d184924391c50333c0704d6fb76b2678b

Download Submit
C:\Windows\SysWOW64\Oanokhdb.exe

Filesize
96KB

MD5
1fdc3aaec12c6881245b55320ef54834

SHA1
4728a928771e78341f31e60ebac52df7fffac9b2

SHA256
12d638ad46a9e2084e7f207ea941bba193d37a14e7a502cc978848a070512d9d

SHA512
696d807689ec147ff7ea31b340a2eb5db963c395b5c427681e50e64d3e57a09e705d890477718cdc2167a876444abb3a950d453522ee364d1805f859a20e63ef

Download Submit
C:\Windows\SysWOW64\Ockdmmoj.exe

Filesize
96KB

MD5
75e82e2585cc97fa5fe0e36db36563eb

SHA1
374a888022e136a7180981498f81ed36fe7a6b03

SHA256
e9bab46a73048e23b122b37abb8563c2ab3e0efca0ba580c6d02f234d878e2a2

SHA512
f01e13dd5da3ea40cccc994ddda1d6519bba38a5c7d4c82bfe387b42e6abea9a1275cbe46a8fe63a034820993cb3180e4dac4466b6202e9c092a0ef9f5f93bcc

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe

Filesize
96KB

MD5
1191f3f21051f190b0aae2a2901e677a

SHA1
25ba98a66093d9bbaae2a8291d0a2fd685c29e67

SHA256
2c1786daf145ec96698bcf5da40ed39859cc0a532096ed32e1610edb746605b5

SHA512
b65af2798abde4155665c5c9178db27e3086c01a3379f8f192f792576f5b27cdbc8ecbb78d6ff0a8b2c9b4318d953f56e3453db8495db67c899b7aef829cf4a2

Download Submit
C:\Windows\SysWOW64\Ogjdmbil.exe

Filesize
96KB

MD5
992fa94e127bb3b4f9c1ab5656061f6a

SHA1
dc43d19c0a1a8dada9d323be0432ce79979dd38c

SHA256
a94d1783b4b3777a2e18cd27dd79b50f87a0fa69f1b3ed49fed0e96a7627b97c

SHA512
8e496e17e76fd63f5a5fedd9fb54ef583e7cbec37e941ce1810eb69456c46681cadb34064cff3b05def98e4ea7abadafc71835805b2fa58a3d00d67644532607

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
96KB

MD5
6de7404e80cdae8574cfdaaf04bb634e

SHA1
08aa334dd47df67797117b8f692c24e6949f6126

SHA256
80eeeb8e85eb3888009a59fa39b9efde5213a520a7741df8361773078ccce9ef

SHA512
6ae5c0d898f6f39b058c268af9a3a5364ab181676c31ae0f5866704eaa8fe366d1b4781073bf609386e8f3592b69a3eeffe65d1637401a67d1da7986e13f1ff9

Download Submit
C:\Windows\SysWOW64\Oplfkeob.exe

Filesize
96KB

MD5
70ebac3e71913454a9192ccdf099fdb7

SHA1
baba1b02416336a98a43041cd5187116b5ec60ea

SHA256
752320b1e32726baf3d2cbc77d89bb1ecd7957bb484b3d992723d287075e4415

SHA512
8814f0180676cc900a7e59278c1674a69e8b3cb1268c9e3aec8b286e90999d244638524e21f491c6e921ecf34f1ea9cf9e1f2ccc14578f0cafccaae9280a7004

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
96KB

MD5
cc5d12ef17f0e2b3cdaff93f7ae3aee7

SHA1
f84bcdcbf0f174dd391ecca3eb3b37e7ef4c66dd

SHA256
389a297b7562135789841ecec44fbb56b353c9f06613ff7f4d6f470985450a02

SHA512
2ef7df7f9ceddd4c4defa45d39080c71980041fb15c01bb78ff66954bf4b46fc94b137b89364a82b261eb3ca87fe5a92a1b895e5254c79d4c0d70b71a3c6bf42

Download Submit
C:\Windows\SysWOW64\Pffgom32.exe

Filesize
96KB

MD5
6a58e4a29d912371c57022fb746e040e

SHA1
c96f13a597334f175a4fe41264112a03aec51ac9

SHA256
78a62524f05185acb8b8067f06e5aec1e33bc98212b505fc9a1e2c884d4e3cbd

SHA512
3e2fbe6c48cfb85d45e8e414c9b1eefffdf13548ac863750616eea6f1b05969f2855a4ed9e8a52f38b4153bbd43162c064a5c855a86b8264135fdccc7908db33

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe

Filesize
96KB

MD5
45ff429116d1a50835aaa20114bde002

SHA1
c24370885cf9426dd6f9f3d7d874c6748be70b14

SHA256
25f90a25874751562fb816f25eab625c9383b50bed44e0ea30a07c6576b6d8b8

SHA512
a88443249bb8980a5b8973349c36e47f74972ee8a31451623b5b0c97ff01fd050863062f701299eec2f7da48a161edf6a2ccba1fe7f18f13480a81bc92fb0e22

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
96KB

MD5
22e47cab4d4075dd88f72ed1b26be0c8

SHA1
374ef29aee061359b01ff9140dde6607d80adb0c

SHA256
dd3ba129da1789263082daf40f54b9abd28b299377bc79c0ea09eea969388239

SHA512
5c61a1d0b361c917b2c2e556bfc64e4b5ac21c6d13d12a6f5dc859be60d354abe36c48f4c23a0220ce00aaf2e45beb462d8a2932a70eddb47508ed0bab7614f6

Download Submit
C:\Windows\SysWOW64\Pplhhm32.exe

Filesize
96KB

MD5
6fe1d07aa8fcff71f0b738c0998dfbf7

SHA1
97cbec1b9fa59ae4eb33818a62210d1a59f0c764

SHA256
5d9b374ed750d6bc1774c0e3031a98b93a960cccad9a5504aab66278281aa182

SHA512
f3e530fdb8cb00ddcaf8681eac75b19bcaf3ddd23c258af0a93f79d3a78ac6615dbb600ec3c5809c2bd1dc17c70146bae70be5746e61acd98d6960a24659e063

Download Submit
C:\Windows\SysWOW64\Qmgelf32.exe

Filesize
96KB

MD5
dab15373d48565bb229770359c0931f9

SHA1
b0ce2d97611eaf680a1dcefa07c6df6f8cfea5de

SHA256
3434210bb5941d59a16f8e746cf304649abe9b4125b6ab41ef673e6bd3df807b

SHA512
3f8ba82aea9b2d8f648ae6ab0d1475cd822491679bacdf708b630976a2a5bbc47aad51285d934547f0ef5e33f3d6fbf915b0c95de53e86da0504b533bc7ebec2

Download Submit
C:\Windows\SysWOW64\Qpcecb32.exe

Filesize
96KB

MD5
a57711e469f00f45ebf77f3a82f2fba3

SHA1
2882328a9ab054bf48c95e83b7bce5b43245dd89

SHA256
f62557daae5a9c53873942ac139c950ae592c76e4f80c8ffc851d921d8eeb585

SHA512
e17502caf50fd3ac9e3eafe89e0756101a38ed652299e5ffd1c103a63292339d8e628fdf26b6f809c8ae2090eaacdd07d5141c628b730eb40b89e4d2b89e5dca

Download Submit
memory/400-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/672-405-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/672-336-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/736-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/736-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/872-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/872-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1092-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1092-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1164-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1164-349-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1368-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1368-235-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1400-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1440-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1440-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1444-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1444-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1548-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1548-271-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1580-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1768-172-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1768-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1900-363-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1900-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2004-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2004-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2024-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2024-199-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-378-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2092-315-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2092-384-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2196-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2196-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2508-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2508-391-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2540-253-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2540-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2720-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2788-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2788-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3344-392-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3380-308-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3380-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3420-154-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3420-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3628-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3628-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3732-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3732-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3792-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3792-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3824-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3824-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3968-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3968-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4028-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4028-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4048-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4048-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4116-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4116-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4164-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4224-398-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4224-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4312-357-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4392-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4392-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4476-399-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4572-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4572-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4592-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4592-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4664-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4664-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4664-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4880-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4880-343-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4940-163-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4940-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5060-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5060-226-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5084-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5084-350-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads