a309998079db7bb71033d7abe4dcaff75f74270157bd6edda77dfe156f202699

Analysis

max time kernel
141s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

229444bdfa5a7ce9ab425040a8fe9bb0_NeikiAnalytics.exe
Size

556KB
MD5

229444bdfa5a7ce9ab425040a8fe9bb0
SHA1

712da568ee3ea64723789c0e2146f5be0a770086
SHA256

a309998079db7bb71033d7abe4dcaff75f74270157bd6edda77dfe156f202699
SHA512

fc9dfc1a4aab9acf61c39ff4b1f34244164122d370f60558ef813eff24468c67b7903371100bfbf1a1eb4053bfdeb9c1f69ddc46178c1e7d64c13a3f745b8671
SSDEEP

12288:DsBM4zmEgW+4tv7aOlxzr3cOK3TajRfXFMKNxr9Z7tEGVqT4Df:oBM4zmEL+4tv7aOlxzLyTajRfXFMKNxP

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llmhaold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnoaaaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfchlbfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnahdi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipeeobbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojajin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkobkod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gblbca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgkmgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmipdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbbnpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmadco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lqmmmmph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bojomm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcimdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnbakghm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaagkcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjjbjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lckiihok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpfjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Glbjggof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbhoeid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbjoeojc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdbfab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpimlfke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmhgmmbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blgifbil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpkibf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemqih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bepmoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpnoncim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnmmboed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmiikh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aafemk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnfihkqm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfihkqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkokcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfgipd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjdqmng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilcldb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Conanfli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckeimm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iomoenej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckmonl32.exe

Malware Dropper & Backdoor - Berbew 54 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x00070000000235c2-15.dat	family_berbew
behavioral2/files/0x00090000000235bb-7.dat	family_berbew
behavioral2/files/0x00070000000235c4-22.dat	family_berbew
behavioral2/files/0x00070000000235c6-30.dat	family_berbew
behavioral2/files/0x00070000000235cb-47.dat	family_berbew
behavioral2/files/0x00070000000235c9-39.dat	family_berbew
behavioral2/files/0x00070000000235cd-54.dat	family_berbew
behavioral2/files/0x00070000000235cf-58.dat	family_berbew
behavioral2/files/0x00070000000235d1-71.dat	family_berbew
behavioral2/files/0x00070000000235d3-80.dat	family_berbew
behavioral2/files/0x00070000000235d5-86.dat	family_berbew
behavioral2/files/0x00080000000235bf-95.dat	family_berbew
behavioral2/files/0x00070000000235dc-113.dat	family_berbew
behavioral2/files/0x00070000000235da-111.dat	family_berbew
behavioral2/files/0x00070000000235d8-103.dat	family_berbew
behavioral2/files/0x00070000000235e2-139.dat	family_berbew
behavioral2/files/0x00070000000235e4-147.dat	family_berbew
behavioral2/files/0x00070000000235e6-154.dat	family_berbew
behavioral2/files/0x00070000000235f0-189.dat	family_berbew
behavioral2/files/0x00070000000235fe-237.dat	family_berbew
behavioral2/files/0x00070000000235fc-231.dat	family_berbew
behavioral2/files/0x00070000000235fa-224.dat	family_berbew
behavioral2/files/0x00070000000235f8-217.dat	family_berbew
behavioral2/files/0x00070000000235f6-210.dat	family_berbew
behavioral2/files/0x00070000000235f4-203.dat	family_berbew
behavioral2/files/0x00070000000235f2-196.dat	family_berbew
behavioral2/files/0x00070000000235ee-182.dat	family_berbew
behavioral2/files/0x00070000000235ec-175.dat	family_berbew
behavioral2/files/0x00070000000235ea-168.dat	family_berbew
behavioral2/files/0x00070000000235e8-161.dat	family_berbew
behavioral2/files/0x00070000000235e0-133.dat	family_berbew
behavioral2/files/0x00070000000235de-126.dat	family_berbew
behavioral2/files/0x0007000000023654-521.dat	family_berbew
behavioral2/files/0x000700000002365e-550.dat	family_berbew
behavioral2/files/0x00070000000236a0-744.dat	family_berbew
behavioral2/files/0x00070000000236a6-762.dat	family_berbew
behavioral2/files/0x00070000000236d2-898.dat	family_berbew
behavioral2/files/0x00070000000236dc-931.dat	family_berbew
behavioral2/files/0x00070000000236e0-946.dat	family_berbew
behavioral2/files/0x00070000000236fc-1037.dat	family_berbew
behavioral2/files/0x000700000002370c-1090.dat	family_berbew
behavioral2/files/0x0007000000023710-1102.dat	family_berbew
behavioral2/files/0x0007000000023714-1115.dat	family_berbew
behavioral2/files/0x0007000000023741-1255.dat	family_berbew
behavioral2/files/0x0007000000023747-1275.dat	family_berbew
behavioral2/files/0x000700000002374f-1301.dat	family_berbew
behavioral2/files/0x0007000000023753-1313.dat	family_berbew
behavioral2/files/0x0007000000023755-1320.dat	family_berbew
behavioral2/files/0x0007000000023798-1564.dat	family_berbew
behavioral2/files/0x000700000002379f-1606.dat	family_berbew
behavioral2/files/0x00070000000237ad-1653.dat	family_berbew
behavioral2/files/0x00070000000237b3-1674.dat	family_berbew
behavioral2/files/0x00070000000237be-1707.dat	family_berbew
behavioral2/files/0x00070000000237c4-1727.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
2468	Pknqoc32.exe
1048	Pahilmoc.exe
1188	Pkbjjbda.exe
672	Plbfdekd.exe
4368	Pmcclm32.exe
3084	Paoollik.exe
4132	Qlimed32.exe
852	Aafemk32.exe
2700	Aknifq32.exe
788	Aednci32.exe
2352	Ahbjoe32.exe
1436	Akqfkp32.exe
3516	Aefjii32.exe
1708	Ahdged32.exe
2548	Anaomkdb.exe
4576	Akepfpcl.exe
3312	Anclbkbp.exe
2104	Aekddhcb.exe
4964	Alelqb32.exe
216	Bnfihkqm.exe
4516	Bemqih32.exe
660	Blgifbil.exe
2504	Boeebnhp.exe
3740	Bnhenj32.exe
2796	Bepmoh32.exe
3868	Bdbnjdfg.exe
1232	Bhnikc32.exe
2012	Bklfgo32.exe
3680	Bohbhmfm.exe
1996	Bafndi32.exe
2944	Bddjpd32.exe
3660	Bllbaa32.exe
4976	Bojomm32.exe
3304	Bahkih32.exe
4364	Blnoga32.exe
4600	Bkaobnio.exe
2540	Bnoknihb.exe
5100	Bffcpg32.exe
3496	Bheplb32.exe
4596	Ckclhn32.exe
4088	Cnahdi32.exe
4428	Cfipef32.exe
4072	Chglab32.exe
2788	Ckeimm32.exe
4888	Cndeii32.exe
3692	Cfkmkf32.exe
4696	Chiigadc.exe
1608	Ckhecmcf.exe
448	Cocacl32.exe
4592	Cbbnpg32.exe
5136	Cdpjlb32.exe
5172	Ckjbhmad.exe
5204	Cnindhpg.exe
5244	Cfpffeaj.exe
5284	Cdbfab32.exe
5320	Ckmonl32.exe
5352	Cohkokgj.exe
5392	Cbfgkffn.exe
5428	Cdecgbfa.exe
5468	Dmlkhofd.exe
5504	Dkokcl32.exe
5536	Dnmhpg32.exe
5576	Dfdpad32.exe
5612	Dhclmp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ddjmba32.exe	Dbkqfe32.exe
File created	C:\Windows\SysWOW64\Efmnhl32.dll	Lmdnbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcngpjh.exe	Mqkiok32.exe
File created	C:\Windows\SysWOW64\Hmdlmg32.exe	Hfjdqmng.exe
File created	C:\Windows\SysWOW64\Nceefd32.exe	Nagiji32.exe
File created	C:\Windows\SysWOW64\Paoollik.exe	Pmcclm32.exe
File created	C:\Windows\SysWOW64\Fmhdkknd.exe	Fbbpmb32.exe
File opened for modification	C:\Windows\SysWOW64\Pmiikh32.exe	Pjkmomfn.exe
File created	C:\Windows\SysWOW64\Kjamidgd.dll	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Eoaedogc.dll	Pmcclm32.exe
File created	C:\Windows\SysWOW64\Jiibaffb.dll	Cbbnpg32.exe
File created	C:\Windows\SysWOW64\Gifjfmcq.dll	Jilfifme.exe
File opened for modification	C:\Windows\SysWOW64\Lgbloglj.exe	Lokdnjkg.exe
File opened for modification	C:\Windows\SysWOW64\Ddgibkpc.exe	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Fdnnlj32.dll	Cnindhpg.exe
File opened for modification	C:\Windows\SysWOW64\Bmhocd32.exe	Bkibgh32.exe
File created	C:\Windows\SysWOW64\Bnhenj32.exe	Boeebnhp.exe
File created	C:\Windows\SysWOW64\Igdgglfl.exe	Iomoenej.exe
File created	C:\Windows\SysWOW64\Ilcldb32.exe	Igfclkdj.exe
File created	C:\Windows\SysWOW64\Ljqhkckn.exe	Lgbloglj.exe
File opened for modification	C:\Windows\SysWOW64\Mjjkaabc.exe	Mcpcdg32.exe
File opened for modification	C:\Windows\SysWOW64\Adkqoohc.exe	Aaldccip.exe
File opened for modification	C:\Windows\SysWOW64\Dhclmp32.exe	Dfdpad32.exe
File created	C:\Windows\SysWOW64\Flbfjl32.dll	Oakbehfe.exe
File opened for modification	C:\Windows\SysWOW64\Anaomkdb.exe	Ahdged32.exe
File created	C:\Windows\SysWOW64\Fpdcag32.exe	Fijkdmhn.exe
File created	C:\Windows\SysWOW64\Nfmifiap.dll	Fpdcag32.exe
File opened for modification	C:\Windows\SysWOW64\Hehkajig.exe	Hbjoeojc.exe
File opened for modification	C:\Windows\SysWOW64\Hoclopne.exe	Hmbphg32.exe
File created	C:\Windows\SysWOW64\Lgpoihnl.exe	Lljklo32.exe
File opened for modification	C:\Windows\SysWOW64\Boeebnhp.exe	Blgifbil.exe
File created	C:\Windows\SysWOW64\Nagiji32.exe	Nfaemp32.exe
File created	C:\Windows\SysWOW64\Jcgmgn32.dll	Pmnbfhal.exe
File opened for modification	C:\Windows\SysWOW64\Dmcain32.exe	Dfiildio.exe
File created	C:\Windows\SysWOW64\Dfjehbcf.dll	Imgicgca.exe
File created	C:\Windows\SysWOW64\Jihiic32.dll	Nopfpgip.exe
File opened for modification	C:\Windows\SysWOW64\Ahaceo32.exe	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Fmmmfj32.exe	Ffceip32.exe
File created	C:\Windows\SysWOW64\Kpjgaoqm.exe	Jjpode32.exe
File created	C:\Windows\SysWOW64\Nnafno32.exe	Nggnadib.exe
File opened for modification	C:\Windows\SysWOW64\Pkbjjbda.exe	Pahilmoc.exe
File created	C:\Windows\SysWOW64\Chiigadc.exe	Cfkmkf32.exe
File opened for modification	C:\Windows\SysWOW64\Jilfifme.exe	Jcanll32.exe
File created	C:\Windows\SysWOW64\Aknifq32.exe	Aafemk32.exe
File created	C:\Windows\SysWOW64\Ahdged32.exe	Aefjii32.exe
File created	C:\Windows\SysWOW64\Cdbfab32.exe	Cfpffeaj.exe
File opened for modification	C:\Windows\SysWOW64\Gfjkjo32.exe	Gppcmeem.exe
File opened for modification	C:\Windows\SysWOW64\Lqkqhm32.exe	Ljqhkckn.exe
File opened for modification	C:\Windows\SysWOW64\Cnhgjaml.exe	Chkobkod.exe
File created	C:\Windows\SysWOW64\Cghane32.dll	Ckhecmcf.exe
File opened for modification	C:\Windows\SysWOW64\Cocacl32.exe	Ckhecmcf.exe
File opened for modification	C:\Windows\SysWOW64\Dfdpad32.exe	Dnmhpg32.exe
File created	C:\Windows\SysWOW64\Dckahb32.dll	Kpjgaoqm.exe
File opened for modification	C:\Windows\SysWOW64\Dmlkhofd.exe	Cdecgbfa.exe
File created	C:\Windows\SysWOW64\Jflbhhom.dll	Ffceip32.exe
File created	C:\Windows\SysWOW64\Gpojkp32.dll	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Ieoacg32.dll	Ahbjoe32.exe
File opened for modification	C:\Windows\SysWOW64\Dmohno32.exe	Dhclmp32.exe
File created	C:\Windows\SysWOW64\Gmhgag32.dll	Hfjdqmng.exe
File created	C:\Windows\SysWOW64\Ifenan32.dll	Jjpode32.exe
File created	C:\Windows\SysWOW64\Dkokcl32.exe	Dmlkhofd.exe
File created	C:\Windows\SysWOW64\Bdmlme32.dll	Mfchlbfd.exe
File created	C:\Windows\SysWOW64\Giidol32.dll	Pfandnla.exe
File opened for modification	C:\Windows\SysWOW64\Akpoaj32.exe	Ahaceo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8996	8816	WerFault.exe	367

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bklfgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffkpn32.dll"	Bnoknihb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Illfdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpanan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdmlfj.dll"	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljqhkckn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjhbli.dll"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbenoa32.dll"	Cdpjlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddfcg32.dll"	Aednci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ignlbcmf.dll"	Jcfggkac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anclbkbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bllbaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnafno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gppcmeem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmlme32.dll"	Mfchlbfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhnikc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iomoenej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhfhgch.dll"	Kjjbjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aekddhcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdbnjdfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckclhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hoclopne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipeeobbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bklfgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnipbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Glipgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjembbd.dll"	Lqkqhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fadggj32.dll"	Aknifq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmdcfidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnmog32.dll"	Gifkpknp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpcapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jebfng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gengje32.dll"	Pkbjjbda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgdpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjhhfnd.dll"	Bkaobnio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfqnichl.dll"	Ckclhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfdpad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omdppiif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndeii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aafemk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hekgfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmbphg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qedegh32.dll"	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnahdi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lljklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnoaaaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjldplpd.dll"	Bnfihkqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifomll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifjfmcq.dll"	Jilfifme.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2468	2692	229444bdfa5a7ce9ab425040a8fe9bb0_NeikiAnalytics.exe	90
PID 2692 wrote to memory of 2468	2692	229444bdfa5a7ce9ab425040a8fe9bb0_NeikiAnalytics.exe	90
PID 2692 wrote to memory of 2468	2692	229444bdfa5a7ce9ab425040a8fe9bb0_NeikiAnalytics.exe	90
PID 2468 wrote to memory of 1048	2468	Pknqoc32.exe	91
PID 2468 wrote to memory of 1048	2468	Pknqoc32.exe	91
PID 2468 wrote to memory of 1048	2468	Pknqoc32.exe	91
PID 1048 wrote to memory of 1188	1048	Pahilmoc.exe	92
PID 1048 wrote to memory of 1188	1048	Pahilmoc.exe	92
PID 1048 wrote to memory of 1188	1048	Pahilmoc.exe	92
PID 1188 wrote to memory of 672	1188	Pkbjjbda.exe	93
PID 1188 wrote to memory of 672	1188	Pkbjjbda.exe	93
PID 1188 wrote to memory of 672	1188	Pkbjjbda.exe	93
PID 672 wrote to memory of 4368	672	Plbfdekd.exe	94
PID 672 wrote to memory of 4368	672	Plbfdekd.exe	94
PID 672 wrote to memory of 4368	672	Plbfdekd.exe	94
PID 4368 wrote to memory of 3084	4368	Pmcclm32.exe	95
PID 4368 wrote to memory of 3084	4368	Pmcclm32.exe	95
PID 4368 wrote to memory of 3084	4368	Pmcclm32.exe	95
PID 3084 wrote to memory of 4132	3084	Paoollik.exe	96
PID 3084 wrote to memory of 4132	3084	Paoollik.exe	96
PID 3084 wrote to memory of 4132	3084	Paoollik.exe	96
PID 4132 wrote to memory of 852	4132	Qlimed32.exe	97
PID 4132 wrote to memory of 852	4132	Qlimed32.exe	97
PID 4132 wrote to memory of 852	4132	Qlimed32.exe	97
PID 852 wrote to memory of 2700	852	Aafemk32.exe	98
PID 852 wrote to memory of 2700	852	Aafemk32.exe	98
PID 852 wrote to memory of 2700	852	Aafemk32.exe	98
PID 2700 wrote to memory of 788	2700	Aknifq32.exe	99
PID 2700 wrote to memory of 788	2700	Aknifq32.exe	99
PID 2700 wrote to memory of 788	2700	Aknifq32.exe	99
PID 788 wrote to memory of 2352	788	Aednci32.exe	100
PID 788 wrote to memory of 2352	788	Aednci32.exe	100
PID 788 wrote to memory of 2352	788	Aednci32.exe	100
PID 2352 wrote to memory of 1436	2352	Ahbjoe32.exe	102
PID 2352 wrote to memory of 1436	2352	Ahbjoe32.exe	102
PID 2352 wrote to memory of 1436	2352	Ahbjoe32.exe	102
PID 1436 wrote to memory of 3516	1436	Akqfkp32.exe	103
PID 1436 wrote to memory of 3516	1436	Akqfkp32.exe	103
PID 1436 wrote to memory of 3516	1436	Akqfkp32.exe	103
PID 3516 wrote to memory of 1708	3516	Aefjii32.exe	104
PID 3516 wrote to memory of 1708	3516	Aefjii32.exe	104
PID 3516 wrote to memory of 1708	3516	Aefjii32.exe	104
PID 1708 wrote to memory of 2548	1708	Ahdged32.exe	105
PID 1708 wrote to memory of 2548	1708	Ahdged32.exe	105
PID 1708 wrote to memory of 2548	1708	Ahdged32.exe	105
PID 2548 wrote to memory of 4576	2548	Anaomkdb.exe	106
PID 2548 wrote to memory of 4576	2548	Anaomkdb.exe	106
PID 2548 wrote to memory of 4576	2548	Anaomkdb.exe	106
PID 4576 wrote to memory of 3312	4576	Akepfpcl.exe	108
PID 4576 wrote to memory of 3312	4576	Akepfpcl.exe	108
PID 4576 wrote to memory of 3312	4576	Akepfpcl.exe	108
PID 3312 wrote to memory of 2104	3312	Anclbkbp.exe	109
PID 3312 wrote to memory of 2104	3312	Anclbkbp.exe	109
PID 3312 wrote to memory of 2104	3312	Anclbkbp.exe	109
PID 2104 wrote to memory of 4964	2104	Aekddhcb.exe	110
PID 2104 wrote to memory of 4964	2104	Aekddhcb.exe	110
PID 2104 wrote to memory of 4964	2104	Aekddhcb.exe	110
PID 4964 wrote to memory of 216	4964	Alelqb32.exe	111
PID 4964 wrote to memory of 216	4964	Alelqb32.exe	111
PID 4964 wrote to memory of 216	4964	Alelqb32.exe	111
PID 216 wrote to memory of 4516	216	Bnfihkqm.exe	112
PID 216 wrote to memory of 4516	216	Bnfihkqm.exe	112
PID 216 wrote to memory of 4516	216	Bnfihkqm.exe	112
PID 4516 wrote to memory of 660	4516	Bemqih32.exe	113

C:\Users\Admin\AppData\Local\Temp\229444bdfa5a7ce9ab425040a8fe9bb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\229444bdfa5a7ce9ab425040a8fe9bb0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\Pknqoc32.exe
  C:\Windows\system32\Pknqoc32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\Pahilmoc.exe
    C:\Windows\system32\Pahilmoc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\SysWOW64\Pkbjjbda.exe
      C:\Windows\system32\Pkbjjbda.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1188
    - - C:\Windows\SysWOW64\Plbfdekd.exe
        
        C:\Windows\system32\Plbfdekd.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:672
      - C:\Windows\SysWOW64\Pmcclm32.exe
        
        C:\Windows\system32\Pmcclm32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Paoollik.exe
        
        C:\Windows\system32\Paoollik.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Qlimed32.exe
        
        C:\Windows\system32\Qlimed32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Aafemk32.exe
        
        C:\Windows\system32\Aafemk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Aknifq32.exe
        
        C:\Windows\system32\Aknifq32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Aednci32.exe
        
        C:\Windows\system32\Aednci32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Ahbjoe32.exe
        
        C:\Windows\system32\Ahbjoe32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Akqfkp32.exe
        
        C:\Windows\system32\Akqfkp32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Aefjii32.exe
        
        C:\Windows\system32\Aefjii32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Ahdged32.exe
        
        C:\Windows\system32\Ahdged32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Akepfpcl.exe
        
        C:\Windows\system32\Akepfpcl.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Anclbkbp.exe
        
        C:\Windows\system32\Anclbkbp.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Aekddhcb.exe
        
        C:\Windows\system32\Aekddhcb.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Alelqb32.exe
        
        C:\Windows\system32\Alelqb32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Bnfihkqm.exe
        
        C:\Windows\system32\Bnfihkqm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Bemqih32.exe
        
        C:\Windows\system32\Bemqih32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Blgifbil.exe
        
        C:\Windows\system32\Blgifbil.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:660
        
        C:\Windows\SysWOW64\Boeebnhp.exe
        
        C:\Windows\system32\Boeebnhp.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\Bnhenj32.exe
        
        C:\Windows\system32\Bnhenj32.exe
        25⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\SysWOW64\Bepmoh32.exe
        
        C:\Windows\system32\Bepmoh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Bdbnjdfg.exe
        
        C:\Windows\system32\Bdbnjdfg.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Bhnikc32.exe
        
        C:\Windows\system32\Bhnikc32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Bklfgo32.exe
        
        C:\Windows\system32\Bklfgo32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Bohbhmfm.exe
        
        C:\Windows\system32\Bohbhmfm.exe
        30⤵
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\Bafndi32.exe
        
        C:\Windows\system32\Bafndi32.exe
        31⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        32⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Bojomm32.exe
        
        C:\Windows\system32\Bojomm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Bahkih32.exe
        
        C:\Windows\system32\Bahkih32.exe
        35⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        36⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Bkaobnio.exe
        
        C:\Windows\system32\Bkaobnio.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Bffcpg32.exe
        
        C:\Windows\system32\Bffcpg32.exe
        39⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Bheplb32.exe
        
        C:\Windows\system32\Bheplb32.exe
        40⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Cnahdi32.exe
        
        C:\Windows\system32\Cnahdi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        43⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        44⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2788
        
        C:\Windows\SysWOW64\Cndeii32.exe
        
        C:\Windows\system32\Cndeii32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\Chiigadc.exe
        
        C:\Windows\system32\Chiigadc.exe
        48⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Ckhecmcf.exe
        
        C:\Windows\system32\Ckhecmcf.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        50⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        53⤵
        Executes dropped EXE
        
        PID:5172
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Cdbfab32.exe
        
        C:\Windows\system32\Cdbfab32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5284
        
        C:\Windows\SysWOW64\Ckmonl32.exe
        
        C:\Windows\system32\Ckmonl32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5320
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        58⤵
        Executes dropped EXE
        
        PID:5352
        
        C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        59⤵
        Executes dropped EXE
        
        PID:5392
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Dmlkhofd.exe
        
        C:\Windows\system32\Dmlkhofd.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5504
        
        C:\Windows\SysWOW64\Dnmhpg32.exe
        
        C:\Windows\system32\Dnmhpg32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        66⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        67⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Dbkqfe32.exe
        
        C:\Windows\system32\Dbkqfe32.exe
        68⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Ddjmba32.exe
        
        C:\Windows\system32\Ddjmba32.exe
        69⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        72⤵
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        73⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        74⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        75⤵
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        76⤵
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        77⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        78⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        79⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        80⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        81⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2284
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        84⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2128
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        86⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1292
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        89⤵
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Gfjkjo32.exe
        
        C:\Windows\system32\Gfjkjo32.exe
        91⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        92⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        93⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        94⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        95⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\Hehkajig.exe
        
        C:\Windows\system32\Hehkajig.exe
        97⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Hpnoncim.exe
        
        C:\Windows\system32\Hpnoncim.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        99⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        101⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        103⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        104⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        105⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        106⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        108⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Iinjhh32.exe
        
        C:\Windows\system32\Iinjhh32.exe
        109⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        110⤵
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        111⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        112⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        113⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        115⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Iibccgep.exe
        
        C:\Windows\system32\Iibccgep.exe
        116⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        117⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        118⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        120⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        121⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3412
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        123⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        125⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        126⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        129⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        130⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        131⤵
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        132⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        135⤵
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        136⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        137⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        138⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        139⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        140⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6732
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        142⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        143⤵
        Modifies registry class
        
        PID:6820
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        144⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        146⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        147⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        149⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        150⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        152⤵
        Drops file in System32 directory
        
        PID:6260
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        153⤵
        Drops file in System32 directory
        
        PID:6332
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        155⤵
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6644
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6696
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6768
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6856
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        161⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        162⤵
        Drops file in System32 directory
        
        PID:7004
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        163⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        164⤵
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        165⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        167⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6604
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        169⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        170⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        172⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6296
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        174⤵
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        176⤵
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        177⤵
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        178⤵
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        179⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        180⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        181⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        182⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        183⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        184⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7476
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        186⤵
        Modifies registry class
        
        PID:7516
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        187⤵
        Drops file in System32 directory
        
        PID:7564
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        188⤵
        Drops file in System32 directory
        
        PID:7604
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        189⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        190⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        191⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        192⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        193⤵
        Modifies registry class
        
        PID:7828
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7880
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        195⤵
        Drops file in System32 directory
        
        PID:7920
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7964
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        197⤵
        Modifies registry class
        
        PID:8008
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8052
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8092
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        200⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        201⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        202⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        203⤵
        Drops file in System32 directory
        
        PID:7288
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7364
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        205⤵
        Drops file in System32 directory
        
        PID:7456
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        206⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7588
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        208⤵
        Drops file in System32 directory
        
        PID:7656
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7744
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        210⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        211⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        212⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8016
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        214⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        215⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        216⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        217⤵
        Modifies registry class
        
        PID:7336
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7524
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        219⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        220⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7848
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8032
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        223⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7284
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        225⤵
        Drops file in System32 directory
        
        PID:7560
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        226⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        227⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        228⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        229⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7864
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        231⤵
        Modifies registry class
        
        PID:8156
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        232⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        233⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3228
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        235⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        236⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        237⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        238⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        239⤵
        Drops file in System32 directory
        
        PID:8328
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8372
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        241⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        242⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        243⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        244⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        245⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        246⤵
        Modifies registry class
        
        PID:8672
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        247⤵
        Drops file in System32 directory
        
        PID:8712
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        248⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        249⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        250⤵
        Modifies registry class
        
        PID:8844
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8896
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8952
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        253⤵
        Modifies registry class
        
        PID:9004
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        254⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        255⤵
        Modifies registry class
        
        PID:9104
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        256⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9200
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        258⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8288
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        260⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8436
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8496
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        263⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        264⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        265⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8732
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        266⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        267⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8816 -s 432
        268⤵
        Program crash
        
        PID:8996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4048,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8
1⤵
PID:6112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 8816 -ip 8816
1⤵
PID:8940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aafemk32.exe

Filesize
556KB

MD5
9c8a19fdd670cbc2e13fec3108779b36

SHA1
93e6e08a49ce059b8272b1017ea699534e312161

SHA256
2ff6ed973608b1bd0fa70cdb07882b711ed8d321283a1c665efe08c05e0b9aa3

SHA512
aad21ce8a0cf61b8ee99d0285f0440e7175b0ce4602cdcbb77134e45dee354fd088a77f7117c008b7b46eef6dc7d421f39a690f590280622c68b74521ee1c753

Download Submit
C:\Windows\SysWOW64\Aednci32.exe

Filesize
556KB

MD5
5d51dec12046dab831a1244a503c3789

SHA1
fc0c3864606dca1022a340f04ccbad6014778556

SHA256
a1957ed0cf1a6c5e5cf99267457c3a94ebcb61e2e973e0ee592874aea2c8b41f

SHA512
3839e533f2a906b9c0240c536af34f26afddc84aadc9a7adb01eb349d9cf3b2a2cf9bb76f70f80be1c7756034eb05c1aeb4e230c344f4c1d41799ce95b568caf

Download Submit
C:\Windows\SysWOW64\Aefjii32.exe

Filesize
556KB

MD5
612eb524369ea6c1b4464a08447bd93e

SHA1
b35c6add06da3bf40a0ef4fd13aa8b32c0a16130

SHA256
64943d7ef154c0ae162549089e434496a68f0b9fa285d628e1aec63f75e7e9c0

SHA512
1cbb4b3440aaa59f60055d38c95e4763bd00049ef925ab2d1bb704d9208dbd8acc3bc666eeb3eda125ab1ee6a0eb8b92eb3835446816f04c2273494245bb20ea

Download Submit
C:\Windows\SysWOW64\Aekddhcb.exe

Filesize
556KB

MD5
07c990180c802650a9790972db086e07

SHA1
95fecd73fbc7c301c3942e996da9fc90f1090814

SHA256
de1086a934f5b27acb942ba635ddcbb03b738666cb7a95dbb05c5c963dd5273e

SHA512
284a210c7faa3f6b0fdd78da26045b12fc653d1a57fbae057fd7a7981589359c6c065c27d332435247c29774fdad2dc4fc39eb6ada12d9d3386602304777f844

Download Submit
C:\Windows\SysWOW64\Ahbjoe32.exe

Filesize
556KB

MD5
7ef7fa581919203083d0f7924502ef0e

SHA1
56fad7922dbec29a506201b123900e0e3146af1c

SHA256
f6c1b65c5a791fc6f297a1207ff02bbc635e3e5025929448b12b3937ce89c484

SHA512
39a13ba7e99d5a623f1882740a7e973f046a7d262451441e00bfc838444c6996cb56bb1d1b8a4ad68a7b50b2314c30e65973deb419f017079b30549f0bb867dd

Download Submit
C:\Windows\SysWOW64\Ahdged32.exe

Filesize
556KB

MD5
9797a5a093d29523acbd83fae1d4da4f

SHA1
0bed957412e1e5a889d269cf6b57f9bbf6cd931e

SHA256
374687fa3add9e20ae944ad963a700ca7eac54db3934035567d8282a151adf66

SHA512
6b842a3d9d66351df8b20fcf27f56af12c4afa044f083830940006baded0cc6be4f75157bf7f66a6b80de54fb648cffebd9a8815cc6b885fddfaab8874266b81

Download Submit
C:\Windows\SysWOW64\Akepfpcl.exe

Filesize
556KB

MD5
c1552017f57dc8418f9767864aabc03d

SHA1
c4e9224da40fb2b01bcf688b2402cb2792a1a771

SHA256
5c23709afc514eb7e0af5420fcf8c221b36ec53f1a9936260dd5ed26e7898967

SHA512
da363e9b326a158010547967ed5f073a015b6c3ee59515cc4965b6f24c85ee89d001d3c74df0c3571a5f9e92af7f1dc4ca52b8957667b853fdb86d9229d90b3c

Download Submit
C:\Windows\SysWOW64\Aknifq32.exe

Filesize
556KB

MD5
c0ef4a081743c0f6222a9046e939a3e1

SHA1
2d9e45088bc0555a732d6234e73e93e54dd369b0

SHA256
19e88505a0a3222ac8bbd170fe62d16aa9c682dacdcf9307a52528d1569602fe

SHA512
83cde84634ff5edaca000dee275a6484023be5788cb368b8b488ff36ca79f38604462d9de96c482ae6e8f8b9b884199bbf2cbf466e7e552d1c930676005e7eb1

Download Submit
C:\Windows\SysWOW64\Akqfkp32.exe

Filesize
556KB

MD5
ce9225b7d2b73b78040b97c98994e3bf

SHA1
6515ae70501b630cf82034e1ed740939182d0b39

SHA256
ad80b9825beae31d85c181d65319f8f2114361fcfba0d1b7904603abbbecfda1

SHA512
ecf20c8c7d78cdbd8b4ed454d45dafe1d8490b7f92e55a8bfadb41e6681246eba5d5e6bd2b452eb3bc7dbac2dcb07caa4c2c79a221df7550f01b2346a91f4163

Download Submit
C:\Windows\SysWOW64\Alelqb32.exe

Filesize
556KB

MD5
822e701672dbe186d35bc05f88dd6cbf

SHA1
055b577b0a7d6d43bf7b74160c743f1a2ad0642b

SHA256
62ce4a0d451cb9397a81ac5413a17f94929ce1e198ea4d6afe2c07c79873ca2e

SHA512
4763e98320a5a6760f9334657ce29e2f12ccef5da255c653325c8fac5a0558e0c86b6a5f32c89853ffe2e35380d8bd00af2756eaf671b6f7d75d0e44b3108735

Download Submit
C:\Windows\SysWOW64\Anaomkdb.exe

Filesize
556KB

MD5
109bb807effa7f8f17908a27462b1f56

SHA1
6e538119e7db349c958516965635580252558909

SHA256
0008f4a302b013c8bb7533390c27523d9d9ac48a0e3bc5c5052fc4814fc24d9c

SHA512
97bd155843919c1e2a4c710a5cf9633204d7fc8d1bdb6f7c56abf3d428b8541cde32fc9e8f16c44fa5f8349e4b10a2460bd051ba8b3f69ded2aebd6941cc9d29

Download Submit
C:\Windows\SysWOW64\Anclbkbp.exe

Filesize
556KB

MD5
32f8a2b5be16a5b16a7e6d85cb9c1ce4

SHA1
54da77684ba58ba2d1fd17abc54434d16a668a9c

SHA256
4ffa4c6cfc5c5799842790e0bb5a8d377ae4739d3ba8355687c1947bc0feabba

SHA512
4a7b96f248313d2e4b3d5645f17a44572af6230becb22f648301a5e87ba4b1ec74145f272843bc2333ffc9cdb9d972569da045f27bdbd3671a433f62dd1d58e3

Download Submit
C:\Windows\SysWOW64\Bafndi32.exe

Filesize
556KB

MD5
0553420bc8d45021bd920fa26e9866cb

SHA1
944660784a8fc7915af0f25a069e462b48212185

SHA256
b4eda2fa717ee645af4aec47afd068de2223b1029d74d2efe99d1c0f6a70326b

SHA512
b61b785f656849884530548aea2b1fba1c576106cdd0e86eaa2477590c791e7385ff2fa9344aa03b2786b65c2c03aa2f32e8da9422715e22e70b177a8019d48e

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
556KB

MD5
f6474db46308708f31b9192508f27aa2

SHA1
495455288d7ff890e10f68867e1cbcb6c66912c1

SHA256
cebc2d0551ed8f87ec52f37020dc7bd6ab37db91a87dab652cd3ad7b44da11d1

SHA512
ce1f55a19bf0da19e5def0f9c68979a97c429a09b49bb87907ad812a96c7dcc77f4a534fb753781029643381be95f09ce66fd3887a96bf84153830d90325c736

Download Submit
C:\Windows\SysWOW64\Bdbnjdfg.exe

Filesize
556KB

MD5
0a733fc9c67c0ca8bb5edb8930cc0fd9

SHA1
606fd0d538398d43d812f23fdb939ef74012ba2a

SHA256
3c727dfceff3d79e1682c60a1a90ec95004df5d1e1e603e07b1db42acd463c73

SHA512
cb79dc8b70f333cbe950922376cb14b5b022ed81788ff68f09f1c23592a7634d5c5fff540c412cf5cadaff755352d14892883bfef6c973e7cd9cf16d03648924

Download Submit
C:\Windows\SysWOW64\Bddjpd32.exe

Filesize
556KB

MD5
fbce03874c076f2407c9b35f47663501

SHA1
15b6d515406427da830c425547b99bd76cb92c7c

SHA256
2ee22da2f5517dcab1f30470fb01477444e0a892326cc74952bbeb654cf09431

SHA512
2deef3b59c6c2261434d5e16e19fdc956ab4c11a95516d3be195a5f7bb798f298ce1f35f9107c94c23d5215924e99ef37eeec627ea3ef4f6215555f81776f7dc

Download Submit
C:\Windows\SysWOW64\Bemqih32.exe

Filesize
556KB

MD5
37280fe161dfdc96f5e3383a9d5419ad

SHA1
3f7bcb1ff998ece0c784e12b5217c14fa1729b23

SHA256
d15eebaa9ef44ed60469e2e85d3d224db01e03fe2f6ac673ebe24200f6e1bbb5

SHA512
ae130e13e78993f3629d6e4fdb54fa98d3bbee9485651f8df8eb7fc76abbc292bdc393673de339ab9a32113114e658816fb919d7b91cf0c623b5c72496c2a23b

Download Submit
C:\Windows\SysWOW64\Bepmoh32.exe

Filesize
556KB

MD5
785a1d14a26eb346cfa1babd58244991

SHA1
5899c33a6460c599921cccb49d835f0dbbf62f4e

SHA256
1cae2b35440fec457ba0c0eb7cc4eb0ee3d3eea5fd538f2b6b240e85868d80ef

SHA512
001f1b72d75fb834927a6526dfaea0deb476feb93e7d01cd05ef19219c4cb228ef555f4ba878be38cae005220963f9e67b3fca7ae5458918c99234549c8688e9

Download Submit
C:\Windows\SysWOW64\Bhnikc32.exe

Filesize
556KB

MD5
6605888bb0bc881c162e9c2952f2b64e

SHA1
1aa7754a8e0648f3f8587a82779d5ead5c6c90d6

SHA256
96fb05250984195b2565db0d564592ac12bdbc67a1a454d096860232e27b49a9

SHA512
a409563a0da7fa45c918316fda2dccc4a713aa71862e5e5fa113b41f8ee5cb22a358c37b08e272694665718462a4a65af76aa212c285ffba9a507593dc048e79

Download Submit
C:\Windows\SysWOW64\Bklfgo32.exe

Filesize
556KB

MD5
ec4fab825cbbc85751ae7af1f3673c70

SHA1
3f86b9a40c9ef20532883bf7648e352ccaee6109

SHA256
e5d056e0c7821de2cce4c4dd96e1c5c56ffbccc5649f717120312b5487b6a092

SHA512
925081e4b9a8cacf3e3a6f8643170d0ff7683cd8b4160d99077ebb5f3f3b13d6ace29278b89ca43acb4a9ef92013ca6328fb4ea4b32478f8a2a7b7decadc9d5d

Download Submit
C:\Windows\SysWOW64\Blgifbil.exe

Filesize
556KB

MD5
453009cb719de2e08742bc1ab36eb490

SHA1
42098861b2631e20d63d3df1efe550c4c484ccbf

SHA256
704a14cb01f8259d7e47b5333240d0f609feec381018eed9f5ae42ccfea306fd

SHA512
ae10751976a7ed32485b0555f0c3f478a6fbab37c29222fc46d3af2770efcffed34818588c5f9d96e127f853e5479c99be5106a373d59fab0d1ff6fca0bc43bb

Download Submit
C:\Windows\SysWOW64\Bllbaa32.exe

Filesize
556KB

MD5
85310057a2c3dea0bee437227b7aefd0

SHA1
a79e243999c6856f9d1f2597f27a2ec1b0d1ea9c

SHA256
5b085fac0007ed8c11539595379419c4f3cd2b546bad12b845b62143ddbed7f7

SHA512
0bcae8fb18e835d32121d79923f9e4dca2f43242529925b2e2a294a981579e4b6869348056d6149ca0b8a721f14ec9adfb72baa3a5654665d056f2a724a0bbb0

Download Submit
C:\Windows\SysWOW64\Bnfihkqm.exe

Filesize
556KB

MD5
4532392e4ea6a993b4f3da22c0d967b5

SHA1
5568bd71e073a16c73093beb10f09be48e373404

SHA256
06e94b6245e6566b6f5bacbeecb7620a477117c9c70b324c9211d2db90ff050b

SHA512
b2f2257c361ae886222a2b9b847808ac60ba51da3019ac33527237456544ae0987ac5f8205f39b69bdf1c8a33ab9604d4ca388e1b850e526ad5d8aab23f0994d

Download Submit
C:\Windows\SysWOW64\Bnhenj32.exe

Filesize
556KB

MD5
6acc7b69b13b2194cef7cc007a5f4e9f

SHA1
a166992a3e4ccff474aaea25743216399a216fe6

SHA256
d42c2842ea2c845741235a187b31a5d3aaf58dc2be52903beccf19c81e3bd04b

SHA512
e45b3e56d34f8a0b30f657eed68d53472a081efe2bf7ca3de500515f2a122d8a67e3d7bdf56caa10015b244c256f5352d1a12c908e4dae04ab04266f4210fd1a

Download Submit
C:\Windows\SysWOW64\Boeebnhp.exe

Filesize
556KB

MD5
42b578d31e53be5dc5b987adfdf2c38b

SHA1
ea12c3a6d753bb022fa81ac90246597848296938

SHA256
0e567d90b774b7688db0648dbdf5c4d24e89e0d381c5869b5e7fcca2932f6fcd

SHA512
9efd7dcdcac1bbc6e15a71659e2af0f891fa7e46d3edc68a2e8a8dc7c8eeddef5ea9c186d60835c80b086e5f40e15ae3a093adda54d38b6291a9b02383169fb1

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
556KB

MD5
1861520afecfa41ef21ea4dacc6e6cd1

SHA1
0348b0a7780b9223e416c6baa06f015294cfbc42

SHA256
0266087b0678213c80f6b3d17e6884007255d28e749ac87b8667e0f59890d30b

SHA512
7dabf922b0541ce68c63b25e28efa4aadaaf22bc01d5c74f6ac2c34184ae37e4e71301b50e93bcdd7ba518156ea0cd689d3fe1f50591118cf5e7b2c5cf16705a

Download Submit
C:\Windows\SysWOW64\Bohbhmfm.exe

Filesize
556KB

MD5
20259b015072a0aaa4df47889c39e8a2

SHA1
764e56c5aa064838efc2ce6cf872edcc22d0d3b8

SHA256
f881c102238f9a66a9852f74714f9b4d29c7f003b801536fd1319702408beff0

SHA512
490cbcf5a4b5f73caf028a2a57f0a8c419cdbc5aea52c07ffdf7015a5e1d555313183066047aa5831c1540432dcc02726b8738ed9ffac2f87e5a174ca3590fae

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
556KB

MD5
216726165a9a9e42606bc0610294da5d

SHA1
d7edebcabf603db4ad76a92ff89aad4b177fe9d8

SHA256
9a15c1e45c3a5d40c6d71ee6b90186b0936421b34face77bf44aea7ef17c7de9

SHA512
615718182a11b6e4fa43334434509475ff59c7f13f70a48f07483160648766f92775569247eeebc9624b5a91802359506fb7ad5d2856a264f07b09e3a26ff1ac

Download Submit
C:\Windows\SysWOW64\Chkobkod.exe

Filesize
556KB

MD5
073611abda18d3e9f7408fc2f63c9840

SHA1
d07e5a0fcfc2bc58935ddcaa46cb0ac1e06a3770

SHA256
38fd20668794abb1b7b2897c21df71c0f21b14bbdc86cbf20a2966efbdd486f2

SHA512
5a1e9102bfc78eb61c7cf3a141a52881b1397937f0da6bdaabe456f5c64fa1511fb0ecc513abc820a3d5702e708a98f75ec392138a8aed19162d3ed0be7b8a17

Download Submit
C:\Windows\SysWOW64\Dhphmj32.exe

Filesize
556KB

MD5
4bbb52f08220596d633d0057b9c0baa4

SHA1
95b3f18178769ed4c4b1b1bd5cc87d50b757be2f

SHA256
b663037de06020d831f9f891e5156bc16e6e18f9e4187f9c6d00ede15a82ac8c

SHA512
91f2c1f6921cb0c8b92f3d3195ee9c4c0b924c9aa605cd5c2ea9dd321c098342818d76081ed139e740933ade0db7889799e7c9843e32ca8f0ddd47dc54a42001

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
556KB

MD5
c7d487ea878ded242d1cab979e2a818b

SHA1
cdc58c908da95a66b5eecc43c1f674ac725bd7a5

SHA256
b86d0125735332aef3ed7fa84a94b4002ee58914bb80cb5e8aed9674a8324dce

SHA512
15f9e033844110c0cc4dca07a4e9226338627fb20f589958dee814bd7fcbbc4d79d8e5ce8ca589d4ccb89a1f84bfb59e6e09b8f59783ec8f338f3d15fe33df9c

Download Submit
C:\Windows\SysWOW64\Ffceip32.exe

Filesize
556KB

MD5
f7bab9d740df0cfc705a8c3ba926c0ea

SHA1
434481b356a287b9908ae48981fc1a6ce34f1ec7

SHA256
6333160f6d1975c0e97f9ba8a2fa3b1d11df9ed856c696acbd9b2cb9c4773e0b

SHA512
eaec356d1fdbf73312a1389821439c116d235cc235629dd00c8dce71425377268c177ed83bbc24c460b86bebb84342d9c4be764a875b4331b6cfd3352075fa57

Download Submit
C:\Windows\SysWOW64\Fmhdkknd.exe

Filesize
556KB

MD5
7e920dbcfbbeac4a296f176823f1dc24

SHA1
69687468ecadbd269f19145d5660b5d52df1ad3b

SHA256
bc97f7be59a346b34dbf468fd24de19eec6f5d3e7d7d98639e5671faf4e20784

SHA512
41b78eed3b9680d61b537fc0702ec376fb457b607906f6499ca92c86d27afc5a187bb69fddf6e33ca96cbf8f5670c59e3f7a6bafd40fb62efa0b5eeb80f89cd0

Download Submit
C:\Windows\SysWOW64\Hffpdd32.dll

Filesize
7KB

MD5
9583bad4ceaafa84d1832dd9048fd59a

SHA1
f8a3ed57dce2f46fd80004c49833b46316f4930d

SHA256
eae210204398331e59d1c8da98d09cf1de9c30a00e17d44e9d8412cb05be5d3c

SHA512
4a6e7246ee7951e8240f86e4d557a1cd9db0a25fe9ffdd55b5940be7462aeba28cd501d2edc06f96f44c920b9fe7480f1009550d99e3bb9e838dd4b7aee280f7

Download Submit
C:\Windows\SysWOW64\Iibccgep.exe

Filesize
556KB

MD5
6fabbef19b725a15886353528bd6ca45

SHA1
215dd7538d28e9c3898ce1dd347bbc8b22768835

SHA256
4c46370ddbd4c37a222af2c04e8520e2a75b2bb99cd9f202bdebf1d72e7d2620

SHA512
ed7d32e2bff37678e3aad178630c679449b2d4b39eb50e0a0f482772c21339fa4fdd9ac067e6185cfd9f774acf3083f9496dcede8c9bbae386f5152ef44b990c

Download Submit
C:\Windows\SysWOW64\Ilcldb32.exe

Filesize
556KB

MD5
794523da16751f451d2886c8a1b8ad9e

SHA1
860592689d650b1548dd9866bdb3ec31fd8d7926

SHA256
1b11d599062b8da6cc980ba42e21467d0ec89e69f527665f10c63646b53350a4

SHA512
1d0c2e85bb14cce3538eb1621663577c9fc8fdb315d9186055595660f6031fc10e85dbf24c9dd501e64945489524d36564c1177ee50176551684b1a6cdeba6c4

Download Submit
C:\Windows\SysWOW64\Klhnfo32.exe

Filesize
556KB

MD5
bcbd1d98874e9014da7be9ba2027c886

SHA1
275c79920c43431c5123e40e65ddf2306afacefe

SHA256
74414d0966a45b50c71c473c85eb2eabef38450a0f6aa5fc3ee7257c04c09c9a

SHA512
f3aa0e7dbdf41264239978030e5cda604fb25cb1579618e83f39becdded19eb925c8bfddcc2ed7269145fbc3c8051a69f38cba1ed8f3b3fc4e4b34aa9a41e399

Download Submit
C:\Windows\SysWOW64\Koaagkcb.exe

Filesize
556KB

MD5
c3fe761d0a4587deefa8e48d15551175

SHA1
415c7109fb10357bd67cb9afcc85acf654859596

SHA256
731a8b6c6052036966c2d26ca6c1e30f4dc67a5c46c7b2e6b60d4f7c7d9417a1

SHA512
d496af03b6b2ab5ec710ea1ab79efb5ce3389bd7410aeacd31bf882de74ac6328426cefcc1a74818d80ffd49410c57c447413baa956675c30ada014811f98c88

Download Submit
C:\Windows\SysWOW64\Lljklo32.exe

Filesize
556KB

MD5
1239ddd89b612f32dd8589c714bad812

SHA1
f1ac9986c27c7e2a4e9c6118d783310a4febc401

SHA256
ff26c1950eab0401a0cc9e0867c1e215395b1c54c529d3abb3b9ba66667612b5

SHA512
3f823e5777695d69a8f7001f3054a5de5785f7fa46a06c921cacdd2c71b376f6a372eaefc29074747eadede0327d16d57c238fe56d84f5c46f5d6889ca85cebf

Download Submit
C:\Windows\SysWOW64\Lmdnbn32.exe

Filesize
556KB

MD5
4acc37b23355cdff17caa93b1e8d8424

SHA1
dbdae37053cbe362b182fcbd81bc237854e7aff9

SHA256
1382a3cc01e9fac57e52e7dd13be2a0a05efa89b4bc42ac3dd647773b2ce01d2

SHA512
e3788fe85667a422cbe06b6a16cc62e22d660c1aed6e2cd782228da248f280c0f047b4baed4a30abd4d066a252dee848340ab0c9afda1be73649c954d63d1b98

Download Submit
C:\Windows\SysWOW64\Mcgiefen.exe

Filesize
556KB

MD5
14760800282d7090011659170982a92f

SHA1
a4140959bd6b973226a647a11eb61b0167672460

SHA256
9c803a3896d545675f36b2d3799fc5beb85976d96c37f5ee39d6edceb999beaf

SHA512
94c8b41d69029223d263ae317d0ba7ca1ed046071c515efeb4a114210e7ab943fbd16abdfa30dd11500deaa90607aeb23b4178924273fbd38f05ced3c75fa295

Download Submit
C:\Windows\SysWOW64\Mnhdgpii.exe

Filesize
556KB

MD5
dbf91ad4f33d942d7934dbf8fc7a3fbf

SHA1
9add1a8253ce71c539efa3d87884722094d60d6d

SHA256
913d01813691710125946b24c75758aa193323983f595f8fee7abf91d3ed18ec

SHA512
c3e7d619f20998e17e06ac7aec9fdeff60991278c30046805a152a4367a2ea4cdb7e1b84b53e3dfa3089e93c3ecf41713be3ee574af774e017a46908ad08a64a

Download Submit
C:\Windows\SysWOW64\Mqkiok32.exe

Filesize
556KB

MD5
bf39b6abf053f95385ea892682382038

SHA1
fa850f9ad63576c8997d4cc4c8d6e85978d179ef

SHA256
a4f07ccfeb5d6a92983ae3eba45a9fea34f11e289969ef733551857baf564276

SHA512
4e6d388aa1baf54e1407a3d88d9ed5e08e8ed649af2d148bb88ccf386445406f1eadcf0de4a0c126f2da7acf01d445422bc1617aac3ecac71d4c99ad0c75e1be

Download Submit
C:\Windows\SysWOW64\Oakbehfe.exe

Filesize
556KB

MD5
fadc1780782c7f6361cdcd9581bdd77b

SHA1
4ef0cd97d3a64aa9cb46456f99fb30c48b3f3193

SHA256
1c358aba5d822390af879be2d52fc3e0a56eef5b61aea23fed21ebbe3edef0df

SHA512
bd54997e082004b6ed703776d93bc59e006f61a04ce6d1ebe5ef959482e89573c9e75948a685204a9a302a7d8872a4dd5634fdcbef15828d0297efbecc4de48b

Download Submit
C:\Windows\SysWOW64\Oanokhdb.exe

Filesize
556KB

MD5
776b5db26e50481f7b32b64c1cb7a692

SHA1
41ce11422c968ce9c66715bdff26a99d99284051

SHA256
af956a6aaa6929dccf03d49e5534fb0d31c79fc32c6c67c7d4de58d61ddd4e68

SHA512
ba538af4e2d37da6ad3f5f45517828f4d8e2209f44b34e87204b0fa33714a34fefeeb4457f8a87260c51507009219cc4349303bb6c8397030fe0589a9f128dce

Download Submit
C:\Windows\SysWOW64\Ondljl32.exe

Filesize
556KB

MD5
6989a851e7bf93aae4881a247e9788b0

SHA1
aade41d915f60e07d089dff9a3e5d0c65f855066

SHA256
d41350dadf71b3b9f3795f27c2128958a23978e9ec6cd2d1c2fac771f07be5e9

SHA512
2b5daabc6d110385bbd6ec0eff89adad3845b68fb1adc474088b3ad5cfce51cf553481b4203a181c56e4494668e531565b6145f26f9cccc6251b0d5474cca3ef

Download Submit
C:\Windows\SysWOW64\Pahilmoc.exe

Filesize
556KB

MD5
0e01d766fa8553e9fba0c9b0350eef9d

SHA1
f26ef682f2d1c981958b10f77d9badbb424b13a0

SHA256
02aad28a9d902012d726ae47af30cae6a678265318b11016b257bed7fe5d9906

SHA512
a9d7ad013e4f4d5589934b9c67c402b822b9ededbd1d37f254d1574c832ee6298f2c258583c250260718e600b03a386d14acee5a81cd6aadb747161ddd029958

Download Submit
C:\Windows\SysWOW64\Paoollik.exe

Filesize
556KB

MD5
be06653299131313c0937d2b80834477

SHA1
c165057671d11eded235e15f38409800c69fce6d

SHA256
dc576bcde323ab98e7b3b5c1e0a7daea56ccb12633ace3ee0cf8588248c2b78d

SHA512
041183b9aa5c0a5bccc47048d5ff02d7e5a0abab0c84137f8fe6a9eae0b10b0e4eef9e2d35390e6c18324be97f299114cd8b3a2fc7890e599c0d2cf454e4686d

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
556KB

MD5
7414690917f9256764b844f975f0a8ae

SHA1
10c208aa036a18dc8524261338e323ac07292c9e

SHA256
9d44f1810f6c0f006bebd386ad375d63ef5b0a51d775eb7cad07b175019b59af

SHA512
5ab8e79dea8025085a3598ab41f0ef2b9a2857436bebdd5da60625c91e4233e67f1bd4508c570c1ed4bee31e5638997a8b82add378547e8ba8e1ad5ffb61edee

Download Submit
C:\Windows\SysWOW64\Pkbjjbda.exe

Filesize
556KB

MD5
c205d8e6e1c86c7226550f53a145f494

SHA1
5ca09d8fb6b7c311b479d6c1e0177cbe257297ef

SHA256
b37eacd7621e1e030cc8640e390fe470dbfcbd82647626f3280b08a247f8272e

SHA512
5d4d10eecfa55d1f3ff07cd444fa955b6fab12b475875d33b1c1c8e107b4d33eb633d5f61cfedb5b4002a4158e17e87546c99dbf852478613f9e0211cf650230

Download Submit
C:\Windows\SysWOW64\Pknqoc32.exe

Filesize
556KB

MD5
c6ff08d60ba55886df9ac907510cacdc

SHA1
d2a6460ce36e37ee0404410c57e839cad40e36f1

SHA256
98783736d902a219675c8dcd4bdde6705fee39f9c9c52e30ca164d2521fdb60f

SHA512
e01ea371264330383aefdbc26b7dbb666df974e2bb6d73675e791709af860939d740189315c111a1a808018539da40fc51db6239d09df05f8b9552ddaefebb49

Download Submit
C:\Windows\SysWOW64\Plbfdekd.exe

Filesize
556KB

MD5
f9a534d45be8a0cce04200ce82527724

SHA1
e14c067e6c5d4edb2e65d0773383e769b4ba778a

SHA256
a8981c83e01b6bddd5cbde5ab0d6367e0ed90d4104d30d51a417d258c8bff659

SHA512
681684657de89f9cfe8da70b0327d28d5eae09d80a95276da2d7a7dd1fabf536775f1a5efb16107bb43556f67d26a22b7320fc6551f9dc4d5119cf37fdfc2a59

Download Submit
C:\Windows\SysWOW64\Pmcclm32.exe

Filesize
556KB

MD5
802f081cf0a7781838ca5e2c70076bd4

SHA1
a12d28a9f1d48285ba4e6c8a79c574dfa57212f0

SHA256
72a83d30a9d434448c03bfb3975ab7759da2c7063842cc9a2286f66c894178d9

SHA512
8a92655776c16021a47c2f3f0695647e8730195d4102aa361d1a12f1d69c91e19efe62c78c544516165deeb979099e76a125aaf642de9d700d491869ca22c53b

Download Submit
C:\Windows\SysWOW64\Pmiikh32.exe

Filesize
556KB

MD5
bd28e12afdafc4c4de2f9e1191dd7f59

SHA1
7d54c96888ded3763197b77d0b91a27057396caa

SHA256
fabeb8cce5a754d59fe5948a6100c2535bf204d472b74fe45304584c6fcd7fbc

SHA512
7ebd0c5516004070e7c06d140d0c56f4ea21ec80c8804b5a3bb7e02c325127e46e0bab9514dd1ebb36864f237434161977752d449460579c08b99a8be8dde681

Download Submit
C:\Windows\SysWOW64\Qlimed32.exe

Filesize
556KB

MD5
cac6d7ee52a469587959191a0b9a5e60

SHA1
856c857f72986ebbfaceaa55a077f17448a2323f

SHA256
66c3dfab61ebb3c50e0ad1beaf2bb6abf338f6ec3bf5804005a130b28ef2a855

SHA512
9ae88b37aa237ea3d0a85c57e26cc3650363ef112cdade5d4d505868f01cdf3385eadf5df56fd543aa929ff3af35bb02772be2778496399cc2536d84953e9a55

Download Submit
memory/216-438-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/448-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/660-440-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/672-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/788-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/848-634-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/852-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1000-591-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1048-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1188-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1232-446-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1292-581-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1436-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1608-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1708-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1964-512-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1996-449-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2012-447-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2104-432-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2128-568-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2244-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2284-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2352-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2504-441-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2540-456-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2548-429-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2692-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2788-467-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-444-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2944-450-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3084-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3220-562-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3284-518-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3304-453-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3312-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3496-458-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3516-108-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3660-451-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3680-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3692-470-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3740-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3868-445-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4072-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4088-464-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4132-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4364-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4368-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4428-465-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-506-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4516-439-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4592-474-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4596-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4600-455-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4696-471-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4888-469-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4964-434-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4976-452-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5100-457-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5136-475-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5156-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5172-476-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5204-477-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5244-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5268-537-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5284-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5320-480-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5344-543-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5352-481-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5392-482-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5420-549-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5428-483-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5468-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5504-485-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5536-486-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5544-561-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5576-487-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5612-488-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5648-489-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5656-569-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5684-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5720-491-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5744-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5752-492-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5788-493-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5828-494-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5900-605-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5904-495-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5984-614-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6004-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6020-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6040-604-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6064-617-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6108-628-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads