98559176c0e611fa4c8b93b134dd97820b29051df567f15805256266814524c2

Analysis

max time kernel
131s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe
Size

125KB
MD5

5d2f65b844213aa26a92e1e498b1e190
SHA1

5dc48ed340eaeefacc97fce386cc8d77515e62cf
SHA256

98559176c0e611fa4c8b93b134dd97820b29051df567f15805256266814524c2
SHA512

b77a6aea7d21bae021d778457b21d7029aa90e0f43b118b61d6a56375a0d8edfd31142786eb73b12ab1f000090fe9df9cc1eb31e2f7e448fa97fe4576a2da2a7
SSDEEP

3072:0sX8LIjaC82lBdGKcSZpTt4Haz5cM1WdTCn93OGey/ZhJakrPF:QLnngnHpTt4Haz5cjTCndOGeKTaG

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cafpanem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhqaefng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpnnig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cefemliq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cedihl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epopgbia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beppmmoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cidncj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bammlomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpcgdfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfdbojmq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chbedh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehekqe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epmcab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdibj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efpajh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chphoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhqaefng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cohdebfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecmlcmhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemcgmak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffekegon.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/704-0-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0005000000023284-6.dat	family_berbew
behavioral2/memory/3820-12-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233fb-14.dat	family_berbew
behavioral2/memory/1140-16-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233fd-22.dat	family_berbew
behavioral2/memory/1932-28-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233ff-30.dat	family_berbew
behavioral2/memory/2416-31-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023401-38.dat	family_berbew
behavioral2/memory/3140-39-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023403-46.dat	family_berbew
behavioral2/memory/3564-48-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023405-54.dat	family_berbew
behavioral2/memory/2252-55-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023407-62.dat	family_berbew
behavioral2/memory/1440-64-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023409-70.dat	family_berbew
behavioral2/memory/3720-71-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002340b-78.dat	family_berbew
behavioral2/memory/5036-80-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002340d-86.dat	family_berbew
behavioral2/memory/4944-88-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002340f-94.dat	family_berbew
behavioral2/memory/2420-96-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023411-102.dat	family_berbew
behavioral2/memory/2872-104-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023413-110.dat	family_berbew
behavioral2/memory/1656-112-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023415-118.dat	family_berbew
behavioral2/memory/2280-120-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023417-126.dat	family_berbew
behavioral2/memory/3580-128-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023419-134.dat	family_berbew
behavioral2/memory/1644-136-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341b-142.dat	family_berbew
behavioral2/memory/3916-144-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341d-150.dat	family_berbew
behavioral2/memory/3336-156-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341f-158.dat	family_berbew
behavioral2/memory/3236-160-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023421-166.dat	family_berbew
behavioral2/memory/908-167-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023423-174.dat	family_berbew
behavioral2/memory/5080-176-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023425-182.dat	family_berbew
behavioral2/memory/632-187-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023427-190.dat	family_berbew
behavioral2/memory/4320-191-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023429-193.dat	family_berbew
behavioral2/memory/548-200-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00080000000233f7-202.dat	family_berbew
behavioral2/memory/3288-208-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342c-214.dat	family_berbew
behavioral2/memory/464-216-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342e-222.dat	family_berbew
behavioral2/memory/1184-228-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023430-230.dat	family_berbew
behavioral2/memory/4776-231-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023432-238.dat	family_berbew
behavioral2/memory/4312-240-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023434-246.dat	family_berbew
behavioral2/memory/4924-248-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023436-254.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
3820	Abedecjb.exe
1140	Aiolam32.exe
1932	Blnhni32.exe
2416	Bbhqjchp.exe
3140	Bhdibj32.exe
3564	Bpladg32.exe
2252	Bammlomg.exe
1440	Bhgehi32.exe
3720	Bpnnig32.exe
5036	Baojaoke.exe
4944	Bifbbllg.exe
2420	Bockjc32.exe
2872	Baaggo32.exe
1656	Bemcgmak.exe
2280	Bpcgdfaa.exe
3580	Boegpc32.exe
1644	Beppmmoi.exe
3916	Chnlihnl.exe
3336	Cohdebfi.exe
3236	Cafpanem.exe
908	Chphoh32.exe
5080	Cojqkbdf.exe
632	Cedihl32.exe
4320	Chbedh32.exe
548	Commqb32.exe
3288	Cefemliq.exe
464	Clqnjf32.exe
1184	Coojfa32.exe
4776	Ccjfgphj.exe
4312	Cidncj32.exe
4924	Coagla32.exe
1156	Cekohk32.exe
1988	Dhjkdg32.exe
4120	Dpacfd32.exe
4300	Dcopbp32.exe
2544	Denlnk32.exe
4816	Dhlhjf32.exe
1136	Dpcpkc32.exe
4184	Dcalgo32.exe
3080	Djlddi32.exe
3952	Dljqpd32.exe
1020	Dohmlp32.exe
3676	Dagiil32.exe
3176	Debeijoc.exe
1716	Dhqaefng.exe
4552	Dphifcoi.exe
2552	Dokjbp32.exe
4124	Dfdbojmq.exe
3232	Dhcnke32.exe
2972	Dchbhn32.exe
712	Efgodj32.exe
4664	Ehekqe32.exe
1364	Epmcab32.exe
2808	Ebnoikqb.exe
3612	Ehhgfdho.exe
1868	Epopgbia.exe
3712	Ecmlcmhe.exe
4076	Ejgdpg32.exe
3308	Eleplc32.exe
3740	Eodlho32.exe
2664	Efneehef.exe
3536	Ehlaaddj.exe
5108	Eqciba32.exe
4712	Ecbenm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dcopbp32.exe	Dpacfd32.exe
File created	C:\Windows\SysWOW64\Bgkkkd32.dll	Dpacfd32.exe
File created	C:\Windows\SysWOW64\Efpajh32.exe	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Qdqjmdmd.dll	Abedecjb.exe
File created	C:\Windows\SysWOW64\Bpcgdfaa.exe	Bemcgmak.exe
File created	C:\Windows\SysWOW64\Gameonno.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Dpacfd32.exe	Dhjkdg32.exe
File created	C:\Windows\SysWOW64\Ockmjg32.dll	Dfdbojmq.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Beppmmoi.exe	Boegpc32.exe
File created	C:\Windows\SysWOW64\Gbgkfg32.exe	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Baojaoke.exe	Bpnnig32.exe
File created	C:\Windows\SysWOW64\Djlddi32.exe	Dcalgo32.exe
File created	C:\Windows\SysWOW64\Gmggiogn.dll	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hboagf32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Bifbbllg.exe	Baojaoke.exe
File opened for modification	C:\Windows\SysWOW64\Gfhqbe32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Epopgbia.exe	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Gimjhafg.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gfedle32.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Bhdibj32.exe	Bbhqjchp.exe
File created	C:\Windows\SysWOW64\Chphoh32.exe	Cafpanem.exe
File opened for modification	C:\Windows\SysWOW64\Dcalgo32.exe	Dpcpkc32.exe
File opened for modification	C:\Windows\SysWOW64\Epmcab32.exe	Ehekqe32.exe
File created	C:\Windows\SysWOW64\Ehonfc32.exe	Efpajh32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ffekegon.exe	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Clqnjf32.exe	Cefemliq.exe
File created	C:\Windows\SysWOW64\Mdmiambh.dll	Dhjkdg32.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kdffocib.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7172	7800	WerFault.exe	337

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpnnig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icnmgkke.dll"	Cekohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpjnm32.dll"	Dpcpkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofjdo32.dll"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgkkkd32.dll"	Dpacfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Debeijoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihgjcg32.dll"	Bpnnig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijnep32.dll"	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgkno32.dll"	Baaggo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fokbim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljmpfbln.dll"	Chphoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Coojfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgbbq32.dll"	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqddbnon.dll"	Bhgehi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhlfk32.dll"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbhqjchp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 3820	704	5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe	83
PID 704 wrote to memory of 3820	704	5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe	83
PID 704 wrote to memory of 3820	704	5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe	83
PID 3820 wrote to memory of 1140	3820	Abedecjb.exe	84
PID 3820 wrote to memory of 1140	3820	Abedecjb.exe	84
PID 3820 wrote to memory of 1140	3820	Abedecjb.exe	84
PID 1140 wrote to memory of 1932	1140	Aiolam32.exe	85
PID 1140 wrote to memory of 1932	1140	Aiolam32.exe	85
PID 1140 wrote to memory of 1932	1140	Aiolam32.exe	85
PID 1932 wrote to memory of 2416	1932	Blnhni32.exe	86
PID 1932 wrote to memory of 2416	1932	Blnhni32.exe	86
PID 1932 wrote to memory of 2416	1932	Blnhni32.exe	86
PID 2416 wrote to memory of 3140	2416	Bbhqjchp.exe	87
PID 2416 wrote to memory of 3140	2416	Bbhqjchp.exe	87
PID 2416 wrote to memory of 3140	2416	Bbhqjchp.exe	87
PID 3140 wrote to memory of 3564	3140	Bhdibj32.exe	88
PID 3140 wrote to memory of 3564	3140	Bhdibj32.exe	88
PID 3140 wrote to memory of 3564	3140	Bhdibj32.exe	88
PID 3564 wrote to memory of 2252	3564	Bpladg32.exe	89
PID 3564 wrote to memory of 2252	3564	Bpladg32.exe	89
PID 3564 wrote to memory of 2252	3564	Bpladg32.exe	89
PID 2252 wrote to memory of 1440	2252	Bammlomg.exe	90
PID 2252 wrote to memory of 1440	2252	Bammlomg.exe	90
PID 2252 wrote to memory of 1440	2252	Bammlomg.exe	90
PID 1440 wrote to memory of 3720	1440	Bhgehi32.exe	91
PID 1440 wrote to memory of 3720	1440	Bhgehi32.exe	91
PID 1440 wrote to memory of 3720	1440	Bhgehi32.exe	91
PID 3720 wrote to memory of 5036	3720	Bpnnig32.exe	92
PID 3720 wrote to memory of 5036	3720	Bpnnig32.exe	92
PID 3720 wrote to memory of 5036	3720	Bpnnig32.exe	92
PID 5036 wrote to memory of 4944	5036	Baojaoke.exe	93
PID 5036 wrote to memory of 4944	5036	Baojaoke.exe	93
PID 5036 wrote to memory of 4944	5036	Baojaoke.exe	93
PID 4944 wrote to memory of 2420	4944	Bifbbllg.exe	94
PID 4944 wrote to memory of 2420	4944	Bifbbllg.exe	94
PID 4944 wrote to memory of 2420	4944	Bifbbllg.exe	94
PID 2420 wrote to memory of 2872	2420	Bockjc32.exe	95
PID 2420 wrote to memory of 2872	2420	Bockjc32.exe	95
PID 2420 wrote to memory of 2872	2420	Bockjc32.exe	95
PID 2872 wrote to memory of 1656	2872	Baaggo32.exe	96
PID 2872 wrote to memory of 1656	2872	Baaggo32.exe	96
PID 2872 wrote to memory of 1656	2872	Baaggo32.exe	96
PID 1656 wrote to memory of 2280	1656	Bemcgmak.exe	97
PID 1656 wrote to memory of 2280	1656	Bemcgmak.exe	97
PID 1656 wrote to memory of 2280	1656	Bemcgmak.exe	97
PID 2280 wrote to memory of 3580	2280	Bpcgdfaa.exe	98
PID 2280 wrote to memory of 3580	2280	Bpcgdfaa.exe	98
PID 2280 wrote to memory of 3580	2280	Bpcgdfaa.exe	98
PID 3580 wrote to memory of 1644	3580	Boegpc32.exe	99
PID 3580 wrote to memory of 1644	3580	Boegpc32.exe	99
PID 3580 wrote to memory of 1644	3580	Boegpc32.exe	99
PID 1644 wrote to memory of 3916	1644	Beppmmoi.exe	100
PID 1644 wrote to memory of 3916	1644	Beppmmoi.exe	100
PID 1644 wrote to memory of 3916	1644	Beppmmoi.exe	100
PID 3916 wrote to memory of 3336	3916	Chnlihnl.exe	101
PID 3916 wrote to memory of 3336	3916	Chnlihnl.exe	101
PID 3916 wrote to memory of 3336	3916	Chnlihnl.exe	101
PID 3336 wrote to memory of 3236	3336	Cohdebfi.exe	102
PID 3336 wrote to memory of 3236	3336	Cohdebfi.exe	102
PID 3336 wrote to memory of 3236	3336	Cohdebfi.exe	102
PID 3236 wrote to memory of 908	3236	Cafpanem.exe	104
PID 3236 wrote to memory of 908	3236	Cafpanem.exe	104
PID 3236 wrote to memory of 908	3236	Cafpanem.exe	104
PID 908 wrote to memory of 5080	908	Chphoh32.exe	105

