22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223_NeikiAnalytics.exe
Size

233KB
MD5

24c2fc078770466d241362ea91b4a7f0
SHA1

c64c90598d82554dde475a703230adc262f01920
SHA256

22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223
SHA512

0304f7496d17a7acfa3185c2578b30f630bbde68d34afb253eceba0492f3c6dd31bdcb51fca75f32d9b40d376bee7dd4a101cfd29909830dfc81c202c3351e8b
SSDEEP

6144:ramCzIJKvaHEDpfRKB3A4U2dga1mcyw7I6BjtCYYs2:bCzIYvakF5WHR1mK7fVtXP2

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcmnpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffgqqaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fckajehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icnpmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceoibflm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkgqfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcllonma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edbklofb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkjmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhemmlhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcdmga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofbch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gblngpbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clkndpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbdgfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeflhdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbpgbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbbkaako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Immapg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dceohhja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icnpmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpijnqkp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cahfmgoo.exe

Malware Dropper & Backdoor - Berbew 58 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000700000002328e-7.dat	family_berbew
behavioral2/files/0x0007000000023402-15.dat	family_berbew
behavioral2/files/0x0007000000023409-39.dat	family_berbew
behavioral2/files/0x0007000000023406-31.dat	family_berbew
behavioral2/files/0x0007000000023406-25.dat	family_berbew
behavioral2/files/0x0007000000023404-23.dat	family_berbew
behavioral2/files/0x000700000002340b-46.dat	family_berbew
behavioral2/files/0x000700000002340d-54.dat	family_berbew
behavioral2/files/0x000700000002340f-62.dat	family_berbew
behavioral2/files/0x0007000000023411-70.dat	family_berbew
behavioral2/files/0x0007000000023413-78.dat	family_berbew
behavioral2/files/0x0007000000023415-86.dat	family_berbew
behavioral2/files/0x0007000000023417-94.dat	family_berbew
behavioral2/files/0x0007000000023419-102.dat	family_berbew
behavioral2/files/0x000700000002341b-110.dat	family_berbew
behavioral2/files/0x000700000002341d-118.dat	family_berbew
behavioral2/files/0x000700000002341f-126.dat	family_berbew
behavioral2/files/0x0007000000023421-134.dat	family_berbew
behavioral2/files/0x0007000000023422-142.dat	family_berbew
behavioral2/files/0x0007000000023424-150.dat	family_berbew
behavioral2/files/0x0007000000023426-158.dat	family_berbew
behavioral2/files/0x0007000000023428-166.dat	family_berbew
behavioral2/files/0x000700000002342a-174.dat	family_berbew
behavioral2/files/0x000700000002342c-182.dat	family_berbew
behavioral2/files/0x000700000002342e-185.dat	family_berbew
behavioral2/files/0x0007000000023430-199.dat	family_berbew
behavioral2/files/0x0007000000023432-207.dat	family_berbew
behavioral2/files/0x0007000000023434-214.dat	family_berbew
behavioral2/files/0x0007000000023437-223.dat	family_berbew
behavioral2/files/0x0007000000023439-230.dat	family_berbew
behavioral2/files/0x000700000002343b-238.dat	family_berbew
behavioral2/files/0x000700000002343d-246.dat	family_berbew
behavioral2/files/0x000700000002343f-255.dat	family_berbew
behavioral2/files/0x0007000000023467-371.dat	family_berbew
behavioral2/files/0x000700000002348e-485.dat	family_berbew
behavioral2/files/0x0007000000023494-503.dat	family_berbew
behavioral2/files/0x00070000000234d2-694.dat	family_berbew
behavioral2/files/0x00070000000234dc-729.dat	family_berbew
behavioral2/files/0x0007000000023507-891.dat	family_berbew
behavioral2/files/0x0007000000023515-940.dat	family_berbew
behavioral2/files/0x0007000000023535-1049.dat	family_berbew
behavioral2/files/0x000700000002353b-1069.dat	family_berbew
behavioral2/files/0x0007000000023541-1088.dat	family_berbew
behavioral2/files/0x0007000000023545-1101.dat	family_berbew
behavioral2/files/0x0007000000023551-1141.dat	family_berbew
behavioral2/files/0x0007000000023559-1168.dat	family_berbew
behavioral2/files/0x0007000000023569-1220.dat	family_berbew
behavioral2/files/0x0007000000023597-1371.dat	family_berbew
behavioral2/files/0x00070000000235a4-1410.dat	family_berbew
behavioral2/files/0x00070000000235ac-1436.dat	family_berbew
behavioral2/files/0x00070000000235b4-1464.dat	family_berbew
behavioral2/files/0x00070000000235bc-1491.dat	family_berbew
behavioral2/files/0x00070000000235d0-1555.dat	family_berbew
behavioral2/files/0x00070000000235d6-1576.dat	family_berbew
behavioral2/files/0x00070000000235dc-1595.dat	family_berbew
behavioral2/files/0x00070000000235f4-1678.dat	family_berbew
behavioral2/files/0x000700000002360c-1758.dat	family_berbew
behavioral2/files/0x0007000000023627-1841.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
3212	Bjpaooda.exe
3244	Bbgipldd.exe
1816	Beeflhdh.exe
4020	Bjbndobo.exe
4248	Bnnjen32.exe
1940	Bblckl32.exe
2632	Bejogg32.exe
3188	Bdmpcdfm.exe
4584	Bldgdago.exe
4164	Blfdia32.exe
4640	Ceoibflm.exe
1548	Cliaoq32.exe
4204	Cafigg32.exe
964	Clkndpag.exe
4048	Cahfmgoo.exe
4716	Cbgbgj32.exe
5004	Chdkoa32.exe
3736	Conclk32.exe
656	Chghdqbf.exe
3980	Ckedalaj.exe
1840	Dekhneap.exe
3780	Dkgqfl32.exe
3800	Demecd32.exe
3956	Dkjmlk32.exe
3356	Doeiljfn.exe
4776	Dhnnep32.exe
3552	Dccbbhld.exe
1656	Dhpjkojk.exe
800	Dllfkn32.exe
3084	Dceohhja.exe
1164	Echknh32.exe
2436	Eefhjc32.exe
3732	Elppfmoo.exe
4920	Eoolbinc.exe
740	Ehgqln32.exe
2548	Ekemhj32.exe
448	Eapedd32.exe
1748	Ekhjmiad.exe
1448	Eemnjbaj.exe
1780	Eofbch32.exe
1524	Eadopc32.exe
1224	Edbklofb.exe
2164	Fohoigfh.exe
1040	Fdegandp.exe
1580	Fkopnh32.exe
4252	Fcfhof32.exe
4768	Fdgdgnbm.exe
3792	Fomhdg32.exe
4564	Ffgqqaip.exe
4040	Fhemmlhc.exe
4216	Fkciihgg.exe
3644	Fckajehi.exe
2096	Flceckoj.exe
3700	Fcmnpe32.exe
4440	Ffkjlp32.exe
2408	Glebhjlg.exe
456	Gododflk.exe
5028	Gbbkaako.exe
2192	Ghlcnk32.exe
2016	Gkkojgao.exe
1764	Gbdgfa32.exe
1216	Gdcdbl32.exe
3096	Gkmlofol.exe
4120	Gcddpdpo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nconcm32.dll	Bdmpcdfm.exe
File created	C:\Windows\SysWOW64\Kemhff32.exe	Kboljk32.exe
File opened for modification	C:\Windows\SysWOW64\Mlcifmbl.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Hipfji32.dll	22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lcjnop32.dll	Imakkfdg.exe
File opened for modification	C:\Windows\SysWOW64\Jpijnqkp.exe	Jmknaell.exe
File opened for modification	C:\Windows\SysWOW64\Likjcbkc.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Lpqiemge.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Lpqiemge.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Elppfmoo.exe	Eefhjc32.exe
File created	C:\Windows\SysWOW64\Mlopkm32.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Flnakb32.dll	Echknh32.exe
File created	C:\Windows\SysWOW64\Gokdeeec.exe	Gmlhii32.exe
File opened for modification	C:\Windows\SysWOW64\Llcpoo32.exe	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Kmfmmcbo.exe	Kikame32.exe
File created	C:\Windows\SysWOW64\Oolpjdob.dll	Lboeaifi.exe
File opened for modification	C:\Windows\SysWOW64\Lmdina32.exe	Liimncmf.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Nnenbk32.dll	Conclk32.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mdehlk32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Clkndpag.exe	Cafigg32.exe
File created	C:\Windows\SysWOW64\Heocnk32.exe	Hbpgbo32.exe
File created	C:\Windows\SysWOW64\Ibcmom32.exe	Icplcpgo.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Bejogg32.exe	Bblckl32.exe
File created	C:\Windows\SysWOW64\Demecd32.exe	Dkgqfl32.exe
File opened for modification	C:\Windows\SysWOW64\Hmfkoh32.exe	Heocnk32.exe
File created	C:\Windows\SysWOW64\Ejckel32.dll	Jmknaell.exe
File created	C:\Windows\SysWOW64\Kjhcgd32.dll	Gfbploob.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Nmpmkplp.dll	Jpijnqkp.exe
File created	C:\Windows\SysWOW64\Aipoal32.dll	Dceohhja.exe
File opened for modification	C:\Windows\SysWOW64\Immapg32.exe	Iefioj32.exe
File created	C:\Windows\SysWOW64\Iikhfg32.exe	Ifllil32.exe
File opened for modification	C:\Windows\SysWOW64\Ibcmom32.exe	Icplcpgo.exe
File opened for modification	C:\Windows\SysWOW64\Beeflhdh.exe	Bbgipldd.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Cahfmgoo.exe	Clkndpag.exe
File created	C:\Windows\SysWOW64\Conclk32.exe	Chdkoa32.exe
File created	C:\Windows\SysWOW64\Kfankifm.exe	Kdcbom32.exe
File opened for modification	C:\Windows\SysWOW64\Lphoelqn.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Icplcpgo.exe	Imfdff32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dceohhja.exe	Dllfkn32.exe
File created	C:\Windows\SysWOW64\Fckajehi.exe	Fkciihgg.exe
File created	C:\Windows\SysWOW64\Ldoaklml.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Collmj32.dll	Eemnjbaj.exe
File opened for modification	C:\Windows\SysWOW64\Eadopc32.exe	Eofbch32.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	Mlopkm32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8720	8628	WerFault.exe	372

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dccbbhld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmogab32.dll"	Dkjmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcpclbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkjmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehgqln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehldcbk.dll"	Bblckl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgdelcpg.dll"	Jbhfjljd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkgqfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eapedd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceoibflm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flnakb32.dll"	Echknh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olgkhn32.dll"	Eoolbinc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkjmlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefofm32.dll"	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbeedbdm.dll"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkciihgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkmlofol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkjck32.dll"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnenbk32.dll"	Conclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jeklag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iikhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpmkplp.dll"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 3212	940	22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223_NeikiAnalytics.exe	83
PID 940 wrote to memory of 3212	940	22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223_NeikiAnalytics.exe	83
PID 940 wrote to memory of 3212	940	22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223_NeikiAnalytics.exe	83
PID 3212 wrote to memory of 3244	3212	Bjpaooda.exe	84
PID 3212 wrote to memory of 3244	3212	Bjpaooda.exe	84
PID 3212 wrote to memory of 3244	3212	Bjpaooda.exe	84
PID 3244 wrote to memory of 1816	3244	Bbgipldd.exe	85
PID 3244 wrote to memory of 1816	3244	Bbgipldd.exe	85
PID 3244 wrote to memory of 1816	3244	Bbgipldd.exe	85
PID 1816 wrote to memory of 4020	1816	Beeflhdh.exe	86
PID 1816 wrote to memory of 4020	1816	Beeflhdh.exe	86
PID 1816 wrote to memory of 4020	1816	Beeflhdh.exe	86
PID 4020 wrote to memory of 4248	4020	Bjbndobo.exe	87
PID 4020 wrote to memory of 4248	4020	Bjbndobo.exe	87
PID 4020 wrote to memory of 4248	4020	Bjbndobo.exe	87
PID 4248 wrote to memory of 1940	4248	Bnnjen32.exe	88
PID 4248 wrote to memory of 1940	4248	Bnnjen32.exe	88
PID 4248 wrote to memory of 1940	4248	Bnnjen32.exe	88
PID 1940 wrote to memory of 2632	1940	Bblckl32.exe	89
PID 1940 wrote to memory of 2632	1940	Bblckl32.exe	89
PID 1940 wrote to memory of 2632	1940	Bblckl32.exe	89
PID 2632 wrote to memory of 3188	2632	Bejogg32.exe	90
PID 2632 wrote to memory of 3188	2632	Bejogg32.exe	90
PID 2632 wrote to memory of 3188	2632	Bejogg32.exe	90
PID 3188 wrote to memory of 4584	3188	Bdmpcdfm.exe	92
PID 3188 wrote to memory of 4584	3188	Bdmpcdfm.exe	92
PID 3188 wrote to memory of 4584	3188	Bdmpcdfm.exe	92
PID 4584 wrote to memory of 4164	4584	Bldgdago.exe	93
PID 4584 wrote to memory of 4164	4584	Bldgdago.exe	93
PID 4584 wrote to memory of 4164	4584	Bldgdago.exe	93
PID 4164 wrote to memory of 4640	4164	Blfdia32.exe	94
PID 4164 wrote to memory of 4640	4164	Blfdia32.exe	94
PID 4164 wrote to memory of 4640	4164	Blfdia32.exe	94
PID 4640 wrote to memory of 1548	4640	Ceoibflm.exe	96
PID 4640 wrote to memory of 1548	4640	Ceoibflm.exe	96
PID 4640 wrote to memory of 1548	4640	Ceoibflm.exe	96
PID 1548 wrote to memory of 4204	1548	Cliaoq32.exe	97
PID 1548 wrote to memory of 4204	1548	Cliaoq32.exe	97
PID 1548 wrote to memory of 4204	1548	Cliaoq32.exe	97
PID 4204 wrote to memory of 964	4204	Cafigg32.exe	98
PID 4204 wrote to memory of 964	4204	Cafigg32.exe	98
PID 4204 wrote to memory of 964	4204	Cafigg32.exe	98
PID 964 wrote to memory of 4048	964	Clkndpag.exe	99
PID 964 wrote to memory of 4048	964	Clkndpag.exe	99
PID 964 wrote to memory of 4048	964	Clkndpag.exe	99
PID 4048 wrote to memory of 4716	4048	Cahfmgoo.exe	101
PID 4048 wrote to memory of 4716	4048	Cahfmgoo.exe	101
PID 4048 wrote to memory of 4716	4048	Cahfmgoo.exe	101
PID 4716 wrote to memory of 5004	4716	Cbgbgj32.exe	102
PID 4716 wrote to memory of 5004	4716	Cbgbgj32.exe	102
PID 4716 wrote to memory of 5004	4716	Cbgbgj32.exe	102
PID 5004 wrote to memory of 3736	5004	Chdkoa32.exe	103
PID 5004 wrote to memory of 3736	5004	Chdkoa32.exe	103
PID 5004 wrote to memory of 3736	5004	Chdkoa32.exe	103
PID 3736 wrote to memory of 656	3736	Conclk32.exe	104
PID 3736 wrote to memory of 656	3736	Conclk32.exe	104
PID 3736 wrote to memory of 656	3736	Conclk32.exe	104
PID 656 wrote to memory of 3980	656	Chghdqbf.exe	105
PID 656 wrote to memory of 3980	656	Chghdqbf.exe	105
PID 656 wrote to memory of 3980	656	Chghdqbf.exe	105
PID 3980 wrote to memory of 1840	3980	Ckedalaj.exe	106
PID 3980 wrote to memory of 1840	3980	Ckedalaj.exe	106
PID 3980 wrote to memory of 1840	3980	Ckedalaj.exe	106
PID 1840 wrote to memory of 3780	1840	Dekhneap.exe	107

C:\Users\Admin\AppData\Local\Temp\22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\22e091f7b41b91da2951c08616c4e0f46edade248f73eb643fcd0c1d0e4f9223_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\SysWOW64\Bjpaooda.exe
  C:\Windows\system32\Bjpaooda.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\SysWOW64\Bbgipldd.exe
    C:\Windows\system32\Bbgipldd.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Windows\SysWOW64\Beeflhdh.exe
      C:\Windows\system32\Beeflhdh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Windows\SysWOW64\Bjbndobo.exe
        
        C:\Windows\system32\Bjbndobo.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Windows\SysWOW64\Bnnjen32.exe
        
        C:\Windows\system32\Bnnjen32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Bblckl32.exe
        
        C:\Windows\system32\Bblckl32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Bejogg32.exe
        
        C:\Windows\system32\Bejogg32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Blfdia32.exe
        
        C:\Windows\system32\Blfdia32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Cliaoq32.exe
        
        C:\Windows\system32\Cliaoq32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Cafigg32.exe
        
        C:\Windows\system32\Cafigg32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Cahfmgoo.exe
        
        C:\Windows\system32\Cahfmgoo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Cbgbgj32.exe
        
        C:\Windows\system32\Cbgbgj32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        24⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Doeiljfn.exe
        
        C:\Windows\system32\Doeiljfn.exe
        26⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        27⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        29⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:800
        
        C:\Windows\SysWOW64\Dceohhja.exe
        
        C:\Windows\system32\Dceohhja.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        34⤵
        Executes dropped EXE
        
        PID:3732
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        37⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        39⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1780
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        42⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        44⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        45⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        46⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        47⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        48⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        49⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3644
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        54⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        56⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        57⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        58⤵
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        60⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        61⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        63⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        65⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        66⤵
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4132
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        68⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        69⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        70⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        71⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1332
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        73⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        74⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        76⤵
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        77⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        78⤵
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        79⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        80⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        81⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        82⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3636
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2200
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        85⤵
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1996
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        87⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        88⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        89⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        90⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        91⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        92⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        93⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        94⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        95⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        96⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        99⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        101⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        102⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        103⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        104⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        105⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        106⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        108⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        109⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        112⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        114⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        116⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        117⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        118⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5736
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        120⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        122⤵
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        123⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        124⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        127⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        128⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        129⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        130⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        133⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5872
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        135⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        136⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        137⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        138⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        140⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        142⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        143⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        144⤵
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        146⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        147⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        148⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        149⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        151⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        153⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        154⤵
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        155⤵
        Drops file in System32 directory
        
        PID:6684
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        156⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        157⤵
        Drops file in System32 directory
        
        PID:6772
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6860
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        160⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        161⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        162⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7028
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        164⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        165⤵
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        167⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6244
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        169⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        170⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        171⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        173⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        174⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6736
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        176⤵
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        177⤵
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        178⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        180⤵
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        181⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        182⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6304
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        184⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        185⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6648
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        188⤵
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        189⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        190⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6148
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6288
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        194⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        195⤵
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        196⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        197⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        198⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        199⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        200⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        201⤵
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6820
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6192
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        205⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        206⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        207⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        208⤵
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        209⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        210⤵
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        211⤵
        Modifies registry class
        
        PID:7208
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7252
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        213⤵
        Modifies registry class
        
        PID:7300
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        214⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        215⤵
        Modifies registry class
        
        PID:7380
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        216⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        217⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        218⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        219⤵
        Modifies registry class
        
        PID:7556
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        220⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        221⤵
        Modifies registry class
        
        PID:7644
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        222⤵
        Modifies registry class
        
        PID:7688
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        223⤵
        Modifies registry class
        
        PID:7728
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        224⤵
        Drops file in System32 directory
        
        PID:7768
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        225⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        226⤵
        Drops file in System32 directory
        
        PID:7852
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        227⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7936
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7980
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        230⤵
        Drops file in System32 directory
        
        PID:8024
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8064
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8104
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        233⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        234⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        235⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        236⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        237⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        238⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        239⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7572
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        241⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7736
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        243⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        244⤵
        Drops file in System32 directory
        
        PID:7880
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        245⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        246⤵
        Modifies registry class
        
        PID:8020
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        247⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        248⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        249⤵
        Modifies registry class
        
        PID:7200
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        250⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        251⤵
        Modifies registry class
        
        PID:7432
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        252⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        253⤵
        Modifies registry class
        
        PID:7640
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        254⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7900
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        256⤵
        Drops file in System32 directory
        
        PID:7988
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        257⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        258⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        259⤵
        Modifies registry class
        
        PID:7400
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        260⤵
        Modifies registry class
        
        PID:7520
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        261⤵
        Drops file in System32 directory
        
        PID:7792
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7924
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        263⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7316
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        265⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        266⤵
        Modifies registry class
        
        PID:7840
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        267⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8188
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        268⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7352
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        270⤵
        Drops file in System32 directory
        
        PID:8216
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        271⤵
        Modifies registry class
        
        PID:8260
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        272⤵
        Modifies registry class
        
        PID:8300
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        273⤵
        Drops file in System32 directory
        
        PID:8340
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        274⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        275⤵
        Modifies registry class
        
        PID:8424
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        276⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        277⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        278⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        279⤵
        Modifies registry class
        
        PID:8588
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        280⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8628 -s 408
        281⤵
        Program crash
        
        PID:8720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8628 -ip 8628
1⤵
PID:8692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
233KB

MD5
0b0bfa73fb366f06dff140d3ce5096e1

SHA1
98a771d07dda366fd1268be63c18830f2ab1a65a

SHA256
f9edf59107ca483990a52fecae0d99599fc4ffb65490870f9b8e72cad81505cc

SHA512
34ec498d9d6cbc0b0a017ea8e343a804dfb38bb6969f47a9c4053561c1140ea7034cc36e035d43ecefdc47bf4db109cc8449e30650d640699a47495892dea19b

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
233KB

MD5
5d3a50bf8509671fcbf918ef229f391e

SHA1
df446b34f7641decfc77e8add92b8f8c152a21f7

SHA256
fb4a492ad6437930d249503dd409fde6211253a1fcf6ac735f27fb23258dff62

SHA512
d389620e5bc7236eaa6ce283d1488d092158aa96433b431571ec7d42a92516e3426a7dbc254d92dbcd63bcb6f8ecf312dda616f240e078367fd37c49a60f9baa

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
233KB

MD5
27535b0e0b676735fa9f09c5215a45ec

SHA1
9b95e83c67a9b54072f97547202ad8eb404d668d

SHA256
7c1c21d338e19fd5e136ebf91d6f5941a1b3af3a790d7084706e5b124e56f8e3

SHA512
841bf3e7391e4dd8304c3dc9b6580c60f2e8e470295a056cfa9491e554f2ad5c9b80d4ba9a730f4dc6062b1b9b19e18e9abf502caed62a7150fd38c81bbb9e1d

Download Submit
C:\Windows\SysWOW64\Bbgipldd.exe

Filesize
233KB

MD5
f9f12c17350b818c45b1032dabe493d8

SHA1
f2c1236a26183e8ff79aa9696068dd0733d557e9

SHA256
8364cd2224e6d29d25601ae96d71d6a2330159ff7bad38fd8990f89a72fd0b7c

SHA512
d1cac8a91300aa3157a9682236cc0c3bce7a00e9ec8baa3d48587f2b2b0ace9bab8d5a82db5c5af7b0aab69c84603f37c10fbfe50151353dd89e907b0ab78d21

Download Submit
C:\Windows\SysWOW64\Bblckl32.exe

Filesize
233KB

MD5
5ca9a006a0e153bca644a867a8cccf23

SHA1
86fe4355486c0c580dfe3188aebb8a4cb9f00d7b

SHA256
030ae4b88386f2acc4c406f4e8d222306ffe20f0cc47d93eb3a3998eb4f51ffc

SHA512
49a5aef81b52f721be5cc57d21bd6d52f7aa98bdff5f4d8e5f8978839d2d12abf580c9b9576c409636599e589ed8690242628de2af4196d549d25fe0be35d420

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
233KB

MD5
cdd07c3f939a623669b9f8d01ab86dc2

SHA1
431c9705b83e3e3767b80591cb8c16a042f05559

SHA256
4e1f0311366628f68faa1ab67ff87943af00c498d668ef6907f3434d9541b51f

SHA512
95b3b10561ae3427e920e67fbc32bcafb5009d62b50d84ee5300e57eac5e8f04d3609267c86fa3e27c4657f93d385c37f3cd941245a263710c140b59cc6a3fc5

Download Submit
C:\Windows\SysWOW64\Bdmpcdfm.exe

Filesize
233KB

MD5
502f09498bad2101a9d991ee68d4c410

SHA1
c3649602e2ea3f5d1cabfaef229dc0c98cfa4ad8

SHA256
83a70f291b49aa588dcb39a11bd7881f748416192b1a521df1da4b21828d0d7b

SHA512
151d43ac3c6ba2fce6eb0b1f5581a6303cb8c4b2cc4e425f2793ed9509431557bda816ed319a33b074780a6086d890a24303e9db1db12b3d83aab2e3703298b1

Download Submit
C:\Windows\SysWOW64\Beeflhdh.exe

Filesize
233KB

MD5
47d70d057a17b91679f5904670a69d1c

SHA1
9aa6c93975eb6bbf0ce32f69b927387800f53716

SHA256
77b6560645e9fcd7b888b69033a102a34e984bf0b4deeb0f413934cba896bdc7

SHA512
5f5064b7566449efc403de87736e2b5729b29adbc875f95133b599e9008fc0b0ff23aebafcf3c08f830cd62412520b2a7e7a0dd41688b4d934ec70b2e0041508

Download Submit
C:\Windows\SysWOW64\Bejogg32.exe

Filesize
233KB

MD5
375ad3312d8dcda39092ce5fdb7933ba

SHA1
8fc31254e16f6830971ec8d0fcbcf0c70d0d3007

SHA256
935e412861488e0b823c7d89d735cbeea712d19205eaa86b97cd686a9c25a8f4

SHA512
33b70b413134698c6fd4cb733563b2a9ed220ab4981f1cf75259a2f4c610ddf915091de8a1e54ae079582ccaac2f361d417a60c2c4f5a99e7d8c0b36b7a5832b

Download Submit
C:\Windows\SysWOW64\Bjbndobo.exe

Filesize
233KB

MD5
da220a6688526243e38fbcfb04c47913

SHA1
8cbdbbfaa716914867d824002761f6b1c59f85af

SHA256
1333276bd41c479d3d7c0e38a32921e61fc99eef9b2dd28381269302b36062df

SHA512
5ffb1e4ef40d7d60dba0eaa9c4f8342c295fd96332ddbede1138460fac09699ae6ac817fda49291975f87fd8bc07e806a2abf8b161b0158fc6e7c6c4115eca45

Download Submit
C:\Windows\SysWOW64\Bjbndobo.exe

Filesize
233KB

MD5
5ffb8d7cfcabf50235af43313fc3cb82

SHA1
d7572c7dd56bb01cfecb647419337458e77f434b

SHA256
06c189fdebd112fc17a036917a23145f66b3f2a30023990bb758b99b876344df

SHA512
cbbeb49a760fb9a20828f795fa941169646adb4e379663612c4256ddf8c4002c88156e15f5173cf564f444239e84d07b92757bf3c3bf911feeedaaccc9553ad7

Download Submit
C:\Windows\SysWOW64\Bjpaooda.exe

Filesize
233KB

MD5
abb3f92f5efe789f87a3390777cb83ef

SHA1
649bcfde438c9bbd30d6706e4ba29f30fcc87c97

SHA256
af8a8ceca17696266663d2a930728b8d2eb6671f16601a3f48c5a2d07d1bcfc8

SHA512
5a172e771cbd44bf9027bb118b25247dce9fcfa945ecb1d5d4addcce1aef41a7d5875dbb5afe3d82f55c2c5a5bb032d296bfd2d8e79654177329e968358ff54f

Download Submit
C:\Windows\SysWOW64\Bldgdago.exe

Filesize
233KB

MD5
f412fd71c45b753a3f1a98010eb2784e

SHA1
0b8af0c4e5b0861ddf782a3d34fea1f799830a59

SHA256
74316608badbad8b72ce184584d3f5d16e93998b9d4cd5c057df72f6ae1fc494

SHA512
a07ffc32bfd8f156947117c3fc646a5d5b468aa38943132b51f6d030118279e43790f12a0634fb8e02c20e4cbf7bd77f336c0f91af6836a6b77823a255024651

Download Submit
C:\Windows\SysWOW64\Blfdia32.exe

Filesize
233KB

MD5
0aaaf2a29759a93fb8926d90352736ca

SHA1
4e1b38cc197ebe60dba1901552a0d1bc6ab99c39

SHA256
db76dcd7cbb3d827b99a525df9abe68b874e6acc20767556a6d2113f2c1e10e3

SHA512
e6c260740f230448b9acb700c05411b4f479ce819fffed7a33ba6a1533ae73aa7ddc1acb4a75dcd37e4cb15da45c78e7c44351b66916a55046f3439f5f961367

Download Submit
C:\Windows\SysWOW64\Bnnjen32.exe

Filesize
233KB

MD5
2dbe4b64a2cb411c93f7aef0f07edb77

SHA1
e9000f4d6b8993404b68bae6fa128a05b577789b

SHA256
ed405562ea2f16a754df44739ffb021515ec127d6b648cf581f43b85c8bf8cfb

SHA512
c03c34c701f75a843498729e994b0eabcbf81c03ca39a29c24cc678df45113f792729e06fadf1f0a57cf019cce1d2bcbe91bec56ba553c5aa0a1fc167fab0f96

Download Submit
C:\Windows\SysWOW64\Cafigg32.exe

Filesize
233KB

MD5
d0dded9e86c728eb7ff6997833758cca

SHA1
58e58c6f437d20fdda9aa7556022a7e96c849635

SHA256
c2490e5c021da244e81fe554c24db76f8e581448a03a0b7d78b2fa724e76260d

SHA512
a13354033cf361d1f823d75ccd85e5ee00c81599e908abf586b3d5a5be9638051dbbf4bf7339a17358497454b298699a14a51f30d1a81013486efa3d674965d3

Download Submit
C:\Windows\SysWOW64\Cahfmgoo.exe

Filesize
233KB

MD5
48429c472bbb5fccdd7706fff1a2ca56

SHA1
e780ca722bf023942d7f049f81a878d127d89329

SHA256
196dbac2f9a0a4899960784bdc3e45e86c95f6df6c95c8666263fbbee376dc5c

SHA512
ca3a1e63445d220f16907a9a47772a233e9954513afb7f8a140bede6e19fa238ca33811d70fce9ebd7e973d147fecb6e43fcaf1f992f630ef53add10fe1d47a2

Download Submit
C:\Windows\SysWOW64\Cbgbgj32.exe

Filesize
233KB

MD5
c5b1e1ace99b6a017526d6490b0b9cf7

SHA1
2180bd1b91637bc8ebee97a44db0bba26fdc2938

SHA256
3ab8142b3cf8defd56756d80a1660c07f1d242763e69956d8e3c0a7094ffaac4

SHA512
427819ad0841f2ca458b40d241564f9868b18c8bc0066da0c34d07435709349aea410ef1cf1e84494aabf0c3bc3f4aa83aa02bba317beff27e5d042e6f3fcb02

Download Submit
C:\Windows\SysWOW64\Ceoibflm.exe

Filesize
233KB

MD5
c25a627fa8fd9b060b986f7679a4ec68

SHA1
b14d1e5b8af67712b76987565af152e016c62f91

SHA256
7c09cc4023f15791e8a04d378b11532670de94505ce97f2bb791bfea3dfa399a

SHA512
8cf38236c803f78223f92f5ff00cef15f6f795ec239d29470818e567fcdbf35e58aaf61d67de176b1858c22287982bc9469980ff5f9b1d8b5ffbc6a0864edd69

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
233KB

MD5
4a83753e5c14c47eb870bf90b3918621

SHA1
c1f4f0bc07b78f50e06d2d432729da4f8599583b

SHA256
fcca16716be1d41c68fb33704e751db8a33727ad4a1a4522a2edb9d23934733b

SHA512
b86f6ce2fcd6f0ea7cc30b5415d18f4375a7c46885be2e46f964ec9e43ed2b07a927cc33cc54ab4ff773ccc63e48af2202d837c1966de55d614a54a38ddc98da

Download Submit
C:\Windows\SysWOW64\Chdkoa32.exe

Filesize
233KB

MD5
175645ddb0a9ac933b7c51ca348c6619

SHA1
be236fb8083bdde01058d131a16b827fededd5dc

SHA256
fe0d7d150021a06c059f173f6c9b1da285a30d8924e64c2ff5f52deaf6cf3988

SHA512
7357fcf0a63e3967aa97554fb492eff6accb4e1570c8d3b9f91578ad41b92e796606f3a61b7cb80088de00fd4eda16680eee022d31e67b33bd5527ead49c95ef

Download Submit
C:\Windows\SysWOW64\Chghdqbf.exe

Filesize
233KB

MD5
4b1249a4e908e5ba10c6abe0041900e5

SHA1
5448e2b1378a807f05407b2bafd3b0e8d70a086b

SHA256
15a0c8783fe70b483fbfa8eef265e23ec61ec4218a293da385908700aff89fcb

SHA512
cf3811d5016353e12a6fed8dacd618e9b328322520756447d51ca0da58b67c81815daaf9c1eba8115258f5cdc4df65fe51d3e7cf4e710e616e6c456e2a222632

Download Submit
C:\Windows\SysWOW64\Ckedalaj.exe

Filesize
233KB

MD5
cd161415843ee7224bd4ed47ae87f3bf

SHA1
96a9fa6a5ee3334b8803fe80a284fc5dbc55983e

SHA256
77761385012fbfae4bae8bb203164a7443910dc1d0402e8deef98d4e95b38869

SHA512
81fad88be644041bba254b81b5974c672fd7585e1be7e7de363d1f8642d04ef47026dfc98ee1d3b875beb62c154cd7e26b65e2735bfef93c0ee17c2aa2494e9a

Download Submit
C:\Windows\SysWOW64\Cliaoq32.exe

Filesize
233KB

MD5
b1eeb4ef2383ebc116db7923a25e0a6c

SHA1
e71f2bdefbd0edaaba4f6a2c56a17353f6aa1eb3

SHA256
5d5e57cf472ae435806a42a127b59ba2849058114b16115561046f671a6dd59e

SHA512
99d6c2f24839b4abc3dc41638b729c51e691c4d661f6196b20fd63026a0b76b5f774678fe1347f4739c16f060e6fb0c3d75105d4355f4246a7fd5b471bd2d9a0

Download Submit
C:\Windows\SysWOW64\Clkndpag.exe

Filesize
233KB

MD5
356a1617c9a3d948f1a8b88c1fb24556

SHA1
dda946e4933e67266923cb6ecb4a2e5672630bf8

SHA256
f1666a447023cf8cbd47475d468fc26dce5fe171fb45c4b0e23313bec991e712

SHA512
1ad65dbc5d46b52bb25e18f8a8176b4652ce323b2c40c5c2573a9e80ea886e475bdf0cae9d065aeeffc0f7e07368ace3487d482a7e72b2649b4dc6e3443cc8c0

Download Submit
C:\Windows\SysWOW64\Conclk32.exe

Filesize
233KB

MD5
20bd495aeb2fd33834baf693efc3316b

SHA1
feb4eb81acdf27ac089db701b241a640edd75fa0

SHA256
048245e09cbaebee143645ce6858d03124a681eeda6b81253517fcc69fc832c0

SHA512
0d49d9dd70ba9cd12c2c21acc96a84f8d0d7c832037ecaeb288c21296a113d6d00ec9b953b8da71db6548f6672d7a62e78193adc88c7d5b6d805420d94d22dff

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
233KB

MD5
41261dbd779c06c35013180f901a9ba0

SHA1
e1b22c8fa2f35c1e288f6ea4d2ad193104db7a31

SHA256
210cb1bdcbdb004dd1ae065ea351c6e5559fe20a404211ac318ba6057227ff81

SHA512
917880aa64e928f55b2e58785a29842839acb13934deaf103f1858f690816cb9a0c42685eb7b190960a3d86f58f33774f00cd40e0beb719ec30e41c1bb429f99

Download Submit
C:\Windows\SysWOW64\Dccbbhld.exe

Filesize
233KB

MD5
66b47d98c46fd876a2cdc7ccdd270ac1

SHA1
2a2de82ead8991b7eb3012f9c7d10478854952df

SHA256
bb249f34cb462e9252f6241ef68731f63a70e389d8a4d85d5cef54b57777f4bd

SHA512
1835cad250066429b608e0ab635ebe5c5274df78f1db8a23f663809bdccd8347932f9be6248e667532d8a4bd94d5c118d2edf37ec85ee5e008168babcc9a7854

Download Submit
C:\Windows\SysWOW64\Dceohhja.exe

Filesize
233KB

MD5
2c5803f9fc363c0cc6fd691e870c975a

SHA1
f45d07e4640d749ba6761928629b57c437830f1e

SHA256
99756f1c42772ce9a69927fdbcfcdfdb8bd1e403376e6be8f49f460576302cf0

SHA512
430f90a50372ce9a7c0ede742df37829f3d4658fe659317ce830bedf22e53e426a53823207efbe1d910fffcce37eed302f3a174dc847347a9a60392aad6730d7

Download Submit
C:\Windows\SysWOW64\Dekhneap.exe

Filesize
233KB

MD5
357c6103119847d37ea66ac3b1967fe4

SHA1
4d7f90d458312afc1d9dd89ecfe529c7d73a2bd4

SHA256
969a910ec1d90d629d238f40177f930d71fa5fa092f6f83fb6ac18008159b40a

SHA512
80a60d7303274d41bf37b458d9310eeeee7b2cee5658638f8059c1d23b86ff5854eddac63e4179cb3a0064fb6b96f05caa1acbc50001294f1ef92f2d53404f94

Download Submit
C:\Windows\SysWOW64\Demecd32.exe

Filesize
233KB

MD5
8f288d5de9a87557c3ae07320e454812

SHA1
0d20d7012ebb7924485e68e7f60587676fe9cc28

SHA256
2f3f27cb4b7b8cba7216bfc2138694a80842ed005badb20a71fc74acb5366354

SHA512
e21d2b2dbdd31e2f731f344ca1c07feb08afbbb9aeb82c8fae0f54fe6b1c21918281f5c266ab3a7d6de387aa96d51fdbb2881951190f11233b8a9b2fdaacf0a5

Download Submit
C:\Windows\SysWOW64\Dhnnep32.exe

Filesize
233KB

MD5
309be194a93f7d5255f765d441522ad6

SHA1
afc24fa9fa09d8556a6265745f1525b440dff14b

SHA256
98d7220905580337b25391b975d2fe78efc3df92491bbbf4dcb316cfa70756cf

SHA512
d4150db9aeb020732aa9b690760cb39fdd6f624a6923cfa2f468a7cfce9c22eb39dba51be251498483129cb06ec4b22ea98674090d5000e9d4d4c1ffffa6035a

Download Submit
C:\Windows\SysWOW64\Dhpjkojk.exe

Filesize
233KB

MD5
a5d5f65849107659b7ff247aeb85a447

SHA1
6f86441f6a521f8fa5ce19878d4ea5af3b880589

SHA256
490d6b22b51dc5f53cb9a365d78393011409b0fcf104e60cf180f43ec24b01f4

SHA512
55ec3c370b0f37a8785f2f351c4742b3027aaa09a3204647d0ab4e1bf8c25b12ce2f70ad5852a6332b24db75b7f5a3b15b8723470e54eb334d8ef6008f625488

Download Submit
C:\Windows\SysWOW64\Dkgqfl32.exe

Filesize
233KB

MD5
836b738cff2d4c636323b7807dd2c235

SHA1
954cd76e3a3ece070ac78f6d14e8c01ce1b6c16f

SHA256
80de31a6b398e9fb66a5639d257d3b92dc353a71a1eeedb2b597ae7c1230545b

SHA512
4b0b165802f955fdf31d08af43c90346aed200627b92cdd94d169e9c58d367834194e86cabfeced6b7d2d89a2af1d276ab7b1caada961888a97815972bc39e82

Download Submit
C:\Windows\SysWOW64\Dkjmlk32.exe

Filesize
233KB

MD5
566ad35bc3e25085636bff2c66ef3528

SHA1
795931e9eed0f305e7f741ccc6932f958df6e31d

SHA256
272a9504055ebf8bdd4f76b6910f422b7c9e25f402adc75b1f7b584d7dd22cfa

SHA512
ccf85cacec14a2b6b471485662376a86b0fb0be9a022715857d00815c8d228751fe9e1a57f9650e4bbd117bbc15e48dd74df45a412b5e8e802b9ec7d63b5553e

Download Submit
C:\Windows\SysWOW64\Dllfkn32.exe

Filesize
233KB

MD5
f3fcae0f50044ddc8f0d623898e116f8

SHA1
8787b313fb31111fc789b89ca23b59508de68b6f

SHA256
137f29c32960f88e27109187f06046648a7f12f69139f0458e77e32972d4a49a

SHA512
b5283a2ec63b2d94dd12447fe3365c75fa60555952291753b67bb4bb25a8e149b8644fc3890c5ae939614af9db8bb7462d0880905034427e25ebeb1fa3f01467

Download Submit
C:\Windows\SysWOW64\Doeiljfn.exe

Filesize
233KB

MD5
4066a164dfdb3f34296b999d71fbc9a0

SHA1
a102ce70f2df6d501820b52e1170513703af05eb

SHA256
5791d283dc336b3b4ffb8545f4bc10b74e2a557cbd5c8c67e71ee164b1ad59aa

SHA512
1197c8648f4d91f003c34ba77643cbcd3e31d7027140cebc3da66ecac0ed7e6ed238ed3d1ba915aa24acb943393fd5a187aa7e07fffd5c981dff42014cb009e0

Download Submit
C:\Windows\SysWOW64\Echknh32.exe

Filesize
233KB

MD5
90bd3bd92b807a0819b8946072cbb33f

SHA1
9d312ef2e6b3e9d1987319402d369af87c1cedfb

SHA256
eff079b8241e2636c92005691d5d320c23eeda11921c6507c0e79049aacc25c2

SHA512
4882f09e48abbf39775fd9d7d88b570d99532b8563b555ca4a970da4c06bda07e3ad4ec485b8a0a03b514b80f528bf382bd545945a933116ee79ef94d3b96167

Download Submit
C:\Windows\SysWOW64\Eefhjc32.exe

Filesize
233KB

MD5
ca72458163ef8616a5362fe996affa69

SHA1
55ab6d1ddca74b8a03e57ba4f9b8c22031a5214f

SHA256
9008080e283564eb27f37f9cfd1885078846dcda67f439425206eb2802fba967

SHA512
05583f50d174142119176636588620b40faaed8e84c5ba5782814f8b379e549a92f4556422c0da52e9bb9eb6727dac888e5e6a9d963995835e424ef428cffb7d

Download Submit
C:\Windows\SysWOW64\Fckajehi.exe

Filesize
233KB

MD5
f139f92145ce7b8a4822961297abedae

SHA1
bb55a24d7eeda34c01d8543382f65a350f4ca4e9

SHA256
830d63c704c0e2f2541d213a2563de7b49070caad2f86f4ac0bdd737e995368a

SHA512
3e08cf1a89edbc9abc74338623cd2049b6eccde2d6c9d2355ba833470f5f0784978a5e0b853a447fd0a82a8b91b62252fc0781735a2d61f0533e8576b61e5dde

Download Submit
C:\Windows\SysWOW64\Gblngpbd.exe

Filesize
233KB

MD5
2099e03e4c00beb1ecfd4e2252a12921

SHA1
8112b0296722f564ad32ad1c7bac6217bc9eb2cc

SHA256
abed943fc3dcb24d4ccc6cfef8c36438386f5eabfa1c803fcef0085a3a46cf8f

SHA512
f68fa1855ef26a0098a330e800fa653306023564c863dd30bdff241bcc6dacd5807cbcf5233f7d547720ceedbd588087f170dd95d8a8161c79b57958f284875d

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
233KB

MD5
05c52ed31a98195bfaa13b916924cc28

SHA1
b58baee3367478d59c9c0b8e0182c282c0fffff5

SHA256
6eeaa893e5987a1da3609de95d332f0e3e71297b30738fbce6a704a52cbdae42

SHA512
0b16d6ff557f84457244a471b30b43d35f29574307e202fe33cf51f447edf62021ad5becff5cfb44079808cdcdb8ca43dc4cea8306eda03565841db3a8ca6758

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
233KB

MD5
57d5420df255fb9c955314c3d1b9a3f1

SHA1
f3e4369f6b89c0d29198b5a633e253c5971adc16

SHA256
db35d0329b5d4ab3b0c7e811587d415bc68ac5f2f1819a4a593800a92fc20a27

SHA512
b24c6a48e500fad73c934e8d591f02fbed8e4eac89d691212c1d13d87497f58b5fa397d85053b6e2b07a2c0422036056cc0527762765f8311785bfa3743441d0

Download Submit
C:\Windows\SysWOW64\Jmknaell.exe

Filesize
233KB

MD5
b9a01d06e0585142eedf52ed056cb2d5

SHA1
41cde1daff5d35d7f6826ab3d4959351eadb15d9

SHA256
83c48a59cc5089d068487e85d696815f0f69716bb4ad589e1f2da2ff2d2ff1cb

SHA512
ad052f0fe3706c9096d5d54eb588eac2cd7833c088ebdfa6ac59efa2bce12356b3f18a05af79ccf6499e83fca8a682cccea605c5f64cbe0b4d78b8c8fa8b5ab9

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
233KB

MD5
ee52e196f6ee0372e2ff93c6ef4ef095

SHA1
bf1fa6b5af707ade1b9a8b7fd34717a8b13e42b0

SHA256
8b9f9e44b6afc3f27900eb5e51cfdf9377c09791e79cb160bdd868671b6c7b4c

SHA512
862e56c0b7caf630592d5cb1a7719a4be70b73ec43bd91e58e12d50d9cd18403f77e51a436b94ed6614563d58605415c655f366f3ff7da475761874fe6e054c7

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
233KB

MD5
367aa801cabefad539f34532c8bedea8

SHA1
d586aa035778a5486f61e013b238c9350b262b7e

SHA256
39897f43d177133eb5f772addf5563b5102db7895f5e2f8f8d7f785426c8ed5a

SHA512
31ecc3d3805d258bdc5820e08905861d50c63b1b9985df1f7325ab3f8b3beecc5f9683a3f46a2b1379f77c6d020a2faca747a50185e08ce34531f15b6080cce3

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
233KB

MD5
c8e8f97e5cf3b0e604c08c3ce520f983

SHA1
798607e25b9736f09a3c401d02dba24cb3dc27f9

SHA256
96c2fa8d0e0cb44749ff090bd904ebad7e68b6184c81f461f2316d1c75cd7ac7

SHA512
10ebe94bd3d5d17ea7d6f091bcf06d38d73ff50289af01c8efeecd6699056a8e29bc2030d75b3d01854f95ca1da1245e576e093633a18cc88772df5d12dce74c

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
233KB

MD5
79f05a971156b74eae4b4477a0295a75

SHA1
6529657a0a472fc9645f6e36d89929ef2b666170

SHA256
7de4c10749ecbb9075108bb684f8db9fdc8d6d6f44d0410ca73905b0079c0c4e

SHA512
26cd95a5b3ae851753d985dd987946a0a9a7f1d7a97dfbf0a8c8374da2f77047bd9be1cf90f6f2ffcf5843bf041cbc86898ae15c6368c2e2fb761ca2121d2ec8

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
233KB

MD5
e152e0fc0494bd8d858d5efc2c6009bb

SHA1
2f87cafc47b029f70f43abd02813f642e10dc62c

SHA256
4a9285726b875a9520c566a17446e5cd7a6e36484e98b0a0129ebeea0f311eea

SHA512
3155b8c1df4e72ed680cc18b3eb02befde36c6ec681b8d7e29f7ad11ebb58ee709c57a09ad08f2261cc675ae973e4bc3b32637452985b02a98f713d971464478

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
233KB

MD5
bfeac016b39c6fc15fa594e9dffbcd42

SHA1
f51d7d1b3d9e3cddb8e3b4d0fd639ecbffb2f6e2

SHA256
03998ff028ad0cedb8090e90c0ce44bfaaf935102bfa58871f761a50315ca302

SHA512
8de90840e39b33a2f60a2e3188abe5ff42f552e0bb762d718cd693fc9ef2110190c1ee136f50c09feb44f0758ca7ad371cb3868293201b6fc5b058a6bea13dcd

Download Submit
C:\Windows\SysWOW64\Megkhf32.dll

Filesize
7KB

MD5
ba8b0e0427f5c1a93b7bbb4104242bf1

SHA1
b851f9ca0a2f90e8d47d6a38ffe1d84aa0ace3a3

SHA256
625f08c2107111064a8443ce43b8a4418380a5da2df923cda95915eaca7f6217

SHA512
94fc2dc4c9577b7a41f8e16b960ad8eaf50acc72d8dbfa41aa2dd0c7f0fda0c41b8754bcc799917df69f3403ad67615ba4a5daf9f64da81a5b9efc9488afe569

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
233KB

MD5
e6dd9d228dcbcb52e8b41cc3a8b36306

SHA1
b5ddf198b4b634b040fb718f314b6777811b1b3d

SHA256
28fc3c0892b0072eb1a7d156975a7fc636bbe71a1367806cf7748a9853ce9971

SHA512
f225e5de288f9a155ca2d32960a094a56bcd0909c2aa348eac7d1941f1f3fee331b668473f1fbc0e030f6bde85ad1d40fd8d94357a2c4201ca0f4623736a8ab7

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
233KB

MD5
19242657fc0415f9f6b4de58da87855c

SHA1
09fe277194ec691e3d07048b5f7a506e96856a41

SHA256
2db56d1d1e21f536f171e8186bf591cfe8409e4ee365736da23b01f269b4c60d

SHA512
140339c4401c74200b47856bb66ab593627aafde2d47d27d072beeb8ccc49b912d7b05d5de80aeb5cd62d2c36f8aff52a308689505aa494831f397901eb4caef

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
64KB

MD5
d3cee757cb3672371843daa9564afae7

SHA1
5279149f74002d028226a78b7e15df62f3a995c9

SHA256
e4ff1ccb5733e1a06154f4f50122591c8a80c96cebea283cba6582cd65c2a385

SHA512
a2999446eef724643a1a9fd739bc93178652f75dea497bab241814af773562bac619b5ffa631146822c1cfde7d567a5c53fc0371de42a8cb91d1fa39d228e4fd

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
233KB

MD5
50efa02c61d63e59f1acc618d64d9687

SHA1
0a89af1e22d2b86852f603f9234be9b8b7e760d0

SHA256
ed0da95e21238ac31da4757e5320ed94b46882cada3d13b3b3f0f9a7c59fa357

SHA512
f02758b3a1e40229623598bb3a2a2990dddd397edf977d6d8948897572da655ce65affff9b633fe3c3fe37a7337cd5d5c55c220db7fbbe4a35797765fd76e0c3

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
233KB

MD5
5f7663cd8ebf026f53dee380ad6d231e

SHA1
ddc424828c92908ccabe5562c6e85ba30218efd2

SHA256
4cfecd31a0477a077f78a0565ba0f3139fb2d28c22eb67f130735a5e8c6e259f

SHA512
522dab3faf26fcbf9bd0012df612ee1bb8695881a8961eb806ebeaf521970a847a7e4b26230ffd43a11866bcd8aebcad343aff3d6f0b2b59c90b9965d352015b

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
233KB

MD5
b7673c2fa119f1f8a7b78792372444ff

SHA1
5189c3c1c30b8bfd8469ea4bf3d1ac45092346a2

SHA256
a4a8654ca8bd26b68e4c42b25373ce246a7f84c6740bca65c0806f1753d614db

SHA512
d23f13ed40c81f5ce12e88b796b31ed8ff7ed34da2ee66b649d1a8b1344645ebf15706441827f749317626adfeb6d7e1e38e1ed3987e1afcae7846427a0d1a3a

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
233KB

MD5
7dac2a196b09302655480b1ed1fb2c88

SHA1
c023d9f0305f5aafc547e3d7aa603650c9735d30

SHA256
e3f2e2f78ee69b49fe3b1a1329acbb9144dc0caf90e845562c2662ef82557386

SHA512
afe66c21d660b8cdb53430e5ef5dc0b72e1b10e723148b8d08967b70ce49f1bb1016c3455a0fe614ee6f9eca82f1f46b39b2b8dd45ea2281047ab0174e28e43c

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
233KB

MD5
f3f20b22f71f11c6cfdb6c7092857243

SHA1
a848a9b2a4e7369f7ed9b66212c3ab0606a261ab

SHA256
b5d657dc02899cc53445fbbe9ad71c28ac83b1c40e1f2669767c9a49176c2620

SHA512
32cc10f540323e2e3c87da60eb7d4bb6bd460ba6830de7de7195784310a2a90efd6b2e2eca373723ade5bfc5e70f57385d4fd0472f79623a395ab59d17d89aba

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
233KB

MD5
a38fb1b261380b2d86c653e407a7b8e4

SHA1
a0c432e4fc9c9e9cbfffa6296a218292ff535ca0

SHA256
01935fa14a614586e9f7db0aecdf01ab451973193e9cf6c4285cfc14e78ff778

SHA512
10c55e79dd7598067296b41c8909bc7ae7377e4b890f72e90815499b256ba63593c347b5d9b460a6df366c5824dd9b3f60aebabbe95d132e821748a6abc45006

Download Submit
memory/448-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/456-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/656-156-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/740-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/800-236-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/940-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/940-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/964-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1040-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1164-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1216-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1224-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1332-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1360-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1416-575-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1424-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1448-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1544-473-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1548-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1576-550-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1580-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-228-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1748-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1764-433-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1780-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1816-563-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1816-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1840-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1940-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1996-577-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2016-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2096-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2164-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2192-422-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2200-568-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2216-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2436-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2632-589-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2632-60-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2800-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2976-530-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3084-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3096-443-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3188-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3204-470-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3212-12-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3244-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3312-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3352-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3356-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3472-556-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3552-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3600-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3636-557-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3700-392-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3732-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3736-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3780-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3792-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3800-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3836-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3956-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3980-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4020-36-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4040-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4048-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4120-450-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4132-464-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4164-613-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4164-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4216-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4248-576-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4248-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4392-536-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4580-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4584-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4584-602-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4716-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4776-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4848-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4920-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5004-139-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5028-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5104-583-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5136-596-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5180-603-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads