27f0dc3ce944d814428e40708ef3e9202f4147d8f038c1f8a2571b2088531b35

Analysis

max time kernel
142s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

768854e8f7179287e2785e42f227e570_NeikiAnalytics.exe
Size

465KB
MD5

768854e8f7179287e2785e42f227e570
SHA1

84cbc7b45735ed94f091f713d2754790f52c700c
SHA256

27f0dc3ce944d814428e40708ef3e9202f4147d8f038c1f8a2571b2088531b35
SHA512

1cff4e2c878d32d19e076b3c9548eb5e4d21ae9ac15e61ee8f01adef3b2a1f9b20d1e1c4fd8daabaa8365f1f27fa456cc5efdb9496735aa4bef8aa90892e4952
SSDEEP

6144:cqwUvUmqOILKpn/a5/VF5V4lKjIbvBhRJfzSf9x7N/I7b9M:cNaoO8S/WNLKlUmpRe94a

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Pmmlla32.exeMhanngbl.exeNijqcf32.exeJhplpl32.exeIolhkh32.exeJbagbebm.exeIhkjno32.exeFnbcgn32.exeGghdaa32.exeHhdcmp32.exeJppnpjel.exeMledmg32.exeNcchae32.exeBklomh32.exeNmcpoedn.exeKlpakj32.exeBnoddcef.exeHpmhdmea.exePfccogfc.exeJghpbk32.exeGpdennml.exeObqanjdb.exeOonlfo32.exeLjhnlb32.exeHlmchoan.exeMomcpa32.exeObnehj32.exeEklajcmc.exeCammjakm.exeOclkgccf.exeDkndie32.exeGgkqgaol.exeJohggfha.exeMbibfm32.exeGanldgib.exePjjfdfbb.exePfagighf.exeAhfmpnql.exeIialhaad.exeJpnakk32.exeJekjcaef.exePaeelgnj.exeCpfcfmlp.exeFnfmbmbi.exeKiphjo32.exeKbhmbdle.exeCdmfllhn.exeLebijnak.exePjpfjl32.exeNqmojd32.exeGkaclqkk.exeGbiockdj.exeGaqhjggp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nijqcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhplpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iolhkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbagbebm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihkjno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gghdaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhdcmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jppnpjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mledmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncchae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmhdmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfccogfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jghpbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpdennml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljhnlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gghdaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlmchoan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpakj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Momcpa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnehj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eklajcmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oclkgccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggkqgaol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Johggfha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jghpbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ganldgib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfagighf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jekjcaef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnfmbmbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iialhaad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiphjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhmbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnbcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpdennml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebijnak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmojd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnfmbmbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkaclqkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbiockdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jppnpjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaqhjggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhdcmp32.exe

Executes dropped EXE 64 IoCs

Processes:

Jghpbk32.exeJcfggkac.exeLqhdbm32.exeLopmii32.exeLjhnlb32.exeMnhdgpii.exeNmdgikhi.exeNcchae32.exeOcjoadei.exeOclkgccf.exeOcohmc32.exePaeelgnj.exePjpfjl32.exePpolhcnm.exePdmdnadc.exeQodeajbg.exeAagkhd32.exeAhfmpnql.exeBobabg32.exeBklomh32.exeBnoddcef.exeCammjakm.exeCdmfllhn.exeCpfcfmlp.exeDkndie32.exeDbocfo32.exeEhlhih32.exeEklajcmc.exeEdgbii32.exeFnbcgn32.exeFnfmbmbi.exeFqgedh32.exeFiqjke32.exeGbiockdj.exeGkaclqkk.exeGanldgib.exeGghdaa32.exeGaqhjggp.exeGgkqgaol.exeGacepg32.exeGpdennml.exeGiljfddl.exeHnibokbd.exeHlmchoan.exeHajkqfoe.exeHhdcmp32.exeHehdfdek.exeHpmhdmea.exeHifmmb32.exeHaaaaeim.exeIhkjno32.exeIhmfco32.exeIbcjqgnm.exeIhpcinld.exeIahgad32.exeIolhkh32.exeIialhaad.exeIamamcop.exeJpnakk32.exeJekjcaef.exeJppnpjel.exeJemfhacc.exeJbagbebm.exeJikoopij.exe

pid	process
560	Jghpbk32.exe
648	Jcfggkac.exe
1812	Lqhdbm32.exe
1068	Lopmii32.exe
3568	Ljhnlb32.exe
3732	Mnhdgpii.exe
5112	Nmdgikhi.exe
1680	Ncchae32.exe
4820	Ocjoadei.exe
2872	Oclkgccf.exe
2784	Ocohmc32.exe
2208	Paeelgnj.exe
3420	Pjpfjl32.exe
1744	Ppolhcnm.exe
972	Pdmdnadc.exe
4336	Qodeajbg.exe
2964	Aagkhd32.exe
3900	Ahfmpnql.exe
3460	Bobabg32.exe
2212	Bklomh32.exe
4608	Bnoddcef.exe
2172	Cammjakm.exe
5020	Cdmfllhn.exe
4020	Cpfcfmlp.exe
3308	Dkndie32.exe
1424	Dbocfo32.exe
4328	Ehlhih32.exe
532	Eklajcmc.exe
2376	Edgbii32.exe
2156	Fnbcgn32.exe
2196	Fnfmbmbi.exe
4160	Fqgedh32.exe
3356	Fiqjke32.exe
3256	Gbiockdj.exe
3068	Gkaclqkk.exe
4092	Ganldgib.exe
2224	Gghdaa32.exe
1144	Gaqhjggp.exe
3352	Ggkqgaol.exe
4680	Gacepg32.exe
3400	Gpdennml.exe
216	Giljfddl.exe
1836	Hnibokbd.exe
5036	Hlmchoan.exe
1756	Hajkqfoe.exe
3800	Hhdcmp32.exe
4740	Hehdfdek.exe
1044	Hpmhdmea.exe
4260	Hifmmb32.exe
2412	Haaaaeim.exe
3136	Ihkjno32.exe
1860	Ihmfco32.exe
2356	Ibcjqgnm.exe
4284	Ihpcinld.exe
4468	Iahgad32.exe
5100	Iolhkh32.exe
1724	Iialhaad.exe
2044	Iamamcop.exe
2776	Jpnakk32.exe
4388	Jekjcaef.exe
4428	Jppnpjel.exe
756	Jemfhacc.exe
4816	Jbagbebm.exe
3248	Jikoopij.exe

Drops file in System32 directory 64 IoCs

Processes:

Ljhnlb32.exeOcjoadei.exeJikoopij.exeKbhmbdle.exeNmcpoedn.exePjpfjl32.exeHajkqfoe.exeHehdfdek.exeIbcjqgnm.exeFiqjke32.exeGkaclqkk.exeGpdennml.exeMbibfm32.exeOonlfo32.exeLqhdbm32.exeHhdcmp32.exeHifmmb32.exe768854e8f7179287e2785e42f227e570_NeikiAnalytics.exeFqgedh32.exeHlmchoan.exeNqmojd32.exeMomcpa32.exePdmdnadc.exeHpmhdmea.exeMjidgkog.exeQodeajbg.exeBnoddcef.exeCdmfllhn.exeGanldgib.exeOokoaokf.exeCammjakm.exeFnfmbmbi.exeLebijnak.exeMofmobmo.exeJghpbk32.exeIamamcop.exeKidben32.exeKocgbend.exeJojdlfeo.exeJekjcaef.exeJbagbebm.exeOjnfihmo.exeLopmii32.exeOcohmc32.exeAagkhd32.exeBobabg32.exeDbocfo32.exeIahgad32.exeKlpakj32.exePjjfdfbb.exePidlqb32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Mnhdgpii.exe	Ljhnlb32.exe
File created	C:\Windows\SysWOW64\Ocgeag32.dll	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Mjjkejin.dll	Jikoopij.exe
File created	C:\Windows\SysWOW64\Ablmdkdf.dll	Kbhmbdle.exe
File created	C:\Windows\SysWOW64\Llgdkbfj.dll	Nmcpoedn.exe
File created	C:\Windows\SysWOW64\Ppolhcnm.exe	Pjpfjl32.exe
File created	C:\Windows\SysWOW64\Hhdcmp32.exe	Hajkqfoe.exe
File opened for modification	C:\Windows\SysWOW64\Hpmhdmea.exe	Hehdfdek.exe
File opened for modification	C:\Windows\SysWOW64\Ihpcinld.exe	Ibcjqgnm.exe
File created	C:\Windows\SysWOW64\Bbdcakkc.dll	Fiqjke32.exe
File opened for modification	C:\Windows\SysWOW64\Ganldgib.exe	Gkaclqkk.exe
File opened for modification	C:\Windows\SysWOW64\Giljfddl.exe	Gpdennml.exe
File created	C:\Windows\SysWOW64\Momcpa32.exe	Mbibfm32.exe
File created	C:\Windows\SysWOW64\Obnehj32.exe	Oonlfo32.exe
File opened for modification	C:\Windows\SysWOW64\Lopmii32.exe	Lqhdbm32.exe
File created	C:\Windows\SysWOW64\Lfojfj32.dll	Hhdcmp32.exe
File created	C:\Windows\SysWOW64\Enndkpea.dll	Hifmmb32.exe
File created	C:\Windows\SysWOW64\Hlgdjg32.dll	768854e8f7179287e2785e42f227e570_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ffeifdjo.dll	Fqgedh32.exe
File created	C:\Windows\SysWOW64\Hajkqfoe.exe	Hlmchoan.exe
File created	C:\Windows\SysWOW64\Nmcpoedn.exe	Nqmojd32.exe
File created	C:\Windows\SysWOW64\Nqmojd32.exe	Momcpa32.exe
File created	C:\Windows\SysWOW64\Dbmdml32.dll	Pdmdnadc.exe
File created	C:\Windows\SysWOW64\Fiqjke32.exe	Fqgedh32.exe
File created	C:\Windows\SysWOW64\Hiplgm32.dll	Hlmchoan.exe
File opened for modification	C:\Windows\SysWOW64\Hifmmb32.exe	Hpmhdmea.exe
File created	C:\Windows\SysWOW64\Npakijcp.dll	Mjidgkog.exe
File created	C:\Windows\SysWOW64\Pmpockdl.dll	Qodeajbg.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Cpfcfmlp.exe	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Gghdaa32.exe	Ganldgib.exe
File opened for modification	C:\Windows\SysWOW64\Nmcpoedn.exe	Nqmojd32.exe
File opened for modification	C:\Windows\SysWOW64\Oonlfo32.exe	Ookoaokf.exe
File opened for modification	C:\Windows\SysWOW64\Cdmfllhn.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Fqgedh32.exe	Fnfmbmbi.exe
File opened for modification	C:\Windows\SysWOW64\Gghdaa32.exe	Ganldgib.exe
File created	C:\Windows\SysWOW64\Jlmmnd32.dll	Lebijnak.exe
File created	C:\Windows\SysWOW64\Ceohefin.dll	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Ojqhdcii.dll	Mbibfm32.exe
File opened for modification	C:\Windows\SysWOW64\Jcfggkac.exe	Jghpbk32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfcfmlp.exe	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Cgmbbe32.dll	Iamamcop.exe
File opened for modification	C:\Windows\SysWOW64\Kekbjo32.exe	Kidben32.exe
File created	C:\Windows\SysWOW64\Knnele32.dll	Kocgbend.exe
File opened for modification	C:\Windows\SysWOW64\Kiphjo32.exe	Jojdlfeo.exe
File created	C:\Windows\SysWOW64\Gkoafbld.dll	Lqhdbm32.exe
File created	C:\Windows\SysWOW64\Gnobcjlg.dll	Gkaclqkk.exe
File opened for modification	C:\Windows\SysWOW64\Haaaaeim.exe	Hifmmb32.exe
File opened for modification	C:\Windows\SysWOW64\Jppnpjel.exe	Jekjcaef.exe
File created	C:\Windows\SysWOW64\Jikoopij.exe	Jbagbebm.exe
File opened for modification	C:\Windows\SysWOW64\Ookoaokf.exe	Ojnfihmo.exe
File created	C:\Windows\SysWOW64\Ljhnlb32.exe	Lopmii32.exe
File created	C:\Windows\SysWOW64\Paeelgnj.exe	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Ahfmpnql.exe	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Bljlpjaf.dll	Bobabg32.exe
File opened for modification	C:\Windows\SysWOW64\Hajkqfoe.exe	Hlmchoan.exe
File created	C:\Windows\SysWOW64\Lopmii32.exe	Lqhdbm32.exe
File opened for modification	C:\Windows\SysWOW64\Ehlhih32.exe	Dbocfo32.exe
File created	C:\Windows\SysWOW64\Qgiiak32.dll	Iahgad32.exe
File created	C:\Windows\SysWOW64\Dognaofl.dll	Klpakj32.exe
File opened for modification	C:\Windows\SysWOW64\Pfagighf.exe	Pjjfdfbb.exe
File opened for modification	C:\Windows\SysWOW64\Hehdfdek.exe	Hhdcmp32.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pidlqb32.exe
File created	C:\Windows\SysWOW64\Cdmfllhn.exe	Cammjakm.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5920 5776 WerFault.exe Pififb32.exe

pid	pid_target	process	target process
5920	5776	WerFault.exe	Pififb32.exe

Modifies registry class 64 IoCs

Processes:

Lqhdbm32.exeKiphjo32.exeKlpakj32.exeMofmobmo.exePjjfdfbb.exePaeelgnj.exeFnbcgn32.exeHajkqfoe.exeIamamcop.exeMledmg32.exe768854e8f7179287e2785e42f227e570_NeikiAnalytics.exeIhmfco32.exeIialhaad.exeKekbjo32.exePcpnhl32.exeOcjoadei.exePjpfjl32.exeBklomh32.exeOonlfo32.exeGanldgib.exeIbcjqgnm.exeNijqcf32.exeOclkgccf.exeJojdlfeo.exeLoacdc32.exePdmdnadc.exeIhpcinld.exeIahgad32.exeNbbeml32.exeLjhnlb32.exeJbagbebm.exeKidben32.exeNmcpoedn.exeNmdgikhi.exePpolhcnm.exeQodeajbg.exeEklajcmc.exeHnibokbd.exeOjnfihmo.exeAhfmpnql.exeFqgedh32.exePfagighf.exeBobabg32.exeCpfcfmlp.exeDkndie32.exeHehdfdek.exeJikoopij.exeGiljfddl.exeKlggli32.exeMomcpa32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lqhdbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiphjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dognaofl.dll"	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffaen32.dll"	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpenegb.dll"	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofblbapl.dll"	Fnbcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inclga32.dll"	Hajkqfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmbbe32.dll"	Iamamcop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anafep32.dll"	Mledmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	768854e8f7179287e2785e42f227e570_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihmfco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanfno32.dll"	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kekbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkplq32.dll"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occmjg32.dll"	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ganldgib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpiijfll.dll"	Ibcjqgnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndhqgbm.dll"	Kiphjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nijqcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnahhegq.dll"	Oclkgccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbqppqg.dll"	Jojdlfeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kekbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbcikkp.dll"	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dagdgfkf.dll"	Ihpcinld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iahgad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljhnlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgpfqchb.dll"	Jbagbebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmdohhp.dll"	Kidben32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbfan32.dll"	Nmdgikhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll"	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdepoj32.dll"	Eklajcmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnibokbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kiphjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chjjqebm.dll"	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hehdfdek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jikoopij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giljfddl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihpcinld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iamamcop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapfpelh.dll"	Kekbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeclnmik.dll"	Klggli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajhapb32.dll"	Momcpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojnfihmo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

768854e8f7179287e2785e42f227e570_NeikiAnalytics.exeJghpbk32.exeJcfggkac.exeLqhdbm32.exeLopmii32.exeLjhnlb32.exeMnhdgpii.exeNmdgikhi.exeNcchae32.exeOcjoadei.exeOclkgccf.exeOcohmc32.exePaeelgnj.exePjpfjl32.exePpolhcnm.exePdmdnadc.exeQodeajbg.exeAagkhd32.exeAhfmpnql.exeBobabg32.exeBklomh32.exeBnoddcef.exe

description	pid	process	target process
PID 3560 wrote to memory of 560	3560	768854e8f7179287e2785e42f227e570_NeikiAnalytics.exe	Jghpbk32.exe
PID 3560 wrote to memory of 560	3560	768854e8f7179287e2785e42f227e570_NeikiAnalytics.exe	Jghpbk32.exe
PID 3560 wrote to memory of 560	3560	768854e8f7179287e2785e42f227e570_NeikiAnalytics.exe	Jghpbk32.exe
PID 560 wrote to memory of 648	560	Jghpbk32.exe	Jcfggkac.exe
PID 560 wrote to memory of 648	560	Jghpbk32.exe	Jcfggkac.exe
PID 560 wrote to memory of 648	560	Jghpbk32.exe	Jcfggkac.exe
PID 648 wrote to memory of 1812	648	Jcfggkac.exe	Lqhdbm32.exe
PID 648 wrote to memory of 1812	648	Jcfggkac.exe	Lqhdbm32.exe
PID 648 wrote to memory of 1812	648	Jcfggkac.exe	Lqhdbm32.exe
PID 1812 wrote to memory of 1068	1812	Lqhdbm32.exe	Lopmii32.exe
PID 1812 wrote to memory of 1068	1812	Lqhdbm32.exe	Lopmii32.exe
PID 1812 wrote to memory of 1068	1812	Lqhdbm32.exe	Lopmii32.exe
PID 1068 wrote to memory of 3568	1068	Lopmii32.exe	Ljhnlb32.exe
PID 1068 wrote to memory of 3568	1068	Lopmii32.exe	Ljhnlb32.exe
PID 1068 wrote to memory of 3568	1068	Lopmii32.exe	Ljhnlb32.exe
PID 3568 wrote to memory of 3732	3568	Ljhnlb32.exe	Mnhdgpii.exe
PID 3568 wrote to memory of 3732	3568	Ljhnlb32.exe	Mnhdgpii.exe
PID 3568 wrote to memory of 3732	3568	Ljhnlb32.exe	Mnhdgpii.exe
PID 3732 wrote to memory of 5112	3732	Mnhdgpii.exe	Nmdgikhi.exe
PID 3732 wrote to memory of 5112	3732	Mnhdgpii.exe	Nmdgikhi.exe
PID 3732 wrote to memory of 5112	3732	Mnhdgpii.exe	Nmdgikhi.exe
PID 5112 wrote to memory of 1680	5112	Nmdgikhi.exe	Ncchae32.exe
PID 5112 wrote to memory of 1680	5112	Nmdgikhi.exe	Ncchae32.exe
PID 5112 wrote to memory of 1680	5112	Nmdgikhi.exe	Ncchae32.exe
PID 1680 wrote to memory of 4820	1680	Ncchae32.exe	Ocjoadei.exe
PID 1680 wrote to memory of 4820	1680	Ncchae32.exe	Ocjoadei.exe
PID 1680 wrote to memory of 4820	1680	Ncchae32.exe	Ocjoadei.exe
PID 4820 wrote to memory of 2872	4820	Ocjoadei.exe	Oclkgccf.exe
PID 4820 wrote to memory of 2872	4820	Ocjoadei.exe	Oclkgccf.exe
PID 4820 wrote to memory of 2872	4820	Ocjoadei.exe	Oclkgccf.exe
PID 2872 wrote to memory of 2784	2872	Oclkgccf.exe	Ocohmc32.exe
PID 2872 wrote to memory of 2784	2872	Oclkgccf.exe	Ocohmc32.exe
PID 2872 wrote to memory of 2784	2872	Oclkgccf.exe	Ocohmc32.exe
PID 2784 wrote to memory of 2208	2784	Ocohmc32.exe	Paeelgnj.exe
PID 2784 wrote to memory of 2208	2784	Ocohmc32.exe	Paeelgnj.exe
PID 2784 wrote to memory of 2208	2784	Ocohmc32.exe	Paeelgnj.exe
PID 2208 wrote to memory of 3420	2208	Paeelgnj.exe	Pjpfjl32.exe
PID 2208 wrote to memory of 3420	2208	Paeelgnj.exe	Pjpfjl32.exe
PID 2208 wrote to memory of 3420	2208	Paeelgnj.exe	Pjpfjl32.exe
PID 3420 wrote to memory of 1744	3420	Pjpfjl32.exe	Ppolhcnm.exe
PID 3420 wrote to memory of 1744	3420	Pjpfjl32.exe	Ppolhcnm.exe
PID 3420 wrote to memory of 1744	3420	Pjpfjl32.exe	Ppolhcnm.exe
PID 1744 wrote to memory of 972	1744	Ppolhcnm.exe	Pdmdnadc.exe
PID 1744 wrote to memory of 972	1744	Ppolhcnm.exe	Pdmdnadc.exe
PID 1744 wrote to memory of 972	1744	Ppolhcnm.exe	Pdmdnadc.exe
PID 972 wrote to memory of 4336	972	Pdmdnadc.exe	Qodeajbg.exe
PID 972 wrote to memory of 4336	972	Pdmdnadc.exe	Qodeajbg.exe
PID 972 wrote to memory of 4336	972	Pdmdnadc.exe	Qodeajbg.exe
PID 4336 wrote to memory of 2964	4336	Qodeajbg.exe	Aagkhd32.exe
PID 4336 wrote to memory of 2964	4336	Qodeajbg.exe	Aagkhd32.exe
PID 4336 wrote to memory of 2964	4336	Qodeajbg.exe	Aagkhd32.exe
PID 2964 wrote to memory of 3900	2964	Aagkhd32.exe	Ahfmpnql.exe
PID 2964 wrote to memory of 3900	2964	Aagkhd32.exe	Ahfmpnql.exe
PID 2964 wrote to memory of 3900	2964	Aagkhd32.exe	Ahfmpnql.exe
PID 3900 wrote to memory of 3460	3900	Ahfmpnql.exe	Bobabg32.exe
PID 3900 wrote to memory of 3460	3900	Ahfmpnql.exe	Bobabg32.exe
PID 3900 wrote to memory of 3460	3900	Ahfmpnql.exe	Bobabg32.exe
PID 3460 wrote to memory of 2212	3460	Bobabg32.exe	Bklomh32.exe
PID 3460 wrote to memory of 2212	3460	Bobabg32.exe	Bklomh32.exe
PID 3460 wrote to memory of 2212	3460	Bobabg32.exe	Bklomh32.exe
PID 2212 wrote to memory of 4608	2212	Bklomh32.exe	Bnoddcef.exe
PID 2212 wrote to memory of 4608	2212	Bklomh32.exe	Bnoddcef.exe
PID 2212 wrote to memory of 4608	2212	Bklomh32.exe	Bnoddcef.exe
PID 4608 wrote to memory of 2172	4608	Bnoddcef.exe	Cammjakm.exe

C:\Users\Admin\AppData\Local\Temp\768854e8f7179287e2785e42f227e570_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\768854e8f7179287e2785e42f227e570_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\Jghpbk32.exe
C:\Windows\system32\Jghpbk32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\Jcfggkac.exe
C:\Windows\system32\Jcfggkac.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\Lqhdbm32.exe
C:\Windows\system32\Lqhdbm32.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\Lopmii32.exe
C:\Windows\system32\Lopmii32.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\Ljhnlb32.exe
C:\Windows\system32\Ljhnlb32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\SysWOW64\Mnhdgpii.exe
C:\Windows\system32\Mnhdgpii.exe
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\SysWOW64\Nmdgikhi.exe
C:\Windows\system32\Nmdgikhi.exe
8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\Ncchae32.exe
C:\Windows\system32\Ncchae32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\Ocjoadei.exe
C:\Windows\system32\Ocjoadei.exe
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\SysWOW64\Oclkgccf.exe
C:\Windows\system32\Oclkgccf.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\Ocohmc32.exe
C:\Windows\system32\Ocohmc32.exe
12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\Paeelgnj.exe
C:\Windows\system32\Paeelgnj.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\Pjpfjl32.exe
C:\Windows\system32\Pjpfjl32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SysWOW64\Ppolhcnm.exe
C:\Windows\system32\Ppolhcnm.exe
15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\Pdmdnadc.exe
C:\Windows\system32\Pdmdnadc.exe
16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\Qodeajbg.exe
C:\Windows\system32\Qodeajbg.exe
17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SysWOW64\Aagkhd32.exe
C:\Windows\system32\Aagkhd32.exe
18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\Ahfmpnql.exe
C:\Windows\system32\Ahfmpnql.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\Bobabg32.exe
C:\Windows\system32\Bobabg32.exe
20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\Bklomh32.exe
C:\Windows\system32\Bklomh32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\Bnoddcef.exe
C:\Windows\system32\Bnoddcef.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\SysWOW64\Cammjakm.exe
C:\Windows\system32\Cammjakm.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2172

C:\Windows\SysWOW64\Cdmfllhn.exe
C:\Windows\system32\Cdmfllhn.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5020

C:\Windows\SysWOW64\Cpfcfmlp.exe
C:\Windows\system32\Cpfcfmlp.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4020

C:\Windows\SysWOW64\Dkndie32.exe
C:\Windows\system32\Dkndie32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3308

C:\Windows\SysWOW64\Dbocfo32.exe
C:\Windows\system32\Dbocfo32.exe
27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1424

C:\Windows\SysWOW64\Ehlhih32.exe
C:\Windows\system32\Ehlhih32.exe
28⤵
- Executes dropped EXE
PID:4328

C:\Windows\SysWOW64\Eklajcmc.exe
C:\Windows\system32\Eklajcmc.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:532

C:\Windows\SysWOW64\Edgbii32.exe
C:\Windows\system32\Edgbii32.exe
30⤵
- Executes dropped EXE
PID:2376

C:\Windows\SysWOW64\Fnbcgn32.exe
C:\Windows\system32\Fnbcgn32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2156

C:\Windows\SysWOW64\Fnfmbmbi.exe
C:\Windows\system32\Fnfmbmbi.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2196

C:\Windows\SysWOW64\Fqgedh32.exe
C:\Windows\system32\Fqgedh32.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4160

C:\Windows\SysWOW64\Fiqjke32.exe
C:\Windows\system32\Fiqjke32.exe
34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3356

C:\Windows\SysWOW64\Gbiockdj.exe
C:\Windows\system32\Gbiockdj.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3256

C:\Windows\SysWOW64\Gkaclqkk.exe
C:\Windows\system32\Gkaclqkk.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3068

C:\Windows\SysWOW64\Ganldgib.exe
C:\Windows\system32\Ganldgib.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4092

C:\Windows\SysWOW64\Gghdaa32.exe
C:\Windows\system32\Gghdaa32.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2224

C:\Windows\SysWOW64\Gaqhjggp.exe
C:\Windows\system32\Gaqhjggp.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1144

C:\Windows\SysWOW64\Ggkqgaol.exe
C:\Windows\system32\Ggkqgaol.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3352

C:\Windows\SysWOW64\Gacepg32.exe
C:\Windows\system32\Gacepg32.exe
41⤵
- Executes dropped EXE
PID:4680

C:\Windows\SysWOW64\Gpdennml.exe
C:\Windows\system32\Gpdennml.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3400

C:\Windows\SysWOW64\Giljfddl.exe
C:\Windows\system32\Giljfddl.exe
43⤵
- Executes dropped EXE
- Modifies registry class
PID:216

C:\Windows\SysWOW64\Hnibokbd.exe
C:\Windows\system32\Hnibokbd.exe
44⤵
- Executes dropped EXE
- Modifies registry class
PID:1836

C:\Windows\SysWOW64\Hlmchoan.exe
C:\Windows\system32\Hlmchoan.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5036

C:\Windows\SysWOW64\Hajkqfoe.exe
C:\Windows\system32\Hajkqfoe.exe
46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1756

C:\Windows\SysWOW64\Hhdcmp32.exe
C:\Windows\system32\Hhdcmp32.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3800

C:\Windows\SysWOW64\Hehdfdek.exe
C:\Windows\system32\Hehdfdek.exe
48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4740

C:\Windows\SysWOW64\Hpmhdmea.exe
C:\Windows\system32\Hpmhdmea.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1044

C:\Windows\SysWOW64\Hifmmb32.exe
C:\Windows\system32\Hifmmb32.exe
50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4260

C:\Windows\SysWOW64\Haaaaeim.exe
C:\Windows\system32\Haaaaeim.exe
51⤵
- Executes dropped EXE
PID:2412

C:\Windows\SysWOW64\Ihkjno32.exe
C:\Windows\system32\Ihkjno32.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3136

C:\Windows\SysWOW64\Ihmfco32.exe
C:\Windows\system32\Ihmfco32.exe
53⤵
- Executes dropped EXE
- Modifies registry class
PID:1860

C:\Windows\SysWOW64\Ibcjqgnm.exe
C:\Windows\system32\Ibcjqgnm.exe
54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2356

C:\Windows\SysWOW64\Ihpcinld.exe
C:\Windows\system32\Ihpcinld.exe
55⤵
- Executes dropped EXE
- Modifies registry class
PID:4284

C:\Windows\SysWOW64\Iahgad32.exe
C:\Windows\system32\Iahgad32.exe
56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4468

C:\Windows\SysWOW64\Iolhkh32.exe
C:\Windows\system32\Iolhkh32.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5100

C:\Windows\SysWOW64\Iialhaad.exe
C:\Windows\system32\Iialhaad.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1724

C:\Windows\SysWOW64\Iamamcop.exe
C:\Windows\system32\Iamamcop.exe
59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2044

C:\Windows\SysWOW64\Jpnakk32.exe
C:\Windows\system32\Jpnakk32.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776

C:\Windows\SysWOW64\Jekjcaef.exe
C:\Windows\system32\Jekjcaef.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4388

C:\Windows\SysWOW64\Jppnpjel.exe
C:\Windows\system32\Jppnpjel.exe
62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4428

C:\Windows\SysWOW64\Jemfhacc.exe
C:\Windows\system32\Jemfhacc.exe
63⤵
- Executes dropped EXE
PID:756

C:\Windows\SysWOW64\Jbagbebm.exe
C:\Windows\system32\Jbagbebm.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4816

C:\Windows\SysWOW64\Jikoopij.exe
C:\Windows\system32\Jikoopij.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3248

C:\Windows\SysWOW64\Johggfha.exe
C:\Windows\system32\Johggfha.exe
66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:488

C:\Windows\SysWOW64\Jhplpl32.exe
C:\Windows\system32\Jhplpl32.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3372

C:\Windows\SysWOW64\Jojdlfeo.exe
C:\Windows\system32\Jojdlfeo.exe
68⤵
- Drops file in System32 directory
- Modifies registry class
PID:404

C:\Windows\SysWOW64\Kiphjo32.exe
C:\Windows\system32\Kiphjo32.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4456

C:\Windows\SysWOW64\Kbhmbdle.exe
C:\Windows\system32\Kbhmbdle.exe
70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2388

C:\Windows\SysWOW64\Klpakj32.exe
C:\Windows\system32\Klpakj32.exe
71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1824

C:\Windows\SysWOW64\Kidben32.exe
C:\Windows\system32\Kidben32.exe
72⤵
- Drops file in System32 directory
- Modifies registry class
PID:1916

C:\Windows\SysWOW64\Kekbjo32.exe
C:\Windows\system32\Kekbjo32.exe
73⤵
- Modifies registry class
PID:1148

C:\Windows\SysWOW64\Kocgbend.exe
C:\Windows\system32\Kocgbend.exe
74⤵
- Drops file in System32 directory
PID:2060

C:\Windows\SysWOW64\Klggli32.exe
C:\Windows\system32\Klggli32.exe
75⤵
- Modifies registry class
PID:4568

C:\Windows\SysWOW64\Lebijnak.exe
C:\Windows\system32\Lebijnak.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4832

C:\Windows\SysWOW64\Loacdc32.exe
C:\Windows\system32\Loacdc32.exe
77⤵
- Modifies registry class
PID:232

C:\Windows\SysWOW64\Mledmg32.exe
C:\Windows\system32\Mledmg32.exe
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1864

C:\Windows\SysWOW64\Mjidgkog.exe
C:\Windows\system32\Mjidgkog.exe
79⤵
- Drops file in System32 directory
PID:5044

C:\Windows\SysWOW64\Mofmobmo.exe
C:\Windows\system32\Mofmobmo.exe
80⤵
- Drops file in System32 directory
- Modifies registry class
PID:4908

C:\Windows\SysWOW64\Mhanngbl.exe
C:\Windows\system32\Mhanngbl.exe
81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4536

C:\Windows\SysWOW64\Mbibfm32.exe
C:\Windows\system32\Mbibfm32.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3292

C:\Windows\SysWOW64\Momcpa32.exe
C:\Windows\system32\Momcpa32.exe
83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1012

C:\Windows\SysWOW64\Nqmojd32.exe
C:\Windows\system32\Nqmojd32.exe
84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3496

C:\Windows\SysWOW64\Nmcpoedn.exe
C:\Windows\system32\Nmcpoedn.exe
85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1616

C:\Windows\SysWOW64\Nijqcf32.exe
C:\Windows\system32\Nijqcf32.exe
86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3584

C:\Windows\SysWOW64\Nbbeml32.exe
C:\Windows\system32\Nbbeml32.exe
87⤵
- Modifies registry class
PID:5152

C:\Windows\SysWOW64\Nbebbk32.exe
C:\Windows\system32\Nbebbk32.exe
88⤵
PID:5192

C:\Windows\SysWOW64\Ojnfihmo.exe
C:\Windows\system32\Ojnfihmo.exe
89⤵
- Drops file in System32 directory
- Modifies registry class
PID:5232

C:\Windows\SysWOW64\Ookoaokf.exe
C:\Windows\system32\Ookoaokf.exe
90⤵
- Drops file in System32 directory
PID:5284

C:\Windows\SysWOW64\Oonlfo32.exe
C:\Windows\system32\Oonlfo32.exe
91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5332

C:\Windows\SysWOW64\Obnehj32.exe
C:\Windows\system32\Obnehj32.exe
92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5396

C:\Windows\SysWOW64\Obqanjdb.exe
C:\Windows\system32\Obqanjdb.exe
93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452

C:\Windows\SysWOW64\Pcpnhl32.exe
C:\Windows\system32\Pcpnhl32.exe
94⤵
- Modifies registry class
PID:5496

C:\Windows\SysWOW64\Pjjfdfbb.exe
C:\Windows\system32\Pjjfdfbb.exe
95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5540

C:\Windows\SysWOW64\Pfagighf.exe
C:\Windows\system32\Pfagighf.exe
96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5592

C:\Windows\SysWOW64\Pfccogfc.exe
C:\Windows\system32\Pfccogfc.exe
97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5632

C:\Windows\SysWOW64\Pmmlla32.exe
C:\Windows\system32\Pmmlla32.exe
98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5684

C:\Windows\SysWOW64\Pidlqb32.exe
C:\Windows\system32\Pidlqb32.exe
99⤵
- Drops file in System32 directory
PID:5732

C:\Windows\SysWOW64\Pififb32.exe
C:\Windows\system32\Pififb32.exe
100⤵
PID:5776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 400
101⤵
- Program crash
PID:5920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5776 -ip 5776
1⤵
PID:5852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:5264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aagkhd32.exe
Filesize
465KB

MD5
7faf403858ad75aecf5bcfc931b24905

SHA1
0362e9a91e4010336e629ef616c774cd7ba32033

SHA256
a4fd7327b0f37c392bb1a2ff2ee8065ffb89609bb39044bc495094dcbeb9f692

SHA512
93614322bed89f99121ecda6d635f04f24e0ef7a6bdec4103d5f8f453c8931d916748c312074134cd1f364e8bf6d516eb6ac1a24100649dd5cfde7de03610d61

Download Submit
C:\Windows\SysWOW64\Ahfmpnql.exe
Filesize
465KB

MD5
5404f29eb604ffa80e48818cac65c74b

SHA1
28b76e34ef35cef07c59fcc87d548cfd4a60dde3

SHA256
beb4bceedfa8a7bbdbfd2d67e9f53885176dfae48f1d99a554e90c53c51a53d5

SHA512
fb11ab043204c4b59b9137a9d6ecc4b3f66faf5ef32e8d01a84fd672e151a6a285d010178ce07ed756caa320e4c74352eb6828c226f94f8c39bd6d0880fb126e

Download Submit
C:\Windows\SysWOW64\Bklomh32.exe
Filesize
465KB

MD5
7199546dfc4750d3f3ad315dfe8050f3

SHA1
de545b2b9176fc50c6285cc1ee35e3aa698900e5

SHA256
60719e6635064e6ba544204638cfe00f296f3d64128942fb6a4b729b731d3aee

SHA512
761bf5d216e4d26bf5d4152c2c3399412af0115ebcbb795bd84d5507e582c096e945ff9962ae5d799528e544adddd097089051caa2bb3cc017730336d3745a4e

Download Submit
C:\Windows\SysWOW64\Bnoddcef.exe
Filesize
465KB

MD5
74befc19eeefe769669e7947548a3c56

SHA1
793fcc45cbacb545051ff891ba01b2e2fbef8687

SHA256
ccda34c927b80d61c4c36026964ff3f5823a90462d23c8f022351e4ca495ad97

SHA512
17a9d0c5f369f8daac0df131d87ce1e3c1e14d72cc3d0060f3894a739df1c2169bd20d2da7af36b99000588cfb548c91d7935f20459433cf6cec0f681c124050

Download Submit
C:\Windows\SysWOW64\Bobabg32.exe
Filesize
465KB

MD5
01b4217f0a22c58436d13496135ef059

SHA1
581d1f3e71d2fdc0ae9168a9f6596b3bfa0c87e6

SHA256
feb46c94d7e20a0ed0ef5d9ccc903eb11e6a9d42b3d29f6cbb6e3f39e762d45b

SHA512
433fdb9eee140e4ebc501eb863c1d22456bbbb29dc76fa3c4622c506a0dd15e52fb713df96ee052cbb580afd2ae5418397d4600408bd3aab90eca60997c59061

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe
Filesize
465KB

MD5
80251b1ee31d31d42f9f7842ceacfc4f

SHA1
0cb1fabe4c522d8ac37e293f2e4144479d1fbad8

SHA256
3064e5c8aa7b7e46b36c4fe0a480bc7aa7ea44d8691473d7f9f7b68d3a58b7e8

SHA512
4d4a1661680e494a668ff0c4f23b515aed991a58740b8a74dfa4f52800a754bff162c54dc05a7172e13a7424f201ce8f5a80d848a352767093cd26bf7729cc99

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe
Filesize
465KB

MD5
8446ad4cc67c853124c083ad94cb577a

SHA1
35f1adccdb841cc5c59582b8363fe37c3871fb67

SHA256
0b441aeb08676d02f61472feb9eba2848d0a1dab292a2b88f5ca2dc91818f12f

SHA512
49017d8cac86c9fd99284f875552c3ce8cce69644d3f2d1c57059a90fdda0433f426bdfdabec0cdb00d062f464d881fb4a72190f8a9ebb625d4a012579c1ada2

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe
Filesize
465KB

MD5
d9ad2fc28895fc20f778f52f2bd67c92

SHA1
06ed3f900e0351e3be9b2175afdd435a0f90367b

SHA256
91fadc5878ef131e2c72f6713b404200e1591f19ad590c2a4e3e7b48ddeb3085

SHA512
47f237ed933f54132e0286bcef0f6164d02fd6399a6a1ccc41c53735ded9c70ff4248dd50e60a40fd0e2e6eaf949e55bccb2d4865e6ed4d1b7a40a5b56de392d

Download Submit
C:\Windows\SysWOW64\Dbocfo32.exe
Filesize
465KB

MD5
3c4987be1d437d11a1d749179e445d9a

SHA1
ac594a5696c735149e00a0059376c2435b52958c

SHA256
0e41e22f29bdf5adfa9b197dd9cd6e69ec1721f72b17d037338d2b000cff99b2

SHA512
54f3066c16b18e7dcd29e48437cb8567ed2e024551ae920813212c5ab8527011ce35623b64407779333b437d2d41bc52d235f3400ea77e603526f5073d68cf5e

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe
Filesize
465KB

MD5
81f5e0448d2dc9e0cdb23add36873710

SHA1
ae2696d1ec282016bf58b37aa9aff571ec12d5f4

SHA256
0a03b156a164acd26865082d9d876a67597927a3bb003aac7f9e1591239ac552

SHA512
35ec34eac2684075ebd7d95a85e2aa41bf06084712d083f41f5fde08f1f6d7364275b333c121ba575f30d672742ec6200c819c3950f3495f29e02f9a6ff97575

Download Submit
C:\Windows\SysWOW64\Edgbii32.exe
Filesize
465KB

MD5
a349ff7407fe5522e4da32af2497354f

SHA1
5b85a4d1b61670e6065adacc10eb85d40205dd3e

SHA256
c07c30fc9a6880171ce454be2c69d22f29b37cf667799ae6109c890fbf78138f

SHA512
f1d8aa77239dd14ff73672ffd9e907bbcd95910231e38085fa67dabfc538a50d16fbab5e9c7837c7ef94fa43813786b0907da4b87b3fbddb704ed917d2f967d4

Download Submit
C:\Windows\SysWOW64\Ehlhih32.exe
Filesize
465KB

MD5
658a9181b91ec5de2becdf2054cbcc55

SHA1
cf711b3fa755666b252e40037c8bd99afbd3d16d

SHA256
cc6ca332f0417690c191bf44a400bcb23044e026deca0dc35c13e5d0e735a02a

SHA512
72b45ea1b8d7c07ff0b35cd63a60b6c46000df4c654a566de435405c476b87bf88d63dacd613177844cdfda19e5de3c4c48f2949d024b48943bc84899810e050

Download Submit
C:\Windows\SysWOW64\Eklajcmc.exe
Filesize
465KB

MD5
9b350116e0ef47a8bbbbc2302b6447c1

SHA1
d10dcf1bedbb7d90cd8146adc26a2834182b2835

SHA256
20d73e0cef3161f3b5963d544049c7ff1549f317c968761b8878482f1001ba8e

SHA512
1d9203b4e4dd0473db9f7d4fcdb4fc417b66c4af4045320f7120659b1a76226a2d54a5541f1b9facd16f2a1527c315370764394ce557fc263b609cbf9a6bed35

Download Submit
C:\Windows\SysWOW64\Fnbcgn32.exe
Filesize
465KB

MD5
2bac8097bee4ca6801accb240b406c85

SHA1
6094e89631f27ac64b477aa93d95767de7947b07

SHA256
9a12c118434ce536704711f4366e6d6ef75f2b5965f3529838c3631465214f9f

SHA512
88fcb41148a77a83173a5047a3302f75692e0c8ae01549d0e918d2e113561360d8d3d64a0a1196c278bebd05cc1a95e78a15ad2c415e32584532e96d8f253597

Download Submit
C:\Windows\SysWOW64\Fnfmbmbi.exe
Filesize
465KB

MD5
0ddaf049c7ba30fe05383db8e54df37d

SHA1
4dbb4d964b763f17faa65329bd08979738fde7d8

SHA256
7114bebd71abd12deca2f08caf44ace274ff986b17b4ced37d1c378f2e248bcc

SHA512
529d1a1e9f57b4a6ae6d506831bd454d44a24978557f0303755ecbda378471a67748c878d19fe1f061b0270e6719a818358093ccfc0f795513bb1886a93452a7

Download Submit
C:\Windows\SysWOW64\Fqgedh32.exe
Filesize
465KB

MD5
f2663dc11ec4db94cd4073dbb78cba40

SHA1
3890b8b00d5f0acb76400d776fc99016b7860cd4

SHA256
6b1e4e64602fa41d62678acc25755ffbe6fbe991d45dcc79ef21f60f5f4b80f8

SHA512
6a268c93e729ca845deea2110b5659f0a1022b421c708dbfc5883be5981c7b1c99482c47da7e20b01988ebc2de60fbe2ec9a99c47caf45b6f1d5c62fc3e4038f

Download Submit
C:\Windows\SysWOW64\Gacepg32.exe
Filesize
465KB

MD5
b8ee9f03ba96afb371d81fea6e6050cc

SHA1
66f5ce5483559c74be716cce9a3956e498a91429

SHA256
6c045a2d0f5c685c772d85bd71dabc0826f0c5c78e6ea06e211f7997320fa3d5

SHA512
86263c8bda76f28f86984758eba1516ab88c70b8a6fada6db69b0a7ca510ca9cbab63d16ec3efc2d84db43f1759f4def1352ba09215306e6129bd0b98022f757

Download Submit
C:\Windows\SysWOW64\Gaqhjggp.exe
Filesize
465KB

MD5
2f36e965be4eafb2e567ba05be17f233

SHA1
68314f0e31d1ff0358d4962f21c9a4d45eb27a88

SHA256
95261a8a625089e0cc79b447430760069e15fee2f3c3d578f566974cf01952bf

SHA512
a71439a8d18837aada295ca66515c0dc2c7f5daf68963b03ddcaebea00c20b385ffb26db8af6123045a220d48110034292ed4d6126b4f0ffdfff056648f5ad15

Download Submit
C:\Windows\SysWOW64\Iahgad32.exe
Filesize
465KB

MD5
132879f1fb44ba92d7e23cfd9661268c

SHA1
4eae6e57c2667ae69d5ac7d171ef0fc228765f87

SHA256
26578a0ab19f4ec0a0789c26425618a9b0e2abc431f5b1fdb7141ee02f425243

SHA512
6ad7e85a5e3d6f6030a06be71ce8a4a5079fb6fbf86bf91783bb04cbe162314d91ac017a2af91ccf65de875d7e2ece50edc6913a474d95cc12aca992604d1d33

Download Submit
C:\Windows\SysWOW64\Iialhaad.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Jcfggkac.exe
Filesize
465KB

MD5
84e795e9f66d81dd3aff35985e1d30a5

SHA1
a9dd6014e7ded5bb418ae2e3f668cc2fd43c028a

SHA256
d05280ab41ef4ddbf43b648148b58a0f82bf2deb96396e0b51a68441fb00942d

SHA512
f1b4141fccca1764a6959825022ebf4cae03b3a4130da97167f2bdb7d8f90629c703e800fbd815fdf5fffeaf10e11a5b4d75cfe5a406318c9c02c52811138427

Download Submit
C:\Windows\SysWOW64\Jghpbk32.exe
Filesize
465KB

MD5
3518339df76caa886ebeb95862dfba47

SHA1
290e8982b3c5f85f38b1fe57a13bfbeff47fae1a

SHA256
ad6e604f3b37ba93accc23c2f3c0d34cf5233dfc994fe849fc93bc5b41c37e79

SHA512
91fc7f655d4641b46da297e55bc1ec0216538ff538ae2397bf0e380ca8d000f3c480cf74f9daa20b8379989632ce15ef8861936b2f52f692ad9c2b9500782ec4

Download Submit
C:\Windows\SysWOW64\Kidben32.exe
Filesize
465KB

MD5
1836f549310ef664427ed68489feb865

SHA1
a013cd66aec30ea34df09ca27e8f66d7f0fe1776

SHA256
5813238347b7cd8f36b644288db6e3f6a97e36c6588a2664e5b8663f1788e2a9

SHA512
41c131a86a48fc191710ea81b732aee28ca2aeedb19b4c078369e28ebd47262691c9a1bf3a0d6d59787672fb941e99c007bfa49b6d58202572a89195d7c3d30d

Download Submit
C:\Windows\SysWOW64\Klggli32.exe
Filesize
465KB

MD5
71ab425ec0a50857c7b17aaaae9e3c16

SHA1
6a2a8aa42f9605b7d744e5eb359e1b1aea25d8e5

SHA256
4c273c9cb103b4584f959ac4d19311dfeb0c873cbe774072a1fbf6614b4da577

SHA512
325b6ec0241e1430083e1787378cd67d77a1ba089aea55f350baf7dc4d047ffe6c954212110617772762d70034b8a7c3e6ceadb91790e1be3099cf38afde023f

Download Submit
C:\Windows\SysWOW64\Ljhnlb32.exe
Filesize
465KB

MD5
fdf8b3410e9aebcef1104c366a015ce9

SHA1
998a2c3e61c6362e16d18df7dcc2a7c88565399c

SHA256
237120b65ac259de5e73a9f2bd7733d0d0004e8647064d112bc4ec267c4a8d07

SHA512
8eaad19104519bcb58ed675b6d726168b1ff00fa742ebd61f1550544b836d94cf24043d6e0117002bf968af847726728ac5a579b6ab825e802fd445c93563f83

Download Submit
C:\Windows\SysWOW64\Lopmii32.exe
Filesize
465KB

MD5
41e6fd8b3f708228be809a8a9b96f48b

SHA1
577d396dee2e88c0ba3d340185f6d555db1a1de6

SHA256
620c21010b356eb7afb1e53fc2c90d1d514e98df1de15267d07c5f074fb6c178

SHA512
9ca5d22ddf705811ff9aa7f4995bb629a8bf53e90925e7294b741841c723ca18f1283e26156d1d3ce5f2163ccac8e11858276d4699c40385f044eb449b406776

Download Submit
C:\Windows\SysWOW64\Lqhdbm32.exe
Filesize
465KB

MD5
a0e09c883842b14ca8585b73248da018

SHA1
2be4734446b67427ed20ef0c0cff9dcf69886d05

SHA256
8b5a92c1f2425a7b58823127aeea25b7ee36dd55c65cc2a204226ea53788c739

SHA512
667b65c0a355eaeb99372f979df5dc898062796d3cbceb4b3392214e0ce0725524ff98d7d0665b200a261b4f9deaa0dbfcb3ab1e31de5fed5ef34a415cc8e513

Download Submit
C:\Windows\SysWOW64\Mjidgkog.exe
Filesize
465KB

MD5
2f43dab562b5e72e3678760ecd74f83f

SHA1
9e992b5c94af551f7e737e6724286dc1b5b33247

SHA256
5df6bab4d995512c7909bcf9451169f3c3404d3760128cb21eb933967fb26dbf

SHA512
92ecff7c85129e80f0f2e231b7cf1e5460f07766298c5593461fe96788ee6a2a874c987ff112968e20eeee2b7408bab7332fccc01861c1b2fed2f9d4e26575b6

Download Submit
C:\Windows\SysWOW64\Mnhdgpii.exe
Filesize
465KB

MD5
6e360d180cb355005e9135decd840a49

SHA1
829a754799a8dca8197ab24cd11b9112ff065cb2

SHA256
9cd1ced844e500c27a750f01ef6b7b05119f51d24e33f6685846323bf999e85c

SHA512
e231ff73c0abaa7c78d13e269787079526683a8882bdd94dabf1bad2bd3d74de1983b73dc1017434c2793874b371969ec3eac74f6dff4b2c6b33df364bf4481e

Download Submit
C:\Windows\SysWOW64\Ncchae32.exe
Filesize
465KB

MD5
97e820161f042c6d591021731aaf4717

SHA1
a08c5df26472567c5c407550a8319ad3e00119ed

SHA256
2cf45c660b48af8a8564acc32b2a5bd9d973951b7b661c667e0bac8889de83cc

SHA512
4b6c443079296c98f5cbdc14d8ac2099ce35798b83ec2d7bb129660f2deabf487424406f8b116094c7482764040020640724100c421d134bdc64a7a2dbe83270

Download Submit
C:\Windows\SysWOW64\Nmdgikhi.exe
Filesize
465KB

MD5
03766ff936bb19d9197f9410c2b2e5dd

SHA1
7e403b833c43fbb07346929671e592f51bccca4a

SHA256
9c787e77cbbb297750f4a5207d3b2ff7887c861be6f15845438e9530506b69ac

SHA512
454d248d3f73b733f8d6de6e303c37d8c981b66d6ded79f217594012c883d47bd99c4baeb0f1fed1a2a2104123cbd793d7335db3ada437c7645d0bbd78c72dda

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe
Filesize
465KB

MD5
5b3adf65a039d5e794b1a62ad39a73b3

SHA1
127e7fb2fdcaf5b64a82fb483aa4e107376b7413

SHA256
afefca16b54d9f1d6c5a3f8e23f15a725c3ca5afd1301961940b53eb03cdc29f

SHA512
f94462e3808139fbd951d3c32f7d5f7ef887a067aa24548832e7acd595f4b70908294582c39b7c17717b67775e4caf68dbe593fd0a47b7febd382400db01250d

Download Submit
C:\Windows\SysWOW64\Oclkgccf.exe
Filesize
465KB

MD5
b0fe7197bcfcd7a505049d35375f18fd

SHA1
d7b035841a42548b4a878a413df323099d8ef13c

SHA256
d11e27cb762ddfe005a11fe941a5882863cea7c067c0c9c84c57910bf140c874

SHA512
55a39d8abc774594039ab16509e14a3250a84158a446464ba7365583abe5cba97d1096597ea000a692b686fe515125ef8c9242f8278abcbb7d7e07e67ae1e4b3

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe
Filesize
465KB

MD5
7f9d78e9bc6bab62e024319c20e26403

SHA1
546814052cc860590160a1fad668a8ef29b720ab

SHA256
5ed17982d1249ec9a52945f5723f16edaa8e294a37716d70027a66ae1d72002d

SHA512
43ee99a50236529a7c6fe7b1deaaa8dc87b001ab3784f107b6846db429bcf267e396b95d8d2cbf78ac38c961fbf315e30d163267d59758b5f42d1e3ae74635a5

Download Submit
C:\Windows\SysWOW64\Oonlfo32.exe
Filesize
465KB

MD5
7c6225eeaa63cc67f15b4407e27ad28c

SHA1
88e78550d2921fb5db0ca1aa7aae8dda0ddee0c7

SHA256
c96b348ab271ace4c9b74a1773d7ec229d90668b8f113916abba82e5f12d31ec

SHA512
83e27235b8af7340d0d51fcac0861951edfb8ae7bc290cae8b2c2469551f1bddc474d3fbc8d9de95da8eb97b2e16b307c420bc068fa527cd382b20e67fad6218

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe
Filesize
465KB

MD5
48243e33af6a024bae996df96b5d70d5

SHA1
4b0d4f59a76828d03070830968971f80a0fb0a65

SHA256
22ed62aa3c33f5ed24651b2c73fd577948bad20f8101dc92b6ea90b11fbe3e4e

SHA512
0887b9d1f2bcbe4dfaa5cdac121241e1f8ea56b69583bd87f74675bce55e521da96e882fa1c8d88f555d8f918a5cc1cebaaba4a542235f6729d038b1fe4f3293

Download Submit
C:\Windows\SysWOW64\Pdmdnadc.exe
Filesize
465KB

MD5
1dedf464af556acde29421ce5480ae83

SHA1
694152d5ea8753b4f8018cc1de69257c02e8fd13

SHA256
75d205c1a0ac7884360ce3547dae329305455ea3dcd218e93c4467a90fe1376f

SHA512
2052bc8616044ddb9d916af72bb92e81b4d54cd641b888c448b5fc2da75ca533759f0fb5923d0700147a7ab4fff45666fc0148d57f419eec633c2f71ddaef99f

Download Submit
C:\Windows\SysWOW64\Pfagighf.exe
Filesize
465KB

MD5
78884138ae3d769c03a66b0c951defb6

SHA1
f11e38a5d42439e944579bb8e61ff952c984d338

SHA256
7a9e6309be5de83b94353f2f5db29bc07a6ea86fda220b3c8b1cf487b017ac74

SHA512
2874f537cedb450c296376c2786b8320a20589c5f214985ccdd1a8c30b91ba28c99821c21327bc3f704c24d25f40fb7b14196dc082e6baf0da4cb96a797ab014

Download Submit
C:\Windows\SysWOW64\Pjpfjl32.exe
Filesize
465KB

MD5
11e3b7a849e6b8c25156001d5d0313f1

SHA1
97711ae56784e90fb53b4e3e77f832f30afa26d8

SHA256
4007fa27e408014d015e31e5d409b8409304d63caa16dcc5fff7f6b3abb5ced5

SHA512
cf3bcfa4f997ca4beb558baffa1c8f05e07a5baa57bbcce6fa146002ee36ce90878af43cd3cfaf8a065ccc09049e6a95dada355bb11db9a1a37c5585f648f467

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe
Filesize
465KB

MD5
f641e5dd743d641e68507a4285759214

SHA1
d9a1a77f8c8f857502b227295aa477e913b1a5d8

SHA256
6691893184743e2f67ab376fd643660f65ed19b8a393332a2fbd9ac8da799eb4

SHA512
7530d2ce556438d665c5a19c0b9744bc23c3c67c67d2ba47aa69ad2c136b1c859a798b783e48a728c10448df9cdd558049ae1d263deba631ab2c16145b1f2d72

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe
Filesize
465KB

MD5
dc957216ddbe66cc0cf61934b33fea7e

SHA1
96fb18c1623eb7d76966b4c5c10c43378fdc202b

SHA256
0c0f9f16252face9c8acc50205cc5c02986ecdb0df993c971dab7b2192e4b34a

SHA512
bdd3b0692d1db6f2874da599bd677640df7e53edfa5786b21bce3affe847ff6dc5674e7ef3ff2dde1555500ce2000eff8c16ed77d83db0039dc852fddfd2d84d

Download Submit
memory/216-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/232-525-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-469-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/488-456-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-724-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/560-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/560-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/648-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/648-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/756-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/972-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1012-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1068-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1068-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1148-499-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1424-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1424-721-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-600-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1744-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1756-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-517-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1836-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-531-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2060-505-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-727-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-692-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-728-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-631-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-690-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-726-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-481-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2784-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2784-624-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-615-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2964-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3136-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3248-450-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3256-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3308-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3308-695-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3352-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3356-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3372-462-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3400-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3420-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3460-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3496-569-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3560-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3560-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3568-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3568-537-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3584-582-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-562-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3800-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3900-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-694-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4160-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4260-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4284-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4328-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4328-722-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-475-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4468-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-550-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-739-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-511-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-691-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4820-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4820-607-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-519-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-693-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-540-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-575-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5152-588-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5192-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5232-601-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5284-608-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5332-616-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5396-626-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5540-705-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download