C:\Users\Admin\AppData\Local\Temp\5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:704
- C:\Windows\SysWOW64\Abedecjb.exe
  C:\Windows\system32\Abedecjb.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\SysWOW64\Aiolam32.exe
    C:\Windows\system32\Aiolam32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\SysWOW64\Blnhni32.exe
      C:\Windows\system32\Blnhni32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Windows\SysWOW64\Bbhqjchp.exe
        
        C:\Windows\system32\Bbhqjchp.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Windows\SysWOW64\Bhdibj32.exe
        
        C:\Windows\system32\Bhdibj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Bpladg32.exe
        
        C:\Windows\system32\Bpladg32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Bammlomg.exe
        
        C:\Windows\system32\Bammlomg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Bhgehi32.exe
        
        C:\Windows\system32\Bhgehi32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Bpnnig32.exe
        
        C:\Windows\system32\Bpnnig32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Baojaoke.exe
        
        C:\Windows\system32\Baojaoke.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Bifbbllg.exe
        
        C:\Windows\system32\Bifbbllg.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Bockjc32.exe
        
        C:\Windows\system32\Bockjc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Baaggo32.exe
        
        C:\Windows\system32\Baaggo32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Bemcgmak.exe
        
        C:\Windows\system32\Bemcgmak.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Bpcgdfaa.exe
        
        C:\Windows\system32\Bpcgdfaa.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Boegpc32.exe
        
        C:\Windows\system32\Boegpc32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Beppmmoi.exe
        
        C:\Windows\system32\Beppmmoi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Chnlihnl.exe
        
        C:\Windows\system32\Chnlihnl.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Cohdebfi.exe
        
        C:\Windows\system32\Cohdebfi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Cafpanem.exe
        
        C:\Windows\system32\Cafpanem.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Chphoh32.exe
        
        C:\Windows\system32\Chphoh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\Cojqkbdf.exe
        
        C:\Windows\system32\Cojqkbdf.exe
        23⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\Chbedh32.exe
        
        C:\Windows\system32\Chbedh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        26⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        28⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        30⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        32⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        36⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        37⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        38⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4184
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        41⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        42⤵
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        43⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        44⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        48⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        50⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        52⤵
        Executes dropped EXE
        
        PID:712
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        55⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        60⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        61⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        62⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3536
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        64⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        67⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        68⤵
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        69⤵
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        70⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        71⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4336
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        74⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        75⤵
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        77⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        78⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        79⤵
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        81⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        82⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        83⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        84⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        86⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        87⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        88⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        91⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        92⤵
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        93⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        95⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        96⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        98⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        99⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        100⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        101⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        102⤵
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        104⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        105⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        106⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        108⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        109⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        110⤵
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        111⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        114⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        116⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        117⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        120⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        122⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        123⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        124⤵
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        125⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        126⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        127⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        128⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        130⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        131⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        132⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        133⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        134⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        135⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        136⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        137⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        139⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        140⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        141⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        142⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        143⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        144⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        145⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        146⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        148⤵
        Modifies registry class
        
        PID:6180
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6216
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        150⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6300
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        153⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        155⤵
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6552
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        158⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        159⤵
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        160⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        161⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        162⤵
        Drops file in System32 directory
        
        PID:6784
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        164⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        165⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        166⤵
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        167⤵
        Drops file in System32 directory
        
        PID:7004
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        168⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7080
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        171⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        172⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        174⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        175⤵
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        176⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6544
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        178⤵
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        179⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        180⤵
        Drops file in System32 directory
        
        PID:6756
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        181⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        182⤵
        Drops file in System32 directory
        
        PID:6900
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        183⤵
        Drops file in System32 directory
        
        PID:6944
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7012
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7088
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        186⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        187⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        188⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        189⤵
        Drops file in System32 directory
        
        PID:6452
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        190⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        191⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        192⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        193⤵
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        194⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        195⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        196⤵
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        197⤵
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        198⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        199⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        200⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        201⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        202⤵
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        203⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        204⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        205⤵
        Drops file in System32 directory
        
        PID:7112
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        206⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6728
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        208⤵
        Modifies registry class
        
        PID:7192
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        209⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        210⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7320
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        212⤵
        Modifies registry class
        
        PID:7360
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        213⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        214⤵
        Modifies registry class
        
        PID:7456
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        215⤵
        Modifies registry class
        
        PID:7492
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        216⤵
        Drops file in System32 directory
        
        PID:7536
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7580
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        218⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        219⤵
        Drops file in System32 directory
        
        PID:7668
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7704
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        221⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7788
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        223⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        224⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7920
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        226⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8004
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        228⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        229⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        230⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        231⤵
        Drops file in System32 directory
        
        PID:8184
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7232
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        233⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        234⤵
        Modifies registry class
        
        PID:7348
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        235⤵
        Modifies registry class
        
        PID:7428
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        236⤵
        Drops file in System32 directory
        
        PID:7488
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        237⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        238⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        239⤵
        Drops file in System32 directory
        
        PID:7760
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        240⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        241⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7896
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        242⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        243⤵
        Modifies registry class
        
        PID:8052
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        244⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8124
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        245⤵
        Modifies registry class
        
        PID:8168
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7272
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        247⤵
        Drops file in System32 directory
        
        PID:7400
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        248⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        249⤵
        Drops file in System32 directory
        
        PID:7648
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        250⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 412
        251⤵
        Program crash
        
        PID:7172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7800 -ip 7800
1⤵
PID:7984

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:8052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abedecjb.exe

Filesize
125KB

MD5
05111b1315a05c8c591c07950c701bbc

SHA1
d816c84425be3797e29726d753884300a7ff176d

SHA256
eb5447061f292db5341523c2ff1f7e91b5099798207830ff62a673e484155058

SHA512
fdf029a26352d87425d935e5ec280a0d01f2844163cdbc912adecbacba7076006ced05b969cc8a2ca29ed6964a6442228ddcb6e09001b9c76c6a3ff412a3ab4a

Download Submit
C:\Windows\SysWOW64\Aiolam32.exe

Filesize
125KB

MD5
cda7d27f16aaefdd40b4df3810c24606

SHA1
f75ae9cd5c6fd14d453c2e3f9ebbe33fa0ca8cbe

SHA256
ac5733d01f3fcc4feb40a8eeb5e1af133c03020a5d0b6c88a3644791934157c6

SHA512
85876a685688f816578b98d10da99fc0542f1da789fe76a3d2ebe1b73488eabcdb10f2f6d3a9d2f802c483e92e06b44b8be0bc0e39bf5c2081c138c6bbcb56f6

Download Submit
C:\Windows\SysWOW64\Baaggo32.exe

Filesize
125KB

MD5
20bf9e242e8cb10b24d7b516d12c392f

SHA1
76568a4575c99ead81f73b116cbe3156e3989d86

SHA256
b10eb8c1ce6d42db5d28a1fa74aca1b2bfc9895be6806ab9e19f3787632e3d61

SHA512
02afd8819bb7ae046e571a34d72bd279e10055574a5b1c0e7e28e526e0362e76c4be680c6f450a1b9d232c6f0a0f6c18b20974e0d04a6f5e8cadc8f3b0b2d03d

Download Submit
C:\Windows\SysWOW64\Bammlomg.exe

Filesize
125KB

MD5
7911c55a7ce1b91dfa1246dec94565b9

SHA1
f393ed9cc27fcbbae93dace80c87c1633cae5a26

SHA256
31e3caa10a78df78856a2ae77db99c1d4c220490d89ade322c36b0e39a868e33

SHA512
1c47850fb5b23583ba329805a0177ef675a623feca49e0ad3f909a2b7a17e49ed170eb4ee0b4d07614a8409cc88a68572fc26e593ed7c7728dc4fb00efb617c1

Download Submit
C:\Windows\SysWOW64\Baojaoke.exe

Filesize
125KB

MD5
c504904eae87e14492547ad7a7f9bdb3

SHA1
6f9903a8ef0ee4a733d30a33c67b02461583af94

SHA256
1cee10585fd079068272e5d17e08798473d18e306a8dcdbaca6078acdec2ed18

SHA512
dd91ab2d59535795aea1ac6df878a4ca6bf6b2078f7122807dc712dfc2aeb8d75c4d4313bd09c3be59873f0b91a8c0643427791e1f3174b78e1baa5b80383f80

Download Submit
C:\Windows\SysWOW64\Bbhqjchp.exe

Filesize
125KB

MD5
b3dc0b11cf1a5788d2ab2a0840fcb318

SHA1
f3b60636e0ea79038b7960c43eb50c75e8ffded3

SHA256
f52e24ef5cd4defae76e3b515db048e85ad66e5c8eb06ab490fc68787503312a

SHA512
630bce28f872f96d17ec80cb73bed6e0a84cc8945ab9cf8ac8fc66a214f96cc9a4266de4cce35b1ef9ad99132d93f1f2f49cec50dde43103f79c08cde1e0889c

Download Submit
C:\Windows\SysWOW64\Bemcgmak.exe

Filesize
125KB

MD5
64baf34e4872f4c5ce9d03c8385c0252

SHA1
a416b175e1e00fb8291eeef5c33e003bd8a2c0d2

SHA256
de6aa0fca4aecc7efab69f455ba49c83f008e49062cb5214d180b217991ad24f

SHA512
c6fff8dddc106e926cc269fff5a51a862e887c25f8445a6fd13df537e76f0ab56a36fc16971632ae6a385fe44378e4fef8cd133ac025d723a6d03319ac2d354c

Download Submit
C:\Windows\SysWOW64\Beppmmoi.exe

Filesize
125KB

MD5
9498c8294a041c3451f8e1594415bfc4

SHA1
b1158b8509423a8a12d683f5fd4e1a1e1fc589d7

SHA256
34f138476497ace922b14d7da5137997afd2ee104de765e9be9c1afedf8b1a53

SHA512
7eb3aa31425ec1b1a78678ee736151273cbaa5be8f085e90e80d7fb534c268fcdade1cc38f2526ab75cc41e559f17335a66e708cd37bcda2d389c6c8df4c1895

Download Submit
C:\Windows\SysWOW64\Bhdibj32.exe

Filesize
125KB

MD5
202df19b0d7c2278fd608288d535cde4

SHA1
b935418b47a79da513d00ce00ac5475a77733e6c

SHA256
253d82457b18aa5720dd4b5d14dd1735dadd94a59cd54282807dee624158fb4b

SHA512
36fb707a8fa32b8a043d4dda9d885bfe0ee7448ab24c0c8405d2bab2f764c7452443e63b0ee7518882598b46982e116668668cf8b7818c91b0e0d5bf7ec62b0c

Download Submit
C:\Windows\SysWOW64\Bhgehi32.exe

Filesize
125KB

MD5
5a61d119d58da8c0d9d77f4e5235ff48

SHA1
9d752e616996495491a4071fa613e819116dabc0

SHA256
583cce604dee9e207724ce346f1ca3b6e6fb5293f0b313e6423b413e243d5ec0

SHA512
12f1e8649c17a759115361abf0beff7ab0e8968253d5027d8d7cfbd62dbfd5b75656414aa2efa417e884c102046f0c8e8af64df2e08868546c01482bed472367

Download Submit
C:\Windows\SysWOW64\Bifbbllg.exe

Filesize
125KB

MD5
868dde6c4b34aa8304e77049a857d468

SHA1
b8825c6ff1c2b4ed15c8715b49d97439125dcd08

SHA256
4b15ede77c39ccc1ca3574f430285cea649a38158adaa106676b393fb06d5651

SHA512
901282bad2fd848b8dd347fd609ba0b77f17ab18aaa819ff0d6ab3b8a6467309c02b1ab61dca4cfa8203b2e51227ca970da9ebd32f92ab86c603031222be5f11

Download Submit
C:\Windows\SysWOW64\Blnhni32.exe

Filesize
125KB

MD5
16939565150d6a309af0be3f1769efa4

SHA1
a70e9479f41a511e69e720610d960811d161fee7

SHA256
4b1659f3dcf83d28b4e4ab8b892b6eb957ea30e093a7819ab26b9bc52115d7e1

SHA512
6312473871f0303037ebbea635e7073a92a6bba897274ced0fef0fd54847cf74740cbb98a640c54b2f0d459431492690d0f942e2dd8ac0e2efd94ae90cc1ee95

Download Submit
C:\Windows\SysWOW64\Bockjc32.exe

Filesize
125KB

MD5
1db3197d9921d5b6f6004e3c1a5d6ff0

SHA1
af5d5b40133dbd6b0261ff78e849db4af37d72af

SHA256
0a6fb5e7fbecd8a5dd35e07e96cfbd83b257bd065291a26c82ea744a0789ce89

SHA512
dc708f1de164c11a5021ad367b5f7ff5ccaca6f6940d5204dfb7cdca6fa7d338dd809dc7de8263a17ed0ca08c83261cb486dba1699d38fcef3526fe4c87d9206

Download Submit
C:\Windows\SysWOW64\Boegpc32.exe

Filesize
125KB

MD5
4543979d24191623be1faf564755ba3e

SHA1
ce998b9a2d019468775bfd3bf0c9033584c30ac1

SHA256
22832823deffc76390508d5d877357dc4ec0632868a442e58989fedf06370551

SHA512
aeefad4dc051978d46a43c6d1340b71f7feea310afa42accb5c225fc36bd53ae60b89b926096f2d9db9344b87a5f0ed9d928064d06c39044a1a6deec097836c9

Download Submit
C:\Windows\SysWOW64\Bpcgdfaa.exe

Filesize
125KB

MD5
b0daa79fa3434d9ef0466c1d14836c59

SHA1
13e789ee6d9b2e09240bc5cc07c34cfac546ff60

SHA256
50de56359f2a0d4ba53bebb921d393f9dc867b745f9e15a96e99c481c0b99495

SHA512
e6065d25b16ddd5d10d2b346c6b8291c9bb87d1b3fba11522dbb309df0eaeeba883ed8f0f762f8fb7771f4d15690cd4a2260a5467ce1bedebe02fac36af0c6cb

Download Submit
C:\Windows\SysWOW64\Bpladg32.exe

Filesize
125KB

MD5
df4622f42431d5a57ec38430d907904e

SHA1
f5a86457f6d60c4184a5398e1dba8817302f1a04

SHA256
c7c0e6a571d5723d5f251b8ccb557f3046b88d8599ef808705c5e335472cb8ab

SHA512
91390e331b9e654cbf8609fb25619c62bad9a7db34fa4652f44dbbbea707240fd43fea23f078e795bdcd6af0dd2ad39848d528be53fe358837c0498bea0f89e6

Download Submit
C:\Windows\SysWOW64\Bpnnig32.exe

Filesize
125KB

MD5
57ff31770203a01ca9ad637c60529941

SHA1
f203ebb749ace73b2b0f09ece2d085a7e9e9dac9

SHA256
64ff5b30c0f872cf31e332e8d562244400e771baa95c05842107533b064c3abb

SHA512
de01451aefe1c2e40a2b70ff40076e136131434217436d69ccb64ac78707da250a4c9c43caeb1acbfabb049e9a440df85199fa5e92ccd735e732bb21447e9955

Download Submit
C:\Windows\SysWOW64\Cafpanem.exe

Filesize
125KB

MD5
ecbd9a8c9a37f28a1f3c7c3ad80aa5b8

SHA1
b9c347ed71068c1f34a4089d9ff2635cee9267df

SHA256
0eb05722933879599033524f0dfd361164340ab44d77702859289a8446635ea3

SHA512
af7cbb1ec0d0a44cd4828f722d345e3d91be082fbc0eeeeb539b4325e4b2bc4f1247bf5cb3e2687e92008577dd590cd7ade37722d82fdbcc21ac06000dbd111a

Download Submit
C:\Windows\SysWOW64\Ccjfgphj.exe

Filesize
125KB

MD5
395f40eb59023c1719278d715f73b168

SHA1
2487299be193ab67f396295667b656d5de225e9a

SHA256
280731bd58acd7bba1f9cb94268f57378f7bcf60c9064c3970f77c87d1693083

SHA512
9414f315c86a6bd750edf4220d3474cca36c9ff1607627e50b8038b25827bb519955d8c03bf595b6838ae40fa4221434c96e979af5a7ba9f2941884b7da67344

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
125KB

MD5
a1713d8c4a0da69c31f1e8a9044cd3fa

SHA1
4654c9ad81278a22e37b3986d21e730e71765338

SHA256
94f1dee06485be14b97da5137207ba1e04c6e167666efaa399a67e0de21b1e41

SHA512
186e4448c21b64319d7fc7c14e8d51fb0dea10adb8db376aab1d1e8ff944d10d3edc68455ade398c7a04e1116d38de9dba168534621d5ee960ab19c17e55fbf8

Download Submit
C:\Windows\SysWOW64\Cefemliq.exe

Filesize
125KB

MD5
dbd2c068f1adfa5068b2522a7d227275

SHA1
15e27033e28c9dae5c3ef9f761d4484cd26ef332

SHA256
6805de9d27d4c74a550dedd3fe067e1859bbca38e4011c4c99b0bb8702f94fd8

SHA512
24e6c035c52bd556da8223ce9f02f18bee58ba7c1298b36d727a28bcd6b03d03ec6e3701c3411ed3e8144f34633691a015a7c200f5463bd46fa42ad86653118e

Download Submit
C:\Windows\SysWOW64\Cekohk32.exe

Filesize
125KB

MD5
91250748453bc6925cfe04a97172e297

SHA1
39f385787e5349fb39b68697a90b8f0e84ee203c

SHA256
2da91fada202c2e38fa80a3783a428a1d57f4208957c5cbe390ca3457dc4555e

SHA512
accca4868a357aae0427ff4efc82248417d0fee3a969c90970c4bbf5b073a2c3ac1db2ec1ece9c11ea2535f2f691b980512b7f4d3460fe58e212f626b167a47b

Download Submit
C:\Windows\SysWOW64\Chbedh32.exe

Filesize
125KB

MD5
8c289e67a506b575ee86a6730b96ef80

SHA1
70db41205d867eec841fb80fca64672835be72d2

SHA256
c9f085fa198bdb1809d2bd839797eb266966ade0bee7b13be408349c16b4b593

SHA512
7a43475ca6203ac8a8675fc136840a785410052b57634e5977cc18dfa8cdfabd8b0f31230520f2f6602d741f90b83c35b0dd9f582cf1aff6c166374fef959083

Download Submit
C:\Windows\SysWOW64\Chnlihnl.exe

Filesize
125KB

MD5
0b379f377cda9def499ac1916dc40ded

SHA1
fd74e0f8019c5b4d40858dbbba9b82ee42a03a23

SHA256
b3a1421777b4819be043c4cd26817cabcccc7ee248fa312b9999c6159d1f22fa

SHA512
33990c9de7e2ff5fca7a4dc17e8a82c7c6d00cf5f8ca0ffd31fc76ed9544e9193ed88960f141c837129ab5a499390bfc2eff5e81ccffecda3cef64866ce08be8

Download Submit
C:\Windows\SysWOW64\Chphoh32.exe

Filesize
125KB

MD5
a79b5689aa8ebb714665f17cd5ac97e0

SHA1
a1026d747f41fd098e3280d9ec75e71c809b9c59

SHA256
93aae2646fd879ff2b0266a8a25a136132c74521e4d45f01ef942f0d8965a92c

SHA512
f4741226d743e46e2f5ff46505cdaafa78ad24aca4f0932df949900bdb913c6429889f581f07ced07ce45c574caabc5cc1eeca4d3cced6772c231289131cae8d

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
125KB

MD5
a96beeb20c723222480ec2c38407e43d

SHA1
846fe6f706e3bbff5812583604a1f6b3b5a8df2d

SHA256
70072cf7559cbc9d76348c17b83f187d730a0fe39f110e25820125590fecf5d4

SHA512
165536108aace83fe76d54510b5d2b626f1198f80545288508fdf5e4becc19398c86470b9ffbec5c27aa053b6db06e47ab60bd207a98acd97cdd23d11a74e3d2

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
125KB

MD5
17f87c729ceb1f08df96962d4be19470

SHA1
021a23f92a54e901cd077878f8bb71c9dc2f1f12

SHA256
915bd0818a328ddc6aeca2110432074aac68dd90ad59aaddc214e779df70a12d

SHA512
d52546273adad37567da0722127518e2dba044975c5b8a898803555014a93cf1b34e5749c86cad48d7ea85e3496cf229c9078d9d551fc0696e6042df6ba016f7

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
125KB

MD5
6cc0c65663084406443f0b4736afec09

SHA1
581b0e6f08ac65618d20fcc5bbc72919c1f191e9

SHA256
e75a97366c24b7c3e612c8e390a2a22b771442818b25a7742348b77c2e214d12

SHA512
63c69e4a5cc730d43bba04c74d95d4bfb3aad3b965d5a8230a1aabede85904734b4ff3f82076362ea7f11fd98b7cd3c8216e47d52c73f978b51aaf5e6b526c02

Download Submit
C:\Windows\SysWOW64\Cohdebfi.exe

Filesize
125KB

MD5
674357fa51afcadf06c2a87fe3546464

SHA1
3ca379d995ca47330f48cae6423652bcae3fb471

SHA256
eca23ac2f979cd2d9412603b65a5f12da74ae5d0ed88a5c96641db4fb98beec7

SHA512
c1ef1524444efd28b6e409fd1b70212d46d1ad8afd0b5209072a958b31eec61284f97b9169b1821c064324c2d6917dca8d45d21d14421bae3453c55939d23aef

Download Submit
C:\Windows\SysWOW64\Cojqkbdf.exe

Filesize
125KB

MD5
6f039db80744db785fbcafab0cb4186c

SHA1
c31911bbebf73f30f47d3785317fc1cadf104f1f

SHA256
2f5d497c0c23e2cac6fcd8893a6e72a09367c5284b34594cc98265a0cbcd8c80

SHA512
e219e0e99d123f4ef669e4573f0436d47697537e8cf4d998dcf9166291e7ca74d615d2f7b3bdcb0929101770e559f2a17eac2aa7d883d256239968e563c1fb8d

Download Submit
C:\Windows\SysWOW64\Commqb32.exe

Filesize
125KB

MD5
37ff66968ed790f1b33d27022d3098d8

SHA1
4f7da1014b0d9b81939c6b055fbbb0c6275d1b77

SHA256
d347a1903d8c42cbab31e5988ee3ee1fb97ec60497aa0afa08d8ca932927a14b

SHA512
64a59a38d6912b7a977eaa01820c1cef2845a729259160073e18ff4b2ba9dda64e77fd21c07d718f8c8a7d1ef6ca6ca3fd90ad236209e3d108e3bdadba907191

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
125KB

MD5
75e20a2821e252a32bfc1c6e832543e1

SHA1
80e3fd31e87796812ed1d0281b66f9795a6fe3c9

SHA256
c1f5a5ac50b6ce2840624340802215515f9ac2e0adc9659dcf9ba4a36c5865c9

SHA512
d4adf26575518cf0ce88150438e28fdb0b34a4966e1f03d0851df9bdbd27747c91576980ccc705dda918e17028869829e623a67fe97bdcf02b753c7ac6283f7b

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
125KB

MD5
ad9ecb73cfc5f0058161d0185edfdf5e

SHA1
281601aaaba623cda84b35ad7800e27a3e64f6fc

SHA256
b007097c35408cb239eac31653c8e8087c74e927a4843a1350335790e3543f08

SHA512
f0cab098f33ef93cf266b8ab7e41200a9954bdf3d6d11e4bdd2a7a51e8333c4e80af1967b34a8f0b9926ca6256460070859fbd347445d5ad8b27276fdaa77e9b

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
125KB

MD5
d2da534f2c8fcd2073e24ed3cc19602f

SHA1
8f508d3974d2de69c22060b0627b18a4385d97ee

SHA256
525117cf7145889404a9b522fd04f9c01e266e4bc68613d23567faec6a11f0fe

SHA512
76b6f193bbdc31f7424edbd1eabb15923c7ed4e650a7a1b686c287ef88349db5ed406e389c24e6c72f27fd5064abb155e607ef2e455f6938371be620808e1dbd

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
125KB

MD5
61caba090123dc75e6f646899199b7df

SHA1
414f145b7a9f866193ac03b44235248c91f6bdd5

SHA256
f58a023a8b493958ea15084d949b80396cc1912c267fbfbab326eb105ddaf27d

SHA512
9e50f981da363b76ad3f86508094f9548ecbbbe554dd41080a9f0b72adaab9b2b8301a7bd3a8050e1bbc8cbffd8ca9ef1394c2fde2fd8afca11c963e6f6e3dd0

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
125KB

MD5
08ef5ddf869dde9087f1496244ab1994

SHA1
96542c01254cca631fe383b5f317a96a4de109a1

SHA256
9ad51e9292cf29a43066315715c6a692d6da723407ffc4f4488b09ee8788cee4

SHA512
237a8f57d569e4c7fb9ec0835b0879d8e5b42524dfaa68ce4c2976eb9136fab023ba8b6b0a8eecbb64696f2ef5655caa891f0c7f41393181fc11754bf5096bb5

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
125KB

MD5
bbbd30b21eac1fdec4b3f12b141cea0c

SHA1
89f959913752d9185e4d22cbd613793da8b50806

SHA256
00b0a8d6e41f9c365ce45b28e6bee55cd284ef2cb40494ca9648934d2d59c619

SHA512
777a99b0a85960b61351b47a92e6b7ba49590a94b182ec9c00e0341622582cc2e262a931db7176502be3932a90f5fb3ab191ea53331a41dc5902b75a3f16f73c

Download Submit
C:\Windows\SysWOW64\Jjifbkdl.dll

Filesize
7KB

MD5
247b4043a28d2828e47f8c5fadec1441

SHA1
c807454e725c8e5e5bf068a409c33c0d1d3097f4

SHA256
eb3a76c9add622e5e4a4a7b5a3ce397938dedd256ffa048dd0ee075c214e1f2d

SHA512
cdc54830f4b89a55854485041ddd7556d4015857967425c79f3ff1b4135d513511d2bf317b654258adcdc22b091e49b08d6305d6512306ba84bce78f7670a9ba

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
125KB

MD5
7540ad9e99cd1019e2867ca24ac7fd1a

SHA1
d67d8f2813b38405c925acf0c9fc820471b2285d

SHA256
ed1f3e8573fe7277909ae2db14df5f84ceb1b44d6576786983c25e8c489cd166

SHA512
e98e82ed945e019b0b754c724d370015ab5fd570929e9243a27a02028c065bced49199db4bc9539599b4d5854a1b25ac9a2b07a0677fc599d6cb20cf3385aed6

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
125KB

MD5
3507d734feba0e996f893091a2a5647c

SHA1
fc72ebc8531b452bab33d6f02f2d627930637625

SHA256
56a2052101f4d0e0dfed045d7d82f7595cc6e296fda0c50f9e121748bf43939c

SHA512
bcbf1760646c8017bbae11799dd30bef4adbb99281b028c0524076e65138c7f90b08ab4bc1891bee59d7956572f04bf73349bf992eb733011bdd36f49f5623e3

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
125KB

MD5
8b6385f7a8f6ddb1267a2d3ab7f9a66c

SHA1
bd1060015594fa78fa1a3f65689cfa82bb699f1f

SHA256
9c1742fdc9fc76d03381fb25b3ff2ae1390f227c31e1dfacef8723e76657a985

SHA512
e7b6072f59eb4e9d4458635f3544dcc03fe97118ec126e4de41ddfdddda326da4ed2b1e7a0f38fd0ebaf4c9f26f786d1343eead8ab3254e06c98bd215a77c2f1

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
125KB

MD5
96dbd708e1c186e163708cf82821582f

SHA1
7304a400fb86819730a7f8a3e856de18a34bf037

SHA256
b17d2214e3b902880006ab08c8536d7d64378c48bb48e3323a262f26254dc098

SHA512
299ee416f9eee6f768dcfec482d5eba097ef548589e8b62dc30e89191daf7a3d533db3467238f9750015e20592109385ba9f15141b942fccdfaabceb9f646331

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
125KB

MD5
d6bf6f68cb271fca3cef03368ead5f2d

SHA1
23637f5dd6134690d04cae5aba1f2df2d4d61861

SHA256
7ba62c275717407e7e48575397ba08e0b6fc38659f373f37029f4cb338c3ab42

SHA512
87bbd1450d0bd73e4d17ef4d3ceb8c6dc8b01b06a2a65f21fafe2ac75580b14b31b5d5f5100be4ed4b524273cbb42955fcb88d12a9639237a7f3e2cfa13ec9d5

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
125KB

MD5
1fbf8d0c797396468083cd36ba337a66

SHA1
d56c41f18c768bc43fa8e92943acf6eedec120c3

SHA256
b9d60af59d031df499b184d990d06497e267e8aaadf0ac157cd6fdd5b71a166b

SHA512
4bf943de944502842b06928191f953a475b9c4b9665aa717d586b85bb396b798b3bd731e2951caeb9bd30da7645d5e74cb6eca6196793fac767e867e9112d0b5

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
125KB

MD5
0324a6b2874679406d271ca4c2020d88

SHA1
cd44e6988921be7f09efff5c5b651bb759863139

SHA256
334409584624c7d017560b35d3df00e50055667d2224ebba3ef63254888ecd4b

SHA512
6a3081482b896e443cbd85f36ed355f493d52c70c5e14bc094e92e3196e4e4e4640b1615574ce4cb961044e212d1852eddfa8641f76feb5115f5831804ce649f

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
125KB

MD5
e8b0a127de8fa03e0e2f2fc308329499

SHA1
bf921ed0ebc8bb1ce557ff8896542acc4d0d8e60

SHA256
5f0f2232114f2e55682044ea07673e09afa87ed29ce5a7aa7f4c2abddda78460

SHA512
75dbef11f5e432c4c21b320ddeedbe78bc7bbe49b297cdeeb188d635d28023ba2bf7eac7675fc64cb64080005fb64c27c12528e7f17203118b26aacce477efce

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
125KB

MD5
aca3981042aba9380cfd96f1dd498d9a

SHA1
d1d4124e0f862854b7457ef2bb2b98d0cf773cc2

SHA256
43a199a20585eaf201b99befd49689102660749bc4a210ae79572ed9568dcb0e

SHA512
004148b4c25b3ed65a3b04b677c55fc6a8f00a252deebc8da22539998e56f2e7d6ff2ab012c5a1aae92a06880954c5c881d3851732a084e458823efac1e4062c

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
125KB

MD5
70c8123bd9e1ab1dfa11870bf4cab7f3

SHA1
a63272ce6c215ad3243c82a42c278fb5308deb28

SHA256
dd94808d9e9cdc0e7069b68b2b83b77874085103b3aed5e64946be154bb254ad

SHA512
4390cefde275dd1d4b847612b995099739f1017fb55aff8e2601fcee73e4e25f770505db77f3e62bfff61dafdc5bcbf9f545ee1f3fe1302632d9d0f7dad346b6

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
125KB

MD5
8c1d834821dba4a084616d6179c70eba

SHA1
3b884c592e914864e5490ff0eca1aff6607ce401

SHA256
ced412fc8278c4beca9cb99303b46bf9f88ce9702d65ba5dca9c8b66b34ecab5

SHA512
5fb44123f418d8cd70075288e96ca7d44e224b4056896859cc33657417e5a314ccd8dfb0465d9065d8a1835bb770511c5787f07681a0a3e868da0852bfc0aeb0

Download Submit
memory/368-532-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/464-216-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/548-200-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/632-187-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/656-470-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/704-544-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/704-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/712-374-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/908-167-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1020-316-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1116-476-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1136-292-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1140-16-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1140-557-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1156-256-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1184-228-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1364-382-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1440-599-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1440-64-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1644-136-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1656-112-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1716-338-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1772-514-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1868-400-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1884-549-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1932-564-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1932-28-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1988-262-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2012-558-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2128-579-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2252-55-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2252-596-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2280-120-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2376-591-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2416-31-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2416-571-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2420-96-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2544-285-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2552-346-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2664-434-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2768-488-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2808-388-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2872-104-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2972-368-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3080-304-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3140-572-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3140-39-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3176-328-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3232-358-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3236-160-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3288-208-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3304-464-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3308-418-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3336-156-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3348-494-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3360-457-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3536-440-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3564-48-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3564-590-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3580-128-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3612-394-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3676-322-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3712-406-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3720-71-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3740-428-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3820-12-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3916-144-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3952-310-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4076-412-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4120-268-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4124-352-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4184-298-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4264-506-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4300-274-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4312-240-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4320-191-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4336-496-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4552-345-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4664-376-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4672-508-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4680-551-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4712-452-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4732-568-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4744-577-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4776-231-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4816-290-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4864-538-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4872-520-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4876-526-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4924-248-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4944-88-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5036-80-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5080-176-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5104-482-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5108-446-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5124-597-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads