njrat | 195a03543f883c161541b80d2a069b1e81c314bf4fc2c880d6ffa2a79fb01e31

Analysis

max time kernel
140s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

359199dea208505e6754447260775220_NeikiAnalytics.exe
Size

337KB
MD5

359199dea208505e6754447260775220
SHA1

dd462bf8661d0267a06ce47bd9a68d2851066444
SHA256

195a03543f883c161541b80d2a069b1e81c314bf4fc2c880d6ffa2a79fb01e31
SHA512

d629d02368dda729b107a0193d57060e5c06c1e58e85ca37124fa2a8a97de7207abb759bd17ffc586659b52afdb5aeef56d960945510a0521352e3244ca6c1f5
SSDEEP

3072:H3z9gm27ccLhJfxokEgkgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:H3z9nYZxokEgk1+fIyG5jZkCwi8r

Score

10^/10

njrat persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Fqbliicp.exeFinnef32.exeGbbajjlp.exeIhbponja.exeGacepg32.exeMfenglqf.exeEnmjlojd.exeOmmceclc.exeCcblbb32.exeLokdnjkg.exeJmeede32.exeAhdpjn32.exeDdnobj32.exeEqdpgk32.exeJpgdai32.exeHmmfmhll.exeLancko32.exeKpiqfima.exeNciopppp.exeNckkfp32.exeBanjnm32.exeHahokfag.exeNnojho32.exeFgcjfbed.exeGpbpbecj.exeAmnebo32.exeKcapicdj.exeBdmmeo32.exeCalfpk32.exeMcgiefen.exeHnlodjpa.exeHlkfbocp.exeHfjdqmng.exeJphkkpbp.exe359199dea208505e6754447260775220_NeikiAnalytics.exeOblhcj32.exeLpgmhg32.exeMjggal32.exeEqgmmk32.exeHhdcmp32.exeBnoddcef.exeEnkmfolf.exeOmfekbdh.exeHppeim32.exeIfomll32.exeKeimof32.exeHihibbjo.exeIimcma32.exeHehdfdek.exeBfmolc32.exeDhdbhifj.exeAagkhd32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqbliicp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Finnef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbbajjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihbponja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacepg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enmjlojd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ommceclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lokdnjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmeede32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddnobj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqdpgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmfmhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lancko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpiqfima.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nciopppp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banjnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahokfag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Finnef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgcjfbed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpbpbecj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmmeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihbponja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcgiefen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnojho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnlodjpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmmeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlkfbocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjdqmng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jphkkpbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	359199dea208505e6754447260775220_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oblhcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpgmhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjggal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgmmk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhdcmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	359199dea208505e6754447260775220_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nciopppp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enkmfolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmfmhll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hppeim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifomll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keimof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihibbjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iimcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpbpbecj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hehdfdek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnlodjpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfmolc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhdbhifj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahdpjn32.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

Processes:

Gpbpbecj.exeHmmfmhll.exeHfjdqmng.exeIfomll32.exeIbhkfm32.exeJcmdaljn.exeJmeede32.exeJphkkpbp.exeKeimof32.exeKnenkbio.exeLokdnjkg.exeLggejg32.exeMqafhl32.exeMqfpckhm.exeMcgiefen.exeNnojho32.exeNflkbanj.exeOffnhpfo.exeOaplqh32.exePjkmomfn.exePnifekmd.exePhfcipoo.exeQaqegecm.exeAagkhd32.exeAhdpjn32.exeBdmmeo32.exeBhmbqm32.exeBgbpaipl.exeBnoddcef.exeChfegk32.exeCaageq32.exeDpiplm32.exeDdgibkpc.exeDhdbhifj.exeDnajppda.exeDdnobj32.exeEqdpgk32.exeEqgmmk32.exeEnkmfolf.exeEnmjlojd.exeEgened32.exeEiekog32.exeFooclapd.exeFgjhpcmo.exeFqbliicp.exeFnfmbmbi.exeFilapfbo.exeFinnef32.exeFbgbnkfm.exeFgcjfbed.exeGgfglb32.exeGghdaa32.exeGaqhjggp.exeGacepg32.exeGbbajjlp.exeHlkfbocp.exeHahokfag.exeHnlodjpa.exeHhdcmp32.exeHehdfdek.exeHnphoj32.exeHppeim32.exeHihibbjo.exeInebjihf.exe

pid	process
1652	Gpbpbecj.exe
3824	Hmmfmhll.exe
1364	Hfjdqmng.exe
3468	Ifomll32.exe
2760	Ibhkfm32.exe
1804	Jcmdaljn.exe
4064	Jmeede32.exe
3984	Jphkkpbp.exe
2664	Keimof32.exe
1300	Knenkbio.exe
1352	Lokdnjkg.exe
5044	Lggejg32.exe
4684	Mqafhl32.exe
4480	Mqfpckhm.exe
404	Mcgiefen.exe
4076	Nnojho32.exe
3100	Nflkbanj.exe
4392	Offnhpfo.exe
3952	Oaplqh32.exe
3924	Pjkmomfn.exe
4772	Pnifekmd.exe
3152	Phfcipoo.exe
4584	Qaqegecm.exe
4316	Aagkhd32.exe
2216	Ahdpjn32.exe
568	Bdmmeo32.exe
1980	Bhmbqm32.exe
3368	Bgbpaipl.exe
2620	Bnoddcef.exe
4616	Chfegk32.exe
1860	Caageq32.exe
4620	Dpiplm32.exe
228	Ddgibkpc.exe
3144	Dhdbhifj.exe
2812	Dnajppda.exe
4836	Ddnobj32.exe
4840	Eqdpgk32.exe
832	Eqgmmk32.exe
1012	Enkmfolf.exe
3588	Enmjlojd.exe
2236	Egened32.exe
4428	Eiekog32.exe
4536	Fooclapd.exe
3424	Fgjhpcmo.exe
4604	Fqbliicp.exe
2248	Fnfmbmbi.exe
4472	Filapfbo.exe
3620	Finnef32.exe
4204	Fbgbnkfm.exe
660	Fgcjfbed.exe
860	Ggfglb32.exe
3648	Gghdaa32.exe
1380	Gaqhjggp.exe
4376	Gacepg32.exe
624	Gbbajjlp.exe
4168	Hlkfbocp.exe
2960	Hahokfag.exe
4848	Hnlodjpa.exe
1180	Hhdcmp32.exe
4212	Hehdfdek.exe
4424	Hnphoj32.exe
1988	Hppeim32.exe
4036	Hihibbjo.exe
5072	Inebjihf.exe

Drops file in System32 directory 64 IoCs

Processes:

Objkmkjj.exeOblhcj32.exeDhdbhifj.exeFgcjfbed.exeHlkfbocp.exeMfenglqf.exe359199dea208505e6754447260775220_NeikiAnalytics.exeDpiplm32.exeIlphdlqh.exeNckkfp32.exePhfcipoo.exeDdnobj32.exeHihibbjo.exeCalfpk32.exeOaplqh32.exeFgjhpcmo.exeBfmolc32.exeCcblbb32.exeEnkmfolf.exeEgened32.exeIpdndloi.exeBanjnm32.exeBipecnkd.exeLggejg32.exeMqafhl32.exePnifekmd.exeHppeim32.exeKnenkbio.exeMjggal32.exeOmmceclc.exeGaqhjggp.exeIhbponja.exeJlbejloe.exeKpiqfima.exeNnojho32.exePjkmomfn.exeBhmbqm32.exeCibain32.exeNmcpoedn.exeAmnebo32.exeFinnef32.exeLohqnd32.exeNciopppp.exeGghdaa32.exeJphkkpbp.exeMcgiefen.exeBdmmeo32.exeFnfmbmbi.exeChfegk32.exeBgbpaipl.exeBnoddcef.exeFbgbnkfm.exeKcapicdj.exeJpgdai32.exeGpbpbecj.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Holpib32.dll	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Iaidib32.dll	Oblhcj32.exe
File created	C:\Windows\SysWOW64\Dnajppda.exe	Dhdbhifj.exe
File opened for modification	C:\Windows\SysWOW64\Ggfglb32.exe	Fgcjfbed.exe
File created	C:\Windows\SysWOW64\Ccegac32.dll	Hlkfbocp.exe
File created	C:\Windows\SysWOW64\Nciopppp.exe	Mfenglqf.exe
File created	C:\Windows\SysWOW64\Cnnbme32.dll	359199dea208505e6754447260775220_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ddgibkpc.exe	Dpiplm32.exe
File opened for modification	C:\Windows\SysWOW64\Jlbejloe.exe	Ilphdlqh.exe
File opened for modification	C:\Windows\SysWOW64\Nmcpoedn.exe	Nckkfp32.exe
File opened for modification	C:\Windows\SysWOW64\Qaqegecm.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Clmipm32.dll	Ddnobj32.exe
File opened for modification	C:\Windows\SysWOW64\Inebjihf.exe	Hihibbjo.exe
File created	C:\Windows\SysWOW64\Jlojif32.dll	Calfpk32.exe
File created	C:\Windows\SysWOW64\Bdlgcp32.dll	Oaplqh32.exe
File created	C:\Windows\SysWOW64\Dkpqlc32.dll	Fgjhpcmo.exe
File opened for modification	C:\Windows\SysWOW64\Bipecnkd.exe	Bfmolc32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjmekgn.exe	Ccblbb32.exe
File opened for modification	C:\Windows\SysWOW64\Gpbpbecj.exe	359199dea208505e6754447260775220_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Enmjlojd.exe	Enkmfolf.exe
File created	C:\Windows\SysWOW64\Ccegpn32.dll	Egened32.exe
File created	C:\Windows\SysWOW64\Iimcma32.exe	Ipdndloi.exe
File created	C:\Windows\SysWOW64\Ilpgfc32.dll	Banjnm32.exe
File opened for modification	C:\Windows\SysWOW64\Cibain32.exe	Bipecnkd.exe
File created	C:\Windows\SysWOW64\Jlllhigk.dll	Lggejg32.exe
File created	C:\Windows\SysWOW64\Mqfpckhm.exe	Mqafhl32.exe
File created	C:\Windows\SysWOW64\Hehhjm32.dll	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Hpceplkl.dll	Hppeim32.exe
File created	C:\Windows\SysWOW64\Ombnni32.dll	Knenkbio.exe
File opened for modification	C:\Windows\SysWOW64\Eiekog32.exe	Egened32.exe
File created	C:\Windows\SysWOW64\Mfenglqf.exe	Mjggal32.exe
File created	C:\Windows\SysWOW64\Ghaeocdd.dll	Ommceclc.exe
File opened for modification	C:\Windows\SysWOW64\Gacepg32.exe	Gaqhjggp.exe
File created	C:\Windows\SysWOW64\Ilphdlqh.exe	Ihbponja.exe
File created	C:\Windows\SysWOW64\Mneoha32.dll	Jlbejloe.exe
File created	C:\Windows\SysWOW64\Nphnbpql.dll	Kpiqfima.exe
File opened for modification	C:\Windows\SysWOW64\Nflkbanj.exe	Nnojho32.exe
File opened for modification	C:\Windows\SysWOW64\Pnifekmd.exe	Pjkmomfn.exe
File opened for modification	C:\Windows\SysWOW64\Bgbpaipl.exe	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Fqbliicp.exe	Fgjhpcmo.exe
File created	C:\Windows\SysWOW64\Calfpk32.exe	Cibain32.exe
File opened for modification	C:\Windows\SysWOW64\Mfenglqf.exe	Mjggal32.exe
File created	C:\Windows\SysWOW64\Ommceclc.exe	Nmcpoedn.exe
File opened for modification	C:\Windows\SysWOW64\Omfekbdh.exe	Oblhcj32.exe
File created	C:\Windows\SysWOW64\Cibain32.exe	Bipecnkd.exe
File created	C:\Windows\SysWOW64\Apmpkall.dll	Amnebo32.exe
File opened for modification	C:\Windows\SysWOW64\Mqafhl32.exe	Lggejg32.exe
File created	C:\Windows\SysWOW64\Fbgbnkfm.exe	Finnef32.exe
File opened for modification	C:\Windows\SysWOW64\Lpgmhg32.exe	Lohqnd32.exe
File opened for modification	C:\Windows\SysWOW64\Nckkfp32.exe	Nciopppp.exe
File created	C:\Windows\SysWOW64\Pmapoggk.dll	Gghdaa32.exe
File created	C:\Windows\SysWOW64\Qejpnh32.dll	Ihbponja.exe
File opened for modification	C:\Windows\SysWOW64\Keimof32.exe	Jphkkpbp.exe
File created	C:\Windows\SysWOW64\Nnojho32.exe	Mcgiefen.exe
File created	C:\Windows\SysWOW64\Bhmbqm32.exe	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Mkiongah.dll	Fnfmbmbi.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Chfegk32.exe
File created	C:\Windows\SysWOW64\Bnoddcef.exe	Bgbpaipl.exe
File created	C:\Windows\SysWOW64\Chfegk32.exe	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Hpaoan32.dll	Fbgbnkfm.exe
File created	C:\Windows\SysWOW64\Lohqnd32.exe	Kcapicdj.exe
File opened for modification	C:\Windows\SysWOW64\Filapfbo.exe	Fnfmbmbi.exe
File opened for modification	C:\Windows\SysWOW64\Kpiqfima.exe	Jpgdai32.exe
File created	C:\Windows\SysWOW64\Ogigdpmb.dll	Gpbpbecj.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5408 5164 WerFault.exe Diqnjl32.exe

pid	pid_target	process	target process
5408	5164	WerFault.exe	Diqnjl32.exe

Modifies registry class 64 IoCs

Processes:

Qaqegecm.exeEqgmmk32.exeHihibbjo.exeOblhcj32.exeCibain32.exePhfcipoo.exeEnkmfolf.exeHehdfdek.exeMjggal32.exeOmmceclc.exeLggejg32.exeBnoddcef.exeHnphoj32.exeIhbponja.exeJpgdai32.exeJcmdaljn.exeBhmbqm32.exeDdgibkpc.exe359199dea208505e6754447260775220_NeikiAnalytics.exeNnojho32.exeFinnef32.exeGbbajjlp.exeNmcpoedn.exeChfegk32.exeGaqhjggp.exeKeimof32.exeAhdpjn32.exeBdmmeo32.exeDmjmekgn.exeFooclapd.exeJphkkpbp.exeHmmfmhll.exeDnajppda.exeHnlodjpa.exeCcblbb32.exeBanjnm32.exeMqafhl32.exeMcgiefen.exeOffnhpfo.exeObjkmkjj.exeIfomll32.exeFqbliicp.exeFilapfbo.exeHlkfbocp.exeJlbejloe.exeGpbpbecj.exeIbhkfm32.exeKpiqfima.exePimfpc32.exeAmnebo32.exeFgjhpcmo.exeHppeim32.exeDpiplm32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekellcop.dll"	Eqgmmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlmnj32.dll"	Hihibbjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oblhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cibain32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enkmfolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggocdgo.dll"	Hehdfdek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdcajc32.dll"	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ommceclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnflfgji.dll"	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnphoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihbponja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcmdaljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcjjj32.dll"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	359199dea208505e6754447260775220_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcokoohi.dll"	Nnojho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Finnef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbbajjlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmcpoedn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qaqegecm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibmbgdm.dll"	Gaqhjggp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keimof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidib32.dll"	Oblhcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocfgbfdm.dll"	Fooclapd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jphkkpbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlllhigk.dll"	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qejpnh32.dll"	Ihbponja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmfmhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnajppda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnlodjpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banjnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqafhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcgiefen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fooclapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifomll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofblbapl.dll"	Fqbliicp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnckgmik.dll"	Filapfbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plmell32.dll"	Gbbajjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlkfbocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogigdpmb.dll"	Gpbpbecj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibhkfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnlodjpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcckiibj.dll"	Pimfpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgjhpcmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hppeim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpgfc32.dll"	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll"	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Filapfbo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

359199dea208505e6754447260775220_NeikiAnalytics.exeGpbpbecj.exeHmmfmhll.exeHfjdqmng.exeIfomll32.exeIbhkfm32.exeJcmdaljn.exeJmeede32.exeJphkkpbp.exeKeimof32.exeKnenkbio.exeLokdnjkg.exeLggejg32.exeMqafhl32.exeMqfpckhm.exeMcgiefen.exeNnojho32.exeNflkbanj.exeOffnhpfo.exeOaplqh32.exePjkmomfn.exePnifekmd.exe

description	pid	process	target process
PID 2640 wrote to memory of 1652	2640	359199dea208505e6754447260775220_NeikiAnalytics.exe	Gpbpbecj.exe
PID 2640 wrote to memory of 1652	2640	359199dea208505e6754447260775220_NeikiAnalytics.exe	Gpbpbecj.exe
PID 2640 wrote to memory of 1652	2640	359199dea208505e6754447260775220_NeikiAnalytics.exe	Gpbpbecj.exe
PID 1652 wrote to memory of 3824	1652	Gpbpbecj.exe	Hmmfmhll.exe
PID 1652 wrote to memory of 3824	1652	Gpbpbecj.exe	Hmmfmhll.exe
PID 1652 wrote to memory of 3824	1652	Gpbpbecj.exe	Hmmfmhll.exe
PID 3824 wrote to memory of 1364	3824	Hmmfmhll.exe	Hfjdqmng.exe
PID 3824 wrote to memory of 1364	3824	Hmmfmhll.exe	Hfjdqmng.exe
PID 3824 wrote to memory of 1364	3824	Hmmfmhll.exe	Hfjdqmng.exe
PID 1364 wrote to memory of 3468	1364	Hfjdqmng.exe	Ifomll32.exe
PID 1364 wrote to memory of 3468	1364	Hfjdqmng.exe	Ifomll32.exe
PID 1364 wrote to memory of 3468	1364	Hfjdqmng.exe	Ifomll32.exe
PID 3468 wrote to memory of 2760	3468	Ifomll32.exe	Ibhkfm32.exe
PID 3468 wrote to memory of 2760	3468	Ifomll32.exe	Ibhkfm32.exe
PID 3468 wrote to memory of 2760	3468	Ifomll32.exe	Ibhkfm32.exe
PID 2760 wrote to memory of 1804	2760	Ibhkfm32.exe	Jcmdaljn.exe
PID 2760 wrote to memory of 1804	2760	Ibhkfm32.exe	Jcmdaljn.exe
PID 2760 wrote to memory of 1804	2760	Ibhkfm32.exe	Jcmdaljn.exe
PID 1804 wrote to memory of 4064	1804	Jcmdaljn.exe	Jmeede32.exe
PID 1804 wrote to memory of 4064	1804	Jcmdaljn.exe	Jmeede32.exe
PID 1804 wrote to memory of 4064	1804	Jcmdaljn.exe	Jmeede32.exe
PID 4064 wrote to memory of 3984	4064	Jmeede32.exe	Jphkkpbp.exe
PID 4064 wrote to memory of 3984	4064	Jmeede32.exe	Jphkkpbp.exe
PID 4064 wrote to memory of 3984	4064	Jmeede32.exe	Jphkkpbp.exe
PID 3984 wrote to memory of 2664	3984	Jphkkpbp.exe	Keimof32.exe
PID 3984 wrote to memory of 2664	3984	Jphkkpbp.exe	Keimof32.exe
PID 3984 wrote to memory of 2664	3984	Jphkkpbp.exe	Keimof32.exe
PID 2664 wrote to memory of 1300	2664	Keimof32.exe	Knenkbio.exe
PID 2664 wrote to memory of 1300	2664	Keimof32.exe	Knenkbio.exe
PID 2664 wrote to memory of 1300	2664	Keimof32.exe	Knenkbio.exe
PID 1300 wrote to memory of 1352	1300	Knenkbio.exe	Lokdnjkg.exe
PID 1300 wrote to memory of 1352	1300	Knenkbio.exe	Lokdnjkg.exe
PID 1300 wrote to memory of 1352	1300	Knenkbio.exe	Lokdnjkg.exe
PID 1352 wrote to memory of 5044	1352	Lokdnjkg.exe	Lggejg32.exe
PID 1352 wrote to memory of 5044	1352	Lokdnjkg.exe	Lggejg32.exe
PID 1352 wrote to memory of 5044	1352	Lokdnjkg.exe	Lggejg32.exe
PID 5044 wrote to memory of 4684	5044	Lggejg32.exe	Mqafhl32.exe
PID 5044 wrote to memory of 4684	5044	Lggejg32.exe	Mqafhl32.exe
PID 5044 wrote to memory of 4684	5044	Lggejg32.exe	Mqafhl32.exe
PID 4684 wrote to memory of 4480	4684	Mqafhl32.exe	Mqfpckhm.exe
PID 4684 wrote to memory of 4480	4684	Mqafhl32.exe	Mqfpckhm.exe
PID 4684 wrote to memory of 4480	4684	Mqafhl32.exe	Mqfpckhm.exe
PID 4480 wrote to memory of 404	4480	Mqfpckhm.exe	Mcgiefen.exe
PID 4480 wrote to memory of 404	4480	Mqfpckhm.exe	Mcgiefen.exe
PID 4480 wrote to memory of 404	4480	Mqfpckhm.exe	Mcgiefen.exe
PID 404 wrote to memory of 4076	404	Mcgiefen.exe	Nnojho32.exe
PID 404 wrote to memory of 4076	404	Mcgiefen.exe	Nnojho32.exe
PID 404 wrote to memory of 4076	404	Mcgiefen.exe	Nnojho32.exe
PID 4076 wrote to memory of 3100	4076	Nnojho32.exe	Nflkbanj.exe
PID 4076 wrote to memory of 3100	4076	Nnojho32.exe	Nflkbanj.exe
PID 4076 wrote to memory of 3100	4076	Nnojho32.exe	Nflkbanj.exe
PID 3100 wrote to memory of 4392	3100	Nflkbanj.exe	Offnhpfo.exe
PID 3100 wrote to memory of 4392	3100	Nflkbanj.exe	Offnhpfo.exe
PID 3100 wrote to memory of 4392	3100	Nflkbanj.exe	Offnhpfo.exe
PID 4392 wrote to memory of 3952	4392	Offnhpfo.exe	Oaplqh32.exe
PID 4392 wrote to memory of 3952	4392	Offnhpfo.exe	Oaplqh32.exe
PID 4392 wrote to memory of 3952	4392	Offnhpfo.exe	Oaplqh32.exe
PID 3952 wrote to memory of 3924	3952	Oaplqh32.exe	Pjkmomfn.exe
PID 3952 wrote to memory of 3924	3952	Oaplqh32.exe	Pjkmomfn.exe
PID 3952 wrote to memory of 3924	3952	Oaplqh32.exe	Pjkmomfn.exe
PID 3924 wrote to memory of 4772	3924	Pjkmomfn.exe	Pnifekmd.exe
PID 3924 wrote to memory of 4772	3924	Pjkmomfn.exe	Pnifekmd.exe
PID 3924 wrote to memory of 4772	3924	Pjkmomfn.exe	Pnifekmd.exe
PID 4772 wrote to memory of 3152	4772	Pnifekmd.exe	Phfcipoo.exe

C:\Users\Admin\AppData\Local\Temp\359199dea208505e6754447260775220_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\359199dea208505e6754447260775220_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\Gpbpbecj.exe
  C:\Windows\system32\Gpbpbecj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\Hmmfmhll.exe
    C:\Windows\system32\Hmmfmhll.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Windows\SysWOW64\Hfjdqmng.exe
      C:\Windows\system32\Hfjdqmng.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
      - C:\Windows\SysWOW64\Ibhkfm32.exe
        
        C:\Windows\system32\Ibhkfm32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3368
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        32⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\Dnajppda.exe
        
        C:\Windows\system32\Dnajppda.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Enmjlojd.exe
        
        C:\Windows\system32\Enmjlojd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        43⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Fgjhpcmo.exe
        
        C:\Windows\system32\Fgjhpcmo.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Fqbliicp.exe
        
        C:\Windows\system32\Fqbliicp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:660
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        52⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1180
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Hnphoj32.exe
        
        C:\Windows\system32\Hnphoj32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        65⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        66⤵
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3452
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        69⤵
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        73⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:440
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        75⤵
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4004
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        77⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4108
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        88⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        92⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        95⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        97⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        98⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 400
        99⤵
        Program crash
        
        PID:5408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5164 -ip 5164
1⤵
PID:5272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3636 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aagkhd32.exe

Filesize
337KB

MD5
191e7a610334f81160bef5bafb82897f

SHA1
6ee2a30723c7fd003cd098ec9bb0c5f602b9f0c2

SHA256
a315c52fb4c437d147c3337dabd12351f5cfb290b20c1198610957a1983b0947

SHA512
8ef3e995860fbb1195126e1e95d399b777c5746f5e9f1c29243086bb08dbef15275762b6f095341b39a9ed725fc6b33300ae706e8d3a8721c6fcbdadc2937944

Download Submit
C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
337KB

MD5
344eb4f3e8a77a5717fa7d5ffedc58d7

SHA1
105f8e57f6904d6bf3b1bf814c9c5337503cfb8e

SHA256
a341ff70828adbb960fd8f41f2548e5385d5478e918328efc62a053686400ee8

SHA512
caf324e9e09246211fb6a3ff16e76d6643ef689e5cee67379b569027bfcee23e03264b379dc6a53e8525abfa5c729a71836d4544be3d74f85b572c47a8f2359a

Download Submit
C:\Windows\SysWOW64\Bdmmeo32.exe

Filesize
337KB

MD5
2b7fc326ec2902079d063d21dcdcd408

SHA1
9041880ba044c254c93992c25de28ee446b4a741

SHA256
f1ef8a4674792d9c591540583e067ed7006b47f19176015dbae219f6b3e4880d

SHA512
aff6f2786cae79a4187a59d09af195e8d527ada3b3aad23669ac2f1ac05758fa45c1213db3c1b5b2f1e9641e24f1f601fb9087b862963e6c5a1b998230e436f8

Download Submit
C:\Windows\SysWOW64\Bgbpaipl.exe

Filesize
337KB

MD5
c2452bc54dd443d7aab55adc5257d6f5

SHA1
d21d78d96f2a6918e8a43ac1254d7615e50ec344

SHA256
4d72070dfe55d244e36d4a0b8dccc50ce7abf6a7e52a2f9a8ba2b9d08f553374

SHA512
3f9f1fd16f88d5f636ef5c28e41b24157714ce6b84b9ce30c1f3c6c075f67bcf4b4bbb13e7da3cc0fb732a01f32c8fff7149010acded3fe727c51ed70271cae3

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
337KB

MD5
8e6dfda2493e4aafba6fe45689d7bfdf

SHA1
cd7569f2dd7751156918076d73e80e3a95b142de

SHA256
4b7ef189f3e052a47fd4fe96291f2268ad0341f4937546149e4ca5f6200f0a9d

SHA512
a255ecb61d6da297dd80515cafa6e0da7a68fc0aba58aeba900055e70514612ed86aca041358a42dcd94377cdc3e02d4fc50d8f9146c53464301a189396cda8d

Download Submit
C:\Windows\SysWOW64\Bnoddcef.exe

Filesize
337KB

MD5
041fd94c164f8460aa0d327c1c31b198

SHA1
306efcaf496500e7e49cc325faba995bfa35a1e5

SHA256
128cdf8a1031e24618629596eef308fc7a1abc76db9fb9351e8b05ac16c0657f

SHA512
56e1bfab8a8af378b72932104d134032449646d15fc2316af11f1d795b69215bc07a892e3344e0b6cadbd3a39b46d64a5c09fbb199ac567d04be5f5e7ca7151b

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
337KB

MD5
d8da56235ccdb7940bf83dad6a8d4dd0

SHA1
64016b4da3b3fc63368a7ec313e3411a425d71d1

SHA256
37b44ceaa08c3724158b581d54de016cbebb83266762984e562265e9d631591b

SHA512
71c071e5cdb9b00ebd577c0d5be2525e434505f87c56158b10dbb83fd14e188bd940bcfef2184ad0ded81dd76de6c74177bb6589bd85ed135abe871541e9268a

Download Submit
C:\Windows\SysWOW64\Chfegk32.exe

Filesize
337KB

MD5
0a6d559b8bb02fb187e1810f36a4f2ea

SHA1
ee1ce284de5b605819559c271d1f9455bd41b3b4

SHA256
e72719c51e57b08d65e5514941c0befba60fbec0a64d46d0deca558ba5fe242e

SHA512
e2437bf2d1e0a5496d9eae10587991aa354b3f81cc383964aa96340ba1643c328ea91d615c6d477e7240dd25bc45537c61ecf6e36e8a3556f6637ede57745dc5

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
337KB

MD5
51d18f6d5d5fcdfcdf13c4c17552bdb7

SHA1
29e2f960a01462554168c89896ba159be31a18ae

SHA256
65e34affa00e7256d5448953b3d1701a274a076668bb8d8503bed5aa189f41ec

SHA512
1c76710b5c10bf162f43e4de86350aab12b7163d7ae8755ff3b6e452a3c81fa144d4c7b2e25c357b8539aa6d050e03bda72e68b3587a1e98882299acffa95e73

Download Submit
C:\Windows\SysWOW64\Ddnobj32.exe

Filesize
337KB

MD5
efb3f08756cda0423db9807e6c79742e

SHA1
136ef832c3c34cf15da0f6b413e228ea6b01f064

SHA256
27bc0cffcd7b12dbb75a886506cdf80787b61c4931c36f304e3259361e272686

SHA512
1789ccafa69712b76f97559ab08cfb89f093f32e050bc0c0a031ccf3ca2fe60440aeb25c8655575ab4493d96121f61a93283ac5f3bc67155235b6bcffdaea7af

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
337KB

MD5
b4a8e10a14aba6634d066c395f63cc1e

SHA1
db6a38b81f6c6f47d05132dd34ba478e6c186624

SHA256
96e761b614b78fa098648fa8eff8fdd21189744ba8960a0e9e7e1a17044f5776

SHA512
e86215f4cb18d98fec6faa0d3870dee35f2a248598fe8b97b94202b4111f99d4def6196237f9c71becd5101fa1fa1f668a348b7b3a814237655f134f41463f3b

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
337KB

MD5
4f42cb44f38fddd30b8d23acb925ea2c

SHA1
0c14dea0a2f652ccb50055f90da05e25a4de3c30

SHA256
36cb680bec0ddfcaaa8a93a6b25e4b726a4a6507e41d20898b58d29857ee63a8

SHA512
0533d793bdc56f2cd5e95b5da18e5a2a811fbb6accf3dc031ddad36e341dae5bcef04120552cf8603dc8a9969a2f3f4a7d5dddbd1a365737de65a3c090633006

Download Submit
C:\Windows\SysWOW64\Fgcjfbed.exe

Filesize
337KB

MD5
222cd4caf43ea41bb1d4f3e30b7db209

SHA1
d23402167a991f3f5bca182cca6f71a7c6786a08

SHA256
2a88a4c93cf92f04862a33def715d119a80e2dbacb276d5d79b929067718f777

SHA512
8f7a35b8907eb7db36720dd54144f234c2114d7e2acbcead5b8d2310797f1b79d457e99815cc3693fe4e431c250588f29192a80a905914046b5e9f26576f465b

Download Submit
C:\Windows\SysWOW64\Fnfmbmbi.exe

Filesize
337KB

MD5
7a1aa03c3749bc8852992f0a5d26d8c6

SHA1
4209f77a2436e89c11558b585d56f1ff0ca79cda

SHA256
8e0bf5aa5a08e2e884c16cec124f5da11bd5ce9cbc49cd5979e8534717f0a79b

SHA512
09f0a98a081d4660cd64dd640843cbefedfa1db7dff822005011d24d9d430541e6e9888fc5ae03cd108a102448294dea03f81525294347fc9e61575ca34aa697

Download Submit
C:\Windows\SysWOW64\Gacepg32.exe

Filesize
337KB

MD5
7b3a3cd2e42817f19258b1278adf9206

SHA1
90ed22e60319649f41783e6afd0d814ab33e275c

SHA256
3688bd8b2a0799286d7131c81c34b01566616f63857b57a2f5820b91f3d9c872

SHA512
a51cd0e6d82aece2a93aeb02111bb224fc764bca93f383090dd2087cf5a4fcecd85e81a0dceb0a7856e4059a136ffdcc457232a338dd58bc6ba7b8920a1d201f

Download Submit
C:\Windows\SysWOW64\Gpbpbecj.exe

Filesize
337KB

MD5
17347474b9024950b48af1b744c96341

SHA1
f5abd274105816f3683020934c5aabc0f7c5a4b7

SHA256
a8a43f2498397d315ac420b48034a08251167f5703e581a4fb17503513230c5b

SHA512
15c638de72b6398acf36ed4e949facca69bff9798a0cb534c2e654eaa0b12c35023d06aa5e6705e195dcea72793f2bef291678e93d94fb5e221d8a5380cc0320

Download Submit
C:\Windows\SysWOW64\Hfjdqmng.exe

Filesize
337KB

MD5
d19b0d8c377e1b3b99558a6a9a8c7fcf

SHA1
761098250df1fd2e1d09d26ec183a9c3567cc7d4

SHA256
d36514f87f3ef60992992e7a018a9793d256761aa079f36ecf07f047ed3acd48

SHA512
f33b663b36f2b314751a80497cbc262077aadb2c7ebc1ba3f72992b20c1ba835d13d48df1b258c64aeb1fd0344edb545956ad7a94277d1347274ecec67617550

Download Submit
C:\Windows\SysWOW64\Hlkfbocp.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Hmmfmhll.exe

Filesize
337KB

MD5
9d2c843b25e83355caef8d6a461645c0

SHA1
182247ffa29dd37e043e840a17b525c0d538b103

SHA256
4e374419ddc99d0d4b734e67fd2a9811fff60cba09c06ee30060518123157a01

SHA512
a3a74e3500df72cc26d88e4d6fec79ab5d6c58834c6db4a02aac81acbd638fe75b88661fefae388745aedb34ab1cc83bcd2ffe68cc9bd79a964a7e7b7abfc13e

Download Submit
C:\Windows\SysWOW64\Hppeim32.exe

Filesize
337KB

MD5
bbbb1cd271d39fd1c50fde43a05eaa7d

SHA1
03ee52f55a27891b94e34267ac8ad68b84394c87

SHA256
34eec8ce61a6dadb3e620cf3e6f4287f2482b7f9bd7a3cca8bcaed8a4b7acea9

SHA512
e798f1e797d2448dfea9ac8564a3f77ab5dbf07ed7cf26bf85f84ca03da0f119795b97c413c372e892b0c2ae69d25cb68e95a745a834833003aa3ab82d8d7846

Download Submit
C:\Windows\SysWOW64\Ibhkfm32.exe

Filesize
337KB

MD5
69282d4c8a7cb3feef6b1144f509bddf

SHA1
2f9c685f5957db8191b616431f085f286f73dab9

SHA256
2e2451407a91662e171fbb69c8eb4f2f74382e06a1ea3a2c6d27c6c47ef31822

SHA512
b19989219788209e22bc7fa452ba95fb7662941e37900319f96cf4cdd17d71dfe80d2998de1317b1f3c9cb222be1750ab11444e010cb5d46f871b82f9769b459

Download Submit
C:\Windows\SysWOW64\Ifomll32.exe

Filesize
337KB

MD5
18c612aaa80400693615fc6d9a8ec7b5

SHA1
930290834e0b35338ace1788c3b6f5d822ec4f42

SHA256
2fcae7290a5fb9bd4022dc81eec9a450e1204b9035add3759c3bcfde5d72c44a

SHA512
3630d9cf6ff9ea1420b0c26deffd661efc76396c84052319d25752f1de89b4d5b83ca9f17da8abe95e4327c30bb4db6aeaa22863da037fed2a749084edbc444f

Download Submit
C:\Windows\SysWOW64\Jcmdaljn.exe

Filesize
337KB

MD5
8c901ac2a9055c5d9e469a315ef69f82

SHA1
e9dd7f764ef3721b793cdfd0bd90ef2c7e9161d8

SHA256
f9f6d8ee4139c8695386710133ada0313a6d94b3a6bef8b26a2e6966afd20ff7

SHA512
54fbe36133bb7d7072cdb385cd11cb847907f2290e1edd586b504830fd3648f8765cedc8d8a8ca80bd6fcfb6ca713a746845d07eadec19eadafb027e8e74f4d9

Download Submit
C:\Windows\SysWOW64\Jmeede32.exe

Filesize
337KB

MD5
ce93ff8f18e171a26d22d99e0ef248a1

SHA1
e88618773b1be5c444bc3e76a3639c86351b392b

SHA256
d51f17239570508f1e443ae3b3149f71a0ed4ab3dbc9c8154b38668b1b3041e4

SHA512
8dacd098b50e652b87ac925878cc02efffcd322ff3a1601a7f4cb71794e7c53c0fd6cce100f27af77ac79a186ffdefa4012ea5b05e7861d021c1531ebb7c1cb2

Download Submit
C:\Windows\SysWOW64\Jphkkpbp.exe

Filesize
337KB

MD5
f1db4ab26af73e4af7dbd42d581fe4d2

SHA1
1ecc19dcb99a6d7e64df411c50f832e9bf486f9a

SHA256
c4a97acfd2abb3d0f5aab66bf7b9842709dd38c6e0be71fc1d4cebcc067b006f

SHA512
86153d95419741d196395bde4a0dcaf0bf517c2b409370e4bcfdd7f5e7ce05119734221e22bd83d0eb6c7ef5315c703e7f56634080c1cd8813a5568b436e286e

Download Submit
C:\Windows\SysWOW64\Kcapicdj.exe

Filesize
337KB

MD5
16ede0379fda06047d6725ab0d16bb5c

SHA1
838b9e758bc831d4f91dbbdefd9b25a02dcb1411

SHA256
ea19b3cc9a83475f8f196eb52c8e4e8f45ab95ac1ed11a9f798992442e96f619

SHA512
15e9a1b84eef7bd7982f9d21e62b154dda4f3cac14cc8cc738b5598ce8175848ac735a6774295b9e20006d33214ceb82a75f774b20c22bc3276d8e9b9884693c

Download Submit
C:\Windows\SysWOW64\Keimof32.exe

Filesize
337KB

MD5
286802265bc4482475c0053260c5ab40

SHA1
9ffe92680caa23bcc7ed98ac14b0f2a818af1744

SHA256
4ff4a673946c5c6ff811f8c0f414ab8b22ee511fe99b542bbe3adc4d3beffed2

SHA512
ff2629591c2558ed31180689522cdfe123c2058c471ecf02b1956477a61454e3c70ea69a2e09cc56af929fd561aac60b8cb3e10131a89fa57c0ece75a90a0295

Download Submit
C:\Windows\SysWOW64\Knenkbio.exe

Filesize
337KB

MD5
74c778664501881e2e0a03f211146733

SHA1
06a5947e4dd902469b396eb2b023ca2a14da526d

SHA256
e070ecf3ae254744c76d0761876fc9ef468ecc22b390a47a74c9e6283bb6a31d

SHA512
2ce72b9ab57b503b2937f5ff49defbe17382df5ac73af473fd8aac2dd9f9f41d5c4cc2675f4ee48a2d6695bfcac3a051c51de1b0dbcfd8d4b40d2b1a90ac3dee

Download Submit
C:\Windows\SysWOW64\Kpiqfima.exe

Filesize
337KB

MD5
e620c3f1fe476f7ea563220c795c86c2

SHA1
18ca3e89eca47ab6b986678f348ece537d937d5b

SHA256
1ec1f152de0694ce0c7f54b33e3aba694dbd813f4de4e57e9cd466d7a1b77fef

SHA512
6b1f4397e286b5c5037bcf8a5baac885bf71b34bc4750e6709ee884c19ba938c51455a3083d2013a07a0b2375b5f29dbdb105bc4e6df62eea064f5883253eea0

Download Submit
C:\Windows\SysWOW64\Lancko32.exe

Filesize
337KB

MD5
00da4924e40dccfbac5a8c086b891a1b

SHA1
276fa9feb2f764034ce879d3e34873cfb17983c5

SHA256
7fe4f5887b0b18f90577176036a077b39d384f08dfe12c3e5e87fdba13d0c6c0

SHA512
afa48cffa3c643b3f1364523d5c6979c0ddc6278bd9900a02c54606d0a87605c73b13761e32f93a6f5fed4f6c7dc78cac2f1dde3acc1d70655eb4094ce8bd408

Download Submit
C:\Windows\SysWOW64\Lggejg32.exe

Filesize
337KB

MD5
4fb7e02143a36291863eb03f50fe69fd

SHA1
c1be5f85541282debd6b752490005dd7e11303be

SHA256
4a0277995edb2af34c4441b6a3549ba10b9cfd5db591d6ac69c1b804e16dfa37

SHA512
16749b93081f912ad378efb37c6164273417b1a4f6076b7ed1f62f339050c0f88047eff2d879428b4f5d1f81500ccfbfaa94336a0d4d7fab73f4047417f0bfb7

Download Submit
C:\Windows\SysWOW64\Lokdnjkg.exe

Filesize
337KB

MD5
a46c7dfe92962aabb1a998e34896d8a7

SHA1
739e25eda6b8655151be4ef5adb451b08987de45

SHA256
e467de593184fab6899d1556a85ffe550e55532c5045cdb396f2a749d3637f90

SHA512
f6aeece04786f659221a0f20dd94361b862fe7cefa0587a61028767703955cd537a905d96cb44e1250e059c51e598a510266e19403d4bc3b62ecb612fb18e363

Download Submit
C:\Windows\SysWOW64\Lpgmhg32.exe

Filesize
337KB

MD5
c0527927a453b5f54c9208d8ad212080

SHA1
fb1760d79a51aac43493f33d8df1c1b2493e1615

SHA256
66d161286ad926646dea40575efa5f9c45bc0f61a831bf66acd7b7e8d5a87c1d

SHA512
0a695aaeb1a261cbf51e2fb408f68b0c628bf9ba9fb27acb67b3068060072d0c55da913f8fa09e97417a9c667336701b639bb338013c12730a054071de55e5e5

Download Submit
C:\Windows\SysWOW64\Mcgiefen.exe

Filesize
337KB

MD5
9a81381ce044fd92719a3fb9b324ab04

SHA1
7ed028dd573f7018f0d1c14bebdb62b6ab968db1

SHA256
8ff685d001d5ac2f9df211f132a49d87ce47bab3dcff4ad985ee6a7d9767c35a

SHA512
291edf33b5c93cb9c2492ef1093526adf3044440867092d12f3be5459d04a1403845e3c6d9e8a33e2783b21b4d9d56d311dc407cd2e89328da103c76eb9ecc00

Download Submit
C:\Windows\SysWOW64\Mqafhl32.exe

Filesize
337KB

MD5
53fdf87e3ee4152efafa03b01d787e89

SHA1
55da3a65f069b506a4ecb26f48516403d6997dde

SHA256
414bbe5c93e95da7cddb1c9f3461e95f57ca3826ac0fcb01819e7caa089d01d8

SHA512
90e18a17131765c85bc66f784a6483a14b1204bcb7df4c3093fd46db7b8b772fddb7d90be72cfc51397a3f7f451075e63afd588e48cbc5ca902558a46e42604c

Download Submit
C:\Windows\SysWOW64\Mqfpckhm.exe

Filesize
337KB

MD5
cf5b541d05e12b14ec0f154292476162

SHA1
748a8b43248d8e0b23aa19d1cb490fd82d5f7741

SHA256
ebf5071a0bdb3a8c09c2b1375a6ad86bf2a4f55fbf541607e64c4bc66849242d

SHA512
9ada8806aafaf13ba292f2e6263a49ef2feadae8cbc0fe16fead21ff1ddf09301573ebebd426fe44e6db1a3c325b5c2a02cf729e670df4d74fe5e2b892af70f6

Download Submit
C:\Windows\SysWOW64\Nciopppp.exe

Filesize
337KB

MD5
81b1ccea0d5fa29b6187e39f5ccd0a23

SHA1
159115fc30dc1dd269e737b9a35e3b320eab609b

SHA256
af57412aa4d7bc35029291be6b3b70abec4a49481aee51077273eee45a9c2266

SHA512
4dfe6dbe9252510a6cccca6d873f4664a73b869854eec5a7a09da029abe56d68e0f32f8e7e8675ad112784b305953e9e45efe5c8ab1a2f8183cebf39bc4d287f

Download Submit
C:\Windows\SysWOW64\Nflkbanj.exe

Filesize
337KB

MD5
a61ac998bb7d99bc4f2023988db3f7f7

SHA1
b4b74b52325a282469b2c88396b1c69396111147

SHA256
248cdfc8f9f6088aae4914fe5ee519d80baea35622a3dc4a5ebd9ec0c314d0be

SHA512
b06fe99f98e939ad58cb85b5378fe87e21407387146794e971503246141b1247e3e9b7d514913a050ea779678bbc952f28439dece940753193237611aac3e2d6

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
337KB

MD5
e13ef6a4342da3e3ebdbb8f90284fbf2

SHA1
e35258b2267d64c5bb80570fa6d2bfca9df59072

SHA256
69c1519ef71f264adb018e5839f02924171a6dca92b7919b47c073d63b7a009f

SHA512
c461cde1a98620d61c197ef42811ef09942c9ade9142472187832e879d892d8742e11961a8527d42694dd1b924325878ba1993066acb3936ab4e98eb2eca5848

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
337KB

MD5
5a759989f900588b00d30e9a740fefa9

SHA1
f02505949c0cec81923c01c1062c15ddc57140d3

SHA256
c910a46c2c9aba37395b1b915aaa5b19a1a858a614243127444a4c7b7466ea31

SHA512
a4d6cb2015a711e32043f1af92c495b19f0761777b9de7bd0069313fbf9b91f76083e61296b259e7c6d935394a0728e0385f5d718a62dbeca0bc2dcc3e88b107

Download Submit
C:\Windows\SysWOW64\Objkmkjj.exe

Filesize
337KB

MD5
d511e8d27e3b2728e4cce50274ed36e6

SHA1
fd67ef91d3e5625209d2cd161358cc0cd4c28344

SHA256
45cab5154808e337cda2119ffd467394dae7593734694b98076e435a3296cd9b

SHA512
4e40a7c3505fa8090ef720cd721607057d34cd9dccbf7cfaccc28f3c64cc2bd933d855fd77f0c1720ba2f2926d9956b263611f97a93f7f36110681498c1e70a6

Download Submit
C:\Windows\SysWOW64\Offnhpfo.exe

Filesize
337KB

MD5
9c5915cb03caffdc73a064ea04bb72e5

SHA1
cd36f9266ccd43a7824e838e0502e4f68f828573

SHA256
7ddbee2064bfc5b7dee5497b9c004923abf7822bb444f3dd18c277fed37389f2

SHA512
732a337ce4bc8341c6650706a4d786e9fb672a12c1c398d11eb7a75d16ec1158f6e792188a82ec6299ea745fd6d8969a749c68f46e3c85cfd85f5878baf4e186

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
337KB

MD5
b3e88504808d0e859dca3f69588a51e6

SHA1
30413e29aef216f229bcab4ba13259afecb5959b

SHA256
cb9f0adcd2a8e5332838514ae76547bc263b9a75a5328aef92ef344dc153cfde

SHA512
4aafa76edfaf7dc84d816c0760df309c5df3065ec3376932df19d59c748463191741d01a1794c3de0cf3cd59e60f1d7e4dff01c37f888b0dbadec920fafff209

Download Submit
C:\Windows\SysWOW64\Pjkmomfn.exe

Filesize
337KB

MD5
27c7f33baa93af124719d09b84544daf

SHA1
e7950b11dc024666a5d127a7725cae300e4175cb

SHA256
2de327eaccce66666d81eb0d7f9585b5c0f6fb4146878c4b7dce7e783c41bac8

SHA512
23b50de5893219c5cd653fa0357adc12f97052caa57976adb579c60789aecafeded5d17936fb4de13b18c14942d0129e49c983c98566b458955283807e9edb46

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe

Filesize
337KB

MD5
d698b65c50283b5a5434008e692088f7

SHA1
8408325781ac97ec3a97f1135299ab911723b7a4

SHA256
b13b51c4f40b310a74fb1d3394816a1e6ad390ba4d8c9be31e13aa7437d6ee3d

SHA512
f912f55423d600257289bbe1f37ed398336469f296d7e88182c58f734f9a089eca90bf1031f6bec60eddc1f6fa179e57e2d096af360d355305c8f99f3365dfef

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
337KB

MD5
8eb90dcf8c48d436a1f23e22774a25ca

SHA1
75689ccdce5e8267d5047847658e1fbe77e55ce0

SHA256
c8547e2ced65809ea5360230e7c98779e04a60fea12c598b59aa131d771c811d

SHA512
e471586226b99f03fcb928c46d71b2853e367b46a9aeb254de8c73568267d328a8d585deea0a98a2fe53323e42b87c27c76fff54b52e00a9cb8f8d72b3de7149

Download Submit
memory/228-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/568-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/568-626-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/660-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/832-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-667-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-633-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-618-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-641-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2664-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-609-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-640-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-601-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-611-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-610-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-660-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-608-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5140-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5188-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5236-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5280-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5344-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5384-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5428-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5488-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5544-602-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5596-612-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5656-712-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5656-620-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5716-627-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5780-634-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5836-642-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5888-648-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5928-654-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5992-661-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download