Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/06/2024, 01:36

General

  • Target

    1d5ec5f97bae451127227db2b0135c40_NeikiAnalytics.exe

  • Size

    60KB

  • MD5

    1d5ec5f97bae451127227db2b0135c40

  • SHA1

    d11da20f0c12ef0b5dcf4e3fd6a4d10f51b68621

  • SHA256

    72b7a422fba23237804c9976245c3a021bad84ceacb28584d058b62891bff668

  • SHA512

    90b6fab633bfcc52be11f625dc492e28b5cebc3f581ea7c6832f6c687bedc4a195d0af5bc4e32f275d95ff4b79ae23fd5284ec9a0d2182b625e6be3b5540b43f

  • SSDEEP

    1536:DUDkXcrWkqaH/AdPnDlzY2myn+JBsiuSJB86l1rs:IIsJnYhq2m/9umB86l1rs

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d5ec5f97bae451127227db2b0135c40_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1d5ec5f97bae451127227db2b0135c40_NeikiAnalytics.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4156
    • C:\Windows\SysWOW64\Dpiplm32.exe
      C:\Windows\system32\Dpiplm32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5004
      • C:\Windows\SysWOW64\Ddifgk32.exe
        C:\Windows\system32\Ddifgk32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:5100
        • C:\Windows\SysWOW64\Dhgonidg.exe
          C:\Windows\system32\Dhgonidg.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:4412
          • C:\Windows\SysWOW64\Dkhgod32.exe
            C:\Windows\system32\Dkhgod32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4428
            • C:\Windows\SysWOW64\Enkmfolf.exe
              C:\Windows\system32\Enkmfolf.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:1752
              • C:\Windows\SysWOW64\Ekonpckp.exe
                C:\Windows\system32\Ekonpckp.exe
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2284
                • C:\Windows\SysWOW64\Ehbnigjj.exe
                  C:\Windows\system32\Ehbnigjj.exe
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:2140
                  • C:\Windows\SysWOW64\Eghkjdoa.exe
                    C:\Windows\system32\Eghkjdoa.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:3540
                    • C:\Windows\SysWOW64\Fndpmndl.exe
                      C:\Windows\system32\Fndpmndl.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2176
                      • C:\Windows\SysWOW64\Fbbicl32.exe
                        C:\Windows\system32\Fbbicl32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Suspicious use of WriteProcessMemory
                        PID:2304
                        • C:\Windows\SysWOW64\Fniihmpf.exe
                          C:\Windows\system32\Fniihmpf.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:4392
                          • C:\Windows\SysWOW64\Fbgbnkfm.exe
                            C:\Windows\system32\Fbgbnkfm.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:3860
                            • C:\Windows\SysWOW64\Gegkpf32.exe
                              C:\Windows\system32\Gegkpf32.exe
                              14⤵
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:4984
                              • C:\Windows\SysWOW64\Gejhef32.exe
                                C:\Windows\system32\Gejhef32.exe
                                15⤵
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:1628
                                • C:\Windows\SysWOW64\Gaqhjggp.exe
                                  C:\Windows\system32\Gaqhjggp.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • Suspicious use of WriteProcessMemory
                                  PID:3888
                                  • C:\Windows\SysWOW64\Gndick32.exe
                                    C:\Windows\system32\Gndick32.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:2532
                                    • C:\Windows\SysWOW64\Gaebef32.exe
                                      C:\Windows\system32\Gaebef32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:2864
                                      • C:\Windows\SysWOW64\Hlkfbocp.exe
                                        C:\Windows\system32\Hlkfbocp.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:4052
                                        • C:\Windows\SysWOW64\Hecjke32.exe
                                          C:\Windows\system32\Hecjke32.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:3052
                                          • C:\Windows\SysWOW64\Hbgkei32.exe
                                            C:\Windows\system32\Hbgkei32.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:4840
                                            • C:\Windows\SysWOW64\Hbihjifh.exe
                                              C:\Windows\system32\Hbihjifh.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:3844
                                              • C:\Windows\SysWOW64\Hldiinke.exe
                                                C:\Windows\system32\Hldiinke.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • Modifies registry class
                                                PID:2964
                                                • C:\Windows\SysWOW64\Ipbaol32.exe
                                                  C:\Windows\system32\Ipbaol32.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • Modifies registry class
                                                  PID:4372
                                                  • C:\Windows\SysWOW64\Ipdndloi.exe
                                                    C:\Windows\system32\Ipdndloi.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    PID:2280
                                                    • C:\Windows\SysWOW64\Ibegfglj.exe
                                                      C:\Windows\system32\Ibegfglj.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • Modifies registry class
                                                      PID:1780
                                                      • C:\Windows\SysWOW64\Iolhkh32.exe
                                                        C:\Windows\system32\Iolhkh32.exe
                                                        27⤵
                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • Modifies registry class
                                                        PID:3884
                                                        • C:\Windows\SysWOW64\Iondqhpl.exe
                                                          C:\Windows\system32\Iondqhpl.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          PID:8
                                                          • C:\Windows\SysWOW64\Joqafgni.exe
                                                            C:\Windows\system32\Joqafgni.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            • Modifies registry class
                                                            PID:3104
                                                            • C:\Windows\SysWOW64\Jemfhacc.exe
                                                              C:\Windows\system32\Jemfhacc.exe
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • Modifies registry class
                                                              PID:4832
                                                              • C:\Windows\SysWOW64\Jbagbebm.exe
                                                                C:\Windows\system32\Jbagbebm.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                PID:3896
                                                                • C:\Windows\SysWOW64\Kbhmbdle.exe
                                                                  C:\Windows\system32\Kbhmbdle.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • Modifies registry class
                                                                  PID:4888
                                                                  • C:\Windows\SysWOW64\Koonge32.exe
                                                                    C:\Windows\system32\Koonge32.exe
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    PID:5108
                                                                    • C:\Windows\SysWOW64\Kapfiqoj.exe
                                                                      C:\Windows\system32\Kapfiqoj.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • Modifies registry class
                                                                      PID:1792
                                                                      • C:\Windows\SysWOW64\Khlklj32.exe
                                                                        C:\Windows\system32\Khlklj32.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        PID:3632
                                                                        • C:\Windows\SysWOW64\Likhem32.exe
                                                                          C:\Windows\system32\Likhem32.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          PID:2084
                                                                          • C:\Windows\SysWOW64\Laiipofp.exe
                                                                            C:\Windows\system32\Laiipofp.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            PID:1812
                                                                            • C:\Windows\SysWOW64\Ljbnfleo.exe
                                                                              C:\Windows\system32\Ljbnfleo.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              PID:4924
                                                                              • C:\Windows\SysWOW64\Lhgkgijg.exe
                                                                                C:\Windows\system32\Lhgkgijg.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                PID:2120
                                                                                • C:\Windows\SysWOW64\Mapppn32.exe
                                                                                  C:\Windows\system32\Mapppn32.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  PID:4176
                                                                                  • C:\Windows\SysWOW64\Mhldbh32.exe
                                                                                    C:\Windows\system32\Mhldbh32.exe
                                                                                    41⤵
                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • Modifies registry class
                                                                                    PID:4944
                                                                                    • C:\Windows\SysWOW64\Mljmhflh.exe
                                                                                      C:\Windows\system32\Mljmhflh.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      PID:2876
                                                                                      • C:\Windows\SysWOW64\Nciopppp.exe
                                                                                        C:\Windows\system32\Nciopppp.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        PID:4032
                                                                                        • C:\Windows\SysWOW64\Noppeaed.exe
                                                                                          C:\Windows\system32\Noppeaed.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • Modifies registry class
                                                                                          PID:2136
                                                                                          • C:\Windows\SysWOW64\Nqaiecjd.exe
                                                                                            C:\Windows\system32\Nqaiecjd.exe
                                                                                            45⤵
                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                            • Executes dropped EXE
                                                                                            • Modifies registry class
                                                                                            PID:4108
                                                                                            • C:\Windows\SysWOW64\Nqfbpb32.exe
                                                                                              C:\Windows\system32\Nqfbpb32.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              • Modifies registry class
                                                                                              PID:4760
                                                                                              • C:\Windows\SysWOW64\Ojqcnhkl.exe
                                                                                                C:\Windows\system32\Ojqcnhkl.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                • Modifies registry class
                                                                                                PID:1248
                                                                                                • C:\Windows\SysWOW64\Ojcpdg32.exe
                                                                                                  C:\Windows\system32\Ojcpdg32.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  PID:1988
                                                                                                  • C:\Windows\SysWOW64\Obnehj32.exe
                                                                                                    C:\Windows\system32\Obnehj32.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    • Modifies registry class
                                                                                                    PID:4376
                                                                                                    • C:\Windows\SysWOW64\Oflmnh32.exe
                                                                                                      C:\Windows\system32\Oflmnh32.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      • Modifies registry class
                                                                                                      PID:2372
                                                                                                      • C:\Windows\SysWOW64\Pimfpc32.exe
                                                                                                        C:\Windows\system32\Pimfpc32.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        PID:4048
                                                                                                        • C:\Windows\SysWOW64\Ppikbm32.exe
                                                                                                          C:\Windows\system32\Ppikbm32.exe
                                                                                                          52⤵
                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                          • Executes dropped EXE
                                                                                                          • Modifies registry class
                                                                                                          PID:2976
                                                                                                          • C:\Windows\SysWOW64\Qpbnhl32.exe
                                                                                                            C:\Windows\system32\Qpbnhl32.exe
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            PID:1456
                                                                                                            • C:\Windows\SysWOW64\Ajjokd32.exe
                                                                                                              C:\Windows\system32\Ajjokd32.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              PID:1028
                                                                                                              • C:\Windows\SysWOW64\Aibibp32.exe
                                                                                                                C:\Windows\system32\Aibibp32.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                • Modifies registry class
                                                                                                                PID:3764
                                                                                                                • C:\Windows\SysWOW64\Aidehpea.exe
                                                                                                                  C:\Windows\system32\Aidehpea.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • Modifies registry class
                                                                                                                  PID:556
                                                                                                                  • C:\Windows\SysWOW64\Bmdkcnie.exe
                                                                                                                    C:\Windows\system32\Bmdkcnie.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    PID:2444
                                                                                                                    • C:\Windows\SysWOW64\Bbaclegm.exe
                                                                                                                      C:\Windows\system32\Bbaclegm.exe
                                                                                                                      58⤵
                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Modifies registry class
                                                                                                                      PID:2348
                                                                                                                      • C:\Windows\SysWOW64\Biklho32.exe
                                                                                                                        C:\Windows\system32\Biklho32.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • Modifies registry class
                                                                                                                        PID:1652
                                                                                                                        • C:\Windows\SysWOW64\Bbdpad32.exe
                                                                                                                          C:\Windows\system32\Bbdpad32.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:2164
                                                                                                                          • C:\Windows\SysWOW64\Binhnomg.exe
                                                                                                                            C:\Windows\system32\Binhnomg.exe
                                                                                                                            61⤵
                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Modifies registry class
                                                                                                                            PID:856
                                                                                                                            • C:\Windows\SysWOW64\Bagmdllg.exe
                                                                                                                              C:\Windows\system32\Bagmdllg.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              PID:1820
                                                                                                                              • C:\Windows\SysWOW64\Bbhildae.exe
                                                                                                                                C:\Windows\system32\Bbhildae.exe
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Modifies registry class
                                                                                                                                PID:936
                                                                                                                                • C:\Windows\SysWOW64\Cpljehpo.exe
                                                                                                                                  C:\Windows\system32\Cpljehpo.exe
                                                                                                                                  64⤵
                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:512
                                                                                                                                  • C:\Windows\SysWOW64\Cmbgdl32.exe
                                                                                                                                    C:\Windows\system32\Cmbgdl32.exe
                                                                                                                                    65⤵
                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:1304
                                                                                                                                    • C:\Windows\SysWOW64\Cgklmacf.exe
                                                                                                                                      C:\Windows\system32\Cgklmacf.exe
                                                                                                                                      66⤵
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      • Modifies registry class
                                                                                                                                      PID:1172
                                                                                                                                      • C:\Windows\SysWOW64\Cmedjl32.exe
                                                                                                                                        C:\Windows\system32\Cmedjl32.exe
                                                                                                                                        67⤵
                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        • Modifies registry class
                                                                                                                                        PID:4648
                                                                                                                                        • C:\Windows\SysWOW64\Cildom32.exe
                                                                                                                                          C:\Windows\system32\Cildom32.exe
                                                                                                                                          68⤵
                                                                                                                                          • Modifies registry class
                                                                                                                                          PID:4904
                                                                                                                                          • C:\Windows\SysWOW64\Dphiaffa.exe
                                                                                                                                            C:\Windows\system32\Dphiaffa.exe
                                                                                                                                            69⤵
                                                                                                                                              PID:5048
                                                                                                                                              • C:\Windows\SysWOW64\Diqnjl32.exe
                                                                                                                                                C:\Windows\system32\Diqnjl32.exe
                                                                                                                                                70⤵
                                                                                                                                                  PID:948
                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 400
                                                                                                                                                    71⤵
                                                                                                                                                    • Program crash
                                                                                                                                                    PID:5276
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 948 -ip 948
        1⤵
          PID:4568
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:724

          Network

                MITRE ATT&CK Enterprise v15

                Downloads


                  MD5

                  81d9da5df957750e2bfbc6ed3b9d8d0f

                  SHA1

                  ae6d8cf8264f2c8286f35141886499f2df015cd1

                  SHA256

                  9e0534f0440d734df26ae50429f2c7b1acbb0836816df4a7c0bec26c06da64ef

                  SHA512

                  13e43c7f1e82e24f7c388ce52c1552895f6596e420d2f65d3651c760560369a329c598f7bdae262ff0a869b151b9e7c03f5a46cc3ae1e4c9116b6a64f120fa9d

                • C:\Windows\SysWOW64\Iondqhpl.exe

                  Filesize

                  60KB

                  MD5

                  e3b72d23c48a4bb7efe45c6a5a4ea1f1

                  SHA1

                  04281996f8ecd6b999c2a4b303db31201e48efd1

                  SHA256

                  99f2e0579208f66b26dd06d84a7b21fbf5184751d2e24ac011671f6f3310ce2b

                  SHA512

                  39e9e2ac4a54ebb81f9e01dd7f863e1d8fef4d8cb8c980eb9e88010ca3efebae423c3aa3e95c361340433b9974fe1f9b77bf744d55af4180af5e10d537b6379b

                • C:\Windows\SysWOW64\Ipbaol32.exe

                  Filesize

                  60KB

                  MD5

                  5fd1bb529cd05120ff39f1afc32d4fb6

                  SHA1

                  edf7380b692375bd6c38482f2ff4e2102b4e0d82

                  SHA256

                  ff6644c8cf779cb44c1b29598f094d6c6f5681ac610c9a49b0626cbafe175ec2

                  SHA512

                  a7f4c019a8419aef2a54bf5ca5476e1dd9171070b8ac8ad71ea98e39ef89b6e6105b73740dc6a5e02b9092ea701612ea479529e2093a73356cbde00dbcd59540

                • C:\Windows\SysWOW64\Ipdndloi.exe

                  Filesize

                  60KB

                  MD5

                  1a46bae6dc9badb4e9d4087cebf1a641

                  SHA1

                  9a4ebe1031b8b31b8186de01264b33b75c95c750

                  SHA256

                  a34ccbcc3d7b49a61e2e4414e26299a4aa1be90d44c4d9635697827aa64b9e22

                  SHA512

                  8ad66b84f2797ebc8bb5b1f8f24edd0aedae41dde814cb61068a66d983c4c2066b3f9dcfccc368ab7f028b6ee3fa62df544dff31a672cc57b342a08f6b2c6b20

                • C:\Windows\SysWOW64\Jbagbebm.exe

                  Filesize

                  60KB

                  MD5

                  18c6c7f9009465a6f709ba8d0e77ff20

                  SHA1

                  144fd65ae21ff55ec476bf55c0cef7c18aed8e5d

                  SHA256

                  89e3adb895a9bcfc8c640c43a5e1f25069be4b076ab934ad6af2372f57de1b03

                  SHA512

                  512a5a287392d03beee40ad80554383ac389fcc77942b940e746c6dbbdd838ebf3a145895da20428eea99e3c30f254ee9a6c5dbd165350a97ad0bbdd9809a276

                • C:\Windows\SysWOW64\Jemfhacc.exe

                  Filesize

                  60KB

                  MD5

                  bc52e70d0757f48dbe14d34b3bfc0a32

                  SHA1

                  5803e3a316fa0c6f92a63d82228d398ffb2c6735

                  SHA256

                  af49bb7b326fb389f65bebf2756daeb35866bed06204c4ca5543a664ad27de62

                  SHA512

                  31b65e93d11a90c046d6fcbfbfe4e5681b45cf82ac0e5b23059825ce8ebf1faf6c83152b4abea96f89436a6616bfc2fcd5358d9bb59bb7645881892a348f4fad

                • C:\Windows\SysWOW64\Joqafgni.exe

                  Filesize

                  60KB

                  MD5

                  94a5b0616e182e8ca94173751aaf3799

                  SHA1

                  38efa949a78cfd11eee8ab582ac039a64d69eb0b

                  SHA256

                  3000467dca8770a552db6ddcd8439b4feec4e67e45f42d80c09e0a1a5297822d

                  SHA512

                  7bf05bc9277754d81023fe8de8e97e09a7426a7d032a9f5a47291957c3aaafa7906bcca5b98b97704c1a1795023353ec09621cd6c330a72d406cf3e05cf04265

                • C:\Windows\SysWOW64\Kbhmbdle.exe

                  Filesize

                  60KB

                  MD5

                  0dfaa2f1b75802d9f44a26d2a31e4aac

                  SHA1

                  55f240a4f01355d9f686b2de6d0b694b3b134e3f

                  SHA256

                  2edb35fb68c21cded0884552d592d1d073096100ee620911c3dccfdc99a093ed

                  SHA512

                  b5263f1a0532238543d65685687a96b29ddba11506b406c78b1aec6c6fae3eea8900de9033edfa3dc61505b30de002bce022f1ec7315d06de6adfd61f23b43e0

                • C:\Windows\SysWOW64\Koonge32.exe

                  Filesize

                  60KB

                  MD5

                  cf95bd159a984158a613a4fa52205d34

                  SHA1

                  f11272fe74f8e967b7dd2dbd1e89bbf076dff34a

                  SHA256

                  255fcdc1bf9465a2bb6a2f01f3135ee6671554ec9b2e571c7e2fd4165bebe7d5

                  SHA512

                  e7ba4cedd8631599f067b1ebdee0a7af50182e9090d4766e4692acb79ee8195aef21db56266407ed01e2518599579a25e64abbc5227afd8b9a69ad01f3571003

                • C:\Windows\SysWOW64\Laiipofp.exe

                  Filesize

                  60KB

                  MD5

                  89bb0b1c194defa1a22c9f73f86fc4fc

                  SHA1

                  31648bab704c9999e4986720a0caa9f903e6a408

                  SHA256

                  394849ed31c49041cb5833339554ccbc99db24b5f41e6b21545cc095fa93f70d

                  SHA512

                  bbfbe838fc308ee4ce61f262d2cb6deafe9bf48d4eb9f6a1736e9310c890d233403eae1b6ec44f59e177e93fb52bebe58a8c1bfc08c8016e6afbf53323cc52ed

                • C:\Windows\SysWOW64\Mljmhflh.exe

                  Filesize

                  60KB

                  MD5

                  39e9592a0fc2d99aea2ae4910c0bd1c9

                  SHA1

                  650cf0aac4f799e1a9e2a257eb80e579c1061483

                  SHA256

                  1e423b1480bced79b670b6ef28b2b06a5c6d61e3d563657ca246343ae71dd5b4

                  SHA512

                  15e8ba161e382cf7d3ca0f9b21d936092cd0d8cf4db8b36968d830bdc26d04b48bdb5ee6c70bbefe95480ed69ef26f2e1d1a0eeff97d8693d17b482b776fc14a

                • C:\Windows\SysWOW64\Nqfbpb32.exe

                  Filesize

                  60KB

                  MD5

                  f19aa45f03fb38d416a8eb45a7f549d5

                  SHA1

                  51784602ef3194434ebad0d57f9af96ae59990af

                  SHA256

                  c3ded69c74c9fe6f99ceccd461080bc4a4b1872ff50e173d4aa2f772436e5165

                  SHA512

                  77e70b93160f50cacda67ce74ddf6a34647d537613b86a86e4b4914d8b15b6a0d53900ceacf68b0dca2a64f0eb1989b03173b792806d4f11a49771f1b1115d5b

                • C:\Windows\SysWOW64\Ojcpdg32.exe

                  Filesize

                  60KB

                  MD5

                  85c67b31c2d079dba4e48553398a9a5e

                  SHA1

                  0464bb920641a4ed17a80da1ad1c8bcec223da79

                  SHA256

                  92af83da200d70b8e70e2b4d88161f9c5ffeb5b8f2eaa38ee6291652bc36e207

                  SHA512

                  e3061cdef4e486b641a08a4942a508aa1900c40dfc52d9c5818f677f4a684be55508cb1f1686457908b539859c26e04c5d66172cf11f19d8a1a2966551d54b3c

                • memory/8-311-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/8-234-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/8-668-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/556-612-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/856-602-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/1028-422-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/1248-375-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/1456-416-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/1628-117-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/1628-206-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/1752-126-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/1752-41-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/1780-216-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/1780-297-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/1792-284-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/1792-353-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/1812-305-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/1812-374-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/1988-381-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2084-298-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2084-367-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2120-319-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2120-387-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2136-354-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2140-143-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2140-58-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2176-73-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2176-162-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2280-207-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2280-290-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2280-674-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2284-53-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2284-135-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2304-169-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2304-81-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2372-395-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2532-136-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2532-225-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2864-145-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2864-233-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2876-340-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2876-640-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2876-408-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2964-188-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2964-277-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/2976-409-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3052-251-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3104-243-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3104-318-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3540-65-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3540-153-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3632-360-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3632-291-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3764-429-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3844-179-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3844-680-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3844-268-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3860-99-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3860-187-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3884-304-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3884-226-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3888-215-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3888-127-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3896-662-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3896-332-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/3896-259-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4032-415-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4032-347-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4048-402-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4052-154-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4108-361-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4108-428-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4156-1-0x0000000000434000-0x0000000000435000-memory.dmp

                  Filesize

                  4KB

                • memory/4156-0-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4156-56-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4176-326-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4176-394-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4372-199-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4376-388-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4392-178-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4392-90-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4412-25-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4412-107-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4428-33-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4428-116-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4760-435-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4760-368-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4832-325-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4840-170-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4840-258-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4888-339-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4888-269-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4924-312-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4944-333-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4944-401-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4984-108-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/4984-198-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/5004-89-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/5004-8-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/5100-17-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/5100-98-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/5108-346-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB

                • memory/5108-278-0x0000000000400000-0x0000000000436000-memory.dmp

                  Filesize

                  216KB