85856935647812864f43e041fc91464c1f5c71e4f5a795e7df8507232b733368

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be3ab82923149984d4846d01993f68e0_NeikiAnalytics.exe
Size

1.3MB
MD5

be3ab82923149984d4846d01993f68e0
SHA1

c00a98c3dcdc85c3e150304395cbd7d72556dfbe
SHA256

85856935647812864f43e041fc91464c1f5c71e4f5a795e7df8507232b733368
SHA512

622105eb5b98b89cc24751dd15f19b7329baa0503beb4b0205fcb9ed064792178fabf9d9a0794d112c7eac5411eb0e40cadb2a4917af3c4ddea15148f3e51a4f
SSDEEP

24576:XZvr4B9f01ZmQvrb91v92W9C05wkEPSOdKkrzEoxrC9toC9Dq9onk8:XZkB9f0VP91v92W805IPSOdKgzEoxrl0

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Piehkkcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekklaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pphjgfqq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cckace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doobajme.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cckace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pabjem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekklaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bebkpn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Okfencna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pphjgfqq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Begeknan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dchali32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpcbqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dchali32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doobajme.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pabjem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ffpmnf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkfjhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdlnkmha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okfencna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piehkkcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qhmbagfa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebkpn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	be3ab82923149984d4846d01993f68e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkfjhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbicfoc.exe

Malware Dropper & Backdoor - Berbew 39 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral1/files/0x000d000000012271-5.dat	family_berbew
behavioral1/files/0x0008000000015ce1-20.dat	family_berbew
behavioral1/files/0x0007000000015d02-32.dat	family_berbew
behavioral1/files/0x0007000000015d1e-52.dat	family_berbew
behavioral1/files/0x0007000000016ca1-59.dat	family_berbew
behavioral1/files/0x0006000000016ccd-72.dat	family_berbew
behavioral1/files/0x0006000000016d01-86.dat	family_berbew
behavioral1/files/0x0006000000016d19-101.dat	family_berbew
behavioral1/files/0x0006000000016d2d-114.dat	family_berbew
behavioral1/files/0x0006000000016d3e-127.dat	family_berbew
behavioral1/files/0x0006000000016d4f-140.dat	family_berbew
behavioral1/files/0x0006000000016d5f-154.dat	family_berbew
behavioral1/files/0x0006000000016d79-167.dat	family_berbew
behavioral1/files/0x0006000000016fa9-180.dat	family_berbew
behavioral1/files/0x00060000000171ad-193.dat	family_berbew
behavioral1/files/0x000600000001738f-206.dat	family_berbew
behavioral1/files/0x00060000000173e5-220.dat	family_berbew
behavioral1/files/0x00060000000174ef-230.dat	family_berbew
behavioral1/files/0x00060000000175f7-241.dat	family_berbew
behavioral1/files/0x0006000000017603-251.dat	family_berbew
behavioral1/files/0x00050000000186a2-259.dat	family_berbew
behavioral1/files/0x000500000001871c-268.dat	family_berbew
behavioral1/files/0x000500000001878f-281.dat	family_berbew
behavioral1/files/0x0005000000019254-291.dat	family_berbew
behavioral1/files/0x0005000000019276-301.dat	family_berbew
behavioral1/files/0x000500000001928e-312.dat	family_berbew
behavioral1/files/0x0005000000019392-325.dat	family_berbew
behavioral1/files/0x00050000000193d0-335.dat	family_berbew
behavioral1/files/0x00050000000193e1-348.dat	family_berbew
behavioral1/files/0x000500000001942a-357.dat	family_berbew
behavioral1/files/0x00050000000194e6-370.dat	family_berbew
behavioral1/files/0x00050000000195d0-380.dat	family_berbew
behavioral1/files/0x000500000001961b-390.dat	family_berbew
behavioral1/files/0x000500000001961f-401.dat	family_berbew
behavioral1/files/0x0005000000019623-410.dat	family_berbew
behavioral1/memory/2776-409-0x00000000002D0000-0x0000000000303000-memory.dmp	family_berbew
behavioral1/files/0x0005000000019627-420.dat	family_berbew
behavioral1/files/0x000500000001962b-433.dat	family_berbew
behavioral1/files/0x000500000001962f-440.dat	family_berbew

Executes dropped EXE 38 IoCs

pid	Process
1628	Okfencna.exe
2900	Pphjgfqq.exe
2788	Piehkkcl.exe
2716	Pabjem32.exe
2680	Qhmbagfa.exe
2560	Amndem32.exe
2516	Bebkpn32.exe
2164	Begeknan.exe
1836	Bkfjhd32.exe
1088	Bpcbqk32.exe
2172	Cckace32.exe
2580	Cdlnkmha.exe
1820	Dchali32.exe
2908	Doobajme.exe
2464	Ekklaj32.exe
304	Efppoc32.exe
348	Fnbkddem.exe
496	Fhkpmjln.exe
1524	Ffpmnf32.exe
2872	Flmefm32.exe
784	Ffbicfoc.exe
1544	Gpknlk32.exe
2032	Gbkgnfbd.exe
836	Gieojq32.exe
1604	Gobgcg32.exe
2232	Gkihhhnm.exe
2092	Gmgdddmq.exe
1580	Gaemjbcg.exe
1700	Hknach32.exe
2600	Hiqbndpb.exe
3048	Hpmgqnfl.exe
2748	Hggomh32.exe
2636	Hlcgeo32.exe
2776	Hodpgjha.exe
2632	Hcplhi32.exe
2932	Henidd32.exe
1912	Ioijbj32.exe
1936	Iagfoe32.exe

Loads dropped DLL 64 IoCs

pid	Process
2052	be3ab82923149984d4846d01993f68e0_NeikiAnalytics.exe
2052	be3ab82923149984d4846d01993f68e0_NeikiAnalytics.exe
1628	Okfencna.exe
1628	Okfencna.exe
2900	Pphjgfqq.exe
2900	Pphjgfqq.exe
2788	Piehkkcl.exe
2788	Piehkkcl.exe
2716	Pabjem32.exe
2716	Pabjem32.exe
2680	Qhmbagfa.exe
2680	Qhmbagfa.exe
2560	Amndem32.exe
2560	Amndem32.exe
2516	Bebkpn32.exe
2516	Bebkpn32.exe
2164	Begeknan.exe
2164	Begeknan.exe
1836	Bkfjhd32.exe
1836	Bkfjhd32.exe
1088	Bpcbqk32.exe
1088	Bpcbqk32.exe
2172	Cckace32.exe
2172	Cckace32.exe
2580	Cdlnkmha.exe
2580	Cdlnkmha.exe
1820	Dchali32.exe
1820	Dchali32.exe
2908	Doobajme.exe
2908	Doobajme.exe
2464	Ekklaj32.exe
2464	Ekklaj32.exe
304	Efppoc32.exe
304	Efppoc32.exe
348	Fnbkddem.exe
348	Fnbkddem.exe
496	Fhkpmjln.exe
496	Fhkpmjln.exe
1524	Ffpmnf32.exe
1524	Ffpmnf32.exe
2872	Flmefm32.exe
2872	Flmefm32.exe
784	Ffbicfoc.exe
784	Ffbicfoc.exe
1544	Gpknlk32.exe
1544	Gpknlk32.exe
2032	Gbkgnfbd.exe
2032	Gbkgnfbd.exe
836	Gieojq32.exe
836	Gieojq32.exe
1604	Gobgcg32.exe
1604	Gobgcg32.exe
2232	Gkihhhnm.exe
2232	Gkihhhnm.exe
2092	Gmgdddmq.exe
2092	Gmgdddmq.exe
1580	Gaemjbcg.exe
1580	Gaemjbcg.exe
1700	Hknach32.exe
1700	Hknach32.exe
2600	Hiqbndpb.exe
2600	Hiqbndpb.exe
3048	Hpmgqnfl.exe
3048	Hpmgqnfl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Pjgjmd32.dll	be3ab82923149984d4846d01993f68e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Bkfjhd32.exe	Begeknan.exe
File created	C:\Windows\SysWOW64\Ddflckmp.dll	Begeknan.exe
File created	C:\Windows\SysWOW64\Fnbkddem.exe	Efppoc32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Nobdlg32.dll	Cdlnkmha.exe
File created	C:\Windows\SysWOW64\Lkoabpeg.dll	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Kqmoql32.dll	Piehkkcl.exe
File opened for modification	C:\Windows\SysWOW64\Doobajme.exe	Dchali32.exe
File created	C:\Windows\SysWOW64\Ekklaj32.exe	Doobajme.exe
File created	C:\Windows\SysWOW64\Maphhihi.dll	Doobajme.exe
File created	C:\Windows\SysWOW64\Ikkbnm32.dll	Fnbkddem.exe
File opened for modification	C:\Windows\SysWOW64\Bpcbqk32.exe	Bkfjhd32.exe
File opened for modification	C:\Windows\SysWOW64\Gieojq32.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Qahefm32.dll	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Doobajme.exe	Dchali32.exe
File created	C:\Windows\SysWOW64\Gieojq32.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Fhkpmjln.exe	Fnbkddem.exe
File opened for modification	C:\Windows\SysWOW64\Hiqbndpb.exe	Hknach32.exe
File opened for modification	C:\Windows\SysWOW64\Efppoc32.exe	Ekklaj32.exe
File created	C:\Windows\SysWOW64\Gbolehjh.dll	Ekklaj32.exe
File created	C:\Windows\SysWOW64\Jnmgmhmc.dll	Ffpmnf32.exe
File created	C:\Windows\SysWOW64\Gobgcg32.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Gmgdddmq.exe
File created	C:\Windows\SysWOW64\Amndem32.exe	Qhmbagfa.exe
File created	C:\Windows\SysWOW64\Qinopgfb.dll	Bkfjhd32.exe
File created	C:\Windows\SysWOW64\Chhpdp32.dll	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Flmefm32.exe	Ffpmnf32.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	Ffbicfoc.exe
File opened for modification	C:\Windows\SysWOW64\Gkihhhnm.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Hiqbndpb.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Pabjem32.exe	Piehkkcl.exe
File created	C:\Windows\SysWOW64\Ipghqomc.dll	Qhmbagfa.exe
File opened for modification	C:\Windows\SysWOW64\Ekklaj32.exe	Doobajme.exe
File created	C:\Windows\SysWOW64\Flmefm32.exe	Ffpmnf32.exe
File opened for modification	C:\Windows\SysWOW64\Piehkkcl.exe	Pphjgfqq.exe
File created	C:\Windows\SysWOW64\Efppoc32.exe	Ekklaj32.exe
File created	C:\Windows\SysWOW64\Jpajnpao.dll	Gaemjbcg.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Piehkkcl.exe	Pphjgfqq.exe
File created	C:\Windows\SysWOW64\Febhomkh.dll	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Okfencna.exe	be3ab82923149984d4846d01993f68e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Qhmbagfa.exe	Pabjem32.exe
File created	C:\Windows\SysWOW64\Dchali32.exe	Cdlnkmha.exe
File created	C:\Windows\SysWOW64\Cillgpen.dll	Dchali32.exe
File created	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hiqbndpb.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	Ffbicfoc.exe
File created	C:\Windows\SysWOW64\Gmgdddmq.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Kodppf32.dll	Pabjem32.exe
File opened for modification	C:\Windows\SysWOW64\Bebkpn32.exe	Amndem32.exe
File opened for modification	C:\Windows\SysWOW64\Begeknan.exe	Bebkpn32.exe
File created	C:\Windows\SysWOW64\Cckace32.exe	Bpcbqk32.exe
File created	C:\Windows\SysWOW64\Ffpmnf32.exe	Fhkpmjln.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Cdlnkmha.exe	Cckace32.exe
File opened for modification	C:\Windows\SysWOW64\Fhkpmjln.exe	Fnbkddem.exe
File created	C:\Windows\SysWOW64\Ahcocb32.dll	Gobgcg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
632	1936	WerFault.exe	65

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amndem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkfjhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjgjmd32.dll"	be3ab82923149984d4846d01993f68e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Ffbicfoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	be3ab82923149984d4846d01993f68e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icplghmh.dll"	Amndem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Doobajme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ekklaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll"	Ffpmnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obopfpji.dll"	Okfencna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Okfencna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddflckmp.dll"	Begeknan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbolehjh.dll"	Ekklaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	be3ab82923149984d4846d01993f68e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bioggp32.dll"	Bpcbqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdlnkmha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll"	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll"	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	be3ab82923149984d4846d01993f68e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pabjem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cckace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkfjhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpcbqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll"	Cdlnkmha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bebkpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodppf32.dll"	Pabjem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Doobajme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqmoql32.dll"	Piehkkcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dchali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ekklaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pabjem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bebkpn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 1628	2052	be3ab82923149984d4846d01993f68e0_NeikiAnalytics.exe	28
PID 2052 wrote to memory of 1628	2052	be3ab82923149984d4846d01993f68e0_NeikiAnalytics.exe	28
PID 2052 wrote to memory of 1628	2052	be3ab82923149984d4846d01993f68e0_NeikiAnalytics.exe	28
PID 2052 wrote to memory of 1628	2052	be3ab82923149984d4846d01993f68e0_NeikiAnalytics.exe	28
PID 1628 wrote to memory of 2900	1628	Okfencna.exe	29
PID 1628 wrote to memory of 2900	1628	Okfencna.exe	29
PID 1628 wrote to memory of 2900	1628	Okfencna.exe	29
PID 1628 wrote to memory of 2900	1628	Okfencna.exe	29
PID 2900 wrote to memory of 2788	2900	Pphjgfqq.exe	30
PID 2900 wrote to memory of 2788	2900	Pphjgfqq.exe	30
PID 2900 wrote to memory of 2788	2900	Pphjgfqq.exe	30
PID 2900 wrote to memory of 2788	2900	Pphjgfqq.exe	30
PID 2788 wrote to memory of 2716	2788	Piehkkcl.exe	31
PID 2788 wrote to memory of 2716	2788	Piehkkcl.exe	31
PID 2788 wrote to memory of 2716	2788	Piehkkcl.exe	31
PID 2788 wrote to memory of 2716	2788	Piehkkcl.exe	31
PID 2716 wrote to memory of 2680	2716	Pabjem32.exe	32
PID 2716 wrote to memory of 2680	2716	Pabjem32.exe	32
PID 2716 wrote to memory of 2680	2716	Pabjem32.exe	32
PID 2716 wrote to memory of 2680	2716	Pabjem32.exe	32
PID 2680 wrote to memory of 2560	2680	Qhmbagfa.exe	33
PID 2680 wrote to memory of 2560	2680	Qhmbagfa.exe	33
PID 2680 wrote to memory of 2560	2680	Qhmbagfa.exe	33
PID 2680 wrote to memory of 2560	2680	Qhmbagfa.exe	33
PID 2560 wrote to memory of 2516	2560	Amndem32.exe	34
PID 2560 wrote to memory of 2516	2560	Amndem32.exe	34
PID 2560 wrote to memory of 2516	2560	Amndem32.exe	34
PID 2560 wrote to memory of 2516	2560	Amndem32.exe	34
PID 2516 wrote to memory of 2164	2516	Bebkpn32.exe	35
PID 2516 wrote to memory of 2164	2516	Bebkpn32.exe	35
PID 2516 wrote to memory of 2164	2516	Bebkpn32.exe	35
PID 2516 wrote to memory of 2164	2516	Bebkpn32.exe	35
PID 2164 wrote to memory of 1836	2164	Begeknan.exe	36
PID 2164 wrote to memory of 1836	2164	Begeknan.exe	36
PID 2164 wrote to memory of 1836	2164	Begeknan.exe	36
PID 2164 wrote to memory of 1836	2164	Begeknan.exe	36
PID 1836 wrote to memory of 1088	1836	Bkfjhd32.exe	37
PID 1836 wrote to memory of 1088	1836	Bkfjhd32.exe	37
PID 1836 wrote to memory of 1088	1836	Bkfjhd32.exe	37
PID 1836 wrote to memory of 1088	1836	Bkfjhd32.exe	37
PID 1088 wrote to memory of 2172	1088	Bpcbqk32.exe	38
PID 1088 wrote to memory of 2172	1088	Bpcbqk32.exe	38
PID 1088 wrote to memory of 2172	1088	Bpcbqk32.exe	38
PID 1088 wrote to memory of 2172	1088	Bpcbqk32.exe	38
PID 2172 wrote to memory of 2580	2172	Cckace32.exe	39
PID 2172 wrote to memory of 2580	2172	Cckace32.exe	39
PID 2172 wrote to memory of 2580	2172	Cckace32.exe	39
PID 2172 wrote to memory of 2580	2172	Cckace32.exe	39
PID 2580 wrote to memory of 1820	2580	Cdlnkmha.exe	40
PID 2580 wrote to memory of 1820	2580	Cdlnkmha.exe	40
PID 2580 wrote to memory of 1820	2580	Cdlnkmha.exe	40
PID 2580 wrote to memory of 1820	2580	Cdlnkmha.exe	40
PID 1820 wrote to memory of 2908	1820	Dchali32.exe	41
PID 1820 wrote to memory of 2908	1820	Dchali32.exe	41
PID 1820 wrote to memory of 2908	1820	Dchali32.exe	41
PID 1820 wrote to memory of 2908	1820	Dchali32.exe	41
PID 2908 wrote to memory of 2464	2908	Doobajme.exe	42
PID 2908 wrote to memory of 2464	2908	Doobajme.exe	42
PID 2908 wrote to memory of 2464	2908	Doobajme.exe	42
PID 2908 wrote to memory of 2464	2908	Doobajme.exe	42
PID 2464 wrote to memory of 304	2464	Ekklaj32.exe	43
PID 2464 wrote to memory of 304	2464	Ekklaj32.exe	43
PID 2464 wrote to memory of 304	2464	Ekklaj32.exe	43
PID 2464 wrote to memory of 304	2464	Ekklaj32.exe	43

C:\Users\Admin\AppData\Local\Temp\be3ab82923149984d4846d01993f68e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\be3ab82923149984d4846d01993f68e0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\Okfencna.exe
  C:\Windows\system32\Okfencna.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\Pphjgfqq.exe
    C:\Windows\system32\Pphjgfqq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\Piehkkcl.exe
      C:\Windows\system32\Piehkkcl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\Pabjem32.exe
        
        C:\Windows\system32\Pabjem32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\Qhmbagfa.exe
        
        C:\Windows\system32\Qhmbagfa.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Amndem32.exe
        
        C:\Windows\system32\Amndem32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Bebkpn32.exe
        
        C:\Windows\system32\Bebkpn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Begeknan.exe
        
        C:\Windows\system32\Begeknan.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Bkfjhd32.exe
        
        C:\Windows\system32\Bkfjhd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Bpcbqk32.exe
        
        C:\Windows\system32\Bpcbqk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Cckace32.exe
        
        C:\Windows\system32\Cckace32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Cdlnkmha.exe
        
        C:\Windows\system32\Cdlnkmha.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Dchali32.exe
        
        C:\Windows\system32\Dchali32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Doobajme.exe
        
        C:\Windows\system32\Doobajme.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Ekklaj32.exe
        
        C:\Windows\system32\Ekklaj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Efppoc32.exe
        
        C:\Windows\system32\Efppoc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:304
        
        C:\Windows\SysWOW64\Fnbkddem.exe
        
        C:\Windows\system32\Fnbkddem.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Fhkpmjln.exe
        
        C:\Windows\system32\Fhkpmjln.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:496
        
        C:\Windows\SysWOW64\Ffpmnf32.exe
        
        C:\Windows\system32\Ffpmnf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Ffbicfoc.exe
        
        C:\Windows\system32\Ffbicfoc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Gpknlk32.exe
        
        C:\Windows\system32\Gpknlk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Gbkgnfbd.exe
        
        C:\Windows\system32\Gbkgnfbd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Gieojq32.exe
        
        C:\Windows\system32\Gieojq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Gobgcg32.exe
        
        C:\Windows\system32\Gobgcg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Gkihhhnm.exe
        
        C:\Windows\system32\Gkihhhnm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Gmgdddmq.exe
        
        C:\Windows\system32\Gmgdddmq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Hknach32.exe
        
        C:\Windows\system32\Hknach32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Hiqbndpb.exe
        
        C:\Windows\system32\Hiqbndpb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Hpmgqnfl.exe
        
        C:\Windows\system32\Hpmgqnfl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        39⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 140
        40⤵
        Program crash
        
        PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ffbicfoc.exe

Filesize
1.3MB

MD5
4df268a34bbe9213ad3d3dbe30dd53fd

SHA1
271577f47c988642b74cadcf02e0a22fb8ce1c5b

SHA256
01ffc5cc9a2d4036e46817c56de371e7b913aff465c2d7d0eafffe2c837b0f72

SHA512
ab5327b8a999e275aeedfd4dfda3111e2541a8a0dcf45d4280f1cb952d5df8388633babc4b95d54d3419f121044712ae4cfd9f0309d7d988eb2589874acc5d68

Download Submit
C:\Windows\SysWOW64\Ffpmnf32.exe

Filesize
1.3MB

MD5
d79b171be75fa98b04e0a5a00afc3a77

SHA1
fff8784f916efe52e766fd4efc59821f0ff29f31

SHA256
48bb7ae1ca82fa0ce4cacdacd545efc46989880da73b6880cef85b6ac5c329ea

SHA512
96a90a52ffd60fc7beff4806eca374d1f7e2ff20d93b63bdf41819bb54a7aef42ddae8cefcde3ef1a933a081f4ee00bdceae7e492b2e32782174a893d1fb4555

Download Submit
C:\Windows\SysWOW64\Fhkpmjln.exe

Filesize
1.3MB

MD5
b24882ecfd88d6c82f09737e39d0c0e2

SHA1
ac1658561e8ff24b372ceb8fff1070563ade730b

SHA256
f2fe48bcb6c7187e1ebdb99a471c19eb0db2ad41d7d9e72f7d86e3078179ac58

SHA512
4f5afd9eb56df4b6e418d441a718b4812556b4f142c08245b7af30752f02764121dc9854c80f6c9c95df70fcd5d08faa1be3a703c0a79e60ad3c7ac05dc57a10

Download Submit
C:\Windows\SysWOW64\Flmefm32.exe

Filesize
1.3MB

MD5
2be9e4988deb2549350a2a39a4c5de92

SHA1
348cb1c43dfbe1857920d86fa62737d71e702003

SHA256
4bf77dcda475404c91e042c0c5af3ccc825cc3e4fd09fad3786474631171f56b

SHA512
06a6c9ca0696dcbcc3d757f518e20612830e225c663d2fba19adb21551a50c0f8c93d875a094eb192d98fbff2e0fd5e565d7bfce3aafb028f6648e18d7fa517f

Download Submit
C:\Windows\SysWOW64\Fnbkddem.exe

Filesize
1.3MB

MD5
bf75e75cc9a2bdc9147de0549b63eb74

SHA1
661740808543c188dedb86e04d37ae80c0406699

SHA256
e43307258a414173f6b37e0b89c3ab8230449e484eb9fc81afa7bd20a816024f

SHA512
e20fe7e4a54263404b21823864baaee8e00e363569572f6b9d81aa0ac56cd60c8ba5c05894410835bf72c0ca07312a339dbf3b354dff5b4727e184b4f34e9001

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
1.3MB

MD5
384c31d9f24d168c3014e9e42619bd72

SHA1
442f2c443746fb599e9cae794b902e10f957f298

SHA256
ef10a916d22650a3bff746225839372d22c45cddef195b4645efadb4b97a355b

SHA512
b8b41461212ec726e442031984af9a347ee58d70798d3f8dbaea1bbedd53af09ea8f8dba3879883174ca75d0d360636645ea4fc2735b200a5bf47dc3ad12f521

Download Submit
C:\Windows\SysWOW64\Gbkgnfbd.exe

Filesize
1.3MB

MD5
4529e03b7ea454b423fc8a8c0c7737fb

SHA1
ec51e7c00918b3f3d60d25f8bcba5949adacc7d7

SHA256
69a34174fdf3dd07e97fed3ab6cc1453f689ae2be4967b5a662a30121a77c5ed

SHA512
330badc410501fede83f7531b337cb66d1ebf5cf9bd7c9ae080f38a86b81ef759ce3d90463258f7b8947919ad901fd365aa4f1d80d00fcdccf5c2442ff8a0ff1

Download Submit
C:\Windows\SysWOW64\Gieojq32.exe

Filesize
1.3MB

MD5
a204baa7e84027637e5e051b1f7f3327

SHA1
15b6d33ba23d105d2e637a9aca2b51dc85e86692

SHA256
732430e437e91e3d068699987c633fd6db74929c988325f821beb28993b0d2b5

SHA512
3c0625dabcd2fa0e08b777baf4baaeb017793b1fef86c097eb7177fd8bfa3221f467f4ba644b463788016b8963d66490139cd8fbc653e0828d76bea0c0cb0169

Download Submit
C:\Windows\SysWOW64\Gkihhhnm.exe

Filesize
1.3MB

MD5
7fdaf97b6bd786beb3c6be3f829d88f8

SHA1
0ba51c818a3c0340587d727dc61d99d8846cab7e

SHA256
ddb0c3fa01f4afe1bcd2889fef14d36acc6d895fcc05c03a40e9c4ea868c2839

SHA512
18c71729b7830c99a4abc1da9de03ad91e71dda414952f225cb960fa8c870f2c6165594e9a16e49bbc6d7b7c83ff0c31efbcb1df78d119966d4df0641a9ac1ae

Download Submit
C:\Windows\SysWOW64\Gmgdddmq.exe

Filesize
1.3MB

MD5
2f64cbaaf3aabb82cebed4de486e5ade

SHA1
28735bd6996d83959440fbfd256ac8957385002a

SHA256
61d3943d9f619732289f8c91bed1bda1b649e9d4f7f22d33f920765477faa8e4

SHA512
d3493f4f85aaba9d109f1bb53a168f06137bdfa06943ab5990b8be311df3dd7edc88dddd584cead8a7ec74950930d45c556444616553d2e0da972b5b07569e10

Download Submit
C:\Windows\SysWOW64\Gobgcg32.exe

Filesize
1.3MB

MD5
543f550387b2dbafef52547302cc8bb3

SHA1
276023d3481cdd058d432ca3b7bd012faf51673e

SHA256
9f1463839977ec99d426eea83590bfcb7400a2c0332014b2af2ed96aa5cb7473

SHA512
8f12d5624c39735d07825db003be0d1b2c0c21a83be0bf8e7c6b1388addfdd395111f085c0751f31e0f5a022798ae09b12878c7903e5ee6ac4dc325cdcbb014a

Download Submit
C:\Windows\SysWOW64\Gpknlk32.exe

Filesize
1.3MB

MD5
79fcd152faf5ce95775728801358355d

SHA1
399f7c2898c08687dad65af73c98df91fcdacd97

SHA256
a2bf442242e003e8884feb18d731fd4de9b660058f8c382da82184db879a2d6f

SHA512
0dc9bb29a436cd5f51ee5ff314fdf0728e1f7f3788f7e3aeb78d16e0a9ae3881c6abdcf9f947cef859e41495464e7cfe6dbf9d7badde367119193b8dcdcf6f81

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
1.3MB

MD5
638ab28fd561be22f29386bac0ebf11f

SHA1
c3ab820d0104b81468df85845364f88d6e5c6b41

SHA256
635bb7125d5e3043ca1bcb8d3b77c76c77db9215928c56d6f9cf136bf6804d3f

SHA512
f4f2e89716220360302d33e2ce4e0339e84555d455c626db4660c88e700fbe110cfb7bb6d271a5c635c01a3fa365bc724b54a4925f1618dcea77ad7e7215dbde

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
1.3MB

MD5
d40027fba4d610dc38af172ba0256372

SHA1
aca3bd22f7c8b54200d384573c93a247328f0846

SHA256
4040025466feeaf6a3c5e2b6242d1f6202fe655c2396cbb2ec9d16961de4baa4

SHA512
81f1f51fd270e4eed2aa2e47f64a9672d6f6cc9da53535bf799482147b9f1488550953f1774d0294f1278bbcf5698dae84c20693c952b5f5b8b16cd9d4f6cf65

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
1.3MB

MD5
ed6e1676aa9203cbca9d356088ec4ad9

SHA1
a9bddaec259d737c7d13d87d04dc8e099e84d71a

SHA256
d85a6e16914b17894391a901836c53559ac409063eafd35d109118d937111365

SHA512
30677bd03ef89686af5f054904928fb7e63404cec12b96d0ca68c90aa964045f25ff100c81aca5ee28b85f4fbe6c20953ee20fcfb495ac94d7a0e16b0d66a9a4

Download Submit
C:\Windows\SysWOW64\Hiqbndpb.exe

Filesize
1.3MB

MD5
9febaf2fdc1fa6b0de9bd79c712f83b7

SHA1
799faa371babfeaa8ed1c04bdf8d9ca480a82a47

SHA256
3050ddc2f9f4ade4cc1702dbdc579a06df5a3210e57d049a47a09b46b1d54610

SHA512
26a0f2c2a2fdc942296667e04f8777b3d9e48290f561b95959460da683e7dfcba2f11093d3b9b59717d29ab3738c8fcf538f57aef48955f06e00924958601e7a

Download Submit
C:\Windows\SysWOW64\Hknach32.exe

Filesize
1.3MB

MD5
a467cbce26c85b711be4897ada414653

SHA1
9103ec04b9e64dac4cb435705cafe7f71c31fd95

SHA256
49f4a3142e0f5fe0ba7a7cd183dc735dc049d684eaca199467a0849a8aa3a8dc

SHA512
6c96c09d54b081a134a9344de80c3da641f4c3c8743de76ad7cdd1bbd96a719f3c979bd314a372db6431035ce2148d523f64ee69659425f46e837fbcc91ac1af

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
1.3MB

MD5
325d43982e637af58688b9bda321b002

SHA1
2a7be18f65e1c129b47de5d9b9609b83d6e21bff

SHA256
e1429aa004cb78a8c98942dbeb44e66417941b83464478c4f6533bc1ebf40723

SHA512
955dab59d84cd1eac2f2ffdaf98048b86915276c6b1c027e8da5418bef5c36df217337b2b5028f17a22b9d75242550fcefd56c06d5ee41aaba5ad9a21ae3adf6

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
1.3MB

MD5
c6af28e56341d7b45ab12709f47d8322

SHA1
27bfeff3dc4fdc1eeb15f7f32e67b58ea9ca6f38

SHA256
641620b91eb6ec6af8c62d05bb1b0a90e2c37a6b8b3bd54858eb5c34f8ebad4b

SHA512
fedf57b66a8204aecb7164c0f8bec713d668101abdd483d38a583add1f59485bc3b22ca7a04a5228184ab9c2546d44c2e4e39c845cf6b0433d93359a3acd4e8a

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
1.3MB

MD5
d3cbb0912599277141eab599c9e83b0a

SHA1
65b10a2e12e3c575e5ef78c5e8c442f06a7785e9

SHA256
8d4d925b13f234ce581998d51029d9db9a4a91c4168b53de5de5166c5c19a0a4

SHA512
d88b21348b5b7e576d0840e356de0589d2602dffa0b29d3aae6da4108a2c7907b4d38ddfb312aacd2cf91ef50e4e167e5810f5e056b9d17680909fd4b8426e87

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
1.3MB

MD5
d9ddfabfcd214644686f256c97efd638

SHA1
2975a40e1a1467a30ac2798cf8f728ac4e252788

SHA256
4a35476246388709dbc08c9137d98e2ebc0498cd2e54812f99544f2dbd9cd775

SHA512
84c81bf585b9f395094bc91d306d1f3e9921615ed54de33b4161c0f3d2ba9a825cd280c0470184c2181b06bcfcd56b24ea0b442c21a711f2df5ea49eb2e7565d

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
1.3MB

MD5
0c50f0f5e9dbe49dde928d6abe4b1894

SHA1
318568fe3171744dc0c546aa1a4ff93a896712b9

SHA256
ebcba21714c90c14f1752652182913aa86058f4ab672ee18e8427c9508b2b72f

SHA512
1c4a6ba2b87f5fcbca2656aac2debd91206b599734d90ed1440968bf9e8871235ffbf2d2088c2c19641d18ec0ac59e502b27622a76cba45e0cd1943e6cfc660e

Download Submit
C:\Windows\SysWOW64\Kodppf32.dll

Filesize
7KB

MD5
3f53a3c05904e6a999ccbf7eb12d8231

SHA1
b4a7913c8895180381a744f10182130b50307949

SHA256
bced725463f696232d2f8e9fa0e551e650593846b1c537fae77c902b2e1d5c1c

SHA512
974368bb09f2058c061dce36394e579c1dc5af55c12fa3469208bde1f8749d8791f482ccafb69d199f1c0ce0cabd15e6dda4f77004805d23c4f2d6583d87d9b9

Download Submit
C:\Windows\SysWOW64\Pabjem32.exe

Filesize
1.3MB

MD5
1726fc40e398873f997ae441fd885ef9

SHA1
8cbb7c857474e9d2f63aa7e52105c400c0a39121

SHA256
fa61aadf632e02680681cbfb0837222455bc14337fb1be5570e1ffbb54822c57

SHA512
d7d5789898a07dc95760d9522921c97bdba1a0bde81ab5ca0e156a608710f009d02ed4d0865eaf54334813fec83e925a347c58cffe4974e13bf823fcc1983991

Download Submit
\Windows\SysWOW64\Amndem32.exe

Filesize
1.3MB

MD5
9f005b3f48ecacc220a577094a9d13a2

SHA1
600ad3f8441373cad224644d61413eeddd7c5428

SHA256
927435f79c91ff11a9226e43172f2240578666f0f9d34f72c7030f29933d34c3

SHA512
dd12f520b6326d50fb56516d1c0ce7df8d3c924c723c7b16c94cba4c7b80108fac4512f74884d552665e47da44c63c73f22f44d74e805df32a92845eefb6a5a8

Download Submit
\Windows\SysWOW64\Bebkpn32.exe

Filesize
1.3MB

MD5
3f0b0a359ae8b3bcce0c91a8c9a996d3

SHA1
71d2741bb7f12b7aaa791cdf9c944b19cf9f8574

SHA256
cd585a6ac5747164ad27151ffe472517a304be73598b502853cd7213a0f9cf51

SHA512
671496541195bcf6e77f52df7c6c6037562613999590e0e0f7db6722109c9221badb5c79b00431774502c9412be9d27f6231877d8a6b229fb8e27a8dbafcd61a

Download Submit
\Windows\SysWOW64\Begeknan.exe

Filesize
1.3MB

MD5
153ecab637d1c071a742f8ad7e513415

SHA1
648c2b30a4dde4e933a115964934b198cf320521

SHA256
cfa8762225dfd998083074e0b997e0baebc48553b13ee7c7b07c0542e01443ad

SHA512
ff6686f8f76a48e57279b69a050893569ddf427020cfdbd97964b4e688070f95cfdf4529ec40e3d07f7608b64749411953d525c28f4d8542f647244b9b48fa4b

Download Submit
\Windows\SysWOW64\Bkfjhd32.exe

Filesize
1.3MB

MD5
721779d62b01e64681132da9e6950ed3

SHA1
e500a813e4e53b48f1f490f9bf5c4ed5e1c3ea21

SHA256
f4d0abece53effca83879385a38960982c8e417c936244c5c952dc3339edeb6a

SHA512
5d71b835f38fdcf3606a389cca68578b648cef2c19d88b01e2ea63cc43e9b7b1a80d8759a277c35f1a149712e35df45111494726faabbc84df2a504718e35ec2

Download Submit
\Windows\SysWOW64\Bpcbqk32.exe

Filesize
1.3MB

MD5
98fa93c6b9864e941921e77e7f5ae6bc

SHA1
82ec82e734cbea1db0e84db479cfbfbb36b1dcbb

SHA256
fc130b88f1d47ef5e3fd77eb2235c50aa5363188c5280c5f35fb2286289de573

SHA512
bff61718b31be96a06ff6ac3362d795cc7c4a1d1d65562b65f95c4b95a7a1d449d6c8e3a8bfbe3a0c47fe85c82822f880046e69f6bada294cff6147220e8168b

Download Submit
\Windows\SysWOW64\Cckace32.exe

Filesize
1.3MB

MD5
4f5712515958c6ab95efc3885c0e644e

SHA1
9814c7b59fabae14e3946444554bac09c90dfaee

SHA256
96b7bbb4658a86ec2622823782554e612caf16487cdf615fa8040d37f27277ab

SHA512
7bd68630d89470ed6176bbd360dbb17f89a26d2dd870e8adfd241632017441c92ea65ae91f670b2c2a9c5966786891060df5da7195778bffea5701feec65650f

Download Submit
\Windows\SysWOW64\Cdlnkmha.exe

Filesize
1.3MB

MD5
a8fca2228af8c4c9af95b7b0143821f6

SHA1
384fcb3f5a751791537904966820fbc3e211d0a3

SHA256
df565816455ade65c531907889293be93bc9e356d1ffa0c159825a6e151daef6

SHA512
b50c6680a4175f287d937408d7ebb21d9685718cf963c2ac3b776245c6ce44597a0195235773a57938375e7d4b0344ff0405dfdcdf6d9204df1f1d4250e00e00

Download Submit
\Windows\SysWOW64\Dchali32.exe

Filesize
1.3MB

MD5
15af40573179807303b47cb81b6334aa

SHA1
660471285aa88698a2a02b6ae12b8db8e85577af

SHA256
5dcc39bdce1d43fa235506a9213289d5a81683321c53b8ad022aeb7c9220f495

SHA512
97ad826cd158f42242fe83d7357f5be93a6650c91513551be63fff4994021079de613b5dd3f23b310ec93d3f0222857b2de5f8918a8f2acecd42cec1511fa39e

Download Submit
\Windows\SysWOW64\Doobajme.exe

Filesize
1.3MB

MD5
80607a5747d514213b8a3022b613b99f

SHA1
3cc28c66fbb4bc63d066bc0695a8bf2da2f9b416

SHA256
aa5bdf63cbf06f69a52b5660f755964137565ca1a6fe68f4a937b0db58ab803e

SHA512
3f3df42a3bd2fedb288007c61e5a25e9a17508f2eacd821d81d2f618b7ad92cb205a45a35377a70ce760c589b655b08ac52530f1a02d4c4abcf899964a53d1b7

Download Submit
\Windows\SysWOW64\Efppoc32.exe

Filesize
1.3MB

MD5
35cba3185c142dc8961148346e7edbf4

SHA1
673e5a5c7b3dc9b2d43a16941e7d1bd8fd5d9631

SHA256
7bde33df543ab9c577e9d4f4b0ae190d0e34f24cffece63c53bb5b877e567e93

SHA512
ac8617280f689d8b9b78ac281de6d47033bdb3e8eb2c0a963a5c774abd236570f8859de0afcdbc3f25078b4e487a14c81ea3681a2f569340a502c667cea348d5

Download Submit
\Windows\SysWOW64\Ekklaj32.exe

Filesize
1.3MB

MD5
f390fc937bf90b275d91948aa741324f

SHA1
db870bfb24854be2763db4e8b7ea953526981f58

SHA256
c486fdf3f66b353193f28a24edf019736524f047e235eda716cc796fe9611f68

SHA512
f76f38ed3944d786492b6b483e5342de047aab627d81f47f4a898a5ad88af04a2aa686a21a2948f103a6f99e8030b72c52b5f4afb57de540e3dc3df3f0cbab72

Download Submit
\Windows\SysWOW64\Okfencna.exe

Filesize
1.3MB

MD5
d49f7754771f4ec861a2d94ff27483f7

SHA1
4945b7b14d2b97d3493f4f3b31ad0e739062b240

SHA256
57d21dccab8ac8d62e26ade06887d1c3876220ffb9db3550fc8ee254766342c6

SHA512
f368a5c5da90650b5bb2e4a7b4f1d798f27ae14a20e5319a5647035c4cb4bff78e0af90e5f73c228bc70cc06a4e5d0b767152486d0b8de9e7548e8516362cad6

Download Submit
\Windows\SysWOW64\Piehkkcl.exe

Filesize
1.3MB

MD5
35e5f41d1a78191628bea4e3cf354b37

SHA1
599cb7f8e9346ddd60cca20cc1de084fc1d66d54

SHA256
57b594a892b077c6967a6dfdff6de11027dadf91a8f15620e6d2141468d83c90

SHA512
53b1190c6e2075f5941b3a1aa579e6f4144237263c0bbf942c96dc5950598a3703ee2d3a459204249565171da770f9597860120e38ed88a6f2c689740e3bc5bb

Download Submit
\Windows\SysWOW64\Pphjgfqq.exe

Filesize
1.3MB

MD5
e2237b7fd69a4cf6d15fa5da12f69feb

SHA1
f3aa3e383d007bd5469a71f72bc49986a0d2d6e0

SHA256
07a4830bf7210f8c980c2744dabfe2501075a92917a3e09e259d37eba218b024

SHA512
2918de4d4837d0c7cb0d84d60fb294a22b155cff32071ae2674b08995482b36b996be74f22e2dccf403b56e013acbaf20677818d92e993e6ac48892cbb97211b

Download Submit
\Windows\SysWOW64\Qhmbagfa.exe

Filesize
1.3MB

MD5
274c5b1baf582c1794351d40d1bc7a79

SHA1
7fb78822196604967e46856ba48d3d66b2aafe4d

SHA256
64ec16a418e3890631f2e6cfd722fae30bd0da88ed846cd3cc994eb76d54a814

SHA512
673cddf5c2471d2ffbe2e3ddfb87563e8726c9ca4f894acb416a544fa7c9b7b70dd3b0ca42b32cbd4f1c70cb3a1e7b926e99a7dfa6c71a3db3e081e9bd3bb63d

Download Submit
memory/304-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/304-223-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/304-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-233-0x0000000000450000-0x0000000000483000-memory.dmp

Filesize
204KB

Download
memory/348-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/496-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/496-243-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/496-242-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/784-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-272-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/784-271-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/836-304-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/836-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-305-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1088-148-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1088-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-252-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1544-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-283-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1544-282-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1544-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-345-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1580-349-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1580-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-316-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1604-315-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1604-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-25-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1700-360-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1700-356-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1700-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-443-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1912-444-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1936-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-294-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2032-290-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2052-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-6-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2092-338-0x00000000004B0000-0x00000000004E3000-memory.dmp

Filesize
204KB

Download
memory/2092-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-334-0x00000000004B0000-0x00000000004E3000-memory.dmp

Filesize
204KB

Download
memory/2164-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-323-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2232-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-327-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2464-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-92-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2560-93-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2560-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-169-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2580-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-371-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2600-367-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2600-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-424-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2632-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-423-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2636-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-79-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2680-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-392-0x0000000000380000-0x00000000003B3000-memory.dmp

Filesize
204KB

Download
memory/2748-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-393-0x0000000000380000-0x00000000003B3000-memory.dmp

Filesize
204KB

Download
memory/2748-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-409-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2776-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-417-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2788-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-34-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2900-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-382-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3048-381-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3048-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads