5a4300c69960a81874dc0f3da6b1ad749e4cde3eb121e0e022f9bb280ab449a5

Analysis

max time kernel
141s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5796fbbfa914ec4578ba4fb5fc8bca20_NeikiAnalytics.exe
Size

89KB
MD5

5796fbbfa914ec4578ba4fb5fc8bca20
SHA1

100ada18ee9d517e71e737f783a4f06da7feefc3
SHA256

5a4300c69960a81874dc0f3da6b1ad749e4cde3eb121e0e022f9bb280ab449a5
SHA512

ab96fddb9b20cdbb241447b358873386a7314ffdcc4dfa3c15168c5a7f5fc33ccd57ed2cb649c4db5bf4b765e3deeb5be70d0f535c129dd236cb2939ca087810
SSDEEP

1536:QvYt7xvSLyvKMdUE0xm60pEWSd5RU7kRsz8STLRQ+D68a+VMKKTRVGFtUhQfR1Wy:QvYLKLyvKYU5m65T5RU7xe3r4MKy3G7r

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imfdff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gokdeeec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmfkoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fljcmlfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeqmoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baaplhef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cefoce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibnccmbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicinj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imoneg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilghlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfbploob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfgjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flnlhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckedalaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkffog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihbijhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbeqmoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjghpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffgqqaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eocenh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eofbch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkmlofol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iifokh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghlcnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fojlngce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckedalaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghaliknf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieolehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlnnmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjghpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe

Malware Dropper & Backdoor - Berbew 58 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000500000002328f-6.dat	family_berbew
behavioral2/files/0x00070000000233ee-14.dat	family_berbew
behavioral2/files/0x00070000000233f0-22.dat	family_berbew
behavioral2/files/0x00070000000233f2-30.dat	family_berbew
behavioral2/files/0x00070000000233f4-38.dat	family_berbew
behavioral2/files/0x00070000000233f6-47.dat	family_berbew
behavioral2/files/0x00070000000233f8-54.dat	family_berbew
behavioral2/files/0x00070000000233fa-62.dat	family_berbew
behavioral2/files/0x00070000000233fc-70.dat	family_berbew
behavioral2/files/0x00070000000233fe-78.dat	family_berbew
behavioral2/files/0x0007000000023400-90.dat	family_berbew
behavioral2/files/0x0007000000023402-91.dat	family_berbew
behavioral2/files/0x0007000000023404-105.dat	family_berbew
behavioral2/files/0x0007000000023406-114.dat	family_berbew
behavioral2/files/0x0007000000023408-118.dat	family_berbew
behavioral2/files/0x000700000002340a-132.dat	family_berbew
behavioral2/files/0x000700000002340c-141.dat	family_berbew
behavioral2/files/0x00090000000233ea-150.dat	family_berbew
behavioral2/files/0x000700000002340f-159.dat	family_berbew
behavioral2/files/0x0007000000023411-168.dat	family_berbew
behavioral2/files/0x0007000000023413-177.dat	family_berbew
behavioral2/files/0x0007000000023415-186.dat	family_berbew
behavioral2/files/0x0007000000023417-195.dat	family_berbew
behavioral2/files/0x0007000000023419-203.dat	family_berbew
behavioral2/files/0x000700000002341b-212.dat	family_berbew
behavioral2/files/0x000700000002341d-221.dat	family_berbew
behavioral2/files/0x000700000002341f-230.dat	family_berbew
behavioral2/files/0x0007000000023421-239.dat	family_berbew
behavioral2/files/0x0007000000023423-248.dat	family_berbew
behavioral2/files/0x0007000000023425-258.dat	family_berbew
behavioral2/files/0x0007000000023427-266.dat	family_berbew
behavioral2/files/0x000700000002342a-275.dat	family_berbew
behavioral2/files/0x000700000002343e-341.dat	family_berbew
behavioral2/files/0x000700000002347a-591.dat	family_berbew
behavioral2/files/0x0007000000023485-626.dat	family_berbew
behavioral2/files/0x00070000000234fd-1042.dat	family_berbew
behavioral2/files/0x0007000000023521-1166.dat	family_berbew
behavioral2/files/0x0007000000023527-1187.dat	family_berbew
behavioral2/files/0x000700000002352d-1208.dat	family_berbew
behavioral2/files/0x0007000000023535-1236.dat	family_berbew
behavioral2/files/0x0007000000023539-1250.dat	family_berbew
behavioral2/files/0x000700000002353d-1264.dat	family_berbew
behavioral2/files/0x000700000002353f-1272.dat	family_berbew
behavioral2/files/0x0007000000023543-1285.dat	family_berbew
behavioral2/files/0x000700000002354c-1313.dat	family_berbew
behavioral2/files/0x000700000002355e-1375.dat	family_berbew
behavioral2/files/0x0007000000023562-1389.dat	family_berbew
behavioral2/files/0x0007000000023566-1403.dat	family_berbew
behavioral2/files/0x000700000002356a-1417.dat	family_berbew
behavioral2/files/0x0007000000023578-1466.dat	family_berbew
behavioral2/files/0x000700000002357c-1480.dat	family_berbew
behavioral2/files/0x0007000000023588-1522.dat	family_berbew
behavioral2/files/0x000700000002359a-1584.dat	family_berbew
behavioral2/files/0x00070000000235a0-1605.dat	family_berbew
behavioral2/files/0x00070000000235a4-1619.dat	family_berbew
behavioral2/files/0x00070000000235b1-1661.dat	family_berbew
behavioral2/files/0x00070000000235bd-1704.dat	family_berbew
behavioral2/files/0x00070000000235c1-1717.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
3092	Blpnib32.exe
5084	Balfaiil.exe
1964	Bdkcmdhp.exe
1756	Bblckl32.exe
3396	Bhikcb32.exe
2240	Bjghpn32.exe
2184	Baaplhef.exe
3324	Blfdia32.exe
2660	Boepel32.exe
2308	Cacmah32.exe
4940	Cbcilkjg.exe
3116	Chpada32.exe
368	Cojjqlpk.exe
3792	Cecbmf32.exe
4804	Cefoce32.exe
1088	Conclk32.exe
2296	Cehkhecb.exe
3040	Ckedalaj.exe
3884	Ddmhja32.exe
404	Daaicfgd.exe
2596	Dhkapp32.exe
4768	Dbaemi32.exe
3908	Ddbbeade.exe
3768	Dccbbhld.exe
2740	Deanodkh.exe
3652	Dceohhja.exe
1724	Dedkdcie.exe
2168	Echknh32.exe
1496	Eefhjc32.exe
2960	Ekcpbj32.exe
1856	Eeidoc32.exe
3732	Ecmeig32.exe
688	Eekaebcm.exe
1728	Eleiam32.exe
3240	Eocenh32.exe
1864	Elgfgl32.exe
2364	Eofbch32.exe
3680	Eepjpb32.exe
1244	Fljcmlfd.exe
1424	Fafkecel.exe
2652	Fkopnh32.exe
5044	Fojlngce.exe
4912	Flnlhk32.exe
832	Fkalchij.exe
3516	Ffgqqaip.exe
908	Fooeif32.exe
416	Fbnafb32.exe
2444	Fkffog32.exe
4472	Fcmnpe32.exe
3880	Fdnjgmle.exe
3720	Gcojed32.exe
2272	Gfngap32.exe
1108	Ghlcnk32.exe
4360	Gkkojgao.exe
3048	Ghopckpi.exe
5048	Gkmlofol.exe
5024	Gbgdlq32.exe
4460	Gfbploob.exe
3848	Ghaliknf.exe
4332	Gmlhii32.exe
1472	Gokdeeec.exe
2892	Gbiaapdf.exe
2172	Gfembo32.exe
1844	Gicinj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gicinj32.exe	Gfembo32.exe
File opened for modification	C:\Windows\SysWOW64\Ifgbnlmj.exe	Icifbang.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Jmhale32.exe	Jimekgff.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Akalojih.dll	Cecbmf32.exe
File created	C:\Windows\SysWOW64\Eeidoc32.exe	Ekcpbj32.exe
File created	C:\Windows\SysWOW64\Elgfgl32.exe	Eocenh32.exe
File opened for modification	C:\Windows\SysWOW64\Jimekgff.exe	Ibcmom32.exe
File created	C:\Windows\SysWOW64\Jmmjgejj.exe	Jefbfgig.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfooop.exe	Kmijbcpl.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Cacmah32.exe	Boepel32.exe
File created	C:\Windows\SysWOW64\Hfifmnij.exe	Hopnqdan.exe
File created	C:\Windows\SysWOW64\Iefioj32.exe	Hcdmga32.exe
File created	C:\Windows\SysWOW64\Memcpg32.dll	Jidklf32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Balfaiil.exe	Blpnib32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmhja32.exe	Ckedalaj.exe
File opened for modification	C:\Windows\SysWOW64\Deanodkh.exe	Dccbbhld.exe
File created	C:\Windows\SysWOW64\Ipdejo32.dll	Ikbnacmd.exe
File created	C:\Windows\SysWOW64\Kcdgpfak.dll	Jlnnmb32.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Lpcfkm32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Blfdia32.exe	Baaplhef.exe
File opened for modification	C:\Windows\SysWOW64\Eepjpb32.exe	Eofbch32.exe
File opened for modification	C:\Windows\SysWOW64\Gcojed32.exe	Fdnjgmle.exe
File created	C:\Windows\SysWOW64\Hecmijim.exe	Hbeqmoji.exe
File created	C:\Windows\SysWOW64\Njohbh32.dll	Icgjmapi.exe
File opened for modification	C:\Windows\SysWOW64\Jlnnmb32.exe	Jbeidl32.exe
File created	C:\Windows\SysWOW64\Jfeopj32.exe	Jplfcpin.exe
File opened for modification	C:\Windows\SysWOW64\Liddbc32.exe	Lbjlfi32.exe
File opened for modification	C:\Windows\SysWOW64\Ekcpbj32.exe	Eefhjc32.exe
File created	C:\Windows\SysWOW64\Fojlngce.exe	Fkopnh32.exe
File created	C:\Windows\SysWOW64\Jgbcdnbb.dll	Gfembo32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Ifjigbdo.dll	Hbeqmoji.exe
File created	C:\Windows\SysWOW64\Ceacpg32.dll	Immapg32.exe
File created	C:\Windows\SysWOW64\Jphopllo.dll	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Ohfjnoma.dll	Ildkgc32.exe
File created	C:\Windows\SysWOW64\Jcioiood.exe	Jlbgha32.exe
File created	C:\Windows\SysWOW64\Klngdpdd.exe	Kipkhdeq.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Ghopckpi.exe	Gkkojgao.exe
File created	C:\Windows\SysWOW64\Ihjahg32.dll	Ghopckpi.exe
File created	C:\Windows\SysWOW64\Mgcdak32.dll	Hkdbpe32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Mfadpi32.dll	Iifokh32.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Eekaebcm.exe	Ecmeig32.exe
File created	C:\Windows\SysWOW64\Ffgqqaip.exe	Fkalchij.exe
File opened for modification	C:\Windows\SysWOW64\Fooeif32.exe	Ffgqqaip.exe
File created	C:\Windows\SysWOW64\Icpnnd32.dll	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Njkdbljm.dll	Ecmeig32.exe
File created	C:\Windows\SysWOW64\Hafgeo32.dll	Gbiaapdf.exe
File created	C:\Windows\SysWOW64\Ocdfloja.dll	Kfjhkjle.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8000	7872	WerFault.exe	335

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnaendmh.dll"	Bjghpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deanodkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfjnoma.dll"	Ildkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpphah32.dll"	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Echknh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fojlngce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gfgjgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghlcnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbbhk32.dll"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdjapoo.dll"	Ilghlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fkalchij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fooeif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gfbploob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hmfkoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmfkoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll"	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdkcl32.dll"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dccbbhld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fcmnpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kfjhkjle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baaplhef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eefhjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Blfdia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbaemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfjhkjle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmlhii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ieolehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmamoe32.dll"	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjghpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njohbh32.dll"	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jidklf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 3092	3576	5796fbbfa914ec4578ba4fb5fc8bca20_NeikiAnalytics.exe	83
PID 3576 wrote to memory of 3092	3576	5796fbbfa914ec4578ba4fb5fc8bca20_NeikiAnalytics.exe	83
PID 3576 wrote to memory of 3092	3576	5796fbbfa914ec4578ba4fb5fc8bca20_NeikiAnalytics.exe	83
PID 3092 wrote to memory of 5084	3092	Blpnib32.exe	84
PID 3092 wrote to memory of 5084	3092	Blpnib32.exe	84
PID 3092 wrote to memory of 5084	3092	Blpnib32.exe	84
PID 5084 wrote to memory of 1964	5084	Balfaiil.exe	85
PID 5084 wrote to memory of 1964	5084	Balfaiil.exe	85
PID 5084 wrote to memory of 1964	5084	Balfaiil.exe	85
PID 1964 wrote to memory of 1756	1964	Bdkcmdhp.exe	86
PID 1964 wrote to memory of 1756	1964	Bdkcmdhp.exe	86
PID 1964 wrote to memory of 1756	1964	Bdkcmdhp.exe	86
PID 1756 wrote to memory of 3396	1756	Bblckl32.exe	87
PID 1756 wrote to memory of 3396	1756	Bblckl32.exe	87
PID 1756 wrote to memory of 3396	1756	Bblckl32.exe	87
PID 3396 wrote to memory of 2240	3396	Bhikcb32.exe	88
PID 3396 wrote to memory of 2240	3396	Bhikcb32.exe	88
PID 3396 wrote to memory of 2240	3396	Bhikcb32.exe	88
PID 2240 wrote to memory of 2184	2240	Bjghpn32.exe	89
PID 2240 wrote to memory of 2184	2240	Bjghpn32.exe	89
PID 2240 wrote to memory of 2184	2240	Bjghpn32.exe	89
PID 2184 wrote to memory of 3324	2184	Baaplhef.exe	90
PID 2184 wrote to memory of 3324	2184	Baaplhef.exe	90
PID 2184 wrote to memory of 3324	2184	Baaplhef.exe	90
PID 3324 wrote to memory of 2660	3324	Blfdia32.exe	91
PID 3324 wrote to memory of 2660	3324	Blfdia32.exe	91
PID 3324 wrote to memory of 2660	3324	Blfdia32.exe	91
PID 2660 wrote to memory of 2308	2660	Boepel32.exe	92
PID 2660 wrote to memory of 2308	2660	Boepel32.exe	92
PID 2660 wrote to memory of 2308	2660	Boepel32.exe	92
PID 2308 wrote to memory of 4940	2308	Cacmah32.exe	93
PID 2308 wrote to memory of 4940	2308	Cacmah32.exe	93
PID 2308 wrote to memory of 4940	2308	Cacmah32.exe	93
PID 4940 wrote to memory of 3116	4940	Cbcilkjg.exe	94
PID 4940 wrote to memory of 3116	4940	Cbcilkjg.exe	94
PID 4940 wrote to memory of 3116	4940	Cbcilkjg.exe	94
PID 3116 wrote to memory of 368	3116	Chpada32.exe	95
PID 3116 wrote to memory of 368	3116	Chpada32.exe	95
PID 3116 wrote to memory of 368	3116	Chpada32.exe	95
PID 368 wrote to memory of 3792	368	Cojjqlpk.exe	96
PID 368 wrote to memory of 3792	368	Cojjqlpk.exe	96
PID 368 wrote to memory of 3792	368	Cojjqlpk.exe	96
PID 3792 wrote to memory of 4804	3792	Cecbmf32.exe	98
PID 3792 wrote to memory of 4804	3792	Cecbmf32.exe	98
PID 3792 wrote to memory of 4804	3792	Cecbmf32.exe	98
PID 4804 wrote to memory of 1088	4804	Cefoce32.exe	99
PID 4804 wrote to memory of 1088	4804	Cefoce32.exe	99
PID 4804 wrote to memory of 1088	4804	Cefoce32.exe	99
PID 1088 wrote to memory of 2296	1088	Conclk32.exe	101
PID 1088 wrote to memory of 2296	1088	Conclk32.exe	101
PID 1088 wrote to memory of 2296	1088	Conclk32.exe	101
PID 2296 wrote to memory of 3040	2296	Cehkhecb.exe	102
PID 2296 wrote to memory of 3040	2296	Cehkhecb.exe	102
PID 2296 wrote to memory of 3040	2296	Cehkhecb.exe	102
PID 3040 wrote to memory of 3884	3040	Ckedalaj.exe	103
PID 3040 wrote to memory of 3884	3040	Ckedalaj.exe	103
PID 3040 wrote to memory of 3884	3040	Ckedalaj.exe	103
PID 3884 wrote to memory of 404	3884	Ddmhja32.exe	105
PID 3884 wrote to memory of 404	3884	Ddmhja32.exe	105
PID 3884 wrote to memory of 404	3884	Ddmhja32.exe	105
PID 404 wrote to memory of 2596	404	Daaicfgd.exe	106
PID 404 wrote to memory of 2596	404	Daaicfgd.exe	106
PID 404 wrote to memory of 2596	404	Daaicfgd.exe	106
PID 2596 wrote to memory of 4768	2596	Dhkapp32.exe	107

C:\Users\Admin\AppData\Local\Temp\5796fbbfa914ec4578ba4fb5fc8bca20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5796fbbfa914ec4578ba4fb5fc8bca20_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\SysWOW64\Blpnib32.exe
  C:\Windows\system32\Blpnib32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\SysWOW64\Balfaiil.exe
    C:\Windows\system32\Balfaiil.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\SysWOW64\Bdkcmdhp.exe
      C:\Windows\system32\Bdkcmdhp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Windows\SysWOW64\Bblckl32.exe
        
        C:\Windows\system32\Bblckl32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Windows\SysWOW64\Bhikcb32.exe
        
        C:\Windows\system32\Bhikcb32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Bjghpn32.exe
        
        C:\Windows\system32\Bjghpn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Baaplhef.exe
        
        C:\Windows\system32\Baaplhef.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Blfdia32.exe
        
        C:\Windows\system32\Blfdia32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Boepel32.exe
        
        C:\Windows\system32\Boepel32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Cacmah32.exe
        
        C:\Windows\system32\Cacmah32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Chpada32.exe
        
        C:\Windows\system32\Chpada32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Cehkhecb.exe
        
        C:\Windows\system32\Cehkhecb.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        24⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Dceohhja.exe
        
        C:\Windows\system32\Dceohhja.exe
        27⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        28⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        32⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\Ecmeig32.exe
        
        C:\Windows\system32\Ecmeig32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3732
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        34⤵
        Executes dropped EXE
        
        PID:688
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        35⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        37⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2364
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        39⤵
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1244
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        41⤵
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        48⤵
        Executes dropped EXE
        
        PID:416
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3880
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        52⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        53⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        58⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        66⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        67⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        68⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        69⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        71⤵
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        72⤵
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        73⤵
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        74⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4168
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        76⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        78⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        79⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        80⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        82⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        83⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        84⤵
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        85⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        86⤵
        Drops file in System32 directory
        
        PID:4016
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        88⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:620
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        91⤵
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        92⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        97⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        100⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        102⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        103⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        104⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        107⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        110⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        111⤵
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        114⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        115⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        117⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        122⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        124⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        125⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        126⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        127⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        129⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        130⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        131⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        132⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        133⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        134⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        136⤵
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        137⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        138⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        140⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        141⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        142⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        143⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        144⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        145⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        146⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        149⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6376
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        151⤵
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6460
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        153⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6548
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6588
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        156⤵
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        157⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        159⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        161⤵
        Modifies registry class
        
        PID:6856
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        162⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        163⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        164⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7032
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        166⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        167⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6148
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        169⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6260
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6324
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        172⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        173⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        174⤵
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        175⤵
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6684
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        177⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        178⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6896
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        180⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        181⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        182⤵
        Modifies registry class
        
        PID:7104
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        183⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4220
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        186⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        187⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        188⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        189⤵
        Drops file in System32 directory
        
        PID:6664
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        190⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        191⤵
        Drops file in System32 directory
        
        PID:6888
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6980
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        193⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        194⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        195⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        196⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        197⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        198⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        199⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        200⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        201⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        202⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        203⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        204⤵
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        205⤵
        Modifies registry class
        
        PID:7156
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        206⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        207⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        208⤵
        Drops file in System32 directory
        
        PID:6328
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        209⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        210⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        211⤵
        Drops file in System32 directory
        
        PID:7176
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7220
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        213⤵
        Drops file in System32 directory
        
        PID:7264
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        214⤵
        Modifies registry class
        
        PID:7308
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        215⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        216⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        217⤵
        Modifies registry class
        
        PID:7440
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        218⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        219⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7528
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        220⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7572
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        221⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        222⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        223⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        224⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7792
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7836
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        227⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        228⤵
        Modifies registry class
        
        PID:7924
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        229⤵
        Modifies registry class
        
        PID:7972
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        230⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        231⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        232⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8104
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        233⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        234⤵
        Drops file in System32 directory
        
        PID:7188
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        235⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        236⤵
        Drops file in System32 directory
        
        PID:7388
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        237⤵
        Modifies registry class
        
        PID:7464
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7512
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        239⤵
        Drops file in System32 directory
        
        PID:7592
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        240⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        241⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7812
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        243⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7872 -s 416
        244⤵
        Program crash
        
        PID:8000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7872 -ip 7872
1⤵
PID:7980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
89KB

MD5
fa71e50d5dc04e9482e0ce0d11fe1fa6

SHA1
76544bea114b7a2ccb8082c2ff05fe94c9e2fb83

SHA256
1aa97cc44a3aa43808c87356d7586ae1344e10b392959a900ed5646a50ab457b

SHA512
682049a4334844f55cb477312d3a8508ea699241993f98801031e580118f040a59d88e780776b8b5f56ab631934ad699a0e313135f945c5f85f663cefa19b5b7

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
89KB

MD5
0d2548378da014c4274acef3428383c3

SHA1
236a65fb1a96a0a2ff755ea45f2db9a2a4a5b2d5

SHA256
f6ec4621305ae5a1353e5e400a27dd73426c06824bcf0befc6433b7cc68ee663

SHA512
e8a7c58dd16d1ac4da9546db11166bc596e0c79a8b79a9bebdc4310e2b5ac01eb881556a8db1d6c4d39944fe125a3ce4f5d46910bb932aa103f5f7c8775a00c1

Download Submit
C:\Windows\SysWOW64\Ajdhcbgd.dll

Filesize
7KB

MD5
edd914bdf86920a8baea5bbd233e6637

SHA1
9e7b8c8ffc074d9dd9707d26b07b55caf1a4ea27

SHA256
df648c64d5ea7571adeaca351cc0d75a2abb7c4e5733aa0c5888a3e10363efb7

SHA512
56e15a5160ee2d812e46a91062d8ee2571d48794cdb9256b2a3977847441a6ee23d28562d1ec73dbbff5e2b2feac925f206c576d2b0d10dc24eae32ff9ae7ec3

Download Submit
C:\Windows\SysWOW64\Baaplhef.exe

Filesize
89KB

MD5
4a7f70f7812c698a34f8c1c03e949efe

SHA1
ee87e4f74d33c4fdbbbf75ac0e06d24433b17635

SHA256
3b618f63573233de9464f9ebb5d36541ce4a3e734770b71cb3f205c866107f58

SHA512
79f1d09f7041809e2eaaa9be44f26a58295efcb45d29b301f0ccb0193c3f406ce51c3bdad4d70c8f5307503c2ed216d1f4f2698cd5455aec155b590ac323cb44

Download Submit
C:\Windows\SysWOW64\Balfaiil.exe

Filesize
89KB

MD5
c582e7cb4b710dd75001622d5cb95b22

SHA1
a22a937fc83f59ba43703b97b92341dcf547d150

SHA256
496a96bee8816d9a80db75b404f4e104757eb41893cb254ffe285d65a9b6b2e1

SHA512
92727631190996423a8f1ff88654961da62b0f5e516f0954d96260f950af42c624860c8a2a522b813b964bff341c01e0726eff4c95f769e55ea100d6b6d033f3

Download Submit
C:\Windows\SysWOW64\Bblckl32.exe

Filesize
89KB

MD5
2d2a19390a3c44c16aa9893c3ba5053e

SHA1
3ba9688a87a5fa4b3a77ed4845feb2caf0754134

SHA256
51544315b119b70c6ffd2f5e040150d91bfd854d8864560b6146d9782c057848

SHA512
538dfd78ee31ac871cc0a4d5310f5ac0e1035bffe8dd9ba961e1cd184e3dadb51b0edfb11dc19001ff521ee41309e6a6bf39c8fbbf6ab7bbe7cf912982c084c7

Download Submit
C:\Windows\SysWOW64\Bdkcmdhp.exe

Filesize
89KB

MD5
7f05ba932aa6d79027090d380668d23f

SHA1
491175de146d865d8318c2743e30c2b66bdfa66b

SHA256
1ba5a14139680a3ae745b0cd0456a40570af06cac08b8afbc861eb43d4ddac02

SHA512
90bd94e9a59d0bd0b4c5c975ce32d6676c1a706df520704f4c1759fe5ad0676f775b7e9061183fe71544d08fb634a0ff14f3597297bcfca2c513553ac56fb0e5

Download Submit
C:\Windows\SysWOW64\Bhikcb32.exe

Filesize
89KB

MD5
eb24ee2c505246763e3702702ef90840

SHA1
b79043fe9030035a0c79158c84e457b8417086c7

SHA256
2aa214c52977ca40113a24cd8f4f9c70574d60ed31a1b76e3ba1abad8a3b559d

SHA512
92093ede55cc4952dab626fe05632f571cf360b0f7716ba89816d65fc54dba93deb0c402e6709935c4fc28c69d13e201e529b631621f4d89ad365455a98df288

Download Submit
C:\Windows\SysWOW64\Bjghpn32.exe

Filesize
89KB

MD5
c9d9a07b4f4b530c07ee7db50da607d7

SHA1
b79eac53a859534e665989c713443e6ea83d33aa

SHA256
5019699d51120c12b6d35271a35c4b8f141b042bbec24a7df12667319d56bcec

SHA512
220be8e4283bfe1cf48ca33423d9156fa045fdf164012b7a8fc9c2bd3d5a5ef85228460923204d45a78b92bee2cc7aca002ff63c31731305f2344d622a2ff370

Download Submit
C:\Windows\SysWOW64\Blfdia32.exe

Filesize
89KB

MD5
71d50396954ecf034256809f018f2e51

SHA1
e328ee8e34a4356e23a4cabfa572c35a8d75dfd1

SHA256
4ba2e9f71b961069df5ce5f99d766e3e2c78a1aae53dab8045d11fea9174fc25

SHA512
8b4ff07610dcdb83d5dc518379f734b495b3cb2f63369cdd9e8ea7f4eb65c5a9647e420fd2b231e15e9330aaf9906988e01f02b4d4993c2160f4bc988c794dcb

Download Submit
C:\Windows\SysWOW64\Blpnib32.exe

Filesize
89KB

MD5
9ae998e1d5b339bd30bee9ba53463d23

SHA1
42caf999a9753952dd1c11fa58d4590dfc0ee3ed

SHA256
742b30b1e9d4d1019d361adb3cd393ec1328c5cd7903134416b0ee49d4adfbf6

SHA512
dcaeadf44aeef33d5a70e49bfffe888025577fc0c62adf3a280725a7d2ded96bf7e3fd768d07ec35a319469211e77c54d4ff13ae21d331b85215a6e8a3d14f18

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
89KB

MD5
0f4132caace1245aa3bfb22b00731b4a

SHA1
b7594eb790c5534bffe6da8e7f4daf645c691101

SHA256
6b3dd9b284c84a924ce01397cc1e12d8f0ca18f06fb42ed7289b730da58e5834

SHA512
31677da7263841d18c96c66073aa776d7f06184fd320e16759913ff637bb54c2613ce968d9c5de12bb383a14b433decc952ff4646a6c48d3c9ccb1824e464b86

Download Submit
C:\Windows\SysWOW64\Boepel32.exe

Filesize
89KB

MD5
613fcf22c25da17be17f1b6e4d116bd4

SHA1
fb148d444b254f433b8430ceda5d41d1a23a64e3

SHA256
222f7fa7729684e6ee8d986ae90e3062b0a137e87cd4ba6215df53e899fa35db

SHA512
bcd7a4a8d9a343099a675311b23293349d7a247ea9054efd3e0b29de3bf678c70f087e8429ce6afecf3a15461a856561822cea3e3982e05788652c1c7234a07d

Download Submit
C:\Windows\SysWOW64\Cacmah32.exe

Filesize
89KB

MD5
a3610d3cf353f435ef4f5170bfd741e3

SHA1
a5be6d9ca223364c72484318b0aa67dca0e94268

SHA256
c9d779db5a306ea82f5d9dda9a4ad0d01adabd61a421474bb1582c81f1a43bac

SHA512
ac37b6c5d03f8ae95d101b4a974d5c351bcafa2895e8c9bfb11f76da34498890529359806c8bc29721ac09fc66bef55e523de6a6e8bb1956e3673eef45504425

Download Submit
C:\Windows\SysWOW64\Cbcilkjg.exe

Filesize
89KB

MD5
ca1a1efa4098102379643da26ada478f

SHA1
5f9922641c0560d1716287d297ad34247f7e9937

SHA256
086d7c89aad947807779ac1e131da72fca1620dbe2fa99ef86ccc8dd1cd55aa6

SHA512
5c65c452140a1bb2817e69af4ba04139efb5d51258f2d96c8e071655f7e4f5b4d95cfcf8f21e627d8d4bddcd094ee3e69c01a242faee6bf49e0aae69ba9e970b

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
89KB

MD5
6cfa01c578fb8a2722b43c3884112f34

SHA1
0ac2c9bb5e0fd25eeccb44385e5eac47209b7c2d

SHA256
f18174dbc1769882ba4355cc200eb14127f6b7e51f434e18b9e7470202abd8a3

SHA512
f882a3b846b05c0cc1a4ea8e859bc51d5c6d08d31ef8143b61bd1c02706915a0e5fe72deb1429ac90f2e077fbbde78045f0883c6fe0a3b096ee2980f7fb8b8ac

Download Submit
C:\Windows\SysWOW64\Cecbmf32.exe

Filesize
89KB

MD5
bf0e39360278377605ae84aa6f2a4316

SHA1
ad83b1f68667a14e48621e720928f379f0123a85

SHA256
1832d0c70c9b8c0da54e9ab32dc36a5aaa6575f9ad634a81ec0290a16457578e

SHA512
145250f81a88a58bd9bc0b0d91d58c6d8bc18bf399e73d7837116e0bff6168e7e3f79aa1ddda2b23fd37167b26352ba4f7ddf0b54cd67be64392372c0d2bccc4

Download Submit
C:\Windows\SysWOW64\Cefoce32.exe

Filesize
89KB

MD5
1a2419ee3a792cd94f284eb0af986a66

SHA1
e6e58eb43fe484e1c6bce75482b39a5eb75883d8

SHA256
fb545862825995c86738a471e0d1c81a6ca2d0e20add711bca66ccd5d2b3f88b

SHA512
16e7660118ab5136f8806eb53b40d25d421b9e1efc414bde9eb315563c16aaf049c2150d9d07d0039bf8baec8580d298e0d3d46865c2ac79c40013e4103b5099

Download Submit
C:\Windows\SysWOW64\Cehkhecb.exe

Filesize
89KB

MD5
78899b4f53600be620db08332d08ddb2

SHA1
29f0530f2ac6992558c1ba34ee4667da23e4c265

SHA256
ad34e6d5f6a57e0d4f39d98e125d41dd83a2bed2ea3fae35642c2449f1726638

SHA512
8a5d8ee4495b0a7dfb2de0b50ab38e01637e6d05c3e5d122165e9228f83448c261ec216312bb22deb85b7b4cfb81cec6c5e391c8a7582270c6422d42fbcfb392

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
89KB

MD5
ac0ea4e7c159f9132fc56753469fab6f

SHA1
b6bb34d472e52a94ae2a1b048c28226f6c7d79c8

SHA256
ee892d09259e64b6d65d5f0013dd997fd4825948a43b3a4503d9eee13af523df

SHA512
59af33e558665d1c5d96eff94b87735a8b65af4f0d2352b420b267fe927bf078f99d3c61527856751089fa2e9f42dafa0163f233278ccc28493dae6cd0d52d2d

Download Submit
C:\Windows\SysWOW64\Chpada32.exe

Filesize
89KB

MD5
b2b69bd88eaa431aa071463fcf1b39f5

SHA1
9074cb12fcf66e067d7c55cb74222f8ed7121513

SHA256
76b564322f667b8397e57cffd7f179d4d267ee54d7e2183dc8412e2368ad4fe1

SHA512
05b99274c345843d4085cabf5adaa5d3ddbfcc79f2ab85864605fa2f12522790a21fddd34ebec08c5dbd653764414b1b636435a1577740e168c58e3ef5bdc23e

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
89KB

MD5
8fee44fd83d6630bba78aca4684f8b7f

SHA1
d479ecc7d2c61e4a73e681d8cff00291735321c7

SHA256
9c1c7d3ffd73a44cf58769338aa3345005cd94c17319b0307da60dbd29e242fe

SHA512
d936e8a4e7a12abc0760672668ab8b415a3c8f867a8778ec48e33ae6d26dba0d1eafe577e37a8e1dc67cf08b945fbf984469a6174338abd79c7c4ef93e019875

Download Submit
C:\Windows\SysWOW64\Ckedalaj.exe

Filesize
89KB

MD5
b3eca4bea6fd08ea36359e76612c6e4f

SHA1
e1301cfaa8cdee70c06d90ccea73b10b74c24108

SHA256
daebc585e81bf3d67e58cd6beb1f95a4f3fa7307324f0e065fc11e5d3b3e1877

SHA512
c84866bff1eb0e48819c4600da1d592ff6a915333fb45c98450edd17fa01e6a3c269e4af40cc26db3991c926cc4b1b516f94c093bc3a029da26a6f9ad326a5aa

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
64KB

MD5
6905bdc3e967251b41d4f4ebb815bc1d

SHA1
aa4cb846f252dcc7bf21836c5c4f0ce926b52a0b

SHA256
a978759b5be85bd2f2dd35fb4596f02f0582c36f899fe425099da2cd06595082

SHA512
3d2ea543856c171b774d0829edaa556686162149c97916eec0931a90e5eca7d4670bc1f32bed7fa8fb452f150b43b1c0f88d16345525cafbcc4fbef613c30a69

Download Submit
C:\Windows\SysWOW64\Cojjqlpk.exe

Filesize
89KB

MD5
afdd15f6fbe674b9122f36eed8f848a7

SHA1
62d6aae6240a6c139c027476e5db603b9b717da3

SHA256
484918ad250acfaee11d31fdc8330f97afffe56a49c1e3523b504734a8ed316a

SHA512
fc31f56980d8c97fd7ac09b0bafb1d01bfc9a271641224c746c6fda1de772024b71ed322c4d1f2d1d5c4310b67d4da66750ca5fc3ef5222fc89712067cbc6e17

Download Submit
C:\Windows\SysWOW64\Conclk32.exe

Filesize
89KB

MD5
8323d35f6e4dae151270ea4f45e468a2

SHA1
acd3500574a16a10a1d483cf26aa87d08a47eb13

SHA256
a4a26fb93fa710aa4be6958e3ce0a5e1e8d317258b765263120060f744638c37

SHA512
66affb49d27f1141fb3ec23fd70113b2801462b1de9a848908de3586f96466b55dfacc41e70628e0aada8c4f660c40354017c0fd0072620c8f539adcd9b3330e

Download Submit
C:\Windows\SysWOW64\Daaicfgd.exe

Filesize
89KB

MD5
1d6bb891de9f520d2dcd73d5afec42f6

SHA1
2c1d6ff045da6af5010dc004c228beea4becba58

SHA256
011329bbef3f0fe95a830a9f4f84319b9990f033a622c1da953482a5888260cd

SHA512
67c21585c958079cad643009fe508312d12108ae9f2e8952687f29227f8fa2a357a9ca54695bfa943263e8411446c9b4fa4882fcdd1a1c838a62c1e20181478c

Download Submit
C:\Windows\SysWOW64\Dbaemi32.exe

Filesize
89KB

MD5
998094c2466b560a50c8bf7c37232abe

SHA1
9ccf9e48d8f87a04fd493bb2957332659a8eb7f4

SHA256
8bd56f634e9d6eb01b16b63ce18b961348d240498e02b4fc124fc6463ead9c4b

SHA512
557b3b61ba1d2cc6bf64eb8f9d2dc6f2220b313bf923f48dfc934245d4088ce4d7a470931fc00cb7c980831ec28ae01f5badf0187dd884681a3dd3b5fd6b86d2

Download Submit
C:\Windows\SysWOW64\Dccbbhld.exe

Filesize
89KB

MD5
4c508404646191fe1ca71c5a84b1774f

SHA1
13bb2552aba39cc4b88e7d5e84d8ad8eceecf10d

SHA256
efdbbb3c7dc70abba5b6f71022c46940ad0d7e3ad9113763e6ba04e3b5ff4653

SHA512
17e5908528a0598d2763ee288446ca254fd96c6f78729aab3990645f4c611a6305693d1a9f3eb15baa420ea14136b5c0e848fcc3fbed33f4fc525bbea7e34cd9

Download Submit
C:\Windows\SysWOW64\Dceohhja.exe

Filesize
89KB

MD5
4d74d00cce5239288ceca5c684de40ef

SHA1
5a3f363e8a998498c7a6b85bd2ff668c8258d51e

SHA256
2ce63e6c87ccf5ab7dd8652033bbb7556f245b1f1cc48d5e587e5e87c506edd4

SHA512
f2843c0bed1bd2fecf0d28b6de4213a91ccf775079428b134eae372edab7fbd57531ce6dc13559fe35b5088626452800614ee91c4e3bd7a86d641d377af50bb7

Download Submit
C:\Windows\SysWOW64\Ddbbeade.exe

Filesize
89KB

MD5
ce55e58bfc1af3c48917c7723ae30f87

SHA1
c0417b48c7960e58962f649d6df2f819e96da82b

SHA256
4113c2b9119b6abdb9273d4799484c54ac1520783ee61c9f2116f7e4d2446328

SHA512
48195a07bbb39f862883d466bac69589f69a362a495f1fb3bc50527d9a8a8eced32948d3a0873de5c060f4fdfe4fcb94cd4c787f44246ef5ba966a5242fe5499

Download Submit
C:\Windows\SysWOW64\Ddmhja32.exe

Filesize
89KB

MD5
c94c7ef98605b21ebf99a191f4d52b81

SHA1
c383427067e87861191eae4b283e28ff9d390e04

SHA256
6eb5f6de3fde65097afe8e7901e20f3c31edadde69efcd7b18523bf04f2fe879

SHA512
736b5cb4de1bebdfc264e2a9fda32fcd0cb9754953c578dc178c10acecdcfe09f6c898d66584674c50d278729780dfd36a9c0307693c2bab14a9af682623681f

Download Submit
C:\Windows\SysWOW64\Deanodkh.exe

Filesize
89KB

MD5
c9dae7bed0141d7223270b8cba8ad4ba

SHA1
6b93c654256fba3acb427de915112093c781e14b

SHA256
91a104534bb2dd67f508f94b8fb65ffc59497389b426147046d0f396a21c6c7b

SHA512
023e5d9747997ba466118c758d3e52e037f28e7093bf3fb908ec96cde3413d36d4fcd2c94546c5f0f099f80be9cf0ef7a4d313efe7f9f9a28a176ebf1c38a405

Download Submit
C:\Windows\SysWOW64\Dedkdcie.exe

Filesize
89KB

MD5
876ce1b38c2e6ceb949e730e475f01b4

SHA1
971507d02a2031b72a463249935f8114414a06c3

SHA256
29115f4ad25af1ba43e3182eec843eac0d0949963306b02c627e4ed28cee3eac

SHA512
4bb8cc9fdc972e82f26998c8fe3c8acef30e73888c7e7c29bba1ea1de358113ee172ac18554d34b1af3b6e25116a7bf0b5cbe624cd25fd55275d4bc38d4b9b00

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
89KB

MD5
9e1879be6cb3d7e74f0adb848432f5a3

SHA1
3980c15952a1f678a8e78a54a285319bd7745304

SHA256
f40ce7603f033277ed4ced8600abfc00d5723d38fa0b420baadf4deaff125c4d

SHA512
2fb9843767966522969874335680ec9e579a76b9f41faf753a57628eebf7b8fe864c73c5e0b02157b8fb696ce99d73d0f5df90eb5f82ac70a2e12c6f2d6ece69

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
89KB

MD5
dc5c122133524abc20d9bacd5056961c

SHA1
141b17a683315b4840ab660114b1bd43f21e7912

SHA256
cf1e187af95b08689d9f9d67d00ee79945984d56a62d2ff05ba3e222e66ff187

SHA512
f4277c8162668e93b74872acc4733d5ce4f706246b059cf201d6740c581e5081e3831c8524fca0a0817e393015e4c004da2a7a2784d36bf3d917c8032099000d

Download Submit
C:\Windows\SysWOW64\Dhkapp32.exe

Filesize
89KB

MD5
84b2b1d0d00630d5778f28e3c54ea63e

SHA1
240de948933e69aaed7e4ed0b4924ec1db3e69b3

SHA256
3a67c5cde80b056e16a2be6afaa4339e46e1fb6539988b03b07de5a3f290f1f7

SHA512
33cff7630948d85bf68860bf614bf882eb92d49a5ac2e7d3fe31dd88c7fb2fff5f1a882aa661bf4477d9df8a4b7989e305f451056af16efc643c1245dc77f585

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
89KB

MD5
323183d0b49ebb7f5ed05eaba9712e61

SHA1
5ff4eb15324f81f16de457f8c3adfadd898b0987

SHA256
2d95f4bdebb585ab65d1b5302648539aa5c0418e848dbdceed12fdb868c9d1d4

SHA512
f822999458c850c4278cec4934fb52a3652b09ee505912f1251042af81dfc2bf3ac2f2499c745e499c9f2b5068b04ef91768d9a128e50d8337a76c215eb7e503

Download Submit
C:\Windows\SysWOW64\Echknh32.exe

Filesize
89KB

MD5
616ed3f8d040f36c751d4d242b41eb7b

SHA1
cd6651084bb38e3a5bf273f87cb3ab97273f8580

SHA256
feff7fa75e71516a11027c9ae1cfe6710a073868233d8e53406c5580333c2113

SHA512
16ff7502b7d15e5284e4cbfd6d0968b895aed399269e0200354cf2faa52511d28ff1a80d7a4ca9107249f0c9bcdc24b2383e8bccffb59bee0efb124bbc5118f3

Download Submit
C:\Windows\SysWOW64\Ecmeig32.exe

Filesize
89KB

MD5
e25a434e58e3bf3564fcacc66a043eee

SHA1
b712ceab15b91faab8be5a6e0cb183cda2e546e1

SHA256
aafed49dfbe6c18a7746be30658ebee0a1a8ab96d617879c3ce212e67805e88a

SHA512
3e31c0b0f2a324b72ead06ddeab6a3557a302349c79050339616df67b86873e994dbe026cb6cfcf446af6a8fb6d6ea9063472faa6a95a43d7190290a47b62358

Download Submit
C:\Windows\SysWOW64\Eefhjc32.exe

Filesize
89KB

MD5
7cf7330ec4445479b2f5b5e430c34c85

SHA1
2b3460d796b2d3e591ec6a6936097cbf82f5d721

SHA256
ce9bb78f8981462e106a316abc93fffcb8ff102196d54a18d19eb101150010f9

SHA512
31ef46bcd7dc5175e7623c5f048d12c2cbad58cbb9257dff3cbc367c4eed1b25ab964d42b0d0c8db655ca8f3b9a846221f861d7ca043cc4ae5307510f4524cc1

Download Submit
C:\Windows\SysWOW64\Eeidoc32.exe

Filesize
89KB

MD5
952bfa255b8e4c54ad8d9ed4d538b98d

SHA1
168a8476f3fb01b690202575fad839b203a2788e

SHA256
ebdea97fbe45c8ede10002ddb8c74629aff56fdca1840da6ad608d65c152ec5a

SHA512
12d9f30e6e80a0ccc6da5f88a2daf4903402bf5c77e8f8159beae1a31df33d75a5fefdfbe2394c065a6528225194f791c41f78148fa1da7368c97418a20d44b2

Download Submit
C:\Windows\SysWOW64\Ekcpbj32.exe

Filesize
89KB

MD5
44aaccd50801060b0e09618b0f1e3d4b

SHA1
d829fccb926c5cde4e8898f0d91f79fc12f16c6f

SHA256
6a298d1463d7b60a78d101850866af98322b448938a3d8a4ea7d6d23f743982c

SHA512
094d2b7afedbe8b992cdbb0279e79133c04794e4c7a76fbfbb6e3707ea42db3e75757dd634580d1d905f97646ada206eec03f132a0d2b2c81c5b580569f3d5b7

Download Submit
C:\Windows\SysWOW64\Fbnafb32.exe

Filesize
64KB

MD5
ab70bea0c571e56c81f032b853925c90

SHA1
5965bc9a4b7fffebf806f0d876992d495cad7d6e

SHA256
d1c9af9a0699271000b71ad8d448b0816ab14f0f41e39cdad89f26c588254c87

SHA512
36bc8c074ecb8e8793ea688367a56649c3db48d2559af8fca2b71f2d07c863641d4fed3add23e27c0ffc285c53a70fafe24b11ff8679893c83fceb102f67f7bd

Download Submit
C:\Windows\SysWOW64\Fojlngce.exe

Filesize
89KB

MD5
50ab900d9e4b68569d584274c584182c

SHA1
a716ed5006d764121325aff94f66aea030b4d086

SHA256
6c750b46cf25f114b7c5bc5fd8700c995be8993e1a0ec904ef0dac862b147b88

SHA512
0ad0977e68809b0f14c7c1934fca03b5fc51dd0b4c9a9974fa0a927154730922543a42056f5c9a87d590142d9a124c27ca46660618a14c2d807d0a8a22c67314

Download Submit
C:\Windows\SysWOW64\Hmhhehlb.exe

Filesize
89KB

MD5
4609e8829217910a9f2ba5d9539e6ddf

SHA1
62905abb62b847d2c74a4dfcaa3a38ea2a20e693

SHA256
90d05091e9ca47785ccd8e9ed3684b21446ad8fdd39541451304f22a6e9de8fc

SHA512
a5aadb0f791ab64377ed182f75be0f4876836570e8ce980e27eee7b0bf849024f44ca7f5ced5119a857d5d1947572eadc39c25bce3a9460f092b1bf7c520ba24

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
89KB

MD5
54860a57578f984d948204321210c607

SHA1
9ee0ff117c403ff68423d0088a6c0aca1195a3f9

SHA256
d30ee27d79e53b9dfa6e2a51265f32f03b48d79647d305ec803a0bba1a9486b6

SHA512
534e6ac5ca3f742a02761a1f6253a6279cf29d92a293eb4fd5002a6c2171e3d21c6e6979ec9770693548eb3cc5e666120defa7ec8a9b1044a87c548970bde60e

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
89KB

MD5
1cd3012426c92dcc9cad0a4c72b7185c

SHA1
9302a5d48fdf17c41b05719fb42fe9fe13073d86

SHA256
b09a4d4581ce13505e27bd4ffce4de46f5c39564beeb0b477854223dff93d542

SHA512
594909a566be7fab5a07f1eb3a60c1736cee49c2c929b047db52655d73404b9e0d7498fca87b0f40e0c4243125399a90d6124773f793f744a3ee536d5134d6bd

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
89KB

MD5
081b3ca45b7bd21850b763fd9b2b7d1f

SHA1
b2daa07b8ad094c33b62bb68c926a4a97b031d45

SHA256
71276679b1ca568ceeec5acf763074ac656acf72305465e65ad798ad01363d05

SHA512
d3a7a986854bafb967bbeade6228fb6ada707bc4c28380d9492da1ecc10e5004ad95758ccdf272de670b83a2a941499024e19f27fa55bb3f48001dd54b5c84c2

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
89KB

MD5
99f4cbd9c26666e334e4ff56e75715c3

SHA1
4796fa5790fe92ab3a6b480519b1b336c33d8dfb

SHA256
26de0fdcc47361367df07009cd79b8f1c03df725521f9f308f71d308a8a0266a

SHA512
7396954bcf0ec46918881a1696989ce4fc15070b454ea330ea4468eddf413c4a6cb7efe95c5ec7c2ce705b7846caae170fdadc3097901fd732457d97b4353629

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
89KB

MD5
500c88d9d3edc49ca85d979495eb9d3c

SHA1
c00397367d447bf3b83110abca8cbd81b69e6174

SHA256
cd4f5741f98ad780e95aa08af62aee66f35b4006d6dcb5613dc97f50c7b9cd8e

SHA512
c2feb8794ee25bac3ce56c6f9074388647ad151734e7822049861c29be912ef2b4724cf761fe8e0939ac7be627e394498867dc3fd14cee8709fd5d2bb44edfcd

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
89KB

MD5
71d0fc46fb275e17bc76df13d08cdb20

SHA1
99848be312b14412b0d1c6cc196d12095e53063e

SHA256
90e5daf2abf1d48ed466bb5d5ad9d037800e80ddefbf9679d1aab766b6739b55

SHA512
53dcf1a46be15b7d3f63ea468a52b693584f24e42d12695289e09e30e6209f5238769d786b86300e09f1aead73ec49a082c304f78e5338947d81ac6bde99849c

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
89KB

MD5
9d0b732600cc6439789b6a578c66bdde

SHA1
d0d77855d76285bb6bd5b58621488f42f251a1c6

SHA256
a7508438e0a9a4f6741d84ecf42f7b1d28d2b908628bb29fa689ae4b7dcd06d7

SHA512
6d8a444133fb554f377ffeffa2ca55e98555ea9cd2c1696610cc60c2f48be96f1ec15c448efd2352016a19d86aa8179d2693b1822eb6e9215de59aac7d94d4cc

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
89KB

MD5
69119542707a01aea8e5970672221c3d

SHA1
81d24fb30ad2a005f7a83493223b805d41dbc052

SHA256
b9b50846063e1402c98d7365f8608c634c37acfcbb43736459246f96a2dac15d

SHA512
420477662eba60d2c14aa73cdd6f84e6d90d250571c78d81d3137b8c6f6c32dce944362a86a3706b0fec4f3f307391d7c8210c46858cc59552ba6fed4f6a2922

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
89KB

MD5
ccbc994c2519072486bae91990a6984b

SHA1
6ef0f4a699a69dca93264428b8b461483f7c4c59

SHA256
ab750caf6b44bf97674f917830488033bed8c0d67b30e26ab7defef0a0e6818c

SHA512
9fc5917fb7d85adf1a3dd04aeec485810e903479c33f403b3cd387ac2bc6c6c276db1016d2f4649344d685cd0347afef67be877c0a4d0e892c74e176d7f46add

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
89KB

MD5
2a9cbf9f1bce4279efd04283db9462a3

SHA1
51914a5deb1c27f0f9612262ca886e1b906ddf16

SHA256
1499de8ddb6f5189337fb84f598f93dbc6963e4b555ba4480dc5bce4f82807ab

SHA512
d2271805e0576acc351e4d70517d991598fb6301dd42505f176f4a6eedc2a657962cfe74575b6fca95cc2ca67299fb6e2e146db6d2ffb399abed66fa351d16ad

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
89KB

MD5
bd102bd880ee6d672e2323114682fbbe

SHA1
fcf7c143aeee1c88c7392cb8dc929657d4d3d1c2

SHA256
c25a43e7b2b50a835e677281a5143bffd86734a93b37fba3d3c0d333041bf9f9

SHA512
2c7113aaa94446ec63d5b18cb4d59b393cab7964b708f4a5bb555f4ad38b4395a09e7c7bc9b0c184b95e20f13a6b72fbb4f1300a0c7252e5e9134d66db95ce7b

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
89KB

MD5
df971ae6c41612f3ed878ebfaae4eac1

SHA1
60691e7c8aad26169183aeb1f10054ffacb20394

SHA256
8d8896621af9ce4e7ece26f7ce093276812d363b477b9326ec02ba5c2c94f67e

SHA512
d4c346de9eb98b5d3f90c5d40534b18c6b7e48767bda7e6d54d6e137e25b52b6ca860e8070be1d596f06b522ef1cf17149c7ce088c34d3bd439babb39daec8e3

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
89KB

MD5
eafe32e5aafb7e2de15cebee2b7d2b61

SHA1
c135a2cbcf2c9c12fb7d9f79e88a598fd1c6dced

SHA256
5eab59d67deb8f3cbb4f5e34ece45451935554396bda8244020b8d9ddde9f003

SHA512
ac897bbbd2f68281e6b7fd6a8d6fb58e1b4e77def2429de26849c23f69f676170a665fb112c298107c4aa8d276e33252398d9d117c35ff7b1ef50b5fab2492c7

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
89KB

MD5
879dfb2cb694cfc7d45a4d10d1588744

SHA1
03b6be81a37d2bc36fb0d6c343448a5d1fa1536b

SHA256
47ac00b745370786f3510b66b635a06f58c8cf79f2cdeac0b33853aaa13bd349

SHA512
c4c1a578545d3be0451028ea473268e24a54cfc9ed39bdcbe5c8d669db79ae75762fd0a3e832a8323ec1dc735d99b83f3abf4fd1d3173819d94beb0030850861

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
89KB

MD5
4a75c72cdb05ed0ad188c5224419e3cf

SHA1
db638cc34a6004d23628e019b50b4851002483ac

SHA256
4e2b7b8329b1ce05179ef6177fc743d8e47b781c2d372288971f750ae020b181

SHA512
da45c907ffea41a57623dd323abd9bef72eae9dac936c8fda33481da4e224cf01b7c125d3724fbf00c392354474155fd2b2d54d7e2a8ae99e31c9e868e21a9f5

Download Submit
memory/368-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/404-170-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/404-259-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/416-379-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/688-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/688-284-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/832-359-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/832-427-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/908-373-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1088-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1088-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1108-425-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1244-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1244-396-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1424-333-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1424-399-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1496-251-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1496-325-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1724-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1724-317-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1728-297-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1756-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1756-115-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1856-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1856-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1864-306-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1864-372-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1964-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1964-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2168-246-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2184-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2184-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2240-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2240-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2272-414-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2296-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2296-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2308-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2308-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2364-318-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2444-386-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2596-267-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2596-180-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2660-76-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2660-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2740-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2740-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2960-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2960-260-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3040-245-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3040-153-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3092-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3092-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3116-99-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3116-187-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3240-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3240-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3324-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3324-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3396-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3396-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3516-366-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3516-438-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3576-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3576-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3652-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3652-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3680-385-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3680-319-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3720-411-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3732-283-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3768-206-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3768-296-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3792-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3792-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3880-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3884-250-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3884-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3908-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3908-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4360-428-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4472-397-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4768-282-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4768-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-126-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-214-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4912-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4912-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4940-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4940-179-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5044-413-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5044-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5084-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5084-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads