d9525a729b3426dcad309360e572d04b49058a670025dd49b7a19ededcd9beec

Analysis

max time kernel
130s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6e67b42307260fd24bcd5fd7f502db0_NeikiAnalytics.exe
Size

113KB
MD5

b6e67b42307260fd24bcd5fd7f502db0
SHA1

2ab6e21a0b699621861d38160d016cde0f5b9be1
SHA256

d9525a729b3426dcad309360e572d04b49058a670025dd49b7a19ededcd9beec
SHA512

bd642d15ea7cc37c546a8f689f49855cad75c991895deb0126724314e11a8a995d9f5652117eb86cedf4adefdfdba56b4aeec6a6074575557b00e7794a0a1c5f
SSDEEP

1536:1vnf23eSdsQTAqeaO617DWkZFfScD7SzCbHWrAW8wTWiliX:1eeUs+eaOuGkZFfFSebHWrH8wTW0

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/3944-4-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0006000000023298-6.dat	family_berbew
behavioral2/memory/3392-7-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023452-14.dat	family_berbew
behavioral2/memory/4208-15-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023454-22.dat	family_berbew
behavioral2/memory/4240-24-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/memory/1928-32-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023456-31.dat	family_berbew
behavioral2/files/0x0007000000023459-39.dat	family_berbew
behavioral2/memory/3032-40-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002345b-48.dat	family_berbew
behavioral2/memory/1364-47-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002345f-57.dat	family_berbew
behavioral2/memory/2716-55-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/memory/3244-64-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002345f-63.dat	family_berbew
behavioral2/files/0x0007000000023461-71.dat	family_berbew
behavioral2/memory/3688-76-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023465-81.dat	family_berbew
behavioral2/memory/2144-80-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023463-79.dat	family_berbew
behavioral2/memory/2992-88-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023467-94.dat	family_berbew
behavioral2/memory/1508-100-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023469-102.dat	family_berbew
behavioral2/memory/4920-107-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002346b-110.dat	family_berbew
behavioral2/memory/3140-112-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002346d-119.dat	family_berbew
behavioral2/memory/2988-120-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/memory/4052-129-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023471-134.dat	family_berbew
behavioral2/files/0x0007000000023473-142.dat	family_berbew
behavioral2/memory/564-152-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023477-158.dat	family_berbew
behavioral2/files/0x0007000000023475-151.dat	family_berbew
behavioral2/files/0x0007000000023479-166.dat	family_berbew
behavioral2/memory/4752-164-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/memory/4744-168-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002347b-174.dat	family_berbew
behavioral2/memory/3648-144-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/memory/3148-180-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/memory/3912-139-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002346f-127.dat	family_berbew
behavioral2/files/0x000700000002347d-183.dat	family_berbew
behavioral2/memory/3560-184-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002347f-191.dat	family_berbew
behavioral2/memory/1192-192-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023481-198.dat	family_berbew
behavioral2/memory/788-200-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023483-206.dat	family_berbew
behavioral2/memory/448-208-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023485-214.dat	family_berbew
behavioral2/memory/2356-216-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023487-222.dat	family_berbew
behavioral2/memory/5012-224-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023489-230.dat	family_berbew
behavioral2/memory/372-232-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002348b-238.dat	family_berbew
behavioral2/memory/2496-244-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002348d-246.dat	family_berbew
behavioral2/memory/4524-248-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002348f-254.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
3392	Fihqmb32.exe
4208	Fobiilai.exe
4240	Fbqefhpm.exe
1928	Fflaff32.exe
3032	Fijmbb32.exe
1364	Fqaeco32.exe
2716	Gbcakg32.exe
3244	Gfnnlffc.exe
3688	Gimjhafg.exe
2144	Gqdbiofi.exe
2992	Gogbdl32.exe
1508	Gbenqg32.exe
4920	Gfqjafdq.exe
3140	Gjlfbd32.exe
2988	Gmkbnp32.exe
4052	Gcekkjcj.exe
3912	Gfcgge32.exe
3648	Giacca32.exe
564	Gmmocpjk.exe
4752	Gpklpkio.exe
4744	Gbjhlfhb.exe
3148	Gidphq32.exe
3560	Gqkhjn32.exe
1192	Gcidfi32.exe
788	Gjclbc32.exe
448	Gmaioo32.exe
2356	Gppekj32.exe
5012	Hboagf32.exe
372	Hjfihc32.exe
2496	Hapaemll.exe
4524	Hcnnaikp.exe
2864	Hjhfnccl.exe
4972	Habnjm32.exe
2536	Hcqjfh32.exe
2224	Hjjbcbqj.exe
4992	Hmioonpn.exe
1900	Hccglh32.exe
4772	Hfachc32.exe
4788	Hippdo32.exe
4100	Hpihai32.exe
2700	Hbhdmd32.exe
1256	Hjolnb32.exe
3144	Hmmhjm32.exe
4792	Ipldfi32.exe
1680	Ibjqcd32.exe
3908	Ijaida32.exe
2196	Impepm32.exe
1968	Iakaql32.exe
3364	Icjmmg32.exe
2324	Ifhiib32.exe
2712	Iiffen32.exe
2652	Iannfk32.exe
2996	Icljbg32.exe
5048	Ifjfnb32.exe
1496	Iiibkn32.exe
3876	Iapjlk32.exe
528	Ibagcc32.exe
1372	Ijhodq32.exe
760	Imgkql32.exe
3840	Idacmfkj.exe
1728	Ifopiajn.exe
3412	Iinlemia.exe
2176	Jaedgjjd.exe
2336	Jdcpcf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Gfqjafdq.exe	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Dkfpkkqa.dll	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Iapjlk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6672	6584	WerFault.exe	250

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll"	b6e67b42307260fd24bcd5fd7f502db0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblilb32.dll"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 3392	3944	b6e67b42307260fd24bcd5fd7f502db0_NeikiAnalytics.exe	83
PID 3944 wrote to memory of 3392	3944	b6e67b42307260fd24bcd5fd7f502db0_NeikiAnalytics.exe	83
PID 3944 wrote to memory of 3392	3944	b6e67b42307260fd24bcd5fd7f502db0_NeikiAnalytics.exe	83
PID 3392 wrote to memory of 4208	3392	Fihqmb32.exe	84
PID 3392 wrote to memory of 4208	3392	Fihqmb32.exe	84
PID 3392 wrote to memory of 4208	3392	Fihqmb32.exe	84
PID 4208 wrote to memory of 4240	4208	Fobiilai.exe	85
PID 4208 wrote to memory of 4240	4208	Fobiilai.exe	85
PID 4208 wrote to memory of 4240	4208	Fobiilai.exe	85
PID 4240 wrote to memory of 1928	4240	Fbqefhpm.exe	86
PID 4240 wrote to memory of 1928	4240	Fbqefhpm.exe	86
PID 4240 wrote to memory of 1928	4240	Fbqefhpm.exe	86
PID 1928 wrote to memory of 3032	1928	Fflaff32.exe	87
PID 1928 wrote to memory of 3032	1928	Fflaff32.exe	87
PID 1928 wrote to memory of 3032	1928	Fflaff32.exe	87
PID 3032 wrote to memory of 1364	3032	Fijmbb32.exe	88
PID 3032 wrote to memory of 1364	3032	Fijmbb32.exe	88
PID 3032 wrote to memory of 1364	3032	Fijmbb32.exe	88
PID 1364 wrote to memory of 2716	1364	Fqaeco32.exe	89
PID 1364 wrote to memory of 2716	1364	Fqaeco32.exe	89
PID 1364 wrote to memory of 2716	1364	Fqaeco32.exe	89
PID 2716 wrote to memory of 3244	2716	Gbcakg32.exe	90
PID 2716 wrote to memory of 3244	2716	Gbcakg32.exe	90
PID 2716 wrote to memory of 3244	2716	Gbcakg32.exe	90
PID 3244 wrote to memory of 3688	3244	Gfnnlffc.exe	91
PID 3244 wrote to memory of 3688	3244	Gfnnlffc.exe	91
PID 3244 wrote to memory of 3688	3244	Gfnnlffc.exe	91
PID 3688 wrote to memory of 2144	3688	Gimjhafg.exe	92
PID 3688 wrote to memory of 2144	3688	Gimjhafg.exe	92
PID 3688 wrote to memory of 2144	3688	Gimjhafg.exe	92
PID 2144 wrote to memory of 2992	2144	Gqdbiofi.exe	93
PID 2144 wrote to memory of 2992	2144	Gqdbiofi.exe	93
PID 2144 wrote to memory of 2992	2144	Gqdbiofi.exe	93
PID 2992 wrote to memory of 1508	2992	Gogbdl32.exe	94
PID 2992 wrote to memory of 1508	2992	Gogbdl32.exe	94
PID 2992 wrote to memory of 1508	2992	Gogbdl32.exe	94
PID 1508 wrote to memory of 4920	1508	Gbenqg32.exe	95
PID 1508 wrote to memory of 4920	1508	Gbenqg32.exe	95
PID 1508 wrote to memory of 4920	1508	Gbenqg32.exe	95
PID 4920 wrote to memory of 3140	4920	Gfqjafdq.exe	96
PID 4920 wrote to memory of 3140	4920	Gfqjafdq.exe	96
PID 4920 wrote to memory of 3140	4920	Gfqjafdq.exe	96
PID 3140 wrote to memory of 2988	3140	Gjlfbd32.exe	97
PID 3140 wrote to memory of 2988	3140	Gjlfbd32.exe	97
PID 3140 wrote to memory of 2988	3140	Gjlfbd32.exe	97
PID 2988 wrote to memory of 4052	2988	Gmkbnp32.exe	98
PID 2988 wrote to memory of 4052	2988	Gmkbnp32.exe	98
PID 2988 wrote to memory of 4052	2988	Gmkbnp32.exe	98
PID 4052 wrote to memory of 3912	4052	Gcekkjcj.exe	99
PID 4052 wrote to memory of 3912	4052	Gcekkjcj.exe	99
PID 4052 wrote to memory of 3912	4052	Gcekkjcj.exe	99
PID 3912 wrote to memory of 3648	3912	Gfcgge32.exe	100
PID 3912 wrote to memory of 3648	3912	Gfcgge32.exe	100
PID 3912 wrote to memory of 3648	3912	Gfcgge32.exe	100
PID 3648 wrote to memory of 564	3648	Giacca32.exe	101
PID 3648 wrote to memory of 564	3648	Giacca32.exe	101
PID 3648 wrote to memory of 564	3648	Giacca32.exe	101
PID 564 wrote to memory of 4752	564	Gmmocpjk.exe	103
PID 564 wrote to memory of 4752	564	Gmmocpjk.exe	103
PID 564 wrote to memory of 4752	564	Gmmocpjk.exe	103
PID 4752 wrote to memory of 4744	4752	Gpklpkio.exe	104
PID 4752 wrote to memory of 4744	4752	Gpklpkio.exe	104
PID 4752 wrote to memory of 4744	4752	Gpklpkio.exe	104
PID 4744 wrote to memory of 3148	4744	Gbjhlfhb.exe	105

C:\Users\Admin\AppData\Local\Temp\b6e67b42307260fd24bcd5fd7f502db0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b6e67b42307260fd24bcd5fd7f502db0_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\SysWOW64\Fihqmb32.exe
  C:\Windows\system32\Fihqmb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SysWOW64\Fobiilai.exe
    C:\Windows\system32\Fobiilai.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\SysWOW64\Fbqefhpm.exe
      C:\Windows\system32\Fbqefhpm.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4240
    - - C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        29⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        32⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2864
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        37⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4788
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        44⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        49⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        52⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        55⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        56⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        59⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        62⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        65⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1300
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        67⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        68⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1464
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1304
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        74⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        75⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        76⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        77⤵
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        78⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        79⤵
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2112
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        83⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        85⤵
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        86⤵
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        87⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2928
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        90⤵
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        91⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:496
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        93⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        97⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        98⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        99⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        101⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        102⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        104⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        106⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        108⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        109⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        110⤵
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        111⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        112⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        119⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        120⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        123⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        126⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        127⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        128⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        131⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        137⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        138⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        140⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        141⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        144⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        150⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        152⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        154⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        156⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        157⤵
        Drops file in System32 directory
        
        PID:6280
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6324
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        159⤵
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6456
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        162⤵
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        164⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 404
        165⤵
        Program crash
        
        PID:6672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6584 -ip 6584
1⤵
PID:6648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
113KB

MD5
af7358daf7018c0d3b9d30c1e34e7b42

SHA1
ece03696a9d8d1be498ff085187da92782e1b710

SHA256
2b280a787829133c24c23881fc6c40fec39c1310b76a96df702662291fdd343a

SHA512
88cf0644d260757a144c369ff1a60af19bccc48d8c8daf1b3cfc294aa4c49119ccf5d3e4d0204a71938dc90ca45692c099ec886e1b34395087714b6abbd70fb6

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
113KB

MD5
2bbbc29fc2e18a993ce45aa7872a681e

SHA1
0edc99c264bf954a375879a7f7f91638f16c4ec5

SHA256
265ca54320c043c0fd3b1a5c39ee2aebc103e1051fe7f5e89ce582439852be1c

SHA512
39017ee909ba709335544e099841f1a0f4c9f57bba415f11ff347da7c1e32ba7ced44fadf50e20f81d3530ed7ce76e64c8bab22b8eb405abb48728831bbf8dd5

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
113KB

MD5
19f0e9cdab94359bb3d3cacbf447fd90

SHA1
f80c81438c79d21c1ca760ed524cf9b95dec352f

SHA256
1ecaabecf1fafefb386394bf5902bad5db8a3927d4384ca8d13ac256fdfe3bfe

SHA512
9881c9263c2f4c36434221c122b0e06c8b635d5d01b2391527909c24536a5adf7c61c3cae021a8cc2f5d73a247ca6c1cea4b4c61d07b7051e35f2c2a212e2b9f

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
113KB

MD5
8c0854ef0de40b6c9aac80ae29fd83f8

SHA1
3b07f74ce7f201a1ed73dc7efb5dc976c49840ef

SHA256
56ea57d3118487e3fbd84c5e73ba3d56323b97afd277d15ad9c26d6f3078f338

SHA512
df675f43f490e5d2b4ec6d0e2314214888202112a6e4013594f31dd2f76ed0503448d815b00291499371b88b94c0b0a86fa5b985395284e480100d7b5c1e6e77

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
113KB

MD5
600bd93474b623a9bdc38612b39b3f8c

SHA1
5a0bf8011a5e4e1fa9af64dcfac2f000273230ed

SHA256
886ea08368977199225a196d0c61d3ad246a747e130c8694e27004bf5287f80e

SHA512
230a1fbeeb02de4dbe0a12be98f31bed8288f344d88759bc3d02a733debacd6228987ba253dc88a948a098e335f5e5b7a3e03bce2d320bb56d35490c06ce6a93

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
113KB

MD5
6cb28b25b5f2fc36b977bfc6ba427e3f

SHA1
3b23ab99d51c9fc99c0440160f0106e1f078abea

SHA256
cb81172e792d34e064b93e5dfe475580a79f99e08d1eada1deb5aef87b7591a6

SHA512
75486d29caad72b3f23c3553fd92ae9ba2f779eabf83e5b112e8c5972e8969ad3aca1557fe4d6859eea09b91460802d700d92e78eebb90a2c9be31e34f6c4201

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
113KB

MD5
4718fcb1d7ed83d8e2eabf0dd39787a9

SHA1
b7d9944dc5c2e1c99efd75f4463f2d9b934a1a39

SHA256
ca46a9dd47660b95127079dfbeb08aacd17199bf82b7c4ca554b7931485f2d24

SHA512
63bf527efbfa05d716abe74c07ccce8d759f72f5219735d07a4f5c5b1e9589d59379049fcee83d43958ac258ce872ef50b2edc76752cdad65228bc0948eb51f9

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
113KB

MD5
afa297727ec9fb3e2eef4671fba278f3

SHA1
f331e1a4df7efe2c8e7b0af3bd36668b97c90a6e

SHA256
5628130c45d377d606724b1b60fc9ecaf5cc454f29403d32e1895fbeb05e2693

SHA512
a0ebc881b66ac82b77b98568b72ead01eb7021182f2e544dcef276f6f7665b9a186188660d06328325754a5d1b797b69891edcac7b4fdbc97ebc08f424a4ab61

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
113KB

MD5
d42f7916f8b02c62df3f443ae5ac0c9a

SHA1
d735e27f24c11dbb2e9b98aa9ac6cfce9251a815

SHA256
54a5322bad3c843e620760df8402c816adeac21b54df4e6de265eedeedb4b078

SHA512
a1c8eba5eda88272079b2292a1dcd87fe36433d5c5d916b2a322668a685009a482537e7baab8c38394bd4c02578431f5c09c7d085995737a04f915cc4bc40a0a

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
113KB

MD5
b7196aaab1cd1aa24b9c0b8d4d937f30

SHA1
c25688c585b5250c50de4acaa992564f901b72ed

SHA256
89ba8d72b9c85e242f4ef854eb93c8606a280b4c85a20a247eb0cc311125d9db

SHA512
1c186adce4d270c20834a56df767dd98742c9b72f32b2f8a35d109f7db30893bc470225e04aee6ca1a1a75b778cdab1a69dcc70febf50c7712a5ba8a2f34e957

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
113KB

MD5
e072ad80f4e73bf512dc47bec81a7bff

SHA1
ac02b95902d30c9dd66fd334319d30dc26713de7

SHA256
1c4a16b94fb439349dc4fed9cb8c466f774fdc18c2d4edac1d10631cbbc11b11

SHA512
9c3d5d6e4dd7ad1138ee91936c4e2f04dd226a2da6a7ab7dbf6167f276bc51e9a67e5d5d46368a36713f2bae226cf68f880f300623f44489a05b1313280ad8f5

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
113KB

MD5
4ae3aa1915fd2fddb85f62644a85d708

SHA1
f961f7345c2e853c3e170131f7ba66ea700900c2

SHA256
7d44044f7502452b8e0d6a086c30650af4a161772cf5fe4ea85ccd0a4da71de9

SHA512
c876dac85164f44a5b1fb25c9d16e8e1d608b4dfa747b569a7cf47c782ef745facc0dc5e05fb5305488b9e16d9e9ee94bf25a65e0eb29bb20494c82e3829a482

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
113KB

MD5
dc1563252f698bdbd204c33a43be1808

SHA1
298e60a634532771509ffa3e292433133f3b3b86

SHA256
8072e2bc9a95e9bccaa7b34227269e6c463a00f8334131c47c149f8f9d2b6166

SHA512
0b4973af612a6dc75c699f93987ca47706db2904d2067470ca9c50213b81497f441a5ee71ef104f451683fc078fcf2dd5447847e42585a267884a0c0a86546ba

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
113KB

MD5
5ffa19476270eeffc8af97af1da55b02

SHA1
879c76a0c7a7f18eee708731a3e52f7b737ca317

SHA256
e556d69488ec876d43b5a3aa48de1e7e14dd53c9ce19593aae610b961641a41e

SHA512
b1c6f2855ace72fd00dd0219b9418f4545d7dd4ef56251db6bcd2097b709cf9947c57dfc41c7ea1a0ac3b3e57c7e5900bc1b7843d02b66fc1965ac4e0d128d38

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
113KB

MD5
dbfe40ed5693d528af62443163122dcc

SHA1
ea28b4ffae7361bef4ca018123579c809ee14e49

SHA256
839aef9fc44accc60c25e2bd566860dde2e383943aee1459ac2b30a0f3edcbb1

SHA512
f39c7935a8ef2c00bd70af4ee3618e9227b1cdab737b4e4faa4646867312566dbb907a8a9e0580018b58ca05f12d90f567b9684c45c8001f0383dd6c6ee2f562

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
113KB

MD5
827cbb2f2024eaee9b21d54c135869ae

SHA1
9dd901f1202db52c10f50af13d865cdf1fbe0598

SHA256
e0f9325b78020f27d4b6e5d6ea71b7f88b735b02270b4ab30d8372cdf2730009

SHA512
f5939eb4a6f78758db8befbe4ca63cb37756b76ddbaeee3cf9625cdf1192e6d0553bcdf745d21b12c18a32a309eb52d13edac356131f08a4a9bfd35137f061a2

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
113KB

MD5
01baefd76864a0a19ff1f810d2158451

SHA1
914406db261f185aa256cd6b69fd863e5bb79bd8

SHA256
580a834dbbe2a211b5fc55b1ab7911fdfc4cb893f0b964b3c04a79f3d4694113

SHA512
53981bb7f08c1d36b380642c76cc76e1a64bf0fb6798d2f3aa5f2278f13036feff1ee1b24c14da182d389aad683a174a495b901aa0d99fd7e1b496ff3a87ac4a

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
113KB

MD5
b09bfb106a705f5e215b8744c1feb6b9

SHA1
dd611a996344abd7ad9df44cf8fb0731d31a94b5

SHA256
49b326b54d39e98a4188be9c2f79403c94bb9c7d6217ea8f688b98402d59674d

SHA512
f28d0e1559ef807ecaea6a0c811fce96c590bd51661e6a74444c2c1a5c2d423eac87ccbe981d202c009663a1369b3bbd375729b27d808ef30295103e7df6de09

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
113KB

MD5
ee930366165a119ad81d0232c66b6722

SHA1
aea9ff074ee65ad2dd9bfe2b8a38a329478ef240

SHA256
745a111de0fda8fb0a46c7f95a6d4521c83f64cfd84737345d746a77e354000e

SHA512
4348e1405f1171b50c6451278f9d444f75d001a3e720e153cff2d456cc36341d4e87fd18741dcb9b22706ec1b032155569622ce4e8701088bb80a389d1282aa0

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
113KB

MD5
0edb61d8ba6499b2f3baf3d27f8f7beb

SHA1
da36f6c08d1a95d94385e32147f3e78462d7fbde

SHA256
07f2c3f3172a650f09a77dbc1c06ca2ad1c2464eccb4c7322b2ca3225d9695ed

SHA512
fd922f28dbbe4ebfef9a9988f7475a5224461e2120d0b4c3e3a5cc1acfb174f0d3d922c86bd5f8732733d6c09af2fb17c4ca63f7450cff804ae6040ed38ff69d

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
113KB

MD5
2d20a87036fbe4401a7485499d4726c6

SHA1
7eb6a8a2a103a442bfb981b0dd115aa98f264b3d

SHA256
e6e3b52227e4df41c89f26e73e9bfb66aa2e982c8e8463a7024f54d1cadcca75

SHA512
4f8a810b931a77756659a7bba34d830e38f65b2d5706d430e1f91c66e1e0ebea075e5fa20fc149c7e0027add8b11fcdbc291b6bd0d6f745b5c07948754b8e330

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
113KB

MD5
b4449888dfedbe6fe362f3720def502d

SHA1
d55d49824a2012852d6ec377b1972ee25e798c2e

SHA256
bc7aa20544c209ece57ad401afbc5dc6dd6982c0dd876b79c99c95fa583f8b7d

SHA512
44a446e5766e71f0eefc7317f189401234da5cdc56731429951d8920bb70048a1dd4e63a534810e0b93461d36eb4260ce58ecebcd8c3adb3f3bd694d45883d83

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
113KB

MD5
af7083c34d34e528d178f48e75a87bab

SHA1
88093603b7e05cd917fa3b7750f667204bc8a9dc

SHA256
ce5badfe03cbacd663478c11ad1273299a6f33921555b906511570b351eb0ed4

SHA512
1ba898fada9f89bb6912bf6eb9fde82100b00a67c8b61f69c128fa9f920fe0f704d2e511da77e5853a5ffa7579946e8f1e4dabec5169ec1f40f079f35cdbd42c

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
113KB

MD5
d5fb92d588e7accccfaeb1f6088bee1e

SHA1
8f90650e5e225dd16fb431e610daa353e0231f3f

SHA256
01892d59eab08d124e3125eb0e90a832aef0efa205985d87c922a89258a6937f

SHA512
f0101efd34491c63a0697755f6ac57d392893046a7888445eef63a25b894df17892704b4760d93b06cb1f66765af2cd2a6779f767d2172ee6c1a5bdb37c06b6a

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
113KB

MD5
613cf5ed6e5e158add1106fb0b8255bd

SHA1
5df34adeb5f2f4615ef6b69d93fefaba9c8881a2

SHA256
9497d263ac3736561506dde8829d4df09cbe605bf9474c2a8a8836c89300537c

SHA512
6bc8acf1ad2ac799f9b76d84bf83c01b861e2d6699518b943a0ee711b8bfdd38c32e1326b090b61dc0b70ef02ec4545a2c0ee8b90aa1981f412e149db44e11e4

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
113KB

MD5
41a13e2d6244c15dd2a5bfe99d8a8a05

SHA1
1ca76eabcbf3f995d6adf40f59cf5504cc4c875c

SHA256
318c86ac41aea5d834d53b08ab0ce16e3ff17d3cfea80a9eefa2f96dcd630237

SHA512
0b903ad66ebaa7406166fc0c54d6dc6691c156694071a2184f235de53231d5311652236729da2ac49d5cd8174c900c08f5bae4bbc0c4e32798a2c678b4ae3824

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
113KB

MD5
a1c3225e972c15fb3e820b261adbeb73

SHA1
19e651d3d1d0dab49f54d9f731b2d6f8d8a8f3bd

SHA256
ae37c4e486cf20d44bd3848f1dc1415a8b5700b94f63b986c25a04db3707814e

SHA512
2a6b13f4e9d0db0864a20499ece4632f93ba31868a4d1e3278c0a0510be5a04293c185722da1dbf7c6c22bed7f954945a30cdd9b8a11f64f277115e37e05a564

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
113KB

MD5
5d5d2ec927f0af738348e4676c5f1914

SHA1
667b17c34868a4b78d866ee2cf2088f2464e32c6

SHA256
1d831131e2345af784bbb5e0cae25b4997b54cc200e99426108ab3e5fcea0311

SHA512
f8a8e53a4b76c18dbdf4dfbe7b9c1c715d26ead480964d6697cecd40ff81055b27b4a64292d8b54fa1bd15c7d98f5ee38b95230eb95f52a7915ae5c507df5470

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
113KB

MD5
ab783c441dbab4f8efd6ab2c292cd7c9

SHA1
06a599935ab82fda40af1d78c55f9f260b0ad786

SHA256
0f5dc52e96e87fc1bf7b5e527b60b7e11e39f2f46a0d19bd49877677087cd814

SHA512
fb2b9516f1e4fa11ecf15322a0c82b8bfb72d9679ed6d33c09438ed9bbfdf2034213119530dd029eda479257d8a6ca1fea25ece02d0f15247170a47884ece83e

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
113KB

MD5
120ff9770874b63695febee891fefa6f

SHA1
cff65489a130d0421b124ca59c13b4425f825efd

SHA256
ddf4afa0111ba3ea113740e367ddb860bda9fb4bb084c55c9610103b3cf5af37

SHA512
5cfc8f45ff91129628a22257b114a12f5be1a99ebe06da5b2b7e14fe98a63b9c9bbcbca306a32f0af315e705363c9c8480e1d40838d95c7fe36289a2f1b3c37e

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
113KB

MD5
b6d1b074f7fdd95c3b557a0a6d53ace8

SHA1
c60cf67c2103d6bbeea7c3a178c329501b9fcfa9

SHA256
ecbeacd631904a75eb703188411c4e5e4db6bcb42eef96899b661c3313f9e8ee

SHA512
06c6f76fa4ea940b07b90df339c116048a9978915978fb2ff6007d7f57c8465816320f3bbee8ec34f4da7d972c4cfd5f62bfd58c5d9f9987cb2015503d3ff648

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
113KB

MD5
759da3e72dd83c54ac24afd97778aa42

SHA1
43f59074ae150e445d2931dccaa133de00e89eeb

SHA256
593b1d6f40b6d3c00b1346b5aef8f1312dc90b138e685790f51cee2f15d5d1e7

SHA512
90cb48df1672367b383a2a54a414ee0c118367842bc0579101c87e0c26de9929d1877b8aaa74309b4c5ac34be88beda2aa29c533fcef90d174a48633c69ff6dd

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
113KB

MD5
77c697ea7e01c413a224aceef3c71dd5

SHA1
cd15e5ebe992fb80a1f2051e13dc23cc05890735

SHA256
e6b2c3425d3d65d0d86adf11654ea17e33869bcde12dde7f620ec05a749ebdaa

SHA512
71d71de5bbd3f7f16994009943c4110f005059eb4e74c449c71c9cd9dc99d7297f351f70fd9f1a79c6fe976b314da200d537b512ab3b2181737db13cfa9b6460

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
113KB

MD5
51a2987b6b34740df8d0764c3e0321f5

SHA1
c4259aa4c6671bd02261c2411402c62041f41155

SHA256
7290e55dde12515d6d613fc9732c11d2a7ec389d037c8a1716e9e05439fac97b

SHA512
9ff4b21db2f12c564a2310501e3624b97d7202f566c589aeae31be2d484f0dd4681a3b02c2cc2b5b8bf8018cd6dba8135b3f53d987ffd2cdaab46b630973afe0

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
113KB

MD5
7025c3878fc5e61abf6b845c9233a31f

SHA1
bb7d090255fc7674a8de5995fda8e8f99f6f1a7b

SHA256
4ddfb707ec8a364bd93fef8ac86f68f4157a11ab03fa844cfdb8b9c16a96bc36

SHA512
51ff5d4812c5ec4a09d62596edb30f12df6a262444084af075c1d7c41717a9ac25a0e583cc677b4153ebada5bad8976d3306d79946bba29f2050ea3c0daa4bef

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
113KB

MD5
b811e9a658ebd079fa856e25010f1b1c

SHA1
1ffd1044e2570700d77af6025dc81c4dba47f403

SHA256
7b3e6d15d9ae0ab1db3e76be6c20231da015bfca3b3759eaf675e47c1c97394c

SHA512
18b24f1842a9592487ec7000e709d03d9e18c4982430c5297b59f0766bd0782aaa31edd2575e87bfa9aa35b50bf2697fad4de685a24419460e7b8af9d567165f

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
113KB

MD5
026dd629225e4b9aaa533966f6b33331

SHA1
0c4b620bf21c1b3f5c014ef99936b54ce94d3193

SHA256
14ec17e28f0781a61f2cbbc3157bc8fd4399f9df09073343d57d086c82703cc5

SHA512
5dc02665c42b5afd5c17b8148bd6eded7b44943d2112ee7243aba0cc9a5aab1306337190bf110c2bd201f14cbd57154c218beaab6f24e7af684372ab34995627

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
113KB

MD5
a36f02f4d9f12bfa04d2cc0979faaa9b

SHA1
7bf80381b99057bc0a65c54226e270592bc1113a

SHA256
8e38fadb9b94f3707a24e316d10db5fa9e149296e824bd1f1a88d0630de8b387

SHA512
5cf5d963005c79b815b582ecc646478387ab480586d990291421e8ab25e9baaadede1fbd2e8ab2761a5d6e3733798f925dbf4c4745d0682382ca2881754742de

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
113KB

MD5
31b5564c02bc34c681b99120cf26903a

SHA1
ffd3f7dc47532cdab9b4d0036b1b88dee3145199

SHA256
aa538dc23fc001542395acd3cfd4787db277b5ab493e52f850e3a864497d82f6

SHA512
c34e4ab7c747bda521ce3ccf56633a5bc6ae5e9d51bf8c61b7360c2d415378ea2e6c9d8c81dc147da14cde1bc42dcd46799d5c4c6028f86b56d03583fe2347bd

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
113KB

MD5
740e73483f9a1a23c245ed2caf6598ef

SHA1
25dc1b45751e1382b0deffd06de5201a14385d2d

SHA256
4888869c391e77d1346f101e4b2745a654682a129bc5d7f7d40c4a31982aa721

SHA512
d1164971c28300304e7debeb635939ace04cf1098ef8f71753c3bf95544b074741ee91feba0213565c34263c6cca7c2b28f2b03104b899c2c9365bfefb688cf2

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
113KB

MD5
3651e3c3766ff5e2301b81c85595ad35

SHA1
486ed949fb223bc3cefc727127e01282a7335698

SHA256
a8d7e97147c5d2373f27b9d753c1e9da543ed69a02778048fca30377e9e30dea

SHA512
f45069a0d44ddc086d1965ad66d92a89f20ef6953f3082bc793b15f0f8f585082d04b8ff22c19cc89854eadd5247f0693ac4daf0a5432538f85f24796eee1449

Download Submit
memory/372-232-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/448-208-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/464-490-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/528-406-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/564-152-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/760-418-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/788-200-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1192-192-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1208-496-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1256-320-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1300-458-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1304-484-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1364-47-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1364-592-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1372-412-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1464-483-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1496-398-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1508-100-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1680-334-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1724-560-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1728-434-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1900-290-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1912-506-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1928-578-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1928-32-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1932-590-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1968-352-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2012-593-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2112-545-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2144-80-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2176-443-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2196-346-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2224-274-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2324-364-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2336-448-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2356-216-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2384-518-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2448-536-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2496-244-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2536-268-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2568-465-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2652-376-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2700-314-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2712-374-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2716-55-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2716-603-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2864-260-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2988-120-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2992-88-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2996-386-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3032-40-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3032-585-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3140-112-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3144-326-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3148-180-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3244-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3364-358-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3392-557-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3392-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3412-436-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3544-583-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3560-184-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3624-520-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3648-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3688-76-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3840-424-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3872-470-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3876-405-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3908-340-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3912-139-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3944-4-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3944-554-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4020-472-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4052-129-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4092-556-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4100-304-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4208-564-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4208-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4240-571-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4240-24-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4524-248-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4552-538-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4720-570-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4744-168-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4752-164-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4772-292-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4788-302-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4792-328-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4872-512-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4892-526-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4920-107-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4972-262-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4992-284-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5000-576-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5012-224-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5048-393-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads