a14f3335e4d992184afa0d68e45b8ffa4b98db5d7b8ef40f2e783adcf8a0471c

Analysis

max time kernel
140s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a62ceffb900486ca2b07a13f2a2f4cc0_NeikiAnalytics.exe
Size

113KB
MD5

a62ceffb900486ca2b07a13f2a2f4cc0
SHA1

2fda6ad070f4208291987caa4758ab8aa19e6af7
SHA256

a14f3335e4d992184afa0d68e45b8ffa4b98db5d7b8ef40f2e783adcf8a0471c
SHA512

54ea8b4268be5303903ab17f4ca7f091198840a3bc789bc30b956f04b3c6311439c4c0191020c0489359ab45055b94b0d28279f60c44bf5b83f9d1215272090b
SSDEEP

3072:x68BIE0kd7i8ftkOuGkZFfFSebHWrH8wTW0:AE1d7BtZ7otSeWrP

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeaikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imakkfdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ickchq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibqpimpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfjhkjle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kboljk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iihkpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kikame32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/3692-0-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/memory/4168-7-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0008000000023405-6.dat	family_berbew
behavioral2/files/0x000700000002340d-14.dat	family_berbew
behavioral2/memory/2700-20-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002340f-23.dat	family_berbew
behavioral2/memory/60-28-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023411-30.dat	family_berbew
behavioral2/memory/3696-36-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023413-38.dat	family_berbew
behavioral2/files/0x0007000000023415-46.dat	family_berbew
behavioral2/memory/2724-44-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/memory/4868-48-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023417-54.dat	family_berbew
behavioral2/memory/5024-56-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023419-62.dat	family_berbew
behavioral2/memory/4148-64-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341b-70.dat	family_berbew
behavioral2/memory/884-72-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341d-78.dat	family_berbew
behavioral2/memory/2008-79-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341f-86.dat	family_berbew
behavioral2/memory/1704-88-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023421-94.dat	family_berbew
behavioral2/memory/5064-96-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023423-102.dat	family_berbew
behavioral2/memory/1160-103-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023425-110.dat	family_berbew
behavioral2/memory/4008-111-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023427-118.dat	family_berbew
behavioral2/memory/3292-120-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023429-126.dat	family_berbew
behavioral2/memory/3976-127-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342b-134.dat	family_berbew
behavioral2/memory/2192-136-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342d-142.dat	family_berbew
behavioral2/memory/4164-148-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342f-150.dat	family_berbew
behavioral2/memory/4572-151-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023431-158.dat	family_berbew
behavioral2/memory/4072-160-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023433-166.dat	family_berbew
behavioral2/memory/1720-167-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023435-174.dat	family_berbew
behavioral2/memory/1072-176-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023437-182.dat	family_berbew
behavioral2/memory/3468-184-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023439-190.dat	family_berbew
behavioral2/memory/4764-192-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002343b-199.dat	family_berbew
behavioral2/memory/4992-200-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002343d-206.dat	family_berbew
behavioral2/memory/2312-208-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x000700000002343f-214.dat	family_berbew
behavioral2/memory/4972-220-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0008000000023409-222.dat	family_berbew
behavioral2/memory/4412-224-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023442-230.dat	family_berbew
behavioral2/memory/1592-232-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023444-238.dat	family_berbew
behavioral2/memory/4292-244-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023446-246.dat	family_berbew
behavioral2/memory/2228-248-0x0000000000400000-0x000000000043D000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023448-254.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
4168	Iehfdi32.exe
2700	Ikbnacmd.exe
60	Icifbang.exe
3696	Ifgbnlmj.exe
2724	Iifokh32.exe
4868	Imakkfdg.exe
5024	Ickchq32.exe
4148	Ifjodl32.exe
884	Iihkpg32.exe
2008	Ipbdmaah.exe
1704	Ibqpimpl.exe
5064	Ieolehop.exe
1160	Ilidbbgl.exe
4008	Icplcpgo.exe
3292	Jeaikh32.exe
3976	Jmhale32.exe
2192	Jcbihpel.exe
4164	Jfaedkdp.exe
4572	Jioaqfcc.exe
4072	Jpijnqkp.exe
1720	Jbhfjljd.exe
1072	Jianff32.exe
3468	Jlpkba32.exe
4764	Jbjcolha.exe
4992	Jlbgha32.exe
2312	Jcioiood.exe
4972	Jfhlejnh.exe
4412	Jmbdbd32.exe
1592	Kboljk32.exe
4292	Kfjhkjle.exe
2228	Kiidgeki.exe
4544	Kpbmco32.exe
3744	Kfmepi32.exe
3828	Kikame32.exe
4080	Klimip32.exe
2528	Kdqejn32.exe
3348	Kbceejpf.exe
1572	Kebbafoj.exe
3812	Kimnbd32.exe
4060	Kpgfooop.exe
348	Kfankifm.exe
116	Kipkhdeq.exe
2964	Klngdpdd.exe
3436	Kdeoemeg.exe
2824	Kfckahdj.exe
404	Kibgmdcn.exe
4660	Kplpjn32.exe
3448	Kdgljmcd.exe
456	Lbjlfi32.exe
2348	Liddbc32.exe
3028	Llcpoo32.exe
3032	Ldjhpl32.exe
4284	Lfhdlh32.exe
432	Lekehdgp.exe
2472	Lmbmibhb.exe
4152	Lpqiemge.exe
4560	Lboeaifi.exe
3008	Lenamdem.exe
4440	Lmdina32.exe
372	Lpcfkm32.exe
4036	Lbabgh32.exe
4400	Lepncd32.exe
3120	Lmgfda32.exe
3172	Lpebpm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bagplp32.dll	Jcioiood.exe
File opened for modification	C:\Windows\SysWOW64\Kimnbd32.exe	Kebbafoj.exe
File opened for modification	C:\Windows\SysWOW64\Mgfqmfde.exe	Mdhdajea.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Nmpmkplp.dll	Jpijnqkp.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Lebkhc32.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Mmbfpp32.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Jjbedgde.dll	Jianff32.exe
File opened for modification	C:\Windows\SysWOW64\Kfmepi32.exe	Kpbmco32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcfkm32.exe	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Mipcob32.exe	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Iehfdi32.exe	a62ceffb900486ca2b07a13f2a2f4cc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Qoecnk32.dll	Kiidgeki.exe
File opened for modification	C:\Windows\SysWOW64\Kikame32.exe	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Lemphdgj.dll	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Imakkfdg.exe	Iifokh32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Lmdina32.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Djkahqga.dll	Kikame32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Mkoqfnpl.dll	Jfhlejnh.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Mgfqmfde.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Mplhql32.exe	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Kpbmco32.exe	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Jioaqfcc.exe	Jfaedkdp.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Kibgmdcn.exe	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Ndcdmikd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7752	7672	WerFault.exe	302

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iifokh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iihkpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ickchq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlineehd.dll"	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonefj32.dll"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacghh32.dll"	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgbon32.dll"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 4168	3692	a62ceffb900486ca2b07a13f2a2f4cc0_NeikiAnalytics.exe	85
PID 3692 wrote to memory of 4168	3692	a62ceffb900486ca2b07a13f2a2f4cc0_NeikiAnalytics.exe	85
PID 3692 wrote to memory of 4168	3692	a62ceffb900486ca2b07a13f2a2f4cc0_NeikiAnalytics.exe	85
PID 4168 wrote to memory of 2700	4168	Iehfdi32.exe	86
PID 4168 wrote to memory of 2700	4168	Iehfdi32.exe	86
PID 4168 wrote to memory of 2700	4168	Iehfdi32.exe	86
PID 2700 wrote to memory of 60	2700	Ikbnacmd.exe	87
PID 2700 wrote to memory of 60	2700	Ikbnacmd.exe	87
PID 2700 wrote to memory of 60	2700	Ikbnacmd.exe	87
PID 60 wrote to memory of 3696	60	Icifbang.exe	88
PID 60 wrote to memory of 3696	60	Icifbang.exe	88
PID 60 wrote to memory of 3696	60	Icifbang.exe	88
PID 3696 wrote to memory of 2724	3696	Ifgbnlmj.exe	89
PID 3696 wrote to memory of 2724	3696	Ifgbnlmj.exe	89
PID 3696 wrote to memory of 2724	3696	Ifgbnlmj.exe	89
PID 2724 wrote to memory of 4868	2724	Iifokh32.exe	90
PID 2724 wrote to memory of 4868	2724	Iifokh32.exe	90
PID 2724 wrote to memory of 4868	2724	Iifokh32.exe	90
PID 4868 wrote to memory of 5024	4868	Imakkfdg.exe	91
PID 4868 wrote to memory of 5024	4868	Imakkfdg.exe	91
PID 4868 wrote to memory of 5024	4868	Imakkfdg.exe	91
PID 5024 wrote to memory of 4148	5024	Ickchq32.exe	92
PID 5024 wrote to memory of 4148	5024	Ickchq32.exe	92
PID 5024 wrote to memory of 4148	5024	Ickchq32.exe	92
PID 4148 wrote to memory of 884	4148	Ifjodl32.exe	93
PID 4148 wrote to memory of 884	4148	Ifjodl32.exe	93
PID 4148 wrote to memory of 884	4148	Ifjodl32.exe	93
PID 884 wrote to memory of 2008	884	Iihkpg32.exe	94
PID 884 wrote to memory of 2008	884	Iihkpg32.exe	94
PID 884 wrote to memory of 2008	884	Iihkpg32.exe	94
PID 2008 wrote to memory of 1704	2008	Ipbdmaah.exe	95
PID 2008 wrote to memory of 1704	2008	Ipbdmaah.exe	95
PID 2008 wrote to memory of 1704	2008	Ipbdmaah.exe	95
PID 1704 wrote to memory of 5064	1704	Ibqpimpl.exe	96
PID 1704 wrote to memory of 5064	1704	Ibqpimpl.exe	96
PID 1704 wrote to memory of 5064	1704	Ibqpimpl.exe	96
PID 5064 wrote to memory of 1160	5064	Ieolehop.exe	97
PID 5064 wrote to memory of 1160	5064	Ieolehop.exe	97
PID 5064 wrote to memory of 1160	5064	Ieolehop.exe	97
PID 1160 wrote to memory of 4008	1160	Ilidbbgl.exe	98
PID 1160 wrote to memory of 4008	1160	Ilidbbgl.exe	98
PID 1160 wrote to memory of 4008	1160	Ilidbbgl.exe	98
PID 4008 wrote to memory of 3292	4008	Icplcpgo.exe	99
PID 4008 wrote to memory of 3292	4008	Icplcpgo.exe	99
PID 4008 wrote to memory of 3292	4008	Icplcpgo.exe	99
PID 3292 wrote to memory of 3976	3292	Jeaikh32.exe	100
PID 3292 wrote to memory of 3976	3292	Jeaikh32.exe	100
PID 3292 wrote to memory of 3976	3292	Jeaikh32.exe	100
PID 3976 wrote to memory of 2192	3976	Jmhale32.exe	101
PID 3976 wrote to memory of 2192	3976	Jmhale32.exe	101
PID 3976 wrote to memory of 2192	3976	Jmhale32.exe	101
PID 2192 wrote to memory of 4164	2192	Jcbihpel.exe	102
PID 2192 wrote to memory of 4164	2192	Jcbihpel.exe	102
PID 2192 wrote to memory of 4164	2192	Jcbihpel.exe	102
PID 4164 wrote to memory of 4572	4164	Jfaedkdp.exe	103
PID 4164 wrote to memory of 4572	4164	Jfaedkdp.exe	103
PID 4164 wrote to memory of 4572	4164	Jfaedkdp.exe	103
PID 4572 wrote to memory of 4072	4572	Jioaqfcc.exe	104
PID 4572 wrote to memory of 4072	4572	Jioaqfcc.exe	104
PID 4572 wrote to memory of 4072	4572	Jioaqfcc.exe	104
PID 4072 wrote to memory of 1720	4072	Jpijnqkp.exe	105
PID 4072 wrote to memory of 1720	4072	Jpijnqkp.exe	105
PID 4072 wrote to memory of 1720	4072	Jpijnqkp.exe	105
PID 1720 wrote to memory of 1072	1720	Jbhfjljd.exe	106

C:\Users\Admin\AppData\Local\Temp\a62ceffb900486ca2b07a13f2a2f4cc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a62ceffb900486ca2b07a13f2a2f4cc0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Windows\SysWOW64\Iehfdi32.exe
  C:\Windows\system32\Iehfdi32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\SysWOW64\Ikbnacmd.exe
    C:\Windows\system32\Ikbnacmd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\Icifbang.exe
      C:\Windows\system32\Icifbang.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3696
      - C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        24⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        25⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        36⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        37⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        40⤵
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        41⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        42⤵
        Executes dropped EXE
        
        PID:348
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        43⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        44⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        45⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        55⤵
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        57⤵
        Executes dropped EXE
        
        PID:4152
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        61⤵
        Executes dropped EXE
        
        PID:372
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        64⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        67⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        68⤵
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4268
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:244
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        72⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        73⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        74⤵
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        75⤵
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        76⤵
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        77⤵
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        79⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        80⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        83⤵
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        85⤵
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        86⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        88⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        90⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        91⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5344
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        94⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        96⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        97⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        98⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        99⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        100⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        101⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        108⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4600
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        112⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        113⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        114⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        115⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        119⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        120⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        124⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        125⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        126⤵
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        127⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        128⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        129⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        130⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3168
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        140⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        142⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        145⤵
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        146⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        147⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        148⤵
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        150⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        151⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        152⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        153⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6288
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        155⤵
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6400
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        158⤵
        Drops file in System32 directory
        
        PID:6512
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        160⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        161⤵
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        162⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        163⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6776
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6816
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        167⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        168⤵
        Drops file in System32 directory
        
        PID:6944
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        169⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        170⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7132
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        173⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        174⤵
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        175⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6440
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        177⤵
        Modifies registry class
        
        PID:6492
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6592
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        179⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        180⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        181⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        182⤵
        Drops file in System32 directory
        
        PID:6980
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        183⤵
        Drops file in System32 directory
        
        PID:7060
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        184⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        185⤵
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        186⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        187⤵
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        188⤵
        Drops file in System32 directory
        
        PID:6724
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        189⤵
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        190⤵
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        191⤵
        Modifies registry class
        
        PID:7160
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        192⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        193⤵
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6996
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        195⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        197⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        198⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6612
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        200⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        201⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7204
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        202⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        203⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7336
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        205⤵
        Drops file in System32 directory
        
        PID:7376
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        206⤵
        Drops file in System32 directory
        
        PID:7420
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7464
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        208⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        209⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7588
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        211⤵
        Drops file in System32 directory
        
        PID:7632
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        212⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 404
        213⤵
        Program crash
        
        PID:7752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7672 -ip 7672
1⤵
PID:7728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
113KB

MD5
4e16e37bca7d9dde1bedab7edfd1742c

SHA1
a65d407e4a969c36521a10d116f36cff448377b0

SHA256
e58f3dc6ecaa33ce64c39d09611a04e3d224a897702a36c5e7b77867a015dce6

SHA512
e42ccb678418fa159f4199da61d29c794ace95ac342911a907d2a868b1cc81541513f6385c55f73b563300d1d5b1de330ce329b26ee5a8a29181681bf0103606

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
113KB

MD5
022535a66328c891d24995dfb8d3b9bd

SHA1
a7203d324b00375133521b3cfbcde8a2f7981147

SHA256
be1ac5160365be1bec32fc7b3975d3e90f9d7110adc885beca696aa42e63046a

SHA512
fbbed8124808a35c6f21906213253c56fe92cb708dbe7bd3557fe522a0914d80f8fe3490a5cb43441ddd4ac3392f20b60a2c6e66eae132079a604b14fa50610d

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
113KB

MD5
1a2e72ec5bd1d2a8c9410acebd9259e9

SHA1
e6be3f1a68f1af6f38f8d79cf1c473a2e9699956

SHA256
0c5f4b20ad579a54306ce39517570846c737784b80c34a0c62fcc1b4080a8ca4

SHA512
9a13fb3b2bf9a69a6b793924973c3ee64ff9473c22c214ac9bda666a71f1acc76b26eb6e66e7e2c26581b1d5dbef2d9da60400c2dde3cf0b8b39e02bfefab186

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
113KB

MD5
b2e906da12ae2fe20440c874a40daff5

SHA1
43cbb39d41258dc195eb5633ed491739b1b80711

SHA256
ae51690b441b1c6a1eb2217d787e2eb50765297eb38dc88e20eaf28cdb3a7c16

SHA512
104f0a9b2e2387456bcb02dc9e8efb89b46c7bb236e339aa7e7c1cca7098e42327c99d76ed509d55d96c1a30f254b9311b248d92b0e0c5a0a5e1b6bcf838ade8

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
113KB

MD5
a7ad47547e2100aa265331ec677aa99f

SHA1
402c587a5d464611d73d2b5acbab3ae9f4943672

SHA256
acfaa2ad3b46b88245fb4462a89058757e09b7bd9742992d3b2879959b083047

SHA512
03e9c0c8fc488e15902ae50e7e9ae700b037293178d2a9830d9897ad1617beb9c1f1edab82e524a89318b94bf8688e6d5bba09a2ef4d54629db0115fd46af734

Download Submit
C:\Windows\SysWOW64\Ibqpimpl.exe

Filesize
113KB

MD5
69e8aa1b803b4a24c52f6aa0736fdb32

SHA1
5b94fc30e1bc22650b62652ae2924912daa7dd66

SHA256
e5670371c54653e5a6ee4e6e770883292aa6d91ab1968ccc8d71ebc20edef4c6

SHA512
b620cfa26e74591230438115306dd84cfa990732bdb8394db3ebb7c6e652215a670d1fe80461fa42348474772f75aa0b7f386ef2b4e4e42bc6c79aa0c8943691

Download Submit
C:\Windows\SysWOW64\Icifbang.exe

Filesize
113KB

MD5
1b725a15221b7418adfe7872816b9b29

SHA1
761acc7349af2ee3a5a43f8f5c1d74892ccf263b

SHA256
70deec6ea95a7eeea761f5eb1d9a7bcfb508c76a697c44ebcaa9ccc4c6f8c55a

SHA512
0686b43207a893c715f8ed942d4470bba9a1d49f77847286dd4b063ca3d7f9b79b2ade2d746a3569e5fa2e6e32009dd0ff62c9f8c16cc051f862bd61748e466a

Download Submit
C:\Windows\SysWOW64\Ickchq32.exe

Filesize
113KB

MD5
d2d55e5e71af244171290214a8ed372b

SHA1
5985c9e25bbc4b1d0bf35c979535cbe03544cc55

SHA256
15445e2ee35f6213fb877ed1608a5d82d0128c875ed739fa5b76ca982f071565

SHA512
5092e7efa72d64236c03afaa9ffe48932930628ff10c6651d56ece650a095a59034e22cd466803e12e9787407bd56e3d620f9b92de210869331669c5150a0a44

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
113KB

MD5
9e59e449a088029fe8320752d9e6859a

SHA1
421a407a4ef948257b87c481bfbc2f6b6e5c25cb

SHA256
4b2e551c7938689fd97071c90367ab00c5a7f04c0d3419d5e68fd3c816877ac5

SHA512
381cae0d1537636773225a7679c44faac04500e8f90feddb9655db01750e20516b08edcaf6f58a0293cfd57b8d4ae8e88143aa31cd3202989d6ab297e8bd967e

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
113KB

MD5
12be99c962903e2725dab674db22e554

SHA1
ef55437c213d4ac37cf5a262bfd2c2f444d24c8c

SHA256
57380b8b94964e6164846b91ee4a07dee50fd182da8cbf4e6bcc39036535a9fb

SHA512
314d8aba3a54c2b8fa4f60d22d4bd9c80b020ccf33df66b16ec2010c16e5b5a8933ec98ca5b1dc6d4f5f8cbbd44a3cffd70fb5bba967cf04f037a74f3b661712

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
113KB

MD5
d30a493a89442f738e8ad46c60c4a53c

SHA1
0fa4a5912e06db2043d6df13af035642eefa7227

SHA256
e322cb233b5cb751429cfe7d7bb8930082b61b5e8668080e79fddb5d6fcc1554

SHA512
2d1438a0cf161d4c45be459e3d869da32d4cc2649e7b48ad905fbaef7d67b8f8365f72fc42cbf868d955a8e9cf11bb7a9513a4d4d2469b17e0feda4e38f483b6

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
113KB

MD5
17117d35160a624e547a429710259177

SHA1
9dbd92bd6571f53c0f60d805abc55ff57bada6d2

SHA256
3471c75a316e9bfc421686b71dc337f47a92bed62e9c377a084b6a8a6d2e11b8

SHA512
a066476283f0da0bb530e4c62b1189fd49bc9a79e31b1618333a67f23b193c1fefcf053da64d98923c5286b7c5803872b6a4593d537d9e7e9351a5e7df696435

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
113KB

MD5
306ec72d4b1a3dd4d04e80a558cb31ac

SHA1
5c3592c0652780a65c8679aaa9a0cadc43c81a5d

SHA256
f0aa8c47852b2edcca3212de93d1723065bea4f7b4b74b25f59729dbc160b778

SHA512
59cdd25b243909f78a084376139edcff9a715c3c4bb50e6251db615d0fc85dc18bad8322c49d7a67506b6bdccdec6283d73f6106b303a7b6f4ecb17f81ef2730

Download Submit
C:\Windows\SysWOW64\Iifokh32.exe

Filesize
113KB

MD5
51b1841c3487d55302fb63010265cfc2

SHA1
22d39adb7722965caab29123a530e3baabe56054

SHA256
cecb8a5489cabb3d866c52cf24cf363f7ca7113a63055e7a40eacf4effad9a20

SHA512
db3812b6bea7a98ab34398aba351be4dcafe1bc998779d202b21820a2312672d1a484d879204ab094dafc75bc0ec3c2dfcbed205453447545db8b996595e83de

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
113KB

MD5
39e9afc9dfc076945651d8ed9a939837

SHA1
0101023c6aa9643a74ee34699be81a69966f1d8d

SHA256
b18e59acfae889a9c53bd978fd01bc5ed997b0d8ae61994ef14c9d0376b5d491

SHA512
20f59fea193486657a12d92420c2f49124070e01cb7993c256b995b72dc564fbe9b5c3378dcc6d19e635d20300a0817e49f93d27d84fd3a0e0e63a8206def858

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
113KB

MD5
643a6dd9a391055ff5d4fa43c99c2f84

SHA1
29519e9b27c3cf8bfd2ccf2a3e96951ae2379613

SHA256
bbec959fae64a7c9e3ea4dfa754e13343eda8a134167bd43384b617278d5fdf4

SHA512
6f167ec77aa644f79804796a19ba39ebc3febf62a0f69680200c31226c3be58dbe45a2a0fbcab544736dab1d4ca04a1b4f284fe61a7572f1d8a8a73388fba6cb

Download Submit
C:\Windows\SysWOW64\Ilidbbgl.exe

Filesize
113KB

MD5
02eea286f1b3822da6dbf90a807337f7

SHA1
fd8fbd4096b26d627b05704c82ca7c999e7af343

SHA256
151294f7a1cef068eca31ba96c5a44202c9212900804240e690bc9a08710a42c

SHA512
303b6bfb65bd601dc67098e5aeb3df43a15c898eb98cf0360e8918c41fdaadd43dc742cfb7b9896a30573a3824710ecc1a91af5824524422ac05242ed869dff0

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
113KB

MD5
a77c37a22fcf36d2b4f5794869e90cf9

SHA1
3ed49e399232ca4fc3a0f51743645e137c40930b

SHA256
27dfcbd2e1cb2e03355e1eed5c25b8013dd993306ad0651f8b2ae5190941b464

SHA512
ac0744fd2a81e347deae1c6a4d0afd376aae8596d7b0fc54f556b84a1d106e4f7f8158626a1ccff7ae57f8e10d7b666c90d25386340c524f25c974cf455a7056

Download Submit
C:\Windows\SysWOW64\Ipbdmaah.exe

Filesize
113KB

MD5
538e612d7111515cc6b1515c04cfe26b

SHA1
81168bf95cf3a0b7320d68a3405f1bb45d8671b1

SHA256
3bcff2591b9320883ebd95d2e2704b2680853e0753bf272bbfeb990e7f27019e

SHA512
05ed33e0e45f9abe80ce66441ba84393a1c68cfc8c3440913cda00d45dd7275421a24a04acb8a2f291c9868b46b5a790d6f9fd07f53639ceb81b6f502eb5586b

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
113KB

MD5
83938b3de2659a525fb4b6e0405a2bc6

SHA1
f5ec4e94104fe705a047e2d0c809fba216d34d80

SHA256
c7e32f657317a5acafb6fe0ff8b82e8f6847c017ec4a4836514df9716a89cf5d

SHA512
8e613c2d0d0c3438eeff73567a13b6fc01c2e33f9a6cadf1e4e2854757d60976bfc842e6c26eba5d48d5c02e0c5c63da3460f8d6e864693e9cfe6a53e76c4f7f

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
113KB

MD5
5a07781c90ff9413e4b357aee3e5a2fc

SHA1
3f8f7e8427f683d1a7934b98f0832d5d9bb0a7de

SHA256
c4cf0e174eec4d2f9143366e115f95fa94e9664808f68ccd0a927fd69f78910b

SHA512
fb009f4eebbbd0f0796398f57276d5576af336c3097f207305e38678f16adb9379a3641c0714834af4fd31d68d7cc4db0fab8797bc30df9998ac3161825b680f

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
113KB

MD5
cb343089836bf97676836bee67654b47

SHA1
b1fada4e1c435175f8823eb62071b0de6bf07967

SHA256
e024b8c6e0b115740b7d44f64b6aa13c31f90e18ade870713094e4fc65efe955

SHA512
79fa6f6ba7bf76e4af75458cf46123233c76b3606024e656b029d7668c200923f8e0403793f61ff8cca13388b1dcba2ac122b4343f49cfed39a36274be509206

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
113KB

MD5
fb802c5f2d5898aa3f066d210a9a7aaa

SHA1
106cf1884ff062cc328b9226cd7edddc091f8397

SHA256
3a63cdd6b7fcdbe00bc35acc235013ef8368238a703426c1a03de3432de94ef0

SHA512
b01f51e467364d047bf3c17a76fb88d4048c8648f01dcfa82a227740da2c2d208c693c5606a23320503e38b9006e5be27e34d0025adc230b4d5a96db94959b4f

Download Submit
C:\Windows\SysWOW64\Jeaikh32.exe

Filesize
113KB

MD5
50b56df1942466cbe6f48d834f87d8ca

SHA1
49b2e34fb869db09971787d18bd00e8e42adbb55

SHA256
e2561aa04d8175946f57a615e14bda27c1f10cff81360767eb0a2e4795b4716a

SHA512
05de7b2afc0d050d5f93901273c5aa4d92e327c9755e6da7df54aa6a84774329fe6a3d66fc6a1655d8df8666c2c0870304d964d1709a5d1d6c70496b1e75d2a6

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
113KB

MD5
7d59f991a639b42eb0bee474897f8fd8

SHA1
d907cd99b73319a2791beeb3cbabef7d49bc824d

SHA256
9a208594e1b9c0215a4aaae0d411be7ae10eb7f934a5b173fc75742620557c5a

SHA512
498d8cb000017af7bd4d4e89101ebe8e29ff5440d9a8643e919261329235963f6c36d66a1b554d4ba907c41d8fb20bc6f5be1e4d6cf869c783481f69c856b59e

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
113KB

MD5
a055ae8a3cb71a8f286a69cf20649968

SHA1
eb3a432e9b50f838c332bcf3893f7489d5b4296c

SHA256
9e1e52ffc6973052ff87968d304b3dc48bb2be7a95e4549d9f6f5a4bac1438af

SHA512
71514562f5e8f753c337acd14a3284b1c53a6a70a1464996e4e3a7f471dc80b5019823e304273b1b0c8078b49e0fcaef02e3e3690734590bb0110d0336b740cc

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
113KB

MD5
0d5eeb6ee9e70046785f07448b5a8e01

SHA1
32aeca2e98597c93b2616669d6347ec20155dc76

SHA256
500b22d40c1eca5e3bc40060c7e74e15d61f2ad1c571870a0e428aa70523d907

SHA512
a0ab950ea48518fe1cfd36fe0448d107c14268bc3c0a99f0bee959c26635551e220e7f4a22537cc10587a6e8c83d371d8c8b485f19f571fecb376e617607cb58

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
113KB

MD5
e3cdbc6cf2fa763bd4d3a5a6c67ec4ae

SHA1
efe146eb7e17f8f4598996c2c59b2f6f3469ef2b

SHA256
cf9d8e8f4d65ae239c06869953847afe388f7396664d62029220ea986c0a2bba

SHA512
a4fa7d7b7c60addafa910d865916e9fdfc34b03eec26cca9990a6c1e39965a1bc90480435f2219c19ff04bcb982219de6e17d25c486a01a26de13a8ae57ce737

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
113KB

MD5
70900eb50702bff44ec61b6ff70c8f84

SHA1
ad7327b86bffa894c57c0c7174a2b31b754869ec

SHA256
9f06461c011f1bc05685e1e5e2abf6a2bcd183a5a6bfc1b18549464a1cb46088

SHA512
d1cab8efd797d45766c4e8ba230139ca7f73bfd853c53b688ecc6206b8899004bfd9e9272535ece42685598d174ca138d95fed063b7933e23a5dd89af70341a0

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
113KB

MD5
29e9638269ad5454071df979a409d138

SHA1
b1a23f33637bb0a7664f86b5db00b344b0a193eb

SHA256
52ca8ae4a795bb7d5e7e8977265c92626f089d724d79666087b56470ee251196

SHA512
f1e8be8185fa39a78b350afcfc6a7d6b6fa01999f7595467357dcfc0455fa675047cdf078ff767e8eadc1ef992bc3d755c99947cf6328206fd25abfbdbb60854

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
113KB

MD5
1779a17f59442b6407490e26031dade4

SHA1
15adf83d4e15406bff63b280961d03327f2b066b

SHA256
b1643f0d61798b6274a7a62ded69c2e72fc609ab4894e19a60429df7df80ee19

SHA512
6853d89bb732b2d2dd1a320ee76a3d9a6ae152e1bcefcb48ea592dfce6782f5be72fe3db37e776a004fbadc639ca49890416e82e0da149ecb374d693bc7cada4

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
113KB

MD5
321a323c4405288259f42d5004244a6d

SHA1
00d73fb4b4e22006c85451babbe24b30836c7ae5

SHA256
4a6219367c8a1e019fa76282ca1d3d629a153a5119274f38969b2adf0c5bbe69

SHA512
58970b0a3b38d84bd5563338532f49b47f8eacba74ea2894829b690e7eca5d0b8fc51f1d0add5d59b35bac7c5b048a8b1490b814b181a60cf008e206792d6659

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
113KB

MD5
6456c127f515fb49a297f44e0cd2b394

SHA1
1569f2806ffac56a3ecca82754685c279a480ee9

SHA256
7e365e9d17e51d8fc8a975a8c4ea8f2c448c0692c69b7dd419b8b703d79b6199

SHA512
fdf6621928adc2fd60fe3c4e1af9f0afc702a44f6ed2d5dd005d8a89188e3a673ec8976aa95c369f3a706692ce279db1c90ae8acba062e3d9368a4bdd1a011a8

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
113KB

MD5
c0bc2fa887ac40633ee7f63f14791c22

SHA1
b4bbe234563d9970b4ab597e998ce16dbc5ee182

SHA256
6afee190de78806248ce1cdeccce74e51c87b311887d7b90cf8160e08e949c6a

SHA512
f0f0aa872c38b6a297231dd2069cb44c94c4b78fa9ac32601cb83751ec8954c5973844713fbad1d92c1d5e5947b5c12b4a1b53c1af36b5df1f0c2410fa6276f6

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
113KB

MD5
1ab219d825285c4533b99248b7e6b0a7

SHA1
24d87c94a0cd31656dc708aceeb573cfe0ad9bb7

SHA256
32824d711ab6466dfadab532a830d2e34ff7f18fbb79e809f4b4f777f75837cc

SHA512
ec676933ecdb26de0aa74e0cd77d88b8db9d84a428ac46eb1d7589a965203023478df8a49b33b568e069f9b49ce03649475bf91ea3c3d35edcf275f90c672fd7

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
113KB

MD5
a4975dce915eb5140430e6bedbd9eb51

SHA1
f5c2bbca7cc89fe3de02bac6b60346b535745793

SHA256
2b412828a5e3665e5a2c851c86bbb70aecf975544d8a1600a2bed0ec82754c19

SHA512
dccb554160e2420b40f4e29450a2c153c5255a2906f77c6eb668bf254034e63ebcf15d7554cad3b79877cb7bd6fee1a562b54a485d138585eaaf0e3b9839da72

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
113KB

MD5
44e117cfd9e53fee4103950589f31e5b

SHA1
cd8ec1ef2e88ffe97d51c76a18ac7d126fe93a21

SHA256
ae82ad2269abd7c8b743d57552e7ad63fdfc27f459672a18b72c13af04d2e529

SHA512
dfffd276c0f835443dace74901b3f10f58ac86caf930b21e5f40cb77789ea1a18800d9107b02202a00e9c429e49cfbf79632fe5f03071447feb585c8129c8198

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
113KB

MD5
e26ad189f0f8257efb944b49c4cde18a

SHA1
41485af8f8678ad7cb44828cef76e3a83ddd84a1

SHA256
1167c9f67b1e00759759eff59266d3b9d16ca3c012d0672ac3f0fb1955219f28

SHA512
049fd50752bd4cf814ef947bd0d2640c54bdb32bfa425592660df36afbb9078184e34e97585b4bc97318b4c8ddf6456f40968c403e4569dd25a2c450f17557f2

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
113KB

MD5
adbfb471ab435cbfb2bc6fa7e916aded

SHA1
882cf223b306f64da74db5dddd9310404ad8a409

SHA256
94bb3779675535381d9c584bf166a9e7e51588b94115e1d1c390444a3f874c9f

SHA512
77986bcde53f31187e28c2ddfbe5bbbee8537d0057d4ddb78430a1f311465839504aa7fa874e48aaf6d3a494b23b912fa9e99a0903d3e8a661e67aadf189de9a

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
113KB

MD5
2f09a7b583e26f10e525d6c1d6cf661d

SHA1
28a4d4861c6c1a56c456377463c6435d07c9d072

SHA256
e70514b671385546cc2147adc369b123adddecc4487163854909ecfb0efe1468

SHA512
0842724cf4c36eaf45c84f31b13bcc545ef47b40afb79b7a0f3c2c814e98a4a8e3dbb5405c786fb7d4e75966415feb8d5ff8c713477927f42c168036dbc3ab85

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
113KB

MD5
ff2fdba0e45432c68db85bee81678bbe

SHA1
ad44a213d0bf381c7be7ce5c18a669f9487ce5c0

SHA256
a18193eb2a38d273b7028fd284ce21a24e8e8abfe6bf834de07849479b3e278a

SHA512
04374f3968e9acad0857d05d37e8c7530e0681a6a7dd6dee071dc04fde5b35bc37dd484ec071c30a49506ec1f25f6de82a4cc14968eea9e6624d35a8b94f88ba

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
113KB

MD5
92ee2beccab6445ff933d2b7d09fa249

SHA1
239423b3aeb3f7998c572ae8e131be4675e0cac2

SHA256
80baca8763828ea428ba006fd470530583c869141ba1cf7b3e4ae0dcf2b0b558

SHA512
861a1fbffb237f95e85d106e33803775055a785edb37ff8ab383a5be54f464ab88ab94282db0804bddbd61d271c26fb5e7dcd8487a1635c5105c042810e6fcb2

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
113KB

MD5
88df4a42b045d4eaecf341c4f5069037

SHA1
7589e8d1394cc21c255288ebd1cd2c5c1702a648

SHA256
b3610eb553c2f5bd7e1344de261ce05316f3db1e07cdc5318dc031dff8e5bfe7

SHA512
e5ac59180a9b400d83dce1ee097924bc9a80c885b71009e4bd73705a192cf2978ec26a16078b01bf9559bec9514339891c301440884046b32ca1a55b5dae2f24

Download Submit
memory/60-28-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/116-316-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/244-485-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/348-310-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/372-424-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/404-340-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/432-388-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/456-358-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/884-72-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1072-176-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1160-103-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1192-589-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1572-297-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1592-232-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1704-88-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1720-167-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2008-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2148-558-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2192-136-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2228-248-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2312-208-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2348-368-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2356-524-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2404-502-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2472-399-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2528-284-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2700-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2724-577-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2724-44-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2824-334-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2964-322-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3008-412-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3028-374-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3032-376-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3120-443-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3172-452-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3188-508-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3248-514-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3292-120-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3312-536-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3348-290-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3436-328-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3448-357-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3468-184-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3472-496-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3612-545-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3640-458-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3692-544-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3692-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3696-574-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3696-36-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3744-266-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3800-460-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3812-298-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3828-268-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3976-127-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4008-111-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4036-434-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4060-304-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4072-160-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4080-274-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4092-578-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4148-602-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4148-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4152-404-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4160-564-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4164-148-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4168-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4168-555-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4268-476-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4284-382-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4292-244-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4400-436-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4412-224-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4440-423-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4544-256-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4560-408-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4572-151-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4604-478-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4648-538-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4660-346-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4764-192-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4868-584-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4868-48-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4900-557-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4956-490-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4972-220-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4992-200-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5008-526-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5024-56-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5024-591-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5064-96-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5068-466-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5088-576-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5156-592-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5200-603-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads