3a1eefa727a0a0510a16807f7a90102f4719da04d22e4cf4d971d7e1dc0c9db8

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3acc3e467575550a4beecddc0844f90_NeikiAnalytics.exe
Size

64KB
MD5

e3acc3e467575550a4beecddc0844f90
SHA1

f45b9895297af9b55c9aad098bae872174b425c8
SHA256

3a1eefa727a0a0510a16807f7a90102f4719da04d22e4cf4d971d7e1dc0c9db8
SHA512

888d54499cf186ae4d38a64d56d9122c8e2ffa6e941ecdb2f1769f151a18060a95d5a631376030e37d8fe6b6c4923ba1a46a8fd4923c6a5a2a40601b1dc8f719
SSDEEP

1536:pVBAaWbWj8Z/qA3dQkSt7dDirjo2LloAMCeW:p7fUWj8dFRcw/5lopW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqlfhjig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdnhih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaebef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpffeaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kngkqbgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nncccnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqiibjlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eghkjdoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofdhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebijnak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megljppl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddnfmqng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eicedn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpbpbecj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nncccnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlgepanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpqjjjjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgjhpcmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loacdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgeakekd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omjpeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flpmagqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofkbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhfaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fohfbpgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipgkjlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e3acc3e467575550a4beecddc0844f90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omjpeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibcaknbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlolpq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keifdpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iedjmioj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iibccgep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohidbkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqikob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nclikl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojigdcll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhndpol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glipgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjlalkmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiigadc.exe

Executes dropped EXE 64 IoCs

pid	Process
3168	Mepfiq32.exe
2040	Mkmkkjko.exe
1900	Meepdp32.exe
3548	Megljppl.exe
764	Nclikl32.exe
2472	Nlfnaicd.exe
4708	Nnfgcd32.exe
2036	Nmlddqem.exe
820	Nlmdbh32.exe
4600	Ohcegi32.exe
2272	Olanmgig.exe
2012	Ohhnbhok.exe
3552	Ojigdcll.exe
4908	Omjpeo32.exe
4444	Pecellgl.exe
4784	Pajeam32.exe
2312	Pehngkcg.exe
3196	Bebjdgmj.exe
3104	Cdlqqcnl.exe
2304	Chiigadc.exe
4284	Chlflabp.exe
2316	Cfpffeaj.exe
4016	Cbfgkffn.exe
4596	Dokgdkeh.exe
4780	Dbkqfe32.exe
4412	Dbnmke32.exe
4680	Ddnfmqng.exe
4668	Dbbffdlq.exe
4380	Efpomccg.exe
2188	Ebgpad32.exe
1112	Eicedn32.exe
512	Emanjldl.exe
60	Fpbflg32.exe
5048	Fbbpmb32.exe
628	Fpgpgfmh.exe
1972	Fmkqpkla.exe
1816	Flpmagqi.exe
316	Gfhndpol.exe
1908	Gldglf32.exe
1000	Gpbpbecj.exe
3436	Glipgf32.exe
4748	Geaepk32.exe
2488	Hmkigh32.exe
2956	Hibjli32.exe
1236	Hplbickp.exe
224	Hifcgion.exe
4388	Hiipmhmk.exe
1004	Iikmbh32.exe
4720	Ibcaknbi.exe
4372	Iedjmioj.exe
3852	Iibccgep.exe
432	Ilcldb32.exe
1008	Jocefm32.exe
5056	Jlgepanl.exe
3880	Jngbjd32.exe
2244	Jinboekc.exe
4636	Jlolpq32.exe
1348	Klcekpdo.exe
372	Kjgeedch.exe
8	Kofkbk32.exe
1956	Kngkqbgl.exe
3132	Ljnlecmp.exe
3356	Lnldla32.exe
4440	Lnoaaaad.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ajjokd32.exe	Apeknk32.exe
File created	C:\Windows\SysWOW64\Qgdcdg32.dll	Ajjokd32.exe
File opened for modification	C:\Windows\SysWOW64\Dhbebj32.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Ofjqihnn.exe	Oophlo32.exe
File opened for modification	C:\Windows\SysWOW64\Nlmdbh32.exe	Nmlddqem.exe
File opened for modification	C:\Windows\SysWOW64\Fpbflg32.exe	Emanjldl.exe
File created	C:\Windows\SysWOW64\Olieecnn.dll	Jngbjd32.exe
File created	C:\Windows\SysWOW64\Lnldla32.exe	Ljnlecmp.exe
File created	C:\Windows\SysWOW64\Eapjpi32.dll	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Mgnddp32.dll	Cammjakm.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Cdmfllhn.exe
File opened for modification	C:\Windows\SysWOW64\Mqjbddpl.exe	Mohidbkl.exe
File created	C:\Windows\SysWOW64\Paihlpfi.exe	Pjoppf32.exe
File opened for modification	C:\Windows\SysWOW64\Aaenbd32.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Mlbmonhi.dll	Fdnhih32.exe
File created	C:\Windows\SysWOW64\Mbddol32.dll	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Chdialdl.exe
File opened for modification	C:\Windows\SysWOW64\Hiacacpg.exe	Hioflcbj.exe
File opened for modification	C:\Windows\SysWOW64\Ipgkjlmg.exe	Hehdfdek.exe
File created	C:\Windows\SysWOW64\Jocnlg32.exe	Jekjcaef.exe
File opened for modification	C:\Windows\SysWOW64\Hplbickp.exe	Hibjli32.exe
File created	C:\Windows\SysWOW64\Hiipmhmk.exe	Hifcgion.exe
File created	C:\Windows\SysWOW64\Lmjhab32.dll	Jinboekc.exe
File opened for modification	C:\Windows\SysWOW64\Ngqagcag.exe	Ncchae32.exe
File created	C:\Windows\SysWOW64\Ajjokd32.exe	Apeknk32.exe
File opened for modification	C:\Windows\SysWOW64\Pecellgl.exe	Omjpeo32.exe
File created	C:\Windows\SysWOW64\Cjgjmg32.dll	Hibjli32.exe
File created	C:\Windows\SysWOW64\Mhelik32.dll	Jlolpq32.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Cdmfllhn.exe
File opened for modification	C:\Windows\SysWOW64\Hioflcbj.exe	Gaebef32.exe
File opened for modification	C:\Windows\SysWOW64\Keifdpif.exe	Klpakj32.exe
File created	C:\Windows\SysWOW64\Kqkplq32.dll	Oqoefand.exe
File created	C:\Windows\SysWOW64\Gpkpbaea.dll	Mnegbp32.exe
File opened for modification	C:\Windows\SysWOW64\Pjoppf32.exe	Pfagighf.exe
File created	C:\Windows\SysWOW64\Nclikl32.exe	Megljppl.exe
File opened for modification	C:\Windows\SysWOW64\Lnoaaaad.exe	Lnldla32.exe
File opened for modification	C:\Windows\SysWOW64\Lebijnak.exe	Kofdhd32.exe
File created	C:\Windows\SysWOW64\Lodabb32.dll	Omopjcjp.exe
File created	C:\Windows\SysWOW64\Hohahelb.dll	Hplbickp.exe
File created	C:\Windows\SysWOW64\Jkmjlphl.dll	Aaenbd32.exe
File opened for modification	C:\Windows\SysWOW64\Gkalbj32.exe	Gqkhda32.exe
File opened for modification	C:\Windows\SysWOW64\Jlolpq32.exe	Jinboekc.exe
File created	C:\Windows\SysWOW64\Ngqagcag.exe	Ncchae32.exe
File created	C:\Windows\SysWOW64\Lbandhne.dll	Qjfmkk32.exe
File opened for modification	C:\Windows\SysWOW64\Nncccnol.exe	Nopfpgip.exe
File opened for modification	C:\Windows\SysWOW64\Dgcihgaj.exe	Chnlgjlb.exe
File opened for modification	C:\Windows\SysWOW64\Gacepg32.exe	Gpaihooo.exe
File created	C:\Windows\SysWOW64\Idknpoad.dll	Hehdfdek.exe
File created	C:\Windows\SysWOW64\Nlfnaicd.exe	Nclikl32.exe
File opened for modification	C:\Windows\SysWOW64\Nlfnaicd.exe	Nclikl32.exe
File opened for modification	C:\Windows\SysWOW64\Fmkqpkla.exe	Fpgpgfmh.exe
File opened for modification	C:\Windows\SysWOW64\Gpbpbecj.exe	Gldglf32.exe
File opened for modification	C:\Windows\SysWOW64\Loacdc32.exe	Ljdkll32.exe
File created	C:\Windows\SysWOW64\Padnaq32.exe	Pjjfdfbb.exe
File opened for modification	C:\Windows\SysWOW64\Klndfj32.exe	Jpegkj32.exe
File created	C:\Windows\SysWOW64\Glipgf32.exe	Gpbpbecj.exe
File created	C:\Windows\SysWOW64\Klcekpdo.exe	Jlolpq32.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Chnlgjlb.exe
File opened for modification	C:\Windows\SysWOW64\Hehdfdek.exe	Hiacacpg.exe
File created	C:\Windows\SysWOW64\Jlolpq32.exe	Jinboekc.exe
File created	C:\Windows\SysWOW64\Oplfkeob.exe	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Agdcpkll.exe	Aaenbd32.exe
File created	C:\Windows\SysWOW64\Gimngjie.dll	Eqlfhjig.exe
File created	C:\Windows\SysWOW64\Kjeqge32.dll	Megljppl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6412	6552	WerFault.exe	269

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnnlj32.dll"	Chlflabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopjdidn.dll"	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmjlphl.dll"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmljnd.dll"	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpegkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkmkkjko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljgf32.dll"	Cbfgkffn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aablof32.dll"	Klcekpdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blqhpg32.dll"	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofobm32.dll"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknajfhe.dll"	Fbbpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdllgpbm.dll"	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jocnlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeqge32.dll"	Megljppl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hplbickp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnfgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpdhj32.dll"	Glipgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeape32.dll"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqiibjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbkqfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempqa32.dll"	Ncchae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpaihooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chlflabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpmdqpl.dll"	Dhdbhifj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdggc32.dll"	Hioflcbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idknpoad.dll"	Hehdfdek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keifdpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khihgadg.dll"	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddnfmqng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Geaepk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbdlf32.dll"	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljdkll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lodabb32.dll"	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e3acc3e467575550a4beecddc0844f90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hifcgion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmimp32.dll"	Lnoaaaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqpnq32.dll"	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doogdl32.dll"	Nclikl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olieecnn.dll"	Jngbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phgibp32.dll"	Ocdnln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhejb32.dll"	Gpbpbecj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkakfla.dll"	Kngkqbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqlfhjig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfnhm32.dll"	Nnfgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffaen32.dll"	Padnaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegiklal.dll"	Mepfiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdlqqcnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efpomccg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilcldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbmonhi.dll"	Fdnhih32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 3168	4140	e3acc3e467575550a4beecddc0844f90_NeikiAnalytics.exe	90
PID 4140 wrote to memory of 3168	4140	e3acc3e467575550a4beecddc0844f90_NeikiAnalytics.exe	90
PID 4140 wrote to memory of 3168	4140	e3acc3e467575550a4beecddc0844f90_NeikiAnalytics.exe	90
PID 3168 wrote to memory of 2040	3168	Mepfiq32.exe	91
PID 3168 wrote to memory of 2040	3168	Mepfiq32.exe	91
PID 3168 wrote to memory of 2040	3168	Mepfiq32.exe	91
PID 2040 wrote to memory of 1900	2040	Mkmkkjko.exe	92
PID 2040 wrote to memory of 1900	2040	Mkmkkjko.exe	92
PID 2040 wrote to memory of 1900	2040	Mkmkkjko.exe	92
PID 1900 wrote to memory of 3548	1900	Meepdp32.exe	93
PID 1900 wrote to memory of 3548	1900	Meepdp32.exe	93
PID 1900 wrote to memory of 3548	1900	Meepdp32.exe	93
PID 3548 wrote to memory of 764	3548	Megljppl.exe	94
PID 3548 wrote to memory of 764	3548	Megljppl.exe	94
PID 3548 wrote to memory of 764	3548	Megljppl.exe	94
PID 764 wrote to memory of 2472	764	Nclikl32.exe	95
PID 764 wrote to memory of 2472	764	Nclikl32.exe	95
PID 764 wrote to memory of 2472	764	Nclikl32.exe	95
PID 2472 wrote to memory of 4708	2472	Nlfnaicd.exe	96
PID 2472 wrote to memory of 4708	2472	Nlfnaicd.exe	96
PID 2472 wrote to memory of 4708	2472	Nlfnaicd.exe	96
PID 4708 wrote to memory of 2036	4708	Nnfgcd32.exe	97
PID 4708 wrote to memory of 2036	4708	Nnfgcd32.exe	97
PID 4708 wrote to memory of 2036	4708	Nnfgcd32.exe	97
PID 2036 wrote to memory of 820	2036	Nmlddqem.exe	98
PID 2036 wrote to memory of 820	2036	Nmlddqem.exe	98
PID 2036 wrote to memory of 820	2036	Nmlddqem.exe	98
PID 820 wrote to memory of 4600	820	Nlmdbh32.exe	99
PID 820 wrote to memory of 4600	820	Nlmdbh32.exe	99
PID 820 wrote to memory of 4600	820	Nlmdbh32.exe	99
PID 4600 wrote to memory of 2272	4600	Ohcegi32.exe	100
PID 4600 wrote to memory of 2272	4600	Ohcegi32.exe	100
PID 4600 wrote to memory of 2272	4600	Ohcegi32.exe	100
PID 2272 wrote to memory of 2012	2272	Olanmgig.exe	101
PID 2272 wrote to memory of 2012	2272	Olanmgig.exe	101
PID 2272 wrote to memory of 2012	2272	Olanmgig.exe	101
PID 2012 wrote to memory of 3552	2012	Ohhnbhok.exe	102
PID 2012 wrote to memory of 3552	2012	Ohhnbhok.exe	102
PID 2012 wrote to memory of 3552	2012	Ohhnbhok.exe	102
PID 3552 wrote to memory of 4908	3552	Ojigdcll.exe	103
PID 3552 wrote to memory of 4908	3552	Ojigdcll.exe	103
PID 3552 wrote to memory of 4908	3552	Ojigdcll.exe	103
PID 4908 wrote to memory of 4444	4908	Omjpeo32.exe	104
PID 4908 wrote to memory of 4444	4908	Omjpeo32.exe	104
PID 4908 wrote to memory of 4444	4908	Omjpeo32.exe	104
PID 4444 wrote to memory of 4784	4444	Pecellgl.exe	105
PID 4444 wrote to memory of 4784	4444	Pecellgl.exe	105
PID 4444 wrote to memory of 4784	4444	Pecellgl.exe	105
PID 4784 wrote to memory of 2312	4784	Pajeam32.exe	106
PID 4784 wrote to memory of 2312	4784	Pajeam32.exe	106
PID 4784 wrote to memory of 2312	4784	Pajeam32.exe	106
PID 2312 wrote to memory of 3196	2312	Pehngkcg.exe	107
PID 2312 wrote to memory of 3196	2312	Pehngkcg.exe	107
PID 2312 wrote to memory of 3196	2312	Pehngkcg.exe	107
PID 3196 wrote to memory of 3104	3196	Bebjdgmj.exe	108
PID 3196 wrote to memory of 3104	3196	Bebjdgmj.exe	108
PID 3196 wrote to memory of 3104	3196	Bebjdgmj.exe	108
PID 3104 wrote to memory of 2304	3104	Cdlqqcnl.exe	109
PID 3104 wrote to memory of 2304	3104	Cdlqqcnl.exe	109
PID 3104 wrote to memory of 2304	3104	Cdlqqcnl.exe	109
PID 2304 wrote to memory of 4284	2304	Chiigadc.exe	110
PID 2304 wrote to memory of 4284	2304	Chiigadc.exe	110
PID 2304 wrote to memory of 4284	2304	Chiigadc.exe	110
PID 4284 wrote to memory of 2316	4284	Chlflabp.exe	111

C:\Users\Admin\AppData\Local\Temp\e3acc3e467575550a4beecddc0844f90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e3acc3e467575550a4beecddc0844f90_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\SysWOW64\Mepfiq32.exe
  C:\Windows\system32\Mepfiq32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\SysWOW64\Mkmkkjko.exe
    C:\Windows\system32\Mkmkkjko.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\Meepdp32.exe
      C:\Windows\system32\Meepdp32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Windows\SysWOW64\Megljppl.exe
        
        C:\Windows\system32\Megljppl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
      - C:\Windows\SysWOW64\Nclikl32.exe
        
        C:\Windows\system32\Nclikl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Nlfnaicd.exe
        
        C:\Windows\system32\Nlfnaicd.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Nnfgcd32.exe
        
        C:\Windows\system32\Nnfgcd32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Nmlddqem.exe
        
        C:\Windows\system32\Nmlddqem.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Nlmdbh32.exe
        
        C:\Windows\system32\Nlmdbh32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Ohcegi32.exe
        
        C:\Windows\system32\Ohcegi32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Olanmgig.exe
        
        C:\Windows\system32\Olanmgig.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Ohhnbhok.exe
        
        C:\Windows\system32\Ohhnbhok.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Ojigdcll.exe
        
        C:\Windows\system32\Ojigdcll.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Omjpeo32.exe
        
        C:\Windows\system32\Omjpeo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Pecellgl.exe
        
        C:\Windows\system32\Pecellgl.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Pajeam32.exe
        
        C:\Windows\system32\Pajeam32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Pehngkcg.exe
        
        C:\Windows\system32\Pehngkcg.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Bebjdgmj.exe
        
        C:\Windows\system32\Bebjdgmj.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Cdlqqcnl.exe
        
        C:\Windows\system32\Cdlqqcnl.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Chiigadc.exe
        
        C:\Windows\system32\Chiigadc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Chlflabp.exe
        
        C:\Windows\system32\Chlflabp.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        25⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Dbkqfe32.exe
        
        C:\Windows\system32\Dbkqfe32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        27⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        29⤵
        Executes dropped EXE
        
        PID:4668
        
        C:\Windows\SysWOW64\Efpomccg.exe
        
        C:\Windows\system32\Efpomccg.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Ebgpad32.exe
        
        C:\Windows\system32\Ebgpad32.exe
        31⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Eicedn32.exe
        
        C:\Windows\system32\Eicedn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        34⤵
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        37⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:316
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        44⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        48⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Iikmbh32.exe
        
        C:\Windows\system32\Iikmbh32.exe
        49⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Iibccgep.exe
        
        C:\Windows\system32\Iibccgep.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        54⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        60⤵
        Executes dropped EXE
        
        PID:372
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        66⤵
        
        PID:732
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        68⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        69⤵
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        70⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        71⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        72⤵
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1096
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        74⤵
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4592
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3288
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        80⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        81⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1600
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        84⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        89⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        91⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        92⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        93⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        98⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        101⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        102⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        103⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        104⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        105⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        106⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        109⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Fgjhpcmo.exe
        
        C:\Windows\system32\Fgjhpcmo.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Fdnhih32.exe
        
        C:\Windows\system32\Fdnhih32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        113⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        115⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        116⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        118⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        121⤵
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        124⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        125⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        126⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        127⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        128⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        129⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        131⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        134⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        137⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        141⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6156
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        144⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        145⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        147⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        148⤵
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        149⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        151⤵
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        152⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        153⤵
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6772
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        155⤵
        Modifies registry class
        
        PID:6820
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        156⤵
        Drops file in System32 directory
        
        PID:6908
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7004
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        159⤵
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        160⤵
        Drops file in System32 directory
        
        PID:7104
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        161⤵
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6176
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6260
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        165⤵
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        168⤵
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6784
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        170⤵
        Modifies registry class
        
        PID:6880
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        171⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7032
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7120
        
        C:\Windows\SysWOW64\Gkalbj32.exe
        
        C:\Windows\system32\Gkalbj32.exe
        174⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        175⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        176⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 224
        177⤵
        Program crash
        
        PID:6412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6552 -ip 6552
1⤵
PID:6800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bebjdgmj.exe

Filesize
64KB

MD5
c4bc296dccc43ae51e9d449af5c5a3ef

SHA1
f931b3427c3f0a61f5b6f61acdf455799f5e02e4

SHA256
915381c1127a4ea4249f1846c6934e8fd176eb9d4bef50364364470fe0948e5b

SHA512
487647875ea1e642ea9174eeafe41b70a33062b7021a54582c5d35467b08ef080ccd63bceb082f4bc2a066b457f770b1e76d93e83b5fd9d90dfa377a38937036

Download Submit
C:\Windows\SysWOW64\Bmidnm32.exe

Filesize
64KB

MD5
348c4630d7b4669aacf6d8b8ff549ba6

SHA1
f245418626ff43f5989b016fb7a0403499624a7f

SHA256
cac69d9f79da09c3b6b29f7633d0af43ebbf658ad235abdda8e12fc10091b917

SHA512
0f8c4bd2201dfc3070cda4dbf37a165277a256e039bfa668cd743631ac9f1bdf5c4ccbbb35b42bea74ffad6ef6898da014434dc10a76dd60b09f2c533ef35bfc

Download Submit
C:\Windows\SysWOW64\Cbfgkffn.exe

Filesize
64KB

MD5
dd8fad4e563258f8b5f19b0178a61a0e

SHA1
e69ded481f4957b9fbb693ce32024dbca1bf206f

SHA256
73c3568a6aa12cd386d2e437c087a926a6487081599cec181c4958ccdcf2cfa7

SHA512
cc72053aceeed9db8104ab865caba3a97713d8aa2486865b92c323deb97eff9dd6e8953f8ebb47770ec4b8f54b81c084686ae080a8864e87296e8e70726e6c0e

Download Submit
C:\Windows\SysWOW64\Cdlqqcnl.exe

Filesize
64KB

MD5
a25e9ddd4d92d006cba1427afa400c43

SHA1
ebe59fcd90bcfec5af9d208b0f4a342a6e68a017

SHA256
fbed8b2250036be8bbaed45be528b6eb98ce4ec817045f6e780eab050aa6e335

SHA512
328443dcc206b0c862043e4cafece8850d40e865147cb42f54dfebec753b6d45a86ec7affb71edb2c133ceeda004bbbb57a3bf1106a39bf742f4372cc604381a

Download Submit
C:\Windows\SysWOW64\Cfpffeaj.exe

Filesize
64KB

MD5
cc6693db1b8d4c590d280880e8ec2dee

SHA1
e7170cf1ff12ad9a70541c2c79c0b2156508e3d4

SHA256
cbf9777e92525cb7fe1c8b7bd2b9153b9f3ad9e821bd0a04806cf3408e1af6bc

SHA512
fe8fd480b3e99e5b2a0876340fc26e230bc4ddaea2bbd3e24c3d232a8593de8ff1a4959d5b52d3d501a09bf7d7463f75c66b55f343bc1a3a44abad199cfbe2d5

Download Submit
C:\Windows\SysWOW64\Chiigadc.exe

Filesize
64KB

MD5
2c3d1327244d386a43749489c638ee1c

SHA1
38c4962620cc8c4f8d029a66a699a8ce31a83ee8

SHA256
e643f9169862d1232301aeb28717194bb69b9191cc37e5ac5732c09ebad98f9f

SHA512
c1cee865bed345f5ef4bbe4156609d9d7f62e2ee54b15e44f83b06a91f47a82277cac5ca8a1479e59333ff0d90760eeb1e1087c56efd0cfa78bbd90190dc3256

Download Submit
C:\Windows\SysWOW64\Chlflabp.exe

Filesize
64KB

MD5
07129b6c6c4626d410bb149556841fe8

SHA1
863283e71cf7b4552b14d9e2f77c1c564df98576

SHA256
845f90dd3703adc2fd02f65d7ab50affce91fc59da38a7ff4a278abdbf9751d3

SHA512
2824b43806f8737d985ff60628b08b95273cb3781f5c8151089a398a1d103891aed109da9ee96afd2037648d8df34c90c538498a14064cb7be19f9d9a1ba1faf

Download Submit
C:\Windows\SysWOW64\Dbbffdlq.exe

Filesize
64KB

MD5
907708e3f87fbbfea1533bd7100b91e0

SHA1
b8f6a9d941e4e23ef339bb73f13c101e13830317

SHA256
8dfcff0a2674bfc40991c906f368c8ceb6168d1c9b0722dbdda822fb16a015c7

SHA512
addb2ac94135e0be6eba17bffe95c5d339cda95f72bda2ffee49a846703c493e8e2f408933983a45fac54d2eac9b19be9c28c7fad135cdf7a83e8157cddeb2e4

Download Submit
C:\Windows\SysWOW64\Dbkqfe32.exe

Filesize
64KB

MD5
4449f503885b30f66ce9c61202c71cab

SHA1
6799916a27b257249654028fa14d97dc0c8afa46

SHA256
92c07c7dccf491512a7ce5d5d7e4f51e25b5905f0fd6ad934a619f14b3c70daf

SHA512
d43edefa8ba4518517a73c8c6f90de74bf615d4bac4fb473f355f4ecb60fcade9c30f85b15a051b79f5d67e328a0476f18d39e59888f8418315f792b0d6b5644

Download Submit
C:\Windows\SysWOW64\Dbnmke32.exe

Filesize
64KB

MD5
f899704f12e032e11303fb074bfecd32

SHA1
088a0c2275004b2f6ae50cdecbd52c8a0e92615d

SHA256
32157e21dc0aba19824bcd7561cf8d41d8d241eb2518fbc32008e470f9642d1a

SHA512
c54199a01a27b5f8ceecf42110b85f7e9ac9e0aad7152df0e0f73f4ccc41dec280c405f483e94098e4eaad85aa2a31030e759e1bc44474b4bc246930b585cc8a

Download Submit
C:\Windows\SysWOW64\Ddnfmqng.exe

Filesize
64KB

MD5
6a00876857fb19e38093e85ce5f3fcdf

SHA1
195df05051c5efc1a687b1be0471025f4eb19f5f

SHA256
f0055ccf052a0f31fff951e03e2971d68fbfc44a48d22268031a16f2c162d3b4

SHA512
038aa0360522ed5d1392295b3b459f8e2f574e5b6c01640df40b52126f875252794b5de079e7cb5b60d60175b5ebb0d1d3099ccfe29282569490a5c536c02581

Download Submit
C:\Windows\SysWOW64\Dhbebj32.exe

Filesize
64KB

MD5
318a102c8c0d5479eae49389cf44a19d

SHA1
bf01f50468cb2c865c7b59772b6d90f573b39c15

SHA256
5d668ddbb4bbabb6be2a0bfad5199f3d8e31d5a41e33f93f0425fc8a3252fbb2

SHA512
19f2b2f4d17e57935eeb187efb1eb9ed86be607e21d29f4f2ec1b29d5661f2ad121f0818598a69c6b1ae4da474842fcf7bc1bf0f74356074ef1a1ece8526e595

Download Submit
C:\Windows\SysWOW64\Dokgdkeh.exe

Filesize
64KB

MD5
18c58f2a715368f0bac98f3cfe0ea15f

SHA1
02f83a3f369712882c456e678fc15b00c95e6047

SHA256
1175b06d4282dee2a4bd16eb34b409614767e2823d0d6f6bbb6e9a242e295452

SHA512
d4b8429a5c029d7f612d74d445649e3ed20eb825d82c9a8dd9d786876d08aa51ece91a31d6468a5194ad9f95c712238fc8cd824ac12178b20ceea6d71fe01030

Download Submit
C:\Windows\SysWOW64\Ebgpad32.exe

Filesize
64KB

MD5
bfa30dcfa45906dce428761a9bd7208a

SHA1
37f2f2c946aef8db2163cb97f87559c609b032eb

SHA256
b5d0a9947daa651c49417e9758a94b88386fd9c14c37af14f39438e91ebf2c56

SHA512
972a601a124eb363c824663a7c79c9d0c8ab3c3d7f89a11933aeb42d4bdc3c00eba4cd1f7fdbcd86ac8a5cc98d1404cbea238259c36a4f26bff98821fee06689

Download Submit
C:\Windows\SysWOW64\Edbiniff.exe

Filesize
64KB

MD5
7742805b5666e440573b388d4f85fb21

SHA1
0cf9cd071ca7388f23d536fbb1b3ec617b07e5a3

SHA256
ea2736e0672b1118d95790667f6b898e59308a6604e8dfba17c2f7c5e04fdb65

SHA512
08e218e16c0144e3300a99fd9bd4273ec5c66f9b5904712b3b313acda8d84f91d04729a6e5cae30649cc223327061fb0574950e9f1241661767c540fd3af7679

Download Submit
C:\Windows\SysWOW64\Efpomccg.exe

Filesize
64KB

MD5
7ffe244507d854f30ad396934d9001b1

SHA1
800980434108e6c0cb9335686e66e535a2284191

SHA256
f630561deeffe5f41d2cf2e0f61a94491bd3c83247a45916cb6767de9db35c94

SHA512
9f741431ccd60ac01c0f0deedea5d1a168bdade3f00ed8229c35c93f5d0b97ca80d8d4c2b8ef86d8bd7b8ca583876ea213928170c987dbd48f509aa884558cac

Download Submit
C:\Windows\SysWOW64\Eicedn32.exe

Filesize
64KB

MD5
f398a5fc7803ef0573cffb4e32c217af

SHA1
8a57743cd4cb768a1d7b40b11f185e98bd3d352f

SHA256
d62a4a7a29ba42622a97c8f7dfa0511230c80dbaf8723d56f1028114aff25ada

SHA512
68704b6a7b0f5868be9cc5192ab6e768a797c4de4cc019cb48c98a76ecc06dc8162501bb2d1db112f45e860463c3b7966fe6bcf4472a207c53c6f9c74d769c90

Download Submit
C:\Windows\SysWOW64\Ekajec32.exe

Filesize
64KB

MD5
74a76797c14000750330b9d2dc3ba04c

SHA1
6c4f3c648aa89cb91094ef144b837bae37e99ed7

SHA256
3449272ed9e469de4e42028180eeab4a4eaa4cf3e97dd47260be0dac3e09be71

SHA512
289b733794128135731b075fd8242cbf1d741f2216794e2d9df60f196c0429053a64a697497480ce31e68b8f7161d8e61f5c08ca1c0586f6cf08afa5512892d1

Download Submit
C:\Windows\SysWOW64\Emanjldl.exe

Filesize
64KB

MD5
bee216085699d601c5971a1b09e133ba

SHA1
37d0417c9aa9afe4cb10090fb8f9ef2096c7ab47

SHA256
f29e874de0b34998122928736065b0e9e70216f5320702d0abb761e5d92fd192

SHA512
0fd693388705185f56fae2f14d80a123ba164185a8e7c51c9866ff8c14ce1786031aad833abba8f05693fe11302340e3edc7fae0ce5c5c8ce58526d30fc52207

Download Submit
C:\Windows\SysWOW64\Fbbicl32.exe

Filesize
64KB

MD5
bc43b82ab43ba2966a369fc06de25718

SHA1
286fe236101530a85a869030f7abe0200d8b5f9d

SHA256
db5930265c703066399a043a451f6d2329cc40537e7ef58ea370ad39051a89ca

SHA512
f7aef66d3c0b080a99351c08839731442bd9e3c0e2647811c53687e58b151c1f0a42f883bf46ef91b51eb5b855f5bef1a20b1a51a38fcd9149ab6f8eab9261cb

Download Submit
C:\Windows\SysWOW64\Fkjfakng.exe

Filesize
64KB

MD5
3eee0b3c26168c4d2495ae5c73345391

SHA1
5410e39ec92dc7fc747160bea38a16219a6b8b3f

SHA256
d86ce184caf2c48f7b3967cc35f862d91aee1ceabd248bae5241e5407dc787bf

SHA512
b3e075d6905e45c7ed77aea8d30f4a7f9ed2454031832ef0738607ff2da9739476a9a154a0c07c0b280fd739e0d55d61229084a931728e0b7b20ae93d917f246

Download Submit
C:\Windows\SysWOW64\Fmkqpkla.exe

Filesize
64KB

MD5
6dece775603333e0667f610cfc00b259

SHA1
f3398f5263c5aa3c1985e0aaedc03b0970671e5d

SHA256
1cd4b440e68155e222a7a6a01bbd06b83e8b5fae0403bc6f71b17b3666ee55aa

SHA512
82fa6c72c1f9f9982d5202bfbf20c5ff6630ca6f8316b439c5fe736de0ec1f607306e60372df6b1feb40c4de1c016f5741d96058832d257f66d4852feeebc4d6

Download Submit
C:\Windows\SysWOW64\Fnalmh32.exe

Filesize
64KB

MD5
3dae975800f2f1949ebc7b720447947b

SHA1
fbb620c54f6d8f39d77d145bf5a9dd86d04efe68

SHA256
eda90b173b624b38bf4df41559da07ac69cd56463ab19ef1aa54f8c9ac5456c7

SHA512
078acf8f889056fbdda981d82064bdf4f1f0697a299754ee6cbff1e0bb44fcf3dda2577b9ae7747efa2af9490702a0adae5781ef9e2b2f341f908dc356e714de

Download Submit
C:\Windows\SysWOW64\Geaepk32.exe

Filesize
64KB

MD5
58affb532da2c9ba4bda89bd8c8b84ac

SHA1
bb8b79d55050051be5c2a996b23c7d11a059b423

SHA256
2fc64f1c44d17129bfbf39a923831ce364619ef311e0d2110bb1e603ca8e8f53

SHA512
76b9d66f99d1b96d8ae575bb7f85c325ca8d38115b063dc2bb89b20dd814425b4770b9c0b2e50f92c3792e1f35ed8f35d72e1e76d2a47e7b23d6984636049a56

Download Submit
C:\Windows\SysWOW64\Gkalbj32.exe

Filesize
64KB

MD5
9899b01a4a88fe837f591a3e993ea4f0

SHA1
2dbeb57f61c7d26d8a707b1429f30b58fdffb179

SHA256
f7838c051e4ec133e15c9da509eaffc542e5d787218e52c6331b805dcd3f7fe8

SHA512
f4e2a861b3444e512da531d3493fc470f90bb0144e13bae842f835b9bcfdb1806663df22d0e96a096a91c6bac16e7bdfaff219a88ffe361c86a3bc72fcbe0f4a

Download Submit
C:\Windows\SysWOW64\Gpbpbecj.exe

Filesize
64KB

MD5
d750dfa3fa634107e502694d7c03918c

SHA1
4dd2690172d6eda406fda22cec9380d67bec9026

SHA256
1853f6d5541e0d03e6b8f719d35e2c10813c2a598f6c7bba41b10c03db7f7fa8

SHA512
6f36acded41de0fe44a4e3835e9434520f4f814fd33b0e4ec174b1760f2bbaf2ee22a64983b8fa9c58b93170f2b796fedfc03449b6509ba77975362386d6e01c

Download Submit
C:\Windows\SysWOW64\Hehdfdek.exe

Filesize
64KB

MD5
37729da735c057a7efdf0805e4dc1a63

SHA1
c354afc880990b252d53c72edee9e09ff65a6411

SHA256
4fdbe0a217642a8bdb17ef62aca77d717653d93db35456f60437dca91f0360f7

SHA512
d4e68e17371702aac2845d419cef02e66cdc0e8c920f27626c36c70c8a26b501b3c382d3fe713d2d60ccc9df76995ca3bfb875e661c60cc18050aaa27961d56a

Download Submit
C:\Windows\SysWOW64\Hplbickp.exe

Filesize
64KB

MD5
25266a2ee17477bbc8ef6324781dba45

SHA1
6ee85839fe7a85a681a2e72c2b44ab46689c7798

SHA256
4d3c436e1053d1b25a300b5193ee039bbe0d285fde4113accdc0cc53095719db

SHA512
fd765362b9b1f66d8f7a0fd3f29932905f35a1e0776f8454ac369b7c63ac059de4e07da360a451943a6e9f79018c2d8dcb3e048451d21d552e3da02bd1fd39d1

Download Submit
C:\Windows\SysWOW64\Iedjmioj.exe

Filesize
64KB

MD5
44df6447a068c974fb4fd3c4d8442812

SHA1
3a5ea5fae11801000163e251e599d1a3966b6f0f

SHA256
fae2073a891f709cddb9e3c8628765e87d6b87cef3eda0cdcc1d6dac90ba9ba3

SHA512
be7bcbefd6e963123f050b3015aae7b7b6663d0f8ac8a0e06f5951dbc5007ab50aee7155093331433d5abf890ab505f54bd931e059624b02c4c4b4a1a06d317a

Download Submit
C:\Windows\SysWOW64\Iiopca32.exe

Filesize
64KB

MD5
2884caca34cd44ef11956f7a9db67102

SHA1
8a44d72ff9014d50baeb743e17e87c5bcafef565

SHA256
3deb9c9827c2b97aa0d2e6e97e7c0848fe0b924d9eaf7d99854098de2145e7dd

SHA512
882e11100750e6d4a8b110692ea595b19b70294d53a04c7544118c378eb64976063cb966970fba0f0758438e891a9cdb743411d941a57f1df6e7195f9c5f3f2a

Download Submit
C:\Windows\SysWOW64\Jinboekc.exe

Filesize
64KB

MD5
091196102acf1ed4d5e07af0ba9324e1

SHA1
744ca1f026a4798a0371499ce4574bd39291cc3c

SHA256
ba6b7b2ea573acad50496c1020074ca12beb69dfb13748631b288befbc5c7030

SHA512
068436a22b319ec13a825a729ccbf29459fab1c9f279524ee1af37919dc7f0c8299c6c8c8719693e1ca6b5d9f6e1f19510285500284932c16817f1ae5326dbab

Download Submit
C:\Windows\SysWOW64\Jlgepanl.exe

Filesize
64KB

MD5
8c0e075d15e37d491a9efe4a555db51a

SHA1
c6a435a0ac7a730f0ec21988f5bb5ba1cd80fa6e

SHA256
d796aba118765980a6f0d538caabf95512321c87f0d0c642d0b09b0531585388

SHA512
3185f0f6a55fe04f8bdd13e0cef7ccd99cc078375b54a7ca9e4f198b6a4fc297c0a2da626c66a3fb85b4d964b03f07fc9301f3505378e1bdccbcf87b8b8c8453

Download Submit
C:\Windows\SysWOW64\Jpegkj32.exe

Filesize
64KB

MD5
550eb76c2b28f8a74b9f1bc4db6749f3

SHA1
53d0ceade9a82fe1acf6a291af7f1eef4ee68cba

SHA256
62878aefceebfb0c9193ce12a291979dc5e19e9610bc083ed2c88b1effd39867

SHA512
de67bbc634bd1b06486aa471e1aa424b3af7f908abd664547542150d081f8705f902fc3046d07f6c2f2e4038d5602b2c44258977b9360013e15eac2af9d5a1f1

Download Submit
C:\Windows\SysWOW64\Khiofk32.exe

Filesize
64KB

MD5
9df47ed46b0ed52a1f85960eace22e4f

SHA1
a06e181f109d324eba8d7cf40f998063407ed1b6

SHA256
82dd92f9457922d1fd5329a246a914b5a91d9dc3f4adbb33680d7b0a9ca0370b

SHA512
1ed7294295c55bad1b43830aabf37a4a0c96f4d5f7a09963309008906a19f4408aeebbea96f13a0317166bcced13271f33c2e9f7351b973de185a55292716c18

Download Submit
C:\Windows\SysWOW64\Klcekpdo.exe

Filesize
64KB

MD5
1af67306c4021ce7ec86d0808283aa56

SHA1
89fc2ff579e5210dd2e6e57778547f7f6303ab66

SHA256
386c365699df4ce86b667b762a1f6b937c1f0351f235338e0e27f8f4618af60c

SHA512
04bb4b04bf90aee7155353c0d1b934de59d09703847f436d4fc95118b5de49c926447d9debe28c7db0ad57a41c6a55ab3506b099cd87978eb524f91694ccb38f

Download Submit
C:\Windows\SysWOW64\Klpakj32.exe

Filesize
64KB

MD5
c754ead6f9d39b65823037593eb6ab2b

SHA1
3840380d41116e84242d9afe08a9cc7f7742b918

SHA256
2d52f5657a83e0072dbdbfb4d9cdc4dc4f986bcf1d708089ee03d2d3c86e8f14

SHA512
9920ad3e2ca03978fa0f5aa6cb8828b1ad64791b88b0c2e6c8ddf00933a7a59c64bd97b1c34b03e379e36b80a684c93e7584e96d29701ac7fe6dc5697d33991e

Download Submit
C:\Windows\SysWOW64\Lebijnak.exe

Filesize
64KB

MD5
67f9d59eb16cfde81119ec05db63e957

SHA1
bfb1a66455bfdea7b79bbdc7b100ed77baf30cbc

SHA256
2eced16d5cfc8c6520b5f1b20fac29a7ff8bad5b9dacd688adc635c5f31b99e4

SHA512
5526f1b2e4b22345dccb4951762041c444e79719d7a57ab1040a5effc388d497ceea32adcda301bf482ac82b4a650ef4a72133e36ce8a944c08120e92676cf46

Download Submit
C:\Windows\SysWOW64\Ljnlecmp.exe

Filesize
64KB

MD5
9abc738088b75a90bda631714e927b70

SHA1
b11955aa7c22762bbc2c40877e688cbc0374be76

SHA256
95560cf2643c6891b9fcd68c766c9398fe5d69fff6022ba9f1f2dea4ffbedcab

SHA512
d18339da8048c0021880c2c7a385d5a54b4fe8272c458bb8a5d57d4b8f2c27a924b2c4cdb771776428a27e8a0fcac39616287cb9913b229e3c19ae9fdb76dc86

Download Submit
C:\Windows\SysWOW64\Lnoaaaad.exe

Filesize
64KB

MD5
f31fa6f1c3ed1ef14c54437c1d3d6495

SHA1
5d28bd9b9200362f3382f457b667ced9bb58d899

SHA256
42757219b94d9d2a15d8b6661ed8cdabe337639f31556f7581f67d686add2099

SHA512
8113a0705d234044a7a29a04dde4ef0e0e63bb5c5a61a8df35c97b3c227e83f95ffb67ede9c7640793d0d40c8b6a8de0592bbd050bd73ffc0f07ce9f7d6d4af7

Download Submit
C:\Windows\SysWOW64\Loacdc32.exe

Filesize
64KB

MD5
5a0ea52344300e8ec7000dd184001545

SHA1
ce75c9339d0a064ea79e056ace584c210b5d4e99

SHA256
137ccd3163a7d8597f24571d6ee86e5c3c635eda37b3dab812071a7b352d5316

SHA512
ee9c08c37b171a56427499a707c2859b5e92798c2ff7c9883ed797be3d22ad11804080a6408ee6dfa26bebe2bcdf4c0ee7a17596e534b8385ecee8f4d7589f2c

Download Submit
C:\Windows\SysWOW64\Meepdp32.exe

Filesize
64KB

MD5
51c6deb0a560ec52e8269ccfe305f856

SHA1
5d586228175dc373858813551a818f276c5a7d14

SHA256
24c47a4731484cdd7f06a4bb65eafbe4e789929b738b93fd2cddac7727d17cd3

SHA512
a746a9e29c17759da248f36945c9205b3eceb24fd68b1cd108ccf1b30cca1f3b4ba64510f7085b2b973276a8792466d1d41e25d81c8aec82466ae8c307cb7939

Download Submit
C:\Windows\SysWOW64\Megljppl.exe

Filesize
64KB

MD5
0aadbc1f8aa2e177bc6f49d9a78e1c10

SHA1
5c8a2980284bd98a0dd72dbd842fc9e3b2d5b642

SHA256
024016558f7878547bf130ab84b5713e480cc8412e7ef5c4021813a855d288a2

SHA512
c957cf354dac8d686ae4b1047f30727dedec0dc77cb9693af7e1b3c1ae599dc1321e3f2a6be58648c7e67f970d2d5ea77dcfe89080914e6c67e17feb7278674e

Download Submit
C:\Windows\SysWOW64\Mepfiq32.exe

Filesize
64KB

MD5
45600b6cb71a9a706beb0435a6a01c1a

SHA1
3716484833fbdf61f90c067d3137426765d62138

SHA256
90e2cfe43d12ebcaa7926d56fd9b7ec9cae15cb12c36c642db5318d5a75e31f3

SHA512
a88ece1510d9e95d4c02c67112d59fb15c4ed61f355651d219f49233c121b7878d194e158e94c06ac64828421fe36f5a803f54b528e0f656a108d4963af5ebda

Download Submit
C:\Windows\SysWOW64\Mkmkkjko.exe

Filesize
64KB

MD5
3f22a7ead542e4ea58160ee10f85071f

SHA1
120fad56be9d14171b8c50410d7c7f434b27869d

SHA256
c8444f562596f7d06cbf3e80aa98dbd2b976125faa6a1e9591acb577e3c403b5

SHA512
46506f6da4bf80e41620cd51f3c2d2a25a01ae02d80690a539e9f54a7d60e633a5f2b48ddd884d1a18579c3336c5c48601ff12080639bc5221f50505f9fddfba

Download Submit
C:\Windows\SysWOW64\Mnegbp32.exe

Filesize
64KB

MD5
04bb32cdfa560dad0c8a9f48f6135015

SHA1
8465a47ebc0f56be83f147241f5dbddfcfd01adf

SHA256
c8112e7cbde6cedc0286305f6f350b4f281a891b53154267e709494d6bc42992

SHA512
5d6eb7e5ed266907aea1d998d17a9d1a964d86f09a0b32ed0118cc974c3b3564b644855a4b61b36fb26c832230d3d9e136ce294550dc744f1f43c6669b54777a

Download Submit
C:\Windows\SysWOW64\Ncchae32.exe

Filesize
64KB

MD5
5e1ce5e0b243dbd5b4a68ef29f3d65f0

SHA1
d3e1cc7fcff70b8f86f8f38b5d9c0ca20b5c762c

SHA256
76252a88753ddeb0befde8b96782b726e22fe37e47a0b3d02694f9c2a6754617

SHA512
9181860fc00867c0819386953cb59dd904c36e02a4782d9b9778160e49688122b50ee4367a98b3dbda9bc3f78c89f64e6faff94031e3a124e233a8dcd4c7536b

Download Submit
C:\Windows\SysWOW64\Nclikl32.exe

Filesize
64KB

MD5
59208abd917e6e86f6b8314dfe730fe9

SHA1
0472d0ae24fde552ab777ebc0bf19e603334eeaf

SHA256
7af7fa3e75e358cd871fc2c94d32790adfd84416510eced013c0e866af0e24ba

SHA512
68aa960048abaf03445857d6ea860969a816d460c39e720d11c07eee2171fcd01711517778e2af54bff4fbab942585926ea3856f136ff7668dcbc6f7228acffa

Download Submit
C:\Windows\SysWOW64\Nimmifgo.exe

Filesize
64KB

MD5
9e1310c463696cc865a88d3777b2c725

SHA1
16660aceed122db91ae8f2b2169433f0961dc94c

SHA256
9bb8b1dbe00ba1faf985df6bc125818d5d270cbbb3c80fced79cd31d77f0a321

SHA512
50facbc523c05bb1a2e10ca9f131ae27da5a2dac3c45dc5027b4e9a99ea2c478e5d98c86088494742ec5eb5e38a3f9d5d2e06d2bbd150f4f7f081b8454d594d9

Download Submit
C:\Windows\SysWOW64\Nlfnaicd.exe

Filesize
64KB

MD5
ab0cf28363dabd917a76df52018d53a4

SHA1
dca3014e25f2018c841451776d76a9c262326efb

SHA256
8c8174392f32bc9c85762fb8b782177c3d3621f87e32920221048e58a8ae6fab

SHA512
623553fb8943d515f239517420fa37ef31e86b5ef09d2f5f30b9d2c67e820a6165ed94470cfa280550968a548c938f8ce7950eb3c2d20da6bfca18b2600f6aab

Download Submit
C:\Windows\SysWOW64\Nlmdbh32.exe

Filesize
64KB

MD5
ed7e251b08955f539e7880b7aa9077e3

SHA1
c65298650051d48262ac0aa5c07aad1ec8992941

SHA256
506dab604de520723050a7f0af999799ceccc181fbe0524356d365f927882fef

SHA512
bb7ad11718605f37cd12e99ba8ab895434a59936218f54886c71cfe0dfff772a9134a0657eb006bceb20920f8df63336f1dd7ecbb3b1fb7677e898ba3e332396

Download Submit
C:\Windows\SysWOW64\Nmlddqem.exe

Filesize
64KB

MD5
4df1907a31c802257edbc3b0b82cf83d

SHA1
2e7e0065bb8bce69a22a3a7c26479aa395b2f294

SHA256
70a2a71bef4cf1434b3cdf81193a442bbb85ebf556cbbc0ec0b1d44c6e992e10

SHA512
5e379c9b4aea9699ee957ba1ba6f8e5b6baaf01c5cd0da1b05968441f43019def604eba03579f1c963dba2555486012aa9dc6d8eb597db16e4c23057c893d586

Download Submit
C:\Windows\SysWOW64\Nnfgcd32.exe

Filesize
64KB

MD5
0400c47519cf24503821009e66973e34

SHA1
e03c40c50aa452fb6732ec799d07f9e0b5df70ba

SHA256
922ade6db62aaec7c7cceb3803bde1ab0cac8f2d177c764daa46367b12ea2e8e

SHA512
6b28ed1b4cd414f0ca2fd66b03bfa9432d9666e516b551f846d4d919c49021c514ef01911e3c36809df65071d15062e86936d1d7ff0b431239f919ac4e22f707

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
64KB

MD5
84943f8b97e60609d81e6169eb9bbb12

SHA1
cc70ef08f28ab83aade4b6e514037deed56909d8

SHA256
cd4b43d996b5ff4aa6be84f581f13422a16406a77b26cb9b27e023eb0269078f

SHA512
8637faea4acfe5bcccda7f996f52da903ea3453e1bba026c9c674bba9ffd6d40a73be084585c8402a6013eb74d9b5763608a24e900f64e7e4afa3d2f0f9342c2

Download Submit
C:\Windows\SysWOW64\Ohcegi32.exe

Filesize
64KB

MD5
f1eeb0b005fe0ad442c7c09e0abbf994

SHA1
edb06879d8a69f95ffee171ce9ecfe51684805b7

SHA256
cd40d0229a3ac36484681bb04f665a7f793ea506aaf0c94b8a829b9a28b5a22a

SHA512
397d716b71e69a256f139092e012ac61069db5a5c0f3f2a7cba79b802b6d7b597c4e9da05fff8b3f3436c33ccebbfe169ccbabf93ea2bacc5186f1a9ea5082b0

Download Submit
C:\Windows\SysWOW64\Ohhnbhok.exe

Filesize
64KB

MD5
3951ed67bd7b47b384260b91451bdf4a

SHA1
61487d04fa1c23dcdc2d3ca6855b016593aa6317

SHA256
545849aa720d1c368e4654ebb2ba5adeb40887d1ea54324b4d4416643256ce38

SHA512
c038871ab4484fbea540b6e530b0346204c93421b0167a3fb3d26ff51fe70fc69cf3017f067632e488729a37089167d93393a34a3ce8d42831aeaa5cca87fa72

Download Submit
C:\Windows\SysWOW64\Ojigdcll.exe

Filesize
64KB

MD5
9394a9f323840cf582f09edd69913fd1

SHA1
0e4f909c7bec4ca929a8025a7f975e9b9128af43

SHA256
2474dd0ba4f21b4d6048b32e963ac57ce8fd2757f51686fec048669c9316f1ab

SHA512
89efc443da32ccb896e5ffcde0875051f18bc82db546cdf11cca691e29b8803fc4537ee5d49c153e98a4773686a52cb10f26934963c427ad432df886837a9a2c

Download Submit
C:\Windows\SysWOW64\Olanmgig.exe

Filesize
64KB

MD5
7ebd6d8a779290305abfd703f30615fd

SHA1
651b2fe6b96d16de4c8c74daf2b22795739d5c78

SHA256
ea3e5643ae8eed842f22db584e7088fb69974b66795e41ee600f49edec28c921

SHA512
7caeb2c393ed4c35744ed204e260387e76502d527e38e29456cad91f9d531f4f5e68603ac8d147757c67ab0035c94f9b1f7d7ca836337a85b5eea4cf64b2af39

Download Submit
C:\Windows\SysWOW64\Omjpeo32.exe

Filesize
64KB

MD5
a4fca13ef7afb997cb8bd83f64703262

SHA1
3da435fb96419336fa0113d4e4844f0eb90551bd

SHA256
02423ef257407e58c2285cb0cf864e39ac3fb558e2348789d37bba06d9ce02a4

SHA512
9c232c402d8689b44665479bdc6aee53a372a1f093bdd9f82c73aea000e3c542280ff4c3727c5252655e70e8c153809a38bf3c18fc0dd2aa65289900aca33a39

Download Submit
C:\Windows\SysWOW64\Pajeam32.exe

Filesize
64KB

MD5
b8731f3e4c367b945db26d7aa4368552

SHA1
9162037a788aed675d733fa4a1eb0743a9f31d1a

SHA256
80fb076df647a5bacf6201783ded9df96cfde77de317ce5d323094e579e967b1

SHA512
05c37f6ee74a368599e566777fb2dd935e6d826f08af2e867e26e3a7ba2b57f0de393a42534b3d81cfa8173dc8de84b0226ede67f46f9efab48978cff8a322fb

Download Submit
C:\Windows\SysWOW64\Pecellgl.exe

Filesize
64KB

MD5
5adc499e8d77d6f65f3d29621b6b1140

SHA1
3dee0ca6894c54cc0efecd2d24a3b1b4067b7b17

SHA256
03fda38d0f2d4765c413b3e4b573bf4dd531377c8002e37258181d3cec77dbc5

SHA512
94091e0ccc27cf3fcf8b5381b441fb1d51f3b1a916ebcda1a9bfd692156842e02818af7c3a498838fc6093cfa480f1d1b66b58e15af6299fb98babbc748c21a4

Download Submit
C:\Windows\SysWOW64\Pehngkcg.exe

Filesize
64KB

MD5
d4ecdcf24d4173d4018ea8ba909cb432

SHA1
d9f67fd062e035e284786f7fe78f9f24469bce64

SHA256
1afe46c270d98b1c33fee1e4d9de0a526ccb61c5ac5fd51be30d5afa88c29ca0

SHA512
e65d1f68ac02a0f9c35c746becc3c090120851d3f17da900d8367c13750333667429205acde1aaf8f2e7bcc1bedf2cc87b1e271d8dc8d0cc124333d45aa81bc7

Download Submit
C:\Windows\SysWOW64\Phcgcqab.exe

Filesize
64KB

MD5
a42b49dbdf744a69ddce5d4546ec8f46

SHA1
c669d9d10bf2959040c27fded2aad0a3b2ed39e8

SHA256
38b2987f155cb55594e3bee768cb4fbe7b02185e200103eb2b329b07ca4faed1

SHA512
1fd03291cc801411bf8f32d66c2bd8221de540bfbbd5c2b6ac45a7c88b8f2bda3d6c8223beb7084656794ae679624d8542e294aa947ed845e9f9b6023bddb7c8

Download Submit
C:\Windows\SysWOW64\Pmiikh32.exe

Filesize
64KB

MD5
b08aa2f01f351d46148d1f4b09d73fdd

SHA1
05863963899815f6491639909dee0b7b90732bfa

SHA256
4152682636e5c0acb85787dd42807852e9f8064f5689bf54bb55c3ebb37d2509

SHA512
7998c402eb7cffc004c237df733f2db92be5ae392defb9f6215706e8e6dc783a4b1c2d043eb9478014b07ba7b248ed0c4bde281f902648722e3cc634c1f8c5b2

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
64KB

MD5
6ad36b372465b5f2f044f00342c7340a

SHA1
4b5cc490412ff1adef61f4b24601fa636c4ad224

SHA256
2ecd6f499d50988cda690bcd5d0d0377231e8031aeec38cdaa5636c725854ee8

SHA512
cc0f044e5ae5f0ba51104cc4d9253e3b04184c557eac1c06995840b2b388b65a698bf386dff8d6f03da1ff3a7dace790e58c238e6a78bbb178c57c50a1841fdc

Download Submit
memory/8-425-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/60-263-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/224-341-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/316-293-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/372-419-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/432-377-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/512-256-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/548-485-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/628-275-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/640-473-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/732-455-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/764-580-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/764-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/820-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1000-305-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1004-353-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1008-383-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1096-497-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1112-249-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1236-335-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1348-413-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1600-553-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1716-560-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1728-567-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1816-287-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1900-566-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1900-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1908-299-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1920-527-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1936-548-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1956-431-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1960-491-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1972-281-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2012-96-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2036-65-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2040-559-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2040-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2188-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2244-401-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2272-89-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2304-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2312-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2316-177-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2472-587-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2472-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2488-323-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2716-479-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2956-329-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3100-525-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3104-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3132-437-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3168-552-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3168-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3196-145-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3288-537-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3344-540-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3356-443-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3436-311-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3548-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3548-573-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3552-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3728-467-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3852-371-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3880-395-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4016-185-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4104-461-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4140-539-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4140-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4140-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4284-169-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4372-365-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4380-233-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4388-347-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4412-208-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4440-449-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4444-121-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4592-509-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4596-192-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4600-81-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4636-407-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4668-225-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4680-217-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4708-594-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4708-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4720-359-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4748-317-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4764-503-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4780-201-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4784-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4908-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4920-515-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5048-269-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5056-389-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5148-574-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5192-581-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5236-588-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads