305dcb5283d200f38eec2f5046c7457a4339e1d87de48e4c125c9b3f184e2762

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c6a00d44894021606b50c412fa93640_NeikiAnalytics.exe
Size

844KB
MD5

3c6a00d44894021606b50c412fa93640
SHA1

e4f58b25166d15770730132b49e5e11a1c811139
SHA256

305dcb5283d200f38eec2f5046c7457a4339e1d87de48e4c125c9b3f184e2762
SHA512

bb10052b6f8716d7ae54d732864f8ec03738bce166c1275ebabbfe4fd7c6a51e25b8abe203ff0f7346408d58e4d77700a417d49c259598e3aece1417b4f8e2a4
SSDEEP

24576:2bIkH5W3TnbQihMpQnqrdX72LbY6x46uR/qYglMi:qH5W3TbQihw+cdX2x46uhqllMi

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ocnjidkf.exeOjoign32.exeDhfajjoj.exeDkifae32.exeNdcdmikd.exePfaigm32.exeAglemn32.exeCeehho32.exeKpeiioac.exeMedgncoe.exeAcnlgp32.exeAjhddjfn.exeDmefhako.exeDddhpjof.exeBfkedibe.exeBcoenmao.exeAqkgpedc.exeAjfhnjhq.exeCndikf32.exeDjgjlelk.exeBgehcmmm.exeCmiflbel.exeDelnin32.exePmidog32.exeDhhnpjmh.exeDmgbnq32.exeDknpmdfc.exeLenamdem.exeNdhmhh32.exeBmngqdpj.exeCmnpgb32.exeDhkjej32.exeDaekdooc.exeDkkcge32.exeOjllan32.exeAgoabn32.exeBgcknmop.exePmfhig32.exePcppfaka.exeQddfkd32.exeAmgapeea.exeAjkaii32.exeDdmaok32.exeOfnckp32.exeOlkhmi32.exeOncofm32.exeQnhahj32.exeChcddk32.exeDopigd32.exeNjqmepik.exeOfeilobp.exeAqncedbp.exeCalhnpgn.exeOjaelm32.exeCmlcbbcj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe

Malware Dropper & Backdoor - Berbew 42 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Jlkagbej.exe	family_berbew
C:\Windows\SysWOW64\Jlnnmb32.exe	family_berbew
C:\Windows\SysWOW64\Jfcbjk32.exe	family_berbew
C:\Windows\SysWOW64\Jianff32.exe	family_berbew
C:\Windows\SysWOW64\Jlednamo.exe	family_berbew
C:\Windows\SysWOW64\Kepelfam.exe	family_berbew
C:\Windows\SysWOW64\Kpeiioac.exe	family_berbew
C:\Windows\SysWOW64\Kfoafi32.exe	family_berbew
C:\Windows\SysWOW64\Klngdpdd.exe	family_berbew
C:\Windows\SysWOW64\Kibgmdcn.exe	family_berbew
C:\Windows\SysWOW64\Lffhfh32.exe	family_berbew
C:\Windows\SysWOW64\Lbmhlihl.exe	family_berbew
C:\Windows\SysWOW64\Lmbmibhb.exe	family_berbew
C:\Windows\SysWOW64\Lenamdem.exe	family_berbew
C:\Windows\SysWOW64\Lmiciaaj.exe	family_berbew
C:\Windows\SysWOW64\Medgncoe.exe	family_berbew
C:\Windows\SysWOW64\Mdhdajea.exe	family_berbew
C:\Windows\SysWOW64\Mcmabg32.exe	family_berbew
C:\Windows\SysWOW64\Mlefklpj.exe	family_berbew
C:\Windows\SysWOW64\Mlhbal32.exe	family_berbew
C:\Windows\SysWOW64\Nepgjaeg.exe	family_berbew
C:\Windows\SysWOW64\Nljofl32.exe	family_berbew
C:\Windows\SysWOW64\Ndcdmikd.exe	family_berbew
C:\Windows\SysWOW64\Njqmepik.exe	family_berbew
C:\Windows\SysWOW64\Nfgmjqop.exe	family_berbew
C:\Windows\SysWOW64\Ndhmhh32.exe	family_berbew
C:\Windows\SysWOW64\Ocnjidkf.exe	family_berbew
C:\Windows\SysWOW64\Oncofm32.exe	family_berbew
C:\Windows\SysWOW64\Ofnckp32.exe	family_berbew
C:\Windows\SysWOW64\Oneklm32.exe	family_berbew
C:\Windows\SysWOW64\Opdghh32.exe	family_berbew
C:\Windows\SysWOW64\Odmgcgbi.exe	family_berbew
C:\Windows\SysWOW64\Pmidog32.exe	family_berbew
C:\Windows\SysWOW64\Aqkgpedc.exe	family_berbew
C:\Windows\SysWOW64\Ajfhnjhq.exe	family_berbew
C:\Windows\SysWOW64\Ajkaii32.exe	family_berbew
C:\Windows\SysWOW64\Bgcknmop.exe	family_berbew
C:\Windows\SysWOW64\Bgehcmmm.exe	family_berbew
C:\Windows\SysWOW64\Cfpnph32.exe	family_berbew
C:\Windows\SysWOW64\Cdcoim32.exe	family_berbew
C:\Windows\SysWOW64\Deokon32.exe	family_berbew
C:\Windows\SysWOW64\Dmllipeg.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Jlkagbej.exeJlnnmb32.exeJfcbjk32.exeJianff32.exeJlednamo.exeKepelfam.exeKpeiioac.exeKfoafi32.exeKlngdpdd.exeKibgmdcn.exeLffhfh32.exeLbmhlihl.exeLmbmibhb.exeLenamdem.exeLmiciaaj.exeMedgncoe.exeMdhdajea.exeMcmabg32.exeMlefklpj.exeMlhbal32.exeNepgjaeg.exeNljofl32.exeNdcdmikd.exeNjqmepik.exeNfgmjqop.exeNdhmhh32.exeOcnjidkf.exeOncofm32.exeOdmgcgbi.exeOfnckp32.exeOneklm32.exeOpdghh32.exeOgnpebpj.exeOjllan32.exeOlkhmi32.exeOdapnf32.exeOgpmjb32.exeOjoign32.exeOnjegled.exeOqhacgdh.exeOcgmpccl.exeOfeilobp.exeOjaelm32.exePmoahijl.exePdfjifjo.exePjcbbmif.exePmfhig32.exePcppfaka.exePfolbmje.exePmidog32.exePfaigm32.exeQnhahj32.exeQqfmde32.exeQgqeappe.exeQjoankoi.exeQddfkd32.exeQgcbgo32.exeAnmjcieo.exeAqkgpedc.exeAnogiicl.exeAqncedbp.exeAclpap32.exeAjfhnjhq.exeAcnlgp32.exe

pid	process
4936	Jlkagbej.exe
4208	Jlnnmb32.exe
4416	Jfcbjk32.exe
1624	Jianff32.exe
4076	Jlednamo.exe
372	Kepelfam.exe
544	Kpeiioac.exe
3336	Kfoafi32.exe
4536	Klngdpdd.exe
3308	Kibgmdcn.exe
4412	Lffhfh32.exe
2888	Lbmhlihl.exe
1432	Lmbmibhb.exe
4512	Lenamdem.exe
4336	Lmiciaaj.exe
1896	Medgncoe.exe
4080	Mdhdajea.exe
2900	Mcmabg32.exe
3632	Mlefklpj.exe
1484	Mlhbal32.exe
4568	Nepgjaeg.exe
4308	Nljofl32.exe
4268	Ndcdmikd.exe
4972	Njqmepik.exe
388	Nfgmjqop.exe
3492	Ndhmhh32.exe
4312	Ocnjidkf.exe
2776	Oncofm32.exe
5008	Odmgcgbi.exe
1408	Ofnckp32.exe
4960	Oneklm32.exe
2976	Opdghh32.exe
4880	Ognpebpj.exe
3968	Ojllan32.exe
2584	Olkhmi32.exe
3268	Odapnf32.exe
1208	Ogpmjb32.exe
1404	Ojoign32.exe
4772	Onjegled.exe
2344	Oqhacgdh.exe
4040	Ocgmpccl.exe
2404	Ofeilobp.exe
3556	Ojaelm32.exe
3356	Pmoahijl.exe
4560	Pdfjifjo.exe
4952	Pjcbbmif.exe
1600	Pmfhig32.exe
4192	Pcppfaka.exe
4868	Pfolbmje.exe
2284	Pmidog32.exe
3256	Pfaigm32.exe
1212	Qnhahj32.exe
1096	Qqfmde32.exe
3752	Qgqeappe.exe
4136	Qjoankoi.exe
2084	Qddfkd32.exe
1592	Qgcbgo32.exe
5012	Anmjcieo.exe
1400	Aqkgpedc.exe
1728	Anogiicl.exe
4504	Aqncedbp.exe
1884	Aclpap32.exe
1664	Ajfhnjhq.exe
4824	Acnlgp32.exe

Drops file in System32 directory 64 IoCs

Processes:

Qjoankoi.exeBganhm32.exeBjokdipf.exeDhhnpjmh.exeJianff32.exeJlednamo.exeLmiciaaj.exeOfnckp32.exeNfgmjqop.exeCndikf32.exePfaigm32.exeAnogiicl.exeLmbmibhb.exeNepgjaeg.exeOdapnf32.exeDmgbnq32.exeDddhpjof.exeAglemn32.exeBgcknmop.exeDanecp32.exeDhkjej32.exeJlkagbej.exeLbmhlihl.exeAnmjcieo.exeBmemac32.exeKpeiioac.exeOcnjidkf.exeOdmgcgbi.exeOjllan32.exeDelnin32.exeNdhmhh32.exeOgnpebpj.exePdfjifjo.exeBeglgani.exeBebblb32.exeBmbplc32.exeCmlcbbcj.exeDmefhako.exeMlhbal32.exeNdcdmikd.exeAadifclh.exeDaekdooc.exeOnjegled.exePcppfaka.exeDkkcge32.exeOjoign32.exePmoahijl.exe3c6a00d44894021606b50c412fa93640_NeikiAnalytics.exeKlngdpdd.exeChcddk32.exeDdmaok32.exeDjgjlelk.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Bhoilahe.dll	Jianff32.exe
File created	C:\Windows\SysWOW64\Kepelfam.exe	Jlednamo.exe
File opened for modification	C:\Windows\SysWOW64\Medgncoe.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Lenamdem.exe	Lmbmibhb.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Iaheeaan.dll	Jlkagbej.exe
File opened for modification	C:\Windows\SysWOW64\Lmbmibhb.exe	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Qamhhedg.dll	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Lenamdem.exe	Lmbmibhb.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Jlkagbej.exe	3c6a00d44894021606b50c412fa93640_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kibgmdcn.exe	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Nhgaocmg.dll	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5508 5192 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
5508	5192	WerFault.exe	Dmllipeg.exe

Modifies registry class 64 IoCs

Processes:

Bgehcmmm.exeLmiciaaj.exeAcnlgp32.exeBgcknmop.exeDaekdooc.exeQgqeappe.exeChcddk32.exeOfnckp32.exeOneklm32.exeQqfmde32.exeQjoankoi.exeMedgncoe.exePdfjifjo.exeOjllan32.exeNepgjaeg.exeNfgmjqop.exeOlkhmi32.exePmidog32.exeCmiflbel.exeCdcoim32.exeKepelfam.exePfaigm32.exeQddfkd32.exeBfkedibe.exeDdmaok32.exeKlngdpdd.exeLffhfh32.exeLbmhlihl.exeAmgapeea.exeBcoenmao.exeDeokon32.exeJlkagbej.exeNjqmepik.exeOcnjidkf.exeOfeilobp.exeMlhbal32.exePfolbmje.exeAqncedbp.exeBmngqdpj.exeDknpmdfc.exeMlefklpj.exeBebblb32.exeDelnin32.exeJlnnmb32.exeOgnpebpj.exeCmnpgb32.exeCalhnpgn.exeDhfajjoj.exeDanecp32.exeDkifae32.exeDddhpjof.exeBjokdipf.exeNdhmhh32.exeCmlcbbcj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgaocmg.dll"	Klngdpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlnnmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3c6a00d44894021606b50c412fa93640_NeikiAnalytics.exeJlkagbej.exeJlnnmb32.exeJfcbjk32.exeJianff32.exeJlednamo.exeKepelfam.exeKpeiioac.exeKfoafi32.exeKlngdpdd.exeKibgmdcn.exeLffhfh32.exeLbmhlihl.exeLmbmibhb.exeLenamdem.exeLmiciaaj.exeMedgncoe.exeMdhdajea.exeMcmabg32.exeMlefklpj.exeMlhbal32.exeNepgjaeg.exe

description	pid	process	target process
PID 4188 wrote to memory of 4936	4188	3c6a00d44894021606b50c412fa93640_NeikiAnalytics.exe	Jlkagbej.exe
PID 4188 wrote to memory of 4936	4188	3c6a00d44894021606b50c412fa93640_NeikiAnalytics.exe	Jlkagbej.exe
PID 4188 wrote to memory of 4936	4188	3c6a00d44894021606b50c412fa93640_NeikiAnalytics.exe	Jlkagbej.exe
PID 4936 wrote to memory of 4208	4936	Jlkagbej.exe	Jlnnmb32.exe
PID 4936 wrote to memory of 4208	4936	Jlkagbej.exe	Jlnnmb32.exe
PID 4936 wrote to memory of 4208	4936	Jlkagbej.exe	Jlnnmb32.exe
PID 4208 wrote to memory of 4416	4208	Jlnnmb32.exe	Jfcbjk32.exe
PID 4208 wrote to memory of 4416	4208	Jlnnmb32.exe	Jfcbjk32.exe
PID 4208 wrote to memory of 4416	4208	Jlnnmb32.exe	Jfcbjk32.exe
PID 4416 wrote to memory of 1624	4416	Jfcbjk32.exe	Jianff32.exe
PID 4416 wrote to memory of 1624	4416	Jfcbjk32.exe	Jianff32.exe
PID 4416 wrote to memory of 1624	4416	Jfcbjk32.exe	Jianff32.exe
PID 1624 wrote to memory of 4076	1624	Jianff32.exe	Jlednamo.exe
PID 1624 wrote to memory of 4076	1624	Jianff32.exe	Jlednamo.exe
PID 1624 wrote to memory of 4076	1624	Jianff32.exe	Jlednamo.exe
PID 4076 wrote to memory of 372	4076	Jlednamo.exe	Kepelfam.exe
PID 4076 wrote to memory of 372	4076	Jlednamo.exe	Kepelfam.exe
PID 4076 wrote to memory of 372	4076	Jlednamo.exe	Kepelfam.exe
PID 372 wrote to memory of 544	372	Kepelfam.exe	Kpeiioac.exe
PID 372 wrote to memory of 544	372	Kepelfam.exe	Kpeiioac.exe
PID 372 wrote to memory of 544	372	Kepelfam.exe	Kpeiioac.exe
PID 544 wrote to memory of 3336	544	Kpeiioac.exe	Kfoafi32.exe
PID 544 wrote to memory of 3336	544	Kpeiioac.exe	Kfoafi32.exe
PID 544 wrote to memory of 3336	544	Kpeiioac.exe	Kfoafi32.exe
PID 3336 wrote to memory of 4536	3336	Kfoafi32.exe	Klngdpdd.exe
PID 3336 wrote to memory of 4536	3336	Kfoafi32.exe	Klngdpdd.exe
PID 3336 wrote to memory of 4536	3336	Kfoafi32.exe	Klngdpdd.exe
PID 4536 wrote to memory of 3308	4536	Klngdpdd.exe	Kibgmdcn.exe
PID 4536 wrote to memory of 3308	4536	Klngdpdd.exe	Kibgmdcn.exe
PID 4536 wrote to memory of 3308	4536	Klngdpdd.exe	Kibgmdcn.exe
PID 3308 wrote to memory of 4412	3308	Kibgmdcn.exe	Lffhfh32.exe
PID 3308 wrote to memory of 4412	3308	Kibgmdcn.exe	Lffhfh32.exe
PID 3308 wrote to memory of 4412	3308	Kibgmdcn.exe	Lffhfh32.exe
PID 4412 wrote to memory of 2888	4412	Lffhfh32.exe	Lbmhlihl.exe
PID 4412 wrote to memory of 2888	4412	Lffhfh32.exe	Lbmhlihl.exe
PID 4412 wrote to memory of 2888	4412	Lffhfh32.exe	Lbmhlihl.exe
PID 2888 wrote to memory of 1432	2888	Lbmhlihl.exe	Lmbmibhb.exe
PID 2888 wrote to memory of 1432	2888	Lbmhlihl.exe	Lmbmibhb.exe
PID 2888 wrote to memory of 1432	2888	Lbmhlihl.exe	Lmbmibhb.exe
PID 1432 wrote to memory of 4512	1432	Lmbmibhb.exe	Lenamdem.exe
PID 1432 wrote to memory of 4512	1432	Lmbmibhb.exe	Lenamdem.exe
PID 1432 wrote to memory of 4512	1432	Lmbmibhb.exe	Lenamdem.exe
PID 4512 wrote to memory of 4336	4512	Lenamdem.exe	Lmiciaaj.exe
PID 4512 wrote to memory of 4336	4512	Lenamdem.exe	Lmiciaaj.exe
PID 4512 wrote to memory of 4336	4512	Lenamdem.exe	Lmiciaaj.exe
PID 4336 wrote to memory of 1896	4336	Lmiciaaj.exe	Medgncoe.exe
PID 4336 wrote to memory of 1896	4336	Lmiciaaj.exe	Medgncoe.exe
PID 4336 wrote to memory of 1896	4336	Lmiciaaj.exe	Medgncoe.exe
PID 1896 wrote to memory of 4080	1896	Medgncoe.exe	Mdhdajea.exe
PID 1896 wrote to memory of 4080	1896	Medgncoe.exe	Mdhdajea.exe
PID 1896 wrote to memory of 4080	1896	Medgncoe.exe	Mdhdajea.exe
PID 4080 wrote to memory of 2900	4080	Mdhdajea.exe	Mcmabg32.exe
PID 4080 wrote to memory of 2900	4080	Mdhdajea.exe	Mcmabg32.exe
PID 4080 wrote to memory of 2900	4080	Mdhdajea.exe	Mcmabg32.exe
PID 2900 wrote to memory of 3632	2900	Mcmabg32.exe	Mlefklpj.exe
PID 2900 wrote to memory of 3632	2900	Mcmabg32.exe	Mlefklpj.exe
PID 2900 wrote to memory of 3632	2900	Mcmabg32.exe	Mlefklpj.exe
PID 3632 wrote to memory of 1484	3632	Mlefklpj.exe	Mlhbal32.exe
PID 3632 wrote to memory of 1484	3632	Mlefklpj.exe	Mlhbal32.exe
PID 3632 wrote to memory of 1484	3632	Mlefklpj.exe	Mlhbal32.exe
PID 1484 wrote to memory of 4568	1484	Mlhbal32.exe	Nepgjaeg.exe
PID 1484 wrote to memory of 4568	1484	Mlhbal32.exe	Nepgjaeg.exe
PID 1484 wrote to memory of 4568	1484	Mlhbal32.exe	Nepgjaeg.exe
PID 4568 wrote to memory of 4308	4568	Nepgjaeg.exe	Nljofl32.exe

C:\Users\Admin\AppData\Local\Temp\3c6a00d44894021606b50c412fa93640_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3c6a00d44894021606b50c412fa93640_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\SysWOW64\Jlkagbej.exe
  C:\Windows\system32\Jlkagbej.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\SysWOW64\Jlnnmb32.exe
    C:\Windows\system32\Jlnnmb32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\SysWOW64\Jfcbjk32.exe
      C:\Windows\system32\Jfcbjk32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4416
    - - C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        23⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2776
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        33⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        38⤵
        Executes dropped EXE
        
        PID:1208
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        41⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        42⤵
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3556
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        47⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4192
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        58⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        63⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4084
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3344
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        70⤵
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:884
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        72⤵
        
        PID:704
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        74⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        78⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        85⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        86⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        88⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        93⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        106⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        108⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        112⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 408
        113⤵
        Program crash
        
        PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5192 -ip 5192
1⤵
PID:5376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
844KB

MD5
e766162c7d1c889914e969b6e383286b

SHA1
889e7f1addf69040751805b379dc0d2fe60562fa

SHA256
7a62b00a5270da759974d1c38be014410133e17299eb00e4b87254b71bf3cea4

SHA512
cd033ca8c4afca5d78ef636552d0b7060d549f306bdf2eaa2d22bc96918c786262b2145fc46d763d70bd712d6e38fec3415e2fd4474a0596fe1cf3211780026d

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
844KB

MD5
23e6f48d3f2eae1bc7f12982b9382e29

SHA1
5bcda02555367f1481d14a96b0cf09a68e11571c

SHA256
cf2319b39eb9678f3c1f3b23782d66e92fc7bee43a5bd08868889ee515e4676c

SHA512
7ecd6080e7c78dd2dc79391e6dd9098d59a39410d7a5f734ead71f99212a7d3c9202698f7146be7b33ef5b1f07fdea07a2a5e0613c5a1d02a2248bf0d8343e42

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
844KB

MD5
c05f4b17286391aa34d30916662cad1a

SHA1
d3d28c0197858d2d8143e7b1d563503f27f1ee00

SHA256
c0a69c88588d102406b04b3f440756951515a3e72bba4c70080be920148de61b

SHA512
99d36a76e6a9684061e242883820c545fe08b70a4455d50b92b20e6709547d13a71c073b8ec849335bda5cc78b9d39970213f8734acc787c6df235ba49c9c1c8

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
844KB

MD5
c52b5c8264ed1274a5848e7268f2748b

SHA1
b54f44eb7ef6c2599c6d6bed96b3f6eac7fd0f4b

SHA256
e9227feafeccaac74b503ab9da0992184be3a242052f2febd67f812ff4314ecd

SHA512
cf96b1e0572b040755480f7e981b4f4c3819958d6b3928141f3f9d5db107c5e348ebf749e569308f42de0abcebc82e8a580e97ba02eb1457090b2c5425bd1fbe

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
844KB

MD5
23a3e5962c20da38c5b88a8ba897033f

SHA1
b0e1c6c2f98cf0422a0710456a9dba03aa48a58b

SHA256
8ac70febb660709a37af1d8649b5039e34b2b845e2016afc7a41ac25e64e5c6c

SHA512
c7554408ba8b8ed2e46037c597b1765c3fb7e38df3ad2a5f6d61f9306f06ae369a656755686ee4cfea4404f10e5fe11b8d9b0a8999ba9e73b6cb4ec62b5c31b0

Download Submit
C:\Windows\SysWOW64\Bhoilahe.dll

Filesize
7KB

MD5
9eae00d32675e9d25214eb1413e5cc83

SHA1
7d6df3536eb8c21ee14980a12acb0af78d20b49a

SHA256
1b556e5f1ca865181fe1362c4a6296f3e428f5b968e9e52ea9a22511c7bdf23f

SHA512
cead9dec3550285bcf0b53bd36a5fc1425b1e184dacf8daf7faef256983288edb63b07a9708aae1b114583f6f98c36b0c31f64d3843cae41bc3d9ec4b4dadc32

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
844KB

MD5
4a8eb204ffeb5da6ab5a8bbb9db52ef3

SHA1
014fcaa0076144e0d816b096ea98b90f4765eab6

SHA256
6d2b226209faf472197cc20aaa2d90f57b952a10342d0d456d26e5b46ec86f14

SHA512
7cd9771ac781a790e091deee89bca962966d54b25a1250154f2e3070b0264532afb5cf11c4f3aba6ff34497acfa88fb337fa3685872a071f63358f7c4c5b92ea

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
844KB

MD5
993d3aacc6f6a0f57d8f8b2c3380d35a

SHA1
5f5921ad7160477a9a12a6a0e655578f282abce0

SHA256
555c325b1dcfd5729917f92cd09240d4c1d5ef43cba050355a5816c0061a0621

SHA512
df7917c378e5b033371f7e0adedba61116c0e84bf52de4f69241cfda9c3c35045065b7838a819fbff81d9622065800ce3a0b99c6f992a7a76d411ea6209ca369

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
844KB

MD5
b9eaf4ee72ec48e28f54b9b2a175ab5b

SHA1
d4ea647b4167ee1681f3b4aced9dd07d0f9d8186

SHA256
c06f3a6a071d81485151d035d4ff1f6a636264099797af6808768140caad7ed2

SHA512
535dc88469e215140a90025cde0ef3e0f556bf499138ee3784b9dcfd0d6279bb5aaec274d32c17427415df98dff1d0e8eb10b87bf217da52dbc45085b06f1fc1

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
844KB

MD5
fae84d9e2ee902e161f767682c1f54ed

SHA1
fd4d53d5ba1964ab6448267f86a71ed4a07532e8

SHA256
80ad9e0c0d6c256d8140dfe77cecbb179b15443763c02c6970c572bffbf6f79e

SHA512
9c435627fd189346db710d0c19c16a7d8dfd631f4b1d034477bc932ae79c5a949990f2977294ccb37ec068715c711558dffb4d4c7c8cf5fb4b3b99e3eb358cd5

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
844KB

MD5
3864729861fabce39398423cfc4533a6

SHA1
c643edff966f262df46562947788de07e693f6c2

SHA256
fe9b3869be3d94e182c6408a60b09bf6ecf6d22146465ed33cbfd8e6d89619bc

SHA512
a66b5731b738a7f8ee77735b81db0cdeda04bce6920359598f07dde1356a36810bfdc5cadfe4ccd161efa26ba01550615b4876a4173b4ba5369dec49eeca0358

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
844KB

MD5
4bf0143d85868c0f893a9f67dfc6112a

SHA1
254ae01486c6e80fbac9a6fa775aeee32b819ef4

SHA256
80161c8daa078fc98b763e6aa74f2d5034195513e8c50bc582998b09a08de540

SHA512
3155ae4da05fd4b5ffb3fdbcb9b79d0d587636c56f0e2b1fa83704c2c7480a86f3f92e48e413cb562341a5a219e077487ce45b1581bf525ac5ffdf6271d0a802

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
844KB

MD5
59432eed20d1985fcbaae20b62ec44a9

SHA1
fe186f7ead25e24a2a27b8b0afdfad650b0d3a81

SHA256
03179c03fa6c1af178da2040865c5f615c30908708c6991d561ce68a654d76ea

SHA512
93e2af847cbd051ab7c865ec6b20a0fd6f8413b66cdbce4cf2288a0469ec05ed7e4f267e45520792ed83925af999e8890098086050800f7e980160e8c1968463

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe

Filesize
844KB

MD5
967902f1fc05736b09399c921c285af0

SHA1
a5f7199111c61b77ce610d50e9973f28066c2406

SHA256
6f7d65df40ee7f5acaffab7067eb4a27703823deefc360d10bc0684a0f5f8f76

SHA512
d3fae9abd1ebe96fe5c4b234ca39df71e04820deca09e9c376c901778648da570d246ff1e1073e03b385e225da39e9d8c9bd684e1a0438181e2bfa010309b45c

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
844KB

MD5
2378f496168b7b62bc1369104a9e5419

SHA1
95bae83404564bec7d1ab70c187ffc0695358862

SHA256
e474c506ccf4b53f50b683140f14f48b462614d587c6f19a3c2f4e2907a28ba6

SHA512
6add48897d1b7198db260bf74228f66b003e0e51d61fbb4cb19f7046bae7f05472a950f8b2381ea726d0a1ee1ecac25dea96245f3218020851f8898f7f599e84

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
844KB

MD5
432f21688602745bf190f51def4ced85

SHA1
10dd9f04ac4012a24ad30034dc93fad064b715d7

SHA256
0c5ed59ccbd2ad13b9b6eb67701be3f1e6fe9b870202f6b5d23c86328634e481

SHA512
542ae1a74153be79898694a516bb128e67628640c8551c1a342c67dfa7d86eef9606989759653b904072a4aa060a57332acd1632c440699b5c098313d0bb8190

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
844KB

MD5
d08a917fddd728a458cc4dcab8fbb553

SHA1
6510d4b487c7f3dee96a1b339797daa58f79e88d

SHA256
6e1dbcb8b53a1b1ff36875e4935a4f3fed8707c41c0721551901c00c51733054

SHA512
24e1a87b979c4192efb67b94678830a2ab604b938edb4ed7d68035ee601805a30e8a6e650287736c46067cf0d3203ac31899810dff4190af3f54d57d407f2e3d

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
844KB

MD5
68afedfa11f05ad55bc139d190c49e54

SHA1
b2035a3aa44c4bda93e70d604c011c172c0880ad

SHA256
0c9f7356c1894b311bf73ad1cd7f4de1db4122d618b1cf57702f759cc510e110

SHA512
9021707429f8e69fb916181998efef30c34757bcbc7aa6155ef4fcca521a74f3f91d8908c333f427f51baee35f047b7aa1662363033b4766744f4a9dcca3bc57

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
844KB

MD5
dffb7e8f9d0714e6b316f7480194ba0a

SHA1
c9003e88f2c2c6cab4aedfa2492ae31b14f8e542

SHA256
8f48abb0ba719b97778849afc70ef702f7417ef8b614038ed9f7d48161c9f18c

SHA512
d0b0e0d60edb712308eaf6c752a33389ee40a607b92553275a020d82f46dd6e2edeab42923e240923392a36044c0b7c7d8be0e94efbf034f9d80320963ce918a

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
844KB

MD5
e562b57b945250747bc116c641cef7f4

SHA1
38368bf66b3b177e2a052e4f3755437dc3191b08

SHA256
8f27ddf0976c434cddffc50bb542ce95ac5fc6825eb62aa44c15d1c2bd79f7fe

SHA512
a81c080a782e8c1aec476651a4c1781698f1c36648b6d64e801f42a9c49a486def88a5aced2fff097d3c2de7d12429043ec103e5d5521838392076a8d95ad298

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
844KB

MD5
4af20c6e6ddcb5ef8a9f20ed8f50ef13

SHA1
327aa0fe26ba9dde5b19be744791c0ffc756a0f1

SHA256
4d910f299b6ef7a62d66cd5eacb869d0952a2d9e40657f6137c485d27a571bf5

SHA512
24853de62858668dae0c7d2d85747f961355cebf7b749896a049408ef98f6dc7d381b596e2c0ff05e63aa6e43e99f795a74fb94ba0a395e02f2883e51da07dc1

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
844KB

MD5
11c85fbea8c1e53a97d2115d5524ab02

SHA1
8d1d865e12f5873c3924c41af6b9f064df37f4a2

SHA256
99dc3237d43ddafe390bc673a70725cb2e4bade50ba995064d4db7ba62605dcc

SHA512
347f48953f52250b1969b8ec0a9a7fc8197553026bae0c8e192a34a2e0ad72e48368b213e04ac8b708a140397809ab6c553e20d5fbf628f592736120b2468b88

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
844KB

MD5
eb950257135d701f55d13f54c5b70f41

SHA1
a4f035c3091be4dc66338b62ff0692a6ac978af8

SHA256
5a4f7ffc54c33853f486061e68a2194587d89c8f93a7737bc5f5ce7020ccb516

SHA512
9e576221dbd3661a236733da1f47995bdb45654214afdd5069affe13d166bc896e206b98d8657f304f26585527df004823a04286df9d3da7b9e641afd35b1029

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
844KB

MD5
e0c1d7f70873131dea60b37ffdf78985

SHA1
f3974a4a779490bd917faa94a6c9dc3c3a5e60ae

SHA256
e8d96f21dc4f94054344c1c5441809758f35919f6ddc18d9d1bc2e8b96ea74ef

SHA512
b91d5eb866387f5f2805e3f2f9a3a271f0831ef1a4c210ff72d4a606b9e7a2045f23dc8a9eaf42bc9baf60600de8e8874cc9365cd91671609cea895df7ad3b90

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
844KB

MD5
c74b370fbae71b5ed75a366edc234590

SHA1
3f2ad919180be195b32afe2d00e740fa3e52fb2a

SHA256
8c16e986d864391eb6aef931b98fe2234f255a2bede754103b303ea3bd7e747c

SHA512
ac746be4737a7cb74f6fab0be6e0cf1732f03fc7372e3a389cfccdb86f762da91e275de629300b65c2790c4f53961b10d58b2faccf466344c919a6e308b118b7

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
844KB

MD5
2ca303d8a32bad8c8f2351f4f0c3d343

SHA1
b21d0196c91614a16013703e73dfc54e5d89cb21

SHA256
4792b1877cc4964d4d68778790739a845b629724be5b1a7a66b385ffe7142a91

SHA512
8ed4c6fa7adee25d42a7e9aabda84355a5efca8bdf261dfd7e527e279714a71b70a955ba0c44e3500791bdec962feef9712a7a4d22e624c3bc4a54ce81b62a34

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
844KB

MD5
75bc40069c7522c37ae3bfc0aadef86d

SHA1
b68db3aab6a3b009ef16a44fe2ff07afd2328e63

SHA256
a56d96962e467fe1d54bdeac3b32a022a3d25962fc39f58a7f3aa7b1ddf9b484

SHA512
8bc3cd111115d173968292c988291fc4c4c55d7a19ca69fe1cd02838ef56e9fd9e7c7f8aca80b907066f6d7e4dbba344a8348d304132b10a52c8e7fc508f9b9d

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
844KB

MD5
57594b1fa4bf02cdd45add7395ac8833

SHA1
c09b72ba611aaac2afe3d9251107396ca12de413

SHA256
0e1b48cc4fa82adc86bf09e5255b96c6208a445f552aa9e52dc05b67214ee99b

SHA512
9ef286703d64ca40f8eb6b340957e83203f5cc220d5a9f1247562fe475fe7893572b68ff57b6743cf8c50dcfe9725332e45520483538cd567e169b13fdd255a7

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
844KB

MD5
d7421f1c121326d428b5069df745e27d

SHA1
ff391a989ccef14bc8e273331cf63552f1840c43

SHA256
9b4a72f29a67bac31dd582b474c6643d1c3fdbadcb47fb11f46a947d06f0ced1

SHA512
02ed47ca4a025cb705f8e6ddc65282e7de2b6e918f5d7fa63d593a4edaaf597f46fe68d6bc2867e3800e6b1b97f988a1332329bf53b66a3b2a613906dd0f3d35

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
844KB

MD5
962a05a7df9e1b564d35be7550521fa9

SHA1
0f60602b1f0b4d7c65dfb460a13f714006c9c45a

SHA256
8e4e0afb0ee56410ed0059a8a4a279d7774e60148d069de27d45386079890ced

SHA512
33094c38f2b72eeb31af2214a931e36401d3a36c8903b34f9bdb9b6f909716b2f3f8579f3de1b6ea88ec404cf28fd04628b45f8f87953ceb250cb77837183655

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
844KB

MD5
c57f4795fa0d66009fac23dee8e6afea

SHA1
fcc39a2514a718a5484352e536b4cd05269cf72d

SHA256
29cde282995736aaf001e93f87ea4437b6e60f4fa106d0a06edfeced27189c4a

SHA512
91635d1b0198f460af5b4e6028964a2f6ad0266c3da5e0227094a5c26dcda50f44122e699211aadfa2bd3b7bea42c07f73fbbb046f762e359a7674c4df6f0e51

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
844KB

MD5
5bae30487970830519884ea20c41d24a

SHA1
d8b38282e18d9b9e0a104ca5a97817eb4756fb7e

SHA256
718dbd6e6a15535ab9dbfba5d3fa067ac27983bbd5c88f7f5b9314dcf66b3d41

SHA512
afe251be985e77cf4f175a48d35530e3d0da0bd603e26689a5e9b59d9c9f131a84f381814abd724df7aeb651b0bf19ec3569e584ebaf79d0247b046305ee85df

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
844KB

MD5
14f49cf42ab6cca2ba1857761beaf965

SHA1
15bcba50c8dca89ab9ed948cc8f6aa582f64ae7e

SHA256
68325e3bd17f4a3887ea74c0c836b7c255cc5e5b55bf6617c3c5d16c2084ff2e

SHA512
29e48afafabd90d4ed7f9e333d03fc9f4f79b4983de0da67a36f8f88d5385f55db45e390b81131749b573f895b9cad16d6ebbc603164e466fde5c561a77d8974

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
844KB

MD5
4343dd6081fbb630610144984934ec80

SHA1
a91b89c1195656d2f164db1081e35e2407bcc552

SHA256
584b0a935ac91ad1e566619cedcb84c4c4c4afe04af2984055876a810d8d5337

SHA512
4d1b222a1334ac021366775ae80f3d9e9781d33f0a8bf3076c5b5620e15e57e803176422ec4fb166b8e1939136f849fefdfd1fbfe86166bf2bd8b172a8027121

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
844KB

MD5
33c7f55de9d39955835d10f6d066b1f9

SHA1
6f28aee91c2b25b54407e08535f51d036fc78f46

SHA256
0c775012a9d4de3eb72efb6ad9791e25e8c4625865caa733e0568430f7a06e97

SHA512
0cc62685d967d878f95a6a5cbe85ecf9bf7bf122cf7891f8d4ed039e5e9ba901512c072d9841573e2fdfc2ba74115ab6b41abbd0867c5f5a72a6a36a47d1f0a6

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
844KB

MD5
2b29343642f8f174ef30817193061268

SHA1
f21d8c9fc2175aaa128ac186d416e9c8d79786bf

SHA256
e7058b3b08a3f01a28d087db0a560fc9bdb7c2771ada41fa0d3edaf85a1e6eb3

SHA512
9ac367e345e29f62cfcad9912211e5709566b125a0305776229d22eeb669ed0e524ee656ae5d9333e317de9ee9c3cfbf1e6607d2ce70777c9ff2d02b037b349d

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
844KB

MD5
9861198e76488ed91bd6d06c0b59f48c

SHA1
330132c0449c730a84f50c4f679be41535fa1b12

SHA256
8c16ea32d603b532999293281d3b68cc6416ad52d7ff93a9e402806af85cb22f

SHA512
b540e8084032203415b41407a69834c5189ebb6bee9e85fcad933ad21e8dd8ee559469f03fcfe0b566d735a1821f94bf464e9a6458967e234fbea79375e117af

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
844KB

MD5
e16f561b2c9c532da3e43cbb00a1da42

SHA1
da886e4556b21fa61ab520be383083df64abbd62

SHA256
f1ed04eaf7dedb95695b8b4dde29315b4def00838d726b7c13e04ca943c8500c

SHA512
a894a454872a1e25f0d45dbb78c4d1bd592412884810788d219aed3e1a74283bc33f0fc532b9af94807dea479a3ef90e6341a8c372ca38798cc0723d79c3215c

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
844KB

MD5
493bbb79348761650f8947709d9981b4

SHA1
885765d5bcf4129bafd90a3c63d16de14be57a45

SHA256
d93809307b8f1b31294cbb545f9f35c6b61e22be460ce4692e6f22cc8f05bf26

SHA512
27e8cea5b37f26f105bcc4a56f5344eb1f2ed1e82e34149579d6381084747463270fc162f5a56e5423a5de06b36a1d702c648420282d3ddbdf9aaad5b59a921f

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
844KB

MD5
a9368cbecdb09369286d5c9d6d287227

SHA1
4358de7307ca2d52d1d4fe2019a1265ad20bad14

SHA256
d523e57ec547f0231524da105e0e9f9454b3176b7bb3f06e4746e0cae30b9858

SHA512
129bb110b5a4ea75d36ea7a09ff44c365b7cce63c24117c92ed759c1a4080cc849df193e0a83c3d8665cd6004d6a9e3b6d58b008d0a8630f1d36dcf73511b73d

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
844KB

MD5
20e377bd943b5813003c503448ee32b7

SHA1
3c06bf94842cfb324efa9933596a748e580b3912

SHA256
33fa0ad99eeafcac8009117ba93313cd1b1a13ef6a90100ebe295baddf46a185

SHA512
c5eb9feca2ea5671baa93f27eeb3f079b8c902267495a82594d32fd5d6e32f413bb953980bf2f9d541253571e0698385b14f9ec901429b0307296c044535abec

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
844KB

MD5
c1d605e5cee391a436579924f58fece8

SHA1
806ca3b68028aedbde2084b3b5bf43c4acec3a16

SHA256
0a09a46a3ca8e01017e07a98e371539d1e91f26b32b94d5ac54f8acbbe137cf4

SHA512
08fcf0fbabea6139a3de0af266fff8b5c7a3e2c6445c5cb62ba69d53ecae72930bfb8739b6ce709aa7b73c47f55943fce2ed95018ed8d24412076db6a251738d

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
844KB

MD5
d21afa1966ba5580a9fa80782aa77e63

SHA1
196cd57686ddb8b938d733dd75bfc52f879c5020

SHA256
375330e3dbe0bde6186d868d9e1526affe3893251b0f2434db8f618b234850a5

SHA512
964a3b786ddb7fd653d65d412cfa5d2ddf39b99a892c7e04ed82b793564bc82b6860b8d80a32a841516575ffd418b943fe82b1a028c375eab0cba5a17e0ad88e

Download Submit
memory/60-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/372-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/388-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/544-60-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/704-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/884-485-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1096-386-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1208-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1212-378-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1400-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1404-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1408-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1432-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1484-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1592-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1600-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1624-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1652-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1664-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1728-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1884-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1896-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2084-403-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2284-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2344-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2404-331-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2584-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2776-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2888-100-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2900-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2976-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3256-374-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3268-325-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3308-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3336-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3344-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3356-337-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3492-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3556-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3632-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3752-392-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3968-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4040-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4076-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4080-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4084-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4136-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4188-622-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4188-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4192-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4208-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4268-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4308-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4312-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4316-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4336-124-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4412-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4416-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4492-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4504-434-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4512-116-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4536-76-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4560-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4568-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4772-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4824-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4868-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4880-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4936-633-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4936-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4952-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4960-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4972-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5008-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5012-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5128-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5168-512-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5208-515-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5264-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5304-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5344-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5384-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5424-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5464-554-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5500-556-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5544-562-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5588-568-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5628-578-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5668-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5708-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5768-596-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5804-603-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5844-604-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5888-615-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5924-620-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5964-623-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download