c3f40e515a3a6709bbd777526212ae71a119094ba89a9889e105a49e5ed74982

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12ac8ea9010ceefe5286df3af81834f0_NeikiAnalytics.exe
Size

1.2MB
MD5

12ac8ea9010ceefe5286df3af81834f0
SHA1

76e403efaee55bc918a41ced61c534f204cfb048
SHA256

c3f40e515a3a6709bbd777526212ae71a119094ba89a9889e105a49e5ed74982
SHA512

3f957309c064107deb003a3709461540ceecb020a88700f7a7387bfdf12a42c0b8e4cca3b35063088b44ccb8b2b5ffeb72774e65aed49fa9fc24098589faa223
SSDEEP

12288:7Eq6eUvYlFiWZCXwpnsKvNA+XTvZHWuEo3oWiQ4ca:hgvYlFiWZpsKv2EvZHp3oWiQ4ca

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcopbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	12ac8ea9010ceefe5286df3af81834f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djnaji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlgdkeje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coojfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daifnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe

Malware Dropper & Backdoor - Berbew 55 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0006000000023298-7.dat	family_berbew
behavioral2/files/0x000700000002343e-16.dat	family_berbew
behavioral2/files/0x0007000000023440-19.dat	family_berbew
behavioral2/files/0x0007000000023443-32.dat	family_berbew
behavioral2/files/0x0007000000023445-40.dat	family_berbew
behavioral2/files/0x0007000000023447-48.dat	family_berbew
behavioral2/files/0x000700000002344b-64.dat	family_berbew
behavioral2/files/0x0007000000023449-56.dat	family_berbew
behavioral2/files/0x000700000002344d-72.dat	family_berbew
behavioral2/files/0x000700000002344f-80.dat	family_berbew
behavioral2/files/0x0007000000023455-103.dat	family_berbew
behavioral2/files/0x000b0000000233a0-121.dat	family_berbew
behavioral2/files/0x0007000000023457-112.dat	family_berbew
behavioral2/files/0x0007000000023453-96.dat	family_berbew
behavioral2/files/0x0007000000023460-160.dat	family_berbew
behavioral2/files/0x0007000000023462-168.dat	family_berbew
behavioral2/files/0x0007000000023466-185.dat	family_berbew
behavioral2/files/0x0007000000023468-200.dat	family_berbew
behavioral2/files/0x000700000002346c-216.dat	family_berbew
behavioral2/files/0x000700000002346e-224.dat	family_berbew
behavioral2/files/0x0007000000023476-251.dat	family_berbew
behavioral2/files/0x0007000000023486-300.dat	family_berbew
behavioral2/files/0x000700000002349b-360.dat	family_berbew
behavioral2/files/0x00070000000234b5-438.dat	family_berbew
behavioral2/files/0x00070000000234bb-456.dat	family_berbew
behavioral2/files/0x000700000002350d-721.dat	family_berbew
behavioral2/files/0x0007000000023554-958.dat	family_berbew
behavioral2/files/0x0007000000023564-1012.dat	family_berbew
behavioral2/files/0x000700000002355c-986.dat	family_berbew
behavioral2/files/0x0007000000023548-917.dat	family_berbew
behavioral2/files/0x0007000000023546-907.dat	family_berbew
behavioral2/files/0x000700000002353c-876.dat	family_berbew
behavioral2/files/0x0007000000023525-805.dat	family_berbew
behavioral2/files/0x000700000002351d-775.dat	family_berbew
behavioral2/files/0x0007000000023513-740.dat	family_berbew
behavioral2/files/0x0007000000023505-694.dat	family_berbew
behavioral2/files/0x00070000000234f3-633.dat	family_berbew
behavioral2/files/0x00070000000234ef-621.dat	family_berbew
behavioral2/files/0x00070000000234e9-600.dat	family_berbew
behavioral2/files/0x00070000000234df-566.dat	family_berbew
behavioral2/files/0x00070000000234cf-517.dat	family_berbew
behavioral2/files/0x00070000000234c3-480.dat	family_berbew
behavioral2/files/0x00070000000234b1-426.dat	family_berbew
behavioral2/files/0x00070000000234a3-383.dat	family_berbew
behavioral2/files/0x0007000000023474-248.dat	family_berbew
behavioral2/files/0x0007000000023474-242.dat	family_berbew
behavioral2/files/0x0007000000023470-231.dat	family_berbew
behavioral2/files/0x000700000002346a-208.dat	family_berbew
behavioral2/files/0x0007000000023466-192.dat	family_berbew
behavioral2/files/0x0007000000023464-176.dat	family_berbew
behavioral2/files/0x000700000002345e-152.dat	family_berbew
behavioral2/files/0x000a00000002339f-144.dat	family_berbew
behavioral2/files/0x000700000002345b-136.dat	family_berbew
behavioral2/files/0x000800000002343b-128.dat	family_berbew
behavioral2/files/0x0007000000023451-87.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
4420	Coojfa32.exe
3616	Ceibclgn.exe
2148	Capchmmb.exe
3000	Dpacfd32.exe
1052	Dcopbp32.exe
5080	Denlnk32.exe
1556	Dlgdkeje.exe
980	Dcalgo32.exe
2220	Dpemacql.exe
2076	Dcdimopp.exe
5072	Djnaji32.exe
4684	Dllmfd32.exe
3180	Dokjbp32.exe
3468	Daifnk32.exe
1688	Ehhgfdho.exe
4140	Emjjgbjp.exe
1636	Ecdbdl32.exe
3668	Fjnjqfij.exe
4300	Fqhbmqqg.exe
896	Fcgoilpj.exe
3596	Fjqgff32.exe
3960	Fomonm32.exe
5116	Ffggkgmk.exe
5044	Fmapha32.exe
3580	Fjepaecb.exe
1076	Fqohnp32.exe
552	Fcnejk32.exe
4048	Fmficqpc.exe
4988	Gcpapkgp.exe
1200	Gfnnlffc.exe
1716	Gmhfhp32.exe
1800	Gcbnejem.exe
4400	Gfcgge32.exe
4252	Gmmocpjk.exe
3308	Gcggpj32.exe
4896	Gidphq32.exe
944	Gjclbc32.exe
1900	Gmaioo32.exe
2340	Hclakimb.exe
388	Hfjmgdlf.exe
4452	Hihicplj.exe
2932	Hapaemll.exe
1008	Hcnnaikp.exe
640	Hmfbjnbp.exe
3484	Hpenfjad.exe
4676	Hfofbd32.exe
2856	Hccglh32.exe
3436	Hfachc32.exe
1668	Hmklen32.exe
4248	Hpihai32.exe
3344	Hbhdmd32.exe
712	Hibljoco.exe
4836	Hmmhjm32.exe
1208	Ipldfi32.exe
2904	Iffmccbi.exe
4172	Impepm32.exe
1548	Iannfk32.exe
4368	Icljbg32.exe
1020	Ijfboafl.exe
2568	Imdnklfp.exe
1660	Ipckgh32.exe
424	Ibagcc32.exe
4884	Ijhodq32.exe
1012	Iabgaklg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Dpemacql.exe	Dcalgo32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Jpckhigh.dll	Gfnnlffc.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ceibclgn.exe	Coojfa32.exe
File opened for modification	C:\Windows\SysWOW64\Daifnk32.exe	Dokjbp32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Dllmfd32.exe	Djnaji32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Dcalgo32.exe	Dlgdkeje.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Dpacfd32.exe	Capchmmb.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Fjqgff32.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Odhibo32.dll	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Jgegko32.dll	Denlnk32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Fmficqpc.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Pmcglkid.dll	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Fcgoilpj.exe	Fqhbmqqg.exe
File created	C:\Windows\SysWOW64\Mdmiambh.dll	Capchmmb.exe
File created	C:\Windows\SysWOW64\Fkindkmi.dll	Dcopbp32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hpihai32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Fqhbmqqg.exe	Fjnjqfij.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6176	3640	WerFault.exe	242

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkokhc32.dll"	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djnaji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndnbj32.dll"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijjfe32.dll"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehhgfdho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	12ac8ea9010ceefe5286df3af81834f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmihaj32.dll"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceibclgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 4420	4416	12ac8ea9010ceefe5286df3af81834f0_NeikiAnalytics.exe	81
PID 4416 wrote to memory of 4420	4416	12ac8ea9010ceefe5286df3af81834f0_NeikiAnalytics.exe	81
PID 4416 wrote to memory of 4420	4416	12ac8ea9010ceefe5286df3af81834f0_NeikiAnalytics.exe	81
PID 4420 wrote to memory of 3616	4420	Coojfa32.exe	82
PID 4420 wrote to memory of 3616	4420	Coojfa32.exe	82
PID 4420 wrote to memory of 3616	4420	Coojfa32.exe	82
PID 3616 wrote to memory of 2148	3616	Ceibclgn.exe	83
PID 3616 wrote to memory of 2148	3616	Ceibclgn.exe	83
PID 3616 wrote to memory of 2148	3616	Ceibclgn.exe	83
PID 2148 wrote to memory of 3000	2148	Capchmmb.exe	84
PID 2148 wrote to memory of 3000	2148	Capchmmb.exe	84
PID 2148 wrote to memory of 3000	2148	Capchmmb.exe	84
PID 3000 wrote to memory of 1052	3000	Dpacfd32.exe	85
PID 3000 wrote to memory of 1052	3000	Dpacfd32.exe	85
PID 3000 wrote to memory of 1052	3000	Dpacfd32.exe	85
PID 1052 wrote to memory of 5080	1052	Dcopbp32.exe	86
PID 1052 wrote to memory of 5080	1052	Dcopbp32.exe	86
PID 1052 wrote to memory of 5080	1052	Dcopbp32.exe	86
PID 5080 wrote to memory of 1556	5080	Denlnk32.exe	88
PID 5080 wrote to memory of 1556	5080	Denlnk32.exe	88
PID 5080 wrote to memory of 1556	5080	Denlnk32.exe	88
PID 1556 wrote to memory of 980	1556	Dlgdkeje.exe	89
PID 1556 wrote to memory of 980	1556	Dlgdkeje.exe	89
PID 1556 wrote to memory of 980	1556	Dlgdkeje.exe	89
PID 980 wrote to memory of 2220	980	Dcalgo32.exe	91
PID 980 wrote to memory of 2220	980	Dcalgo32.exe	91
PID 980 wrote to memory of 2220	980	Dcalgo32.exe	91
PID 2220 wrote to memory of 2076	2220	Dpemacql.exe	92
PID 2220 wrote to memory of 2076	2220	Dpemacql.exe	92
PID 2220 wrote to memory of 2076	2220	Dpemacql.exe	92
PID 2076 wrote to memory of 5072	2076	Dcdimopp.exe	93
PID 2076 wrote to memory of 5072	2076	Dcdimopp.exe	93
PID 2076 wrote to memory of 5072	2076	Dcdimopp.exe	93
PID 5072 wrote to memory of 4684	5072	Djnaji32.exe	95
PID 5072 wrote to memory of 4684	5072	Djnaji32.exe	95
PID 5072 wrote to memory of 4684	5072	Djnaji32.exe	95
PID 4684 wrote to memory of 3180	4684	Dllmfd32.exe	97
PID 4684 wrote to memory of 3180	4684	Dllmfd32.exe	97
PID 4684 wrote to memory of 3180	4684	Dllmfd32.exe	97
PID 3180 wrote to memory of 3468	3180	Dokjbp32.exe	98
PID 3180 wrote to memory of 3468	3180	Dokjbp32.exe	98
PID 3180 wrote to memory of 3468	3180	Dokjbp32.exe	98
PID 3468 wrote to memory of 1688	3468	Daifnk32.exe	99
PID 3468 wrote to memory of 1688	3468	Daifnk32.exe	99
PID 3468 wrote to memory of 1688	3468	Daifnk32.exe	99
PID 1688 wrote to memory of 4140	1688	Ehhgfdho.exe	100
PID 1688 wrote to memory of 4140	1688	Ehhgfdho.exe	100
PID 1688 wrote to memory of 4140	1688	Ehhgfdho.exe	100
PID 4140 wrote to memory of 1636	4140	Emjjgbjp.exe	101
PID 4140 wrote to memory of 1636	4140	Emjjgbjp.exe	101
PID 4140 wrote to memory of 1636	4140	Emjjgbjp.exe	101
PID 1636 wrote to memory of 3668	1636	Ecdbdl32.exe	102
PID 1636 wrote to memory of 3668	1636	Ecdbdl32.exe	102
PID 1636 wrote to memory of 3668	1636	Ecdbdl32.exe	102
PID 3668 wrote to memory of 4300	3668	Fjnjqfij.exe	103
PID 3668 wrote to memory of 4300	3668	Fjnjqfij.exe	103
PID 3668 wrote to memory of 4300	3668	Fjnjqfij.exe	103
PID 4300 wrote to memory of 896	4300	Fqhbmqqg.exe	104
PID 4300 wrote to memory of 896	4300	Fqhbmqqg.exe	104
PID 4300 wrote to memory of 896	4300	Fqhbmqqg.exe	104
PID 896 wrote to memory of 3596	896	Fcgoilpj.exe	105
PID 896 wrote to memory of 3596	896	Fcgoilpj.exe	105
PID 896 wrote to memory of 3596	896	Fcgoilpj.exe	105
PID 3596 wrote to memory of 3960	3596	Fjqgff32.exe	106

C:\Users\Admin\AppData\Local\Temp\12ac8ea9010ceefe5286df3af81834f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\12ac8ea9010ceefe5286df3af81834f0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\SysWOW64\Coojfa32.exe
  C:\Windows\system32\Coojfa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\SysWOW64\Ceibclgn.exe
    C:\Windows\system32\Ceibclgn.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\SysWOW64\Capchmmb.exe
      C:\Windows\system32\Capchmmb.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        24⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        25⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        27⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        29⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        35⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        39⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        42⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        47⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        53⤵
        Executes dropped EXE
        
        PID:712
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        54⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1208
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        58⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1020
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        62⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:424
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3692
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1824
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        68⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        69⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        70⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        71⤵
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        72⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        74⤵
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        75⤵
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2444
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        77⤵
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4444
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2548
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        83⤵
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        84⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        85⤵
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        86⤵
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        87⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        88⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        89⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        90⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        91⤵
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        92⤵
        
        PID:512
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5048
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:544
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:848
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        98⤵
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        99⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        100⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        102⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        105⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        108⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        109⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        112⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        113⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        114⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        118⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        119⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        121⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        122⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        124⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        125⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        127⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        128⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        129⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        131⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        133⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        139⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        141⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        142⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        144⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        148⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        151⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        153⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        155⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 400
        156⤵
        Program crash
        
        PID:6176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3640 -ip 3640
1⤵
PID:6152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Capchmmb.exe

Filesize
1.2MB

MD5
d69e7d469e445d9349fb8fb3966ecd78

SHA1
38810f74ee31b1e2658f58bf7fbddcccfb66b0a5

SHA256
ca2a02dd10e3405cbc802b37f8d667c213a6e6b3be06756e45c4f2aa2a86e35f

SHA512
239901bc72c8c7f5eb7642f4a7f63ba64c333ea4f7a901090401b82b4b886e4c373264499330f8fc9ff7fa5dce552f44ed8471eed86eb623163683a3759d168b

Download Submit
C:\Windows\SysWOW64\Ceibclgn.exe

Filesize
1.2MB

MD5
50b73a36e0432c71daa1741c2f0b9888

SHA1
ed185ed3290bb4a8f3d041338bb6d8a84d206485

SHA256
077d32b53cdfe912ed48ddb5e2da4a3cc1563b36dcd96a1bb5adb96925f33a65

SHA512
e1dd6824cef0c8e13fbff70bb0565f853022332dc5a2d1c63e6d5aa4255518115987ac40e8d947162cbfad2d2191cc7eac8639683f91153cb7f9a9dd07d7342c

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
1.2MB

MD5
8ae859d8cc17c0471b30f3616d1d5718

SHA1
0a6d182b0bd450d8f9efd8b3fdbbe3d7b1fd81d4

SHA256
3c9408a9f2b1ad051229f737292ad41137be9438294878a7ef8e438517606ebc

SHA512
c230fd2788ddf31c4f7d60ebf86d4fc8285b794ddd91143e123e06ef7d4522c0443566d452b86eafe93c0a2a7b40c9737e1c5c8a8d458b3eb02249e02b09089f

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
1.2MB

MD5
309ffedd854b515a730d4b1ce904775a

SHA1
b9903052ee29c7b378ea99b85d7237f56a522892

SHA256
cb237394df4418d12740b1ac45ed1008a662df93cb01ec3b3af1b665a348c952

SHA512
b7c7eb81bab0f9bbb40ed1864f223f3dcf0ba0207e9cd17ee094ce41dcf542364b20a82f411e5c29b68f86e900d0b789e4f336b4f3e9e1804cb042599be5904d

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
1.2MB

MD5
1c62a570333ee691697d7b586e302a8d

SHA1
f3b882824ea8a90b327bc8f9168fbbb5043a7ad0

SHA256
0ae81aefc7ee27b4d63b364390fe402fad1566674b285c00306bfb650fd9cdc5

SHA512
17429bd76a7436268bad8dff0cb56e844cbbeda1c268a2fad4c4be38cf0144ae066592a0ac64a9c63a513fcc6d00585f848a73e8777526bcf1532ffae71dfa1f

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
1.2MB

MD5
78dfa896a0342854cf9952c5c9225839

SHA1
fb2d37f55c4fa3428a8b98c2900250aa27bc9233

SHA256
2a4d6d8e8c41010f5a11f880e8146d48129a1b6881bb4e70b44285372aba9ac7

SHA512
07643c337bcf703ab5c465c7fee6016eb199c34f4a9ec0282a7f5bc92a973eab13e293eb18428b2867ae05d05efb6d75f57fb576a96260a558f1c0c5660731fe

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
1.2MB

MD5
f1e9911609ad16c7f075eea6ee35dd55

SHA1
8bb905fed8b77e20aa604d4a23781004e6b77213

SHA256
5e815d5e7c7dc2d156b8d9645e4bc55a950829c6f6d446a3969810792560d420

SHA512
60a9cc784e178e8c3594077575d3775463ffdda5b0b02bf13bd3010d69c5c5d94d620661eaa5670168d23c619c971133a85bf1e5540a4ec5a2db4274002a2da0

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
1.2MB

MD5
ded5cf255963ab6a962b961dcb28514d

SHA1
83a6d943135923e79c242853facaa191a2530875

SHA256
d9e9def591eb0c0f6ad9d1e6dd805283bd780a547ba61605f98e2a982409abe1

SHA512
691a45b4aba2277b3c277fc718c442a09dca4f62acd90d1463ed75fb2c9a3632abbf229fa1ceb71e8ec194e9cdb78cf1c59f3584ab4b3d236763f0d7502d77fc

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
1.2MB

MD5
feee0c41ff8888f9cfc35804c7214bc4

SHA1
988ac79c63e2d7963f8cbdd6922860a7e73dcf76

SHA256
686157061f908e3c2970fa6c2c8c012942c29bfe3e55f78099b1e04aa22d97bc

SHA512
271d714758e8d20aeb3eeb9aa07473a692500c79e2bdcb5162576afb611941a6384c48804bda9e41d9018e1a93c37002e8a0640c6b6e35b46e94b31fdf8497b4

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
1.2MB

MD5
40b5967718785ea21cd675413bc42bf5

SHA1
181b813d69091863e4cacde98f13f99ebc24ad23

SHA256
4b71abf18f05895c052fc424f4b78ca3dfafefd5c8055cb81c26107baed88990

SHA512
51c0ab4107b67101c300597e987cc4e6285dc3b70246014849d9b5812ba00e12dd8abcd30ad6ee61c40fe67beea0c6fbf6253597cd6ac2ce37c1d278060fcc18

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
1.2MB

MD5
4e3f1778d88713f44211b98dd27ed3a7

SHA1
2aa4f6a3c2290c6b9b3bf24bc34f443af1b7d1c0

SHA256
3f19d20331b978deecb7c8b580a6a0735eb2aef018b91229797b4c52c215afd3

SHA512
f335b9fe22a7679385738948e08427c0e6dcc0cf0fa5fc78925ffc9ab18de292055eed48f8fb59426be5d70ec7cb078ab04c530f7ec6d9d34c2b6851adc21c28

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
1.2MB

MD5
087fb5d50b5b05e09a60e52d377d02e0

SHA1
d0c6ac10f29bec2dad003336e9f0b3796b2712cf

SHA256
4fc4ef7f7aa130a0e573b3ff436353efc85ba359e3800023f6c3be3e030a2327

SHA512
862878063a93684c50e4fbdda84b05c3388fb477773a381be94538e70de032e592b51f08b0b9972c326308f362b848a0017f63a9f278313d488efb43c69aaf79

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
1.2MB

MD5
25cda582f5240d651a4c16a6adc213a2

SHA1
bef67934cf91f360778b89f26c77f45efc950ecb

SHA256
8b18fa48be079512900b7801a9c27faaf0a27529f1c0695b8a4020566eabc4ea

SHA512
7d38a772ca5defa07e0e3a5d599952f3b2c6e7b3cdbc5e79642bcbe4053960994de81c3a2f83e58bde3a482742a62232dc41abe31ee89355523f6b2e25461db2

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
1.2MB

MD5
b7ed7b90f3808fb5d4e171114dc9aa92

SHA1
710328a599d4610e355c1774572c6144ef885c86

SHA256
16ab96b88a6b7d7b2a3be800dfb0be76e8cb464b6f29ddb44ade12deca15eb3c

SHA512
df1860beb63b76a4d9155a03128d04dc8bab68de19580dfb00238cd19dc7e442dc8ef239639af96bfa2cea1d042baa3a2fae517e32d45c438213cdbc8b1e60f0

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
1.2MB

MD5
dcf20128101e74bcd847ecdcf74aed7d

SHA1
d648df5a8532e9d9d5cf6be773b0ab837bedb2a9

SHA256
8a75cd56407200333917c3c6c544fa348b905ee503080cf14dc1937fa0e9a4f9

SHA512
defe2c78066d42b7fdd61a43376181cad070badbf127c0d6a1a45c67e339867315dd9479d651ae5e1b67cbfd1b8afd748c52e4befc23e57d9c63db60f31a4044

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
1.2MB

MD5
ef6fd93c714464da2cadfabf68f74640

SHA1
f84d9a766dc54377c5a13437abf213f0d896fde9

SHA256
a12c69368e958a9a929b761ed74dba2c03ede69125932ba80fc7867e74703b1d

SHA512
fe521b30c1110dfa73fab09d1bb8d083508d259b41b926c359b060125262c59fd693b99bd13a1123c06ca791a5c0f65f111289cfb26780b242e18b04e0c7da7a

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
1.2MB

MD5
3522b50787c1dbc0d4257a94b6d063a4

SHA1
8f2ad27d2dcec50330087659f253776931cc03fa

SHA256
d33fe90c6de9ef2041c2a40122254ae7274f1550ebbc5f5ca92e0f85e0c26f28

SHA512
1956b4a8734431c759adf0cc15064e73966debf410acb080ca65bd76a959c41776ea4b2d1a7aad99db4ed1821c1ce673078b3b6aa8ed58a1262aeb1b8ef1d53f

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
1.2MB

MD5
2d6764a1165db7696d4ce94ce7bb8364

SHA1
e367eae227b60d08a67dc8c869687d86b25a87d5

SHA256
5cfa049e2fa4aa4cdd716a9195468a7418a4060902946ed3f9aa6cc63a6ebd9d

SHA512
5f4acd89fc399b4eb8de0e264db5c6da6555195ed124b46b7d02fd869093b078fc9eefc791a14c9e5dca76d457edde401c2481226bb1503f3aee36def343e1a4

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
1.2MB

MD5
6a6fcfaf6f94f6f9d778ecf634b3a587

SHA1
d43fd026a1af2b5cdafba9f22e2d71934a8a65fb

SHA256
ca7c3c180ba01e10ba6e20998df43e58153e4a641b0c3149965c9d60fe7d0ffc

SHA512
140c2a31ec60ad8ee8c1a5f8ef0446c9b8e18d6502496e287d4463e2a68f9508e955601f9fa0ac68e86706665d1224018966f7b78cc6755460dd046f3c45b851

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
1.2MB

MD5
ba55e37c35ce92c5884102dbf7d8bcbe

SHA1
98fb6848ee30ac99a7c41b20dfdf545b6e54c8e1

SHA256
a92ae7051a41c68667948358c423c4f5e10ab50a558e66649ee0d2a213d5ec27

SHA512
299cf37891bd33b4b9ed2248cc2331f8c05177ffe6ce1ad815a763a1827c2d0eec684ca03003e32e7c1b24b78a80039c80a3260bcaa7d1c21959d15e5189ed56

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
1.1MB

MD5
bb49176bc588504629a90be17855f32b

SHA1
05a20e5603fe44798523a46e34a796feccdb320a

SHA256
eda3c156477c5613fb284baf6bd8fa0a2fc813476b1b87654c18dc8c910f4ba9

SHA512
de1bab10e3bc5186a58ad6594fc66ae381f07883bfeec4ce13edad3edfdc9b58347403e9ef9b027479735a024c464208371603c4fdb1f8f575e482b3af3e5b8e

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
1.2MB

MD5
24f0d79a9c297e949bb74d8f446c6bfd

SHA1
6773e4062e3f9b9ffa81cada96adb14d34b8d234

SHA256
fabca2aeccbcc3a175fffd5fe544ab5f5250ac04f2777ebcd782bfcf15c64d27

SHA512
0b1fcb3e5d8ad528cf1b23c75fe1cf7498c0a3311f301c8dcd83859b6d317a27082f1b6e82a3240d2bd841682b9090dbb4e11f06f7e85fe74915a03e9a5afe9a

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
1.2MB

MD5
b32d37d423fcae13ba9bc4e30fefc5c0

SHA1
66e9af0fdf2c7b69a1d5001741ed266ec865a80c

SHA256
9268d92100ed22f99f5fc37f692cde785458db6575d62bb4979c4dd3ab92eb09

SHA512
7c08b7ca3644632bd0c887aa07a829edc1e89ce86c5656fa608169892e2c46ed18b59dbf27abcffd2fdfbe7ec82f6415445a69fee9fc4aed686d3bb66b39b8c9

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
1.2MB

MD5
e13fbd290b1e85f6103443a531306c68

SHA1
61f719314b143871ac923af3995e7084e06bf37a

SHA256
7394bc3af4dc8ca06f5e2698a55deb18df1ca76fd7454decffa77c15f1a43a5f

SHA512
efe1237a585da767d0e249beb9f0b815fc0b85d16b2e285a817477f0d9248882251e515f98ad529e8c5a890005346861a6f424695b61dd07893bc9709f16dc55

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
1.2MB

MD5
223173e1f1f07b6cae941614abcce282

SHA1
cf91fff6b33d40740b6a0eee23362f9fe5370026

SHA256
b176cc868eb4d0e2efeda91d184fa77587d61b84a3639dff3ab8fb4ffb35d86d

SHA512
e49b3d7f7bf1e8077cdbb849b2f86349833eea4078da81d76ab3d920cf0fff0d6e39c1a42a58675a3cd0d031394d68d0027f3848019fad83072dedfeb6726c46

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
1.2MB

MD5
d730eb35ccb6e8d5fbb8a7aa7695ed64

SHA1
f90171a4b28d922464c76e494a38a36ab79a2e97

SHA256
dc8bf5ac1a09dd7859935e6ec6254dde47c3c867f5c4a0edc062f8aea65c97b2

SHA512
8a44a6a5514fa24f7bd48b7ce4dcdd40bc3f70527d911c98922f24e6add06bb14b9d27aad46e522c831081945f30b1a1da18a0d4266063efcc6849eb8cb5a1bf

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
1.2MB

MD5
4809d5b9356f6a57293e04b060c0ab2b

SHA1
dee9ed8c69d85bde36631911a2d5e1f61db1ac79

SHA256
b4e7089845c5626214001a65448cc1fbfc2cf06aeb830b83dd09e2bf8fea0cc2

SHA512
c8dcec62416662618dd6c22ab5316592f313f4be56ccd38e2309a72620381d02b77bcda0d58ec45ebc1b2e6f46a1073921863b0c64d209602753dd1594ec4262

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
1.2MB

MD5
091391717be31f31ecb11a37ac14b5b0

SHA1
10994fb74db815dfad73843c59774afe5059b974

SHA256
1f7b29612a0685725e3691261f1eefddf8fd8278aadd79c93431d08c7f5fee27

SHA512
4361a3d6bb2a37ee19ac04c0b2b30d1ae52e791614f28eedb1205360fdeed1a13d1bd3ea3e3e121e152dc36ced9cc700fe11333030d91c6a295ab9d2b920513b

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
1.2MB

MD5
8f4c29dd156c1eb57c45f9fa53517d9f

SHA1
8ee9b19340b306d7dcd5c698d59ff92066f66905

SHA256
a8efcfd586a525cd1b8074231ecc84021ea2d13c4b85988e1fd0440b314a34eb

SHA512
2658d54e4f47b34babf4af4c33463b8ff2f6e0814c990cf0f6a8bc6b8adb8ecd43c87477113cf0bde0c6fb943c3dbec15eec7bb470a4a7fb051834abbf8d3db6

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
1.2MB

MD5
bd90ec3dd29e6e443d23ef046f7b4ade

SHA1
9c9760617c6cbfd2121689cc889c25ab871ad0eb

SHA256
17aebe5564273359e6bb122453e43a0291045864b6dc7f87069a88154a4d2555

SHA512
f8318fdf7178d812e95d273d4dca23aaba6f1686622857726319bdda5338522b48a23c3f3475c3c043fe78c292e7fb04826cc2f66c75db25cc5ba72787f5b46e

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
1.2MB

MD5
a29dec4a52b85c8600f859c48c28da23

SHA1
43441c532e67fd341e1b6d3458cfa26f6aed2b38

SHA256
a6c42feecfa73611c8dcdf274f3ab13e273c7698326a5b1bd1f79596da8bc6e0

SHA512
bb9e07cc2ebc085e8ce4394d09f5717ca882330d29795ab704e5e82a08530e3fb0cb763ee27fdda2dec773bf4b08554adf7c7f9928ee18cdbde3439e2c3c3c8b

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
1.1MB

MD5
b5a7daa68f66e69a35dae95f3e536313

SHA1
78138f8d8168017b85b1ac2f06c12eb9293c6d2e

SHA256
e73a727432aa52633b153eae80e0a86de003844ee741fb2b8f83ae6678242dd3

SHA512
953c88675fe47f39bc7ddd56409dcc910a230b5b48a395e888f7ae66ccc0c2f5fc888d977f502361f4475fddf847971f30a61f72497a254771df2d80cbf16506

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
1.2MB

MD5
182d8fc27bb9b1c417a89cded08b6015

SHA1
d9b53a88d835beac95926e7c5a1824838efaee63

SHA256
155e4a0e0f0538566aec81c3656ba3ad53b0734854c47a354349b9d0e56a59a7

SHA512
c753f7602b16495f519d8d2d6b19e941426b6e88361c7a84163fbdf60a3d94e756980d7c0928183b16fdbbb33be4ff68387bc5636c99ab6de746cf315fdedd6f

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
1.2MB

MD5
a78da4c52a5ae06c290b0f87d6dcd5b6

SHA1
489a9a21c5911e58d1d1a092e5b3088134ca92ec

SHA256
aa3efdf7b112cbda57a1f29dd5d69363f584b24bc1d65f486d82a80840b2b7f9

SHA512
ad910530697dca4f8a9028679f7c2428c8f2de9c596381e585dd1903da9f22908d39e7bc4d65ceac5f50fcac3fc8f460e15c456ce9c9761dc158ab52196008ed

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
1.2MB

MD5
b7450a9e1148060b5fcf51696ceab927

SHA1
f3f413ad4578cfb5b2ba3ec873e95a0496490446

SHA256
aec44b3423cfe2c31a8c7367ec842b4cee23bd73211bbd56922b4e49ab51db2a

SHA512
f44062a8d21050321f5c8cd7578aa1553e27ace516871584d2b72f7c076289d507d75a5a6f19c0e81dfdc17435d679ccaf3f760feaea75b502a7e60339d0d9e6

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
1.2MB

MD5
8a9958dea9b464f8442b49fcaa36fadd

SHA1
ca0656fb25e92694efe0b466aa14d8a8f29f06de

SHA256
37e7b422ce8623c6e93d6ae23a72ace1a4b667ba9921dfadc27a71e7627b443f

SHA512
095f05614a983c6f07bc1dff2670723b650adf18fa6d422b668b388addef2055a9db9a328876107c8c229c7fdb2d2d0300589016b7de0a59b90a1543531e4661

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
1.2MB

MD5
858d6a7dc05bc337ea660fd86449c240

SHA1
192f986b138d3c6b1e629a0b63504caf5d74e34b

SHA256
2afbeee73a1485097ea9956682033793b3fec99d98ae94af5b9b5f1f23b0445f

SHA512
a33eaca6becab02d23ad526a694208da86d9dd96c809733515fafb3e7050a9e5b89fa8c0346d36e9a5b60656f6b30e7767eb97d5d7b1f388d344be3211cea205

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
1.2MB

MD5
b3fc730698379b8b3cd387d11af60ca3

SHA1
e4d49381ff2dcc6d13b3208090f7d95b29b8552d

SHA256
fd7ecaa71c5c2f430340f484f2d2cac828be8bead2f78430dfed5418da9d3cff

SHA512
6fe90b149f0759976ebeda13a8244ee84960d7084482bd41f8a49c8b09b1e9f8c48e30fe729e5c6e1937874cf513a22c00ab3473b4ebfe429b784663831fe0c3

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
1.2MB

MD5
5584fbec114cc194a0159ca5f7c2f498

SHA1
5c32a3bc67c03a268d87aaf33f08776fc91cfae2

SHA256
2efc186909e260bfb82fac372c62cd4e26a367cdc176896433d69a7606ae9094

SHA512
fa9f6e4b1369816c3d996a7afe6d762b0be79540ebe6f0a7fded33b6a006a4b9ac125f4c731dc773374cdcd82bf9dedfa1325e9e9518b9171664a07e1887e9c3

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
1.2MB

MD5
fcbfa4ab69533f2af80713ec41796f2d

SHA1
41004a2ec06355dc877a0c98bd9653d6159ad2e4

SHA256
4a040c6336d82dfbf897787e7fb3afcce597f9c59218fd1dc5f51345d0a44c94

SHA512
9fdf8d69d67d065ae4198aca7db733775719af9d018c5eacae62dbc1e4839d1ce2b87e76b427384ffe5f105074171d4ec7bdeaeaf5c40b4bfabb1da3ee7a2901

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
1.2MB

MD5
85fef927e5f9369ddca581a57e1c9228

SHA1
32ff874c0d8f3775e6e1e06d645e0fbc5c205022

SHA256
32a71cb05b30ba855d959f78ef75627eb88e7c563babc1692a001d5873a9e3bb

SHA512
eccf3126ca173b6fefc9c42286e9c3b7d25520ed2ac7cac632841bba4c217c0cd0da881c32ae8f91be5d0a1745ba16f6a03a65f8352a2ea69d21bbbd5a8b1903

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
1.2MB

MD5
767e00ce943a52c049c3ff0e7753b8bc

SHA1
87c93f202ac6ff2648b096367fd0b8b8092e2356

SHA256
e3136a31ae8d3e5101cc1a7b8062381e68eaf836d8c45720ccbe7fcf99aeba4f

SHA512
6f8479754f9aa5327062780b3c83bdd61896beb6b1052de1de4d40636460d7e9c35662c5024d4005fb2dc79387c49c32a1911d617837ed2fd6250c09bdfb72c9

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
1.2MB

MD5
c733efff7ef9dd016b3aa6b90c65ca83

SHA1
6d83f25ea1ee06f44c6d839284cc5c7e394bfad0

SHA256
2eef121ab96cdab8eb2a8049c6337c8352a08c4df4c9db2321ca5f7cfb7c958d

SHA512
47a049337869fa1a6ada2bb04f87297b9c362d7fae2901e3e6ad6d757176245b44642ef1f09f55e1133e83ff2f0c3d6767dd99b20f364a50ff389cc86ad7b8d7

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
1.2MB

MD5
88d0c9204c0f6bd5a891f38a8fea57f2

SHA1
1f97b1290445736f860fddc0c35877f865592d46

SHA256
c3f182cdfa0100161d2962bb5b31e1bf22e4db47fcbec832f7d0e236fa761240

SHA512
97751d49573126117b094ce96c63f64eeb07e9ed54fccb761a1ca45d910da963fcba0c8edfa4811e5fbef7198efa5234470c341506bf59c2419131a796790278

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
1.2MB

MD5
fe64cd3e876057802c70e53bad17f45f

SHA1
62b9a67e91b0ddcade789e3b3dc5c75ee19dd435

SHA256
a3d82b27b2110ba3d1a10bb0e1344b509f911b884e35016d16c2f34c122d1ae0

SHA512
ea26970e01d9a6e59dc65ac518caa06525ba8bf0a956f9bf82765c4de51bb9b448ce2b0b6eb074848a02b4e33b660d2846f7ede64e542ad1e9379f7c828963bb

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
1.2MB

MD5
5f6b8aa9686af70d969ed2e711c2f5ab

SHA1
55c97e3501f350217cf13a68beffccf7aab1276f

SHA256
f9242ee40789fe3ac2054f97b08db0f019b812e59278342fe9339a79318dfae2

SHA512
28cdbd688ce774158f34539c885aceaeedd3c8476a6155fce97cc302468cd0cc32775f3ae39f39caf6a6be08c11c2b9c71fa42d8608d8abcc1afdeab647a641b

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
1.2MB

MD5
59ba55c77d46905786006f0f6aab4915

SHA1
3e13237ec06d092c7ca976d02a26e5652ac5a64d

SHA256
66bdf3320d87d2bb4eca82138b1cb2862c4e4f5c508923c395ceb41d9b7a4cc5

SHA512
cba78ecfd171c4bab0e7930df8d56422711c5ee59d991af2cced711f84c91f7cd5ce713f535be8cdd80181641a2155b71809ac3e30f62d1258614225c8b48469

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
1.2MB

MD5
ae8d9815273b2534f502a7c50a9d1bb0

SHA1
364bdc8afb744ae8d407d2e61ea8ffaef5457f96

SHA256
1e7c5651cb4504f975dc583f8f566b5a2e365e4d80b87142936d81fa3e524e97

SHA512
18f9981abe436ffebb5c3ccc72e9578c3c3e37f753cb9a7599bd54122ca357e1d28ff602dde03b4749b61dee69f20c0c3f564ec61ab52ac242efabeac92f13b7

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
1.2MB

MD5
99e54391628306077908ea6a2bdf0b92

SHA1
e902254c34677ab45efeffe2e126b58e5e7fafd4

SHA256
20e3605c18d2e1e288c40cd9d2c05466c0291256946168b9187b9200ca0f1f5c

SHA512
ace0018c14443d3ec6190c4acc0da042b745cfda4b8eb357f21d99cc49c5fcd023badcefa463c3c7a4eeb7e6786f33a5fcb8e24d1d6df3eb9028159f11f6bec5

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
1.2MB

MD5
7762967d30736f350685ff7e9865c118

SHA1
1be64299909199ab7eae08070882be55201411c9

SHA256
c3ed90b1a154f05c3e4d5cc778c76fb13c4590333e89e09ff52b5d5f2d90fa57

SHA512
0663627a1bd0e8f59e5a67e201c519a6adab4e29e9285adac2af56c02392d4d0d967960bce7f14b94f44e83ed81c8d09d87fec3e205e8c4052f029f8e0583861

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
1.2MB

MD5
1aca379516f7c2f948c1f29f1ddd5b56

SHA1
3fc798e735df854dca7d23160c01908bcce44642

SHA256
44810190f5ed14b6888cef5d467d8120c1f048ae6e767f4aa80acbc2caa166df

SHA512
c18ff3620aefd8a1543a74716dab272ff0eab04b158f3420b576d5698cccb0d00770b5067390d1682da840ba3fc9487951a560277760243c3f41e4f1e4e9f9a8

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
1.2MB

MD5
b3cfe95f70fde158b149a368db799344

SHA1
cdc1028ed8c632b069ffc4a13c4252b1a272b045

SHA256
53743f9c33a228769d23318ad85cf819ec41e9cef3e5307039817cb8c3e365ce

SHA512
2c1f7a89602f2736500ac9b1985e4c4d6190e7b5eb7388b3e9ae71926427ca7cb3334e4f2ec6f2a4853d2e7fd623aa17965457b4fad3324f312d702015d36da5

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
1.2MB

MD5
edc365d91d19717e52f0b62ac2603bc0

SHA1
c93e6a641f055ae0b9627a1062e120d6ebb77abb

SHA256
53761541984f7833bbc38f3f3aa68752fa353cd78765a7f2653e0aac8ecb534d

SHA512
6b09a5b0182bfd6501f5b258302d954cd61c16d1f761140821921caf76b6d012c1f2bf9998662b0560bf8e92682e006122cef36a10ff90cdae6a7b4630acedaa

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
1.2MB

MD5
b1f3976f2d92ed0c32fd2689197ef955

SHA1
a02e91247333b0953542a9a432d3c09edbf8026f

SHA256
6064b203e60180577830bd7522919b2be5ea89f3780be9d3684e9e17237f6d96

SHA512
2f598b10503baa1c301b5fb29d49665c12f2c713ce0b1c0052e2bc01075450c5656c0b1fc2ef23345e4e7392ad78dfdb1e025da5d6a6c9d5118b6846959ba2f4

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
1.2MB

MD5
35448c9f0cdb6941b9570408153ad8a8

SHA1
791e22dbf867f79997e6426d216ea7142bbe1450

SHA256
5da2a08586df5a16d5e347a35599edce8518a4fbb9c15ecfbe22945b6cc13224

SHA512
1772ef6caf4c87071bf1364a68bb00acd8c3a601eceab98367e49449d2b6ae1cb50f81fdb8465c9b4200309c5c6433646862d9fdc2ec0b20f1dee42ca348543c

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
1.2MB

MD5
0dc917a20a14ddbfd81415c3e8e58552

SHA1
16aaf6e5188093f90a971b02af54305b5a4e3dec

SHA256
010f050de33b1394f9ab8ac2c0b0e1744ad3c8c28b49cced9c4e646cd39a929d

SHA512
34243b76d788de05900bb084aae7ff1a868a60471586556c4c73a0c6bae33f1ca5667f79b3268ccd1d37a96130979e333933621246974c7734d2412f3e399f80

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
1.2MB

MD5
a80df0592eaa64a09f4af430ddfb897b

SHA1
c3ddb665df64a2a3d3074f4e3e7b74cc2389392c

SHA256
fe20f1500ecc478694a7f59c79961c7c4683901b1b67cfe6cbe1f48b27fb5793

SHA512
bcdf18d478d917c2b75c335027b6393ea81fb009a0bfa39de186948816a8fcecc5af87b4e40edb7dc7c23f36d2fc36107aa32f6cfc32a7cfadd78b3ee3cdc32e

Download Submit
memory/388-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/424-437-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/552-217-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/640-329-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/712-381-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/740-576-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/748-503-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/816-521-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/896-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/944-287-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/980-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/988-539-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1008-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1012-451-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1020-421-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1052-591-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1052-45-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1076-209-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1200-241-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1208-389-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1248-560-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1404-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1548-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1556-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1636-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1660-431-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1668-359-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1688-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1716-249-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1800-257-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1824-465-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1900-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-585-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2004-471-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2076-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2148-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2148-578-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2220-76-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2340-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2364-497-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2444-516-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-557-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2568-425-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2640-596-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2856-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2904-395-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2932-321-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3000-37-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3180-109-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3184-485-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3276-479-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3308-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3344-372-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3436-355-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3468-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3484-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3500-528-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3580-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3596-173-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3612-537-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3616-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3616-575-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3668-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3692-455-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3812-491-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3892-473-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3952-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3960-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4048-225-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4140-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4172-401-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4248-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4252-269-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4300-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4368-415-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4388-511-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4400-267-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4416-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4416-556-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4416-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4420-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4420-564-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4444-545-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4452-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4644-599-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4676-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4684-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4836-387-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4884-443-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-281-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4988-236-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5044-193-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5072-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5080-598-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5080-49-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5116-186-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads