c2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1

Analysis

max time kernel
343s
max time network
332s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exe
Size

50KB
MD5

2ead60e5e118c5cc2a460dcd0c163150
SHA1

a589a282a123506d9d3709c9490db2aca6ec4e98
SHA256

c2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1
SHA512

53c671646f8e2e469009e66867828472764787a42f20f017b50834e6e45f27ddb9a60601a7bc8030511672ffa6ffd717df634f6e2bcbfca0ffaa8268fd65442c
SSDEEP

768:WBRP29o4N7kB4aVBTLdNoK1R3Rjw4yL71i+G0Z13apopqTslDUXNiB6/gNGy0eFO:LE48aoRhjw3LRiYKpNQOXNiBhNT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Ncjdeooo.exeEaekgjjn.exeNcmajo32.exeNlefcddl.exeOofoeo32.exeDgndbq32.exeHlnjeqpd.exeNkeiia32.exeOfpgaihj.exeLhbkkipn.exeDjmpnlle.exeNkapnbqo.exeNchhooaa.exeNhgmmfnf.exeOdpjhfag.exec2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exeObfhgj32.exeQbimch32.exeNffdkkqe.exeEeggopkn.exeGlkdicpi.exeNlplhe32.exeOconpn32.exeCimcdidb.exeLomooj32.exeAfhokgme.exeAnbklj32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncjdeooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaekgjjn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmajo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlefcddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oofoeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgndbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgndbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlnjeqpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkeiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofpgaihj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhbkkipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djmpnlle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkapnbqo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmpnlle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nchhooaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhgmmfnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odpjhfag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nchhooaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofpgaihj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbimch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhbkkipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkeiia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oofoeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nffdkkqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odpjhfag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eeggopkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glkdicpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlefcddl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbimch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmajo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlplhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlplhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjdeooo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oconpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cimcdidb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glkdicpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nffdkkqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomooj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhokgme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cimcdidb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oconpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obfhgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkapnbqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhgmmfnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lomooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhokgme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaekgjjn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeggopkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlnjeqpd.exe

Executes dropped EXE 27 IoCs

Processes:

Lhbkkipn.exeNkapnbqo.exeNchhooaa.exeNffdkkqe.exeNlplhe32.exeNcjdeooo.exeNhgmmfnf.exeNkeiia32.exeNcmajo32.exeNlefcddl.exeOconpn32.exeOdpjhfag.exeOofoeo32.exeOfpgaihj.exeObfhgj32.exeQbimch32.exeEeggopkn.exeLomooj32.exeAnbklj32.exeAfhokgme.exeEaekgjjn.exeCimcdidb.exeDgndbq32.exeDjmpnlle.exeGlkdicpi.exeHlnjeqpd.exeAfhdgh32.exe

pid	process
4948	Lhbkkipn.exe
3916	Nkapnbqo.exe
4508	Nchhooaa.exe
3992	Nffdkkqe.exe
5072	Nlplhe32.exe
4168	Ncjdeooo.exe
4412	Nhgmmfnf.exe
4556	Nkeiia32.exe
60	Ncmajo32.exe
1004	Nlefcddl.exe
1800	Oconpn32.exe
1828	Odpjhfag.exe
2184	Oofoeo32.exe
3620	Ofpgaihj.exe
4844	Obfhgj32.exe
3644	Qbimch32.exe
4304	Eeggopkn.exe
4956	Lomooj32.exe
1136	Anbklj32.exe
3536	Afhokgme.exe
4660	Eaekgjjn.exe
2368	Cimcdidb.exe
4688	Dgndbq32.exe
4396	Djmpnlle.exe
4668	Glkdicpi.exe
3252	Hlnjeqpd.exe
4292	Afhdgh32.exe

Drops file in System32 directory 64 IoCs

Processes:

Nhgmmfnf.exeObfhgj32.exeHlnjeqpd.exeNkapnbqo.exeNffdkkqe.exeNlplhe32.exeOconpn32.exeOfpgaihj.exeQbimch32.exeAnbklj32.exeDgndbq32.exeLhbkkipn.exeNkeiia32.exeDjmpnlle.exeNcjdeooo.exeNcmajo32.exeEeggopkn.exeEaekgjjn.exeAfhdgh32.exeNchhooaa.exeOdpjhfag.exeAfhokgme.exec2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exeLomooj32.exeNlefcddl.exeCimcdidb.exeGlkdicpi.exeOofoeo32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Dbkhph32.dll	Nhgmmfnf.exe
File opened for modification	C:\Windows\SysWOW64\Qbimch32.exe	Obfhgj32.exe
File opened for modification	C:\Windows\SysWOW64\Afhdgh32.exe	Hlnjeqpd.exe
File created	C:\Windows\SysWOW64\Nchhooaa.exe	Nkapnbqo.exe
File created	C:\Windows\SysWOW64\Nlplhe32.exe	Nffdkkqe.exe
File created	C:\Windows\SysWOW64\Ncjdeooo.exe	Nlplhe32.exe
File created	C:\Windows\SysWOW64\Ndbpgg32.dll	Oconpn32.exe
File created	C:\Windows\SysWOW64\Obfhgj32.exe	Ofpgaihj.exe
File created	C:\Windows\SysWOW64\Eeggopkn.exe	Qbimch32.exe
File created	C:\Windows\SysWOW64\Afhokgme.exe	Anbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Djmpnlle.exe	Dgndbq32.exe
File created	C:\Windows\SysWOW64\Abddepbk.dll	Lhbkkipn.exe
File created	C:\Windows\SysWOW64\Nfncofih.dll	Nffdkkqe.exe
File opened for modification	C:\Windows\SysWOW64\Ncmajo32.exe	Nkeiia32.exe
File opened for modification	C:\Windows\SysWOW64\Glkdicpi.exe	Djmpnlle.exe
File opened for modification	C:\Windows\SysWOW64\Nhgmmfnf.exe	Ncjdeooo.exe
File created	C:\Windows\SysWOW64\Laannbam.dll	Ncmajo32.exe
File created	C:\Windows\SysWOW64\Djmpnlle.exe	Dgndbq32.exe
File created	C:\Windows\SysWOW64\Lomooj32.exe	Eeggopkn.exe
File opened for modification	C:\Windows\SysWOW64\Afhokgme.exe	Anbklj32.exe
File created	C:\Windows\SysWOW64\Cimcdidb.exe	Eaekgjjn.exe
File created	C:\Windows\SysWOW64\Bckpcnjd.exe	Afhdgh32.exe
File created	C:\Windows\SysWOW64\Nffdkkqe.exe	Nchhooaa.exe
File created	C:\Windows\SysWOW64\Ncmajo32.exe	Nkeiia32.exe
File created	C:\Windows\SysWOW64\Cnqodkkb.dll	Obfhgj32.exe
File opened for modification	C:\Windows\SysWOW64\Oofoeo32.exe	Odpjhfag.exe
File created	C:\Windows\SysWOW64\Eojmki32.dll	Odpjhfag.exe
File created	C:\Windows\SysWOW64\Fopionfo.dll	Afhokgme.exe
File created	C:\Windows\SysWOW64\Pfngeecn.dll	Eaekgjjn.exe
File created	C:\Windows\SysWOW64\Hjbafgha.dll	Dgndbq32.exe
File opened for modification	C:\Windows\SysWOW64\Lhbkkipn.exe	c2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exe
File opened for modification	C:\Windows\SysWOW64\Nkeiia32.exe	Nhgmmfnf.exe
File created	C:\Windows\SysWOW64\Odpjhfag.exe	Oconpn32.exe
File created	C:\Windows\SysWOW64\Nlefcddl.exe	Ncmajo32.exe
File opened for modification	C:\Windows\SysWOW64\Nkapnbqo.exe	Lhbkkipn.exe
File created	C:\Windows\SysWOW64\Lfhadgdo.dll	Nchhooaa.exe
File opened for modification	C:\Windows\SysWOW64\Eeggopkn.exe	Qbimch32.exe
File created	C:\Windows\SysWOW64\Ekiphn32.dll	Qbimch32.exe
File opened for modification	C:\Windows\SysWOW64\Lomooj32.exe	Eeggopkn.exe
File created	C:\Windows\SysWOW64\Anbklj32.exe	Lomooj32.exe
File opened for modification	C:\Windows\SysWOW64\Anbklj32.exe	Lomooj32.exe
File created	C:\Windows\SysWOW64\Bmgidpdo.dll	Lomooj32.exe
File opened for modification	C:\Windows\SysWOW64\Oconpn32.exe	Nlefcddl.exe
File created	C:\Windows\SysWOW64\Oofoeo32.exe	Odpjhfag.exe
File opened for modification	C:\Windows\SysWOW64\Obfhgj32.exe	Ofpgaihj.exe
File created	C:\Windows\SysWOW64\Dgndbq32.exe	Cimcdidb.exe
File created	C:\Windows\SysWOW64\Ieeimi32.dll	Anbklj32.exe
File created	C:\Windows\SysWOW64\Ialeehof.dll	Nkapnbqo.exe
File opened for modification	C:\Windows\SysWOW64\Nlplhe32.exe	Nffdkkqe.exe
File opened for modification	C:\Windows\SysWOW64\Ncjdeooo.exe	Nlplhe32.exe
File created	C:\Windows\SysWOW64\Eaekgjjn.exe	Afhokgme.exe
File created	C:\Windows\SysWOW64\Oconpn32.exe	Nlefcddl.exe
File opened for modification	C:\Windows\SysWOW64\Odpjhfag.exe	Oconpn32.exe
File created	C:\Windows\SysWOW64\Qbimch32.exe	Obfhgj32.exe
File created	C:\Windows\SysWOW64\Aoaafi32.dll	Ofpgaihj.exe
File opened for modification	C:\Windows\SysWOW64\Cimcdidb.exe	Eaekgjjn.exe
File created	C:\Windows\SysWOW64\Mhjhgfae.dll	Djmpnlle.exe
File opened for modification	C:\Windows\SysWOW64\Hlnjeqpd.exe	Glkdicpi.exe
File opened for modification	C:\Windows\SysWOW64\Nchhooaa.exe	Nkapnbqo.exe
File opened for modification	C:\Windows\SysWOW64\Nffdkkqe.exe	Nchhooaa.exe
File created	C:\Windows\SysWOW64\Dddehmba.dll	Nlefcddl.exe
File created	C:\Windows\SysWOW64\Kopapn32.dll	Oofoeo32.exe
File created	C:\Windows\SysWOW64\Gffdbo32.dll	Cimcdidb.exe
File created	C:\Windows\SysWOW64\Mcbjlflk.dll	Nlplhe32.exe

Modifies registry class 64 IoCs

Processes:

Anbklj32.exeDgndbq32.exeLhbkkipn.exeNchhooaa.exeNcjdeooo.exeOfpgaihj.exeObfhgj32.exeGlkdicpi.exeNlplhe32.exeEeggopkn.exeLomooj32.exeEaekgjjn.exec2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exeOconpn32.exeQbimch32.exeNhgmmfnf.exeNkeiia32.exeOofoeo32.exeCimcdidb.exeDjmpnlle.exeNcmajo32.exeHlnjeqpd.exeNffdkkqe.exeNkapnbqo.exeNlefcddl.exeOdpjhfag.exeAfhokgme.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgndbq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhbkkipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhadgdo.dll"	Nchhooaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncjdeooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofpgaihj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghed32.dll"	Glkdicpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlplhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbjlflk.dll"	Nlplhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eeggopkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgidpdo.dll"	Lomooj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eaekgjjn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhbkkipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oconpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoaafi32.dll"	Ofpgaihj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiphn32.dll"	Qbimch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfngeecn.dll"	Eaekgjjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbafgha.dll"	Dgndbq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glkdicpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nchhooaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhgmmfnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkeiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oofoeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eaekgjjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cimcdidb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djmpnlle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcfcbib.dll"	Ncjdeooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laannbam.dll"	Ncmajo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oconpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbimch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lomooj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cimcdidb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhjhgfae.dll"	Djmpnlle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glkdicpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlnjeqpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nchhooaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfncofih.dll"	Nffdkkqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkeiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncmajo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofpgaihj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkapnbqo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlefcddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlefcddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ialeehof.dll"	Nkapnbqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhgmmfnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odpjhfag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdbo32.dll"	Cimcdidb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djmpnlle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abddepbk.dll"	Lhbkkipn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odpjhfag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieeimi32.dll"	Anbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhokgme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhokgme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjhbepa.dll"	Hlnjeqpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nffdkkqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nffdkkqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eeggopkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lomooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anbklj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exeLhbkkipn.exeNkapnbqo.exeNchhooaa.exeNffdkkqe.exeNlplhe32.exeNcjdeooo.exeNhgmmfnf.exeNkeiia32.exeNcmajo32.exeNlefcddl.exeOconpn32.exeOdpjhfag.exeOofoeo32.exeOfpgaihj.exeObfhgj32.exeQbimch32.exeEeggopkn.exeLomooj32.exeAnbklj32.exeAfhokgme.exeEaekgjjn.exe

description	pid	process	target process
PID 4452 wrote to memory of 4948	4452	c2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exe	Lhbkkipn.exe
PID 4452 wrote to memory of 4948	4452	c2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exe	Lhbkkipn.exe
PID 4452 wrote to memory of 4948	4452	c2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exe	Lhbkkipn.exe
PID 4948 wrote to memory of 3916	4948	Lhbkkipn.exe	Nkapnbqo.exe
PID 4948 wrote to memory of 3916	4948	Lhbkkipn.exe	Nkapnbqo.exe
PID 4948 wrote to memory of 3916	4948	Lhbkkipn.exe	Nkapnbqo.exe
PID 3916 wrote to memory of 4508	3916	Nkapnbqo.exe	Nchhooaa.exe
PID 3916 wrote to memory of 4508	3916	Nkapnbqo.exe	Nchhooaa.exe
PID 3916 wrote to memory of 4508	3916	Nkapnbqo.exe	Nchhooaa.exe
PID 4508 wrote to memory of 3992	4508	Nchhooaa.exe	Nffdkkqe.exe
PID 4508 wrote to memory of 3992	4508	Nchhooaa.exe	Nffdkkqe.exe
PID 4508 wrote to memory of 3992	4508	Nchhooaa.exe	Nffdkkqe.exe
PID 3992 wrote to memory of 5072	3992	Nffdkkqe.exe	Nlplhe32.exe
PID 3992 wrote to memory of 5072	3992	Nffdkkqe.exe	Nlplhe32.exe
PID 3992 wrote to memory of 5072	3992	Nffdkkqe.exe	Nlplhe32.exe
PID 5072 wrote to memory of 4168	5072	Nlplhe32.exe	Ncjdeooo.exe
PID 5072 wrote to memory of 4168	5072	Nlplhe32.exe	Ncjdeooo.exe
PID 5072 wrote to memory of 4168	5072	Nlplhe32.exe	Ncjdeooo.exe
PID 4168 wrote to memory of 4412	4168	Ncjdeooo.exe	Nhgmmfnf.exe
PID 4168 wrote to memory of 4412	4168	Ncjdeooo.exe	Nhgmmfnf.exe
PID 4168 wrote to memory of 4412	4168	Ncjdeooo.exe	Nhgmmfnf.exe
PID 4412 wrote to memory of 4556	4412	Nhgmmfnf.exe	Nkeiia32.exe
PID 4412 wrote to memory of 4556	4412	Nhgmmfnf.exe	Nkeiia32.exe
PID 4412 wrote to memory of 4556	4412	Nhgmmfnf.exe	Nkeiia32.exe
PID 4556 wrote to memory of 60	4556	Nkeiia32.exe	Ncmajo32.exe
PID 4556 wrote to memory of 60	4556	Nkeiia32.exe	Ncmajo32.exe
PID 4556 wrote to memory of 60	4556	Nkeiia32.exe	Ncmajo32.exe
PID 60 wrote to memory of 1004	60	Ncmajo32.exe	Nlefcddl.exe
PID 60 wrote to memory of 1004	60	Ncmajo32.exe	Nlefcddl.exe
PID 60 wrote to memory of 1004	60	Ncmajo32.exe	Nlefcddl.exe
PID 1004 wrote to memory of 1800	1004	Nlefcddl.exe	Oconpn32.exe
PID 1004 wrote to memory of 1800	1004	Nlefcddl.exe	Oconpn32.exe
PID 1004 wrote to memory of 1800	1004	Nlefcddl.exe	Oconpn32.exe
PID 1800 wrote to memory of 1828	1800	Oconpn32.exe	Odpjhfag.exe
PID 1800 wrote to memory of 1828	1800	Oconpn32.exe	Odpjhfag.exe
PID 1800 wrote to memory of 1828	1800	Oconpn32.exe	Odpjhfag.exe
PID 1828 wrote to memory of 2184	1828	Odpjhfag.exe	Oofoeo32.exe
PID 1828 wrote to memory of 2184	1828	Odpjhfag.exe	Oofoeo32.exe
PID 1828 wrote to memory of 2184	1828	Odpjhfag.exe	Oofoeo32.exe
PID 2184 wrote to memory of 3620	2184	Oofoeo32.exe	Ofpgaihj.exe
PID 2184 wrote to memory of 3620	2184	Oofoeo32.exe	Ofpgaihj.exe
PID 2184 wrote to memory of 3620	2184	Oofoeo32.exe	Ofpgaihj.exe
PID 3620 wrote to memory of 4844	3620	Ofpgaihj.exe	Obfhgj32.exe
PID 3620 wrote to memory of 4844	3620	Ofpgaihj.exe	Obfhgj32.exe
PID 3620 wrote to memory of 4844	3620	Ofpgaihj.exe	Obfhgj32.exe
PID 4844 wrote to memory of 3644	4844	Obfhgj32.exe	Qbimch32.exe
PID 4844 wrote to memory of 3644	4844	Obfhgj32.exe	Qbimch32.exe
PID 4844 wrote to memory of 3644	4844	Obfhgj32.exe	Qbimch32.exe
PID 3644 wrote to memory of 4304	3644	Qbimch32.exe	Eeggopkn.exe
PID 3644 wrote to memory of 4304	3644	Qbimch32.exe	Eeggopkn.exe
PID 3644 wrote to memory of 4304	3644	Qbimch32.exe	Eeggopkn.exe
PID 4304 wrote to memory of 4956	4304	Eeggopkn.exe	Lomooj32.exe
PID 4304 wrote to memory of 4956	4304	Eeggopkn.exe	Lomooj32.exe
PID 4304 wrote to memory of 4956	4304	Eeggopkn.exe	Lomooj32.exe
PID 4956 wrote to memory of 1136	4956	Lomooj32.exe	Anbklj32.exe
PID 4956 wrote to memory of 1136	4956	Lomooj32.exe	Anbklj32.exe
PID 4956 wrote to memory of 1136	4956	Lomooj32.exe	Anbklj32.exe
PID 1136 wrote to memory of 3536	1136	Anbklj32.exe	Afhokgme.exe
PID 1136 wrote to memory of 3536	1136	Anbklj32.exe	Afhokgme.exe
PID 1136 wrote to memory of 3536	1136	Anbklj32.exe	Afhokgme.exe
PID 3536 wrote to memory of 4660	3536	Afhokgme.exe	Eaekgjjn.exe
PID 3536 wrote to memory of 4660	3536	Afhokgme.exe	Eaekgjjn.exe
PID 3536 wrote to memory of 4660	3536	Afhokgme.exe	Eaekgjjn.exe
PID 4660 wrote to memory of 2368	4660	Eaekgjjn.exe	Cimcdidb.exe

C:\Users\Admin\AppData\Local\Temp\c2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exe
"C:\Users\Admin\AppData\Local\Temp\c2ffd9805a89659e13de9191b33d2dbae294c664750cd20534507adf40ce9ba1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\SysWOW64\Lhbkkipn.exe
  C:\Windows\system32\Lhbkkipn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\SysWOW64\Nkapnbqo.exe
    C:\Windows\system32\Nkapnbqo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\SysWOW64\Nchhooaa.exe
      C:\Windows\system32\Nchhooaa.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4508
    - - C:\Windows\SysWOW64\Nffdkkqe.exe
        
        C:\Windows\system32\Nffdkkqe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
      - C:\Windows\SysWOW64\Nlplhe32.exe
        
        C:\Windows\system32\Nlplhe32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Ncjdeooo.exe
        
        C:\Windows\system32\Ncjdeooo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Nhgmmfnf.exe
        
        C:\Windows\system32\Nhgmmfnf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Nkeiia32.exe
        
        C:\Windows\system32\Nkeiia32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Ncmajo32.exe
        
        C:\Windows\system32\Ncmajo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Nlefcddl.exe
        
        C:\Windows\system32\Nlefcddl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Oconpn32.exe
        
        C:\Windows\system32\Oconpn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Odpjhfag.exe
        
        C:\Windows\system32\Odpjhfag.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Oofoeo32.exe
        
        C:\Windows\system32\Oofoeo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Ofpgaihj.exe
        
        C:\Windows\system32\Ofpgaihj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Obfhgj32.exe
        
        C:\Windows\system32\Obfhgj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Qbimch32.exe
        
        C:\Windows\system32\Qbimch32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Eeggopkn.exe
        
        C:\Windows\system32\Eeggopkn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Lomooj32.exe
        
        C:\Windows\system32\Lomooj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Anbklj32.exe
        
        C:\Windows\system32\Anbklj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Afhokgme.exe
        
        C:\Windows\system32\Afhokgme.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Eaekgjjn.exe
        
        C:\Windows\system32\Eaekgjjn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Cimcdidb.exe
        
        C:\Windows\system32\Cimcdidb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Dgndbq32.exe
        
        C:\Windows\system32\Dgndbq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Djmpnlle.exe
        
        C:\Windows\system32\Djmpnlle.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Glkdicpi.exe
        
        C:\Windows\system32\Glkdicpi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Hlnjeqpd.exe
        
        C:\Windows\system32\Hlnjeqpd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Afhdgh32.exe
        
        C:\Windows\system32\Afhdgh32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afhdgh32.exe

Filesize
50KB

MD5
cd5ecf623220ae66bc4b1f0885dec3c5

SHA1
dcc8731399aba0cb23c848bd3cc8ace289ac585f

SHA256
7cf3764822960a79a5073653b5966561fc7e307549fd5f7cbf9cd556f3d746be

SHA512
a52f20d1decbc0ee92d3708b6256988cf724e99c6a0b75f4c4ed71c51cf1175df37c6bbdc64e401e3a9b41a0efe5ff8250f7e8dc2171f21d1a85595930017b2b

Download Submit
C:\Windows\SysWOW64\Afhdgh32.exe

Filesize
50KB

MD5
cd5ecf623220ae66bc4b1f0885dec3c5

SHA1
dcc8731399aba0cb23c848bd3cc8ace289ac585f

SHA256
7cf3764822960a79a5073653b5966561fc7e307549fd5f7cbf9cd556f3d746be

SHA512
a52f20d1decbc0ee92d3708b6256988cf724e99c6a0b75f4c4ed71c51cf1175df37c6bbdc64e401e3a9b41a0efe5ff8250f7e8dc2171f21d1a85595930017b2b

Download Submit
C:\Windows\SysWOW64\Afhokgme.exe

Filesize
50KB

MD5
423d3ff4e77d8132a6bafd6c45220c8c

SHA1
0019b66e6fdece54ae5bec1308bab5160b770c4b

SHA256
170f86c58534080b90bbe3627388b7c0086078bda1d2af16ded578de1506d3f6

SHA512
abb9bec7065f9d935fbbc3916bc1f289158a342afa929edf796f2c9f8f74cecd395b457fd833968159cee0cf687bd51f7ed6b5210b1f7849fc287284242c171c

Download Submit
C:\Windows\SysWOW64\Afhokgme.exe

Filesize
50KB

MD5
423d3ff4e77d8132a6bafd6c45220c8c

SHA1
0019b66e6fdece54ae5bec1308bab5160b770c4b

SHA256
170f86c58534080b90bbe3627388b7c0086078bda1d2af16ded578de1506d3f6

SHA512
abb9bec7065f9d935fbbc3916bc1f289158a342afa929edf796f2c9f8f74cecd395b457fd833968159cee0cf687bd51f7ed6b5210b1f7849fc287284242c171c

Download Submit
C:\Windows\SysWOW64\Anbklj32.exe

Filesize
50KB

MD5
c2a094ee6b26169d49a98fdb1f0e802d

SHA1
d70feaf37582c7831c9b6acabaf433d116ef3c6c

SHA256
4b0ae75d427bc3392262168098fdfa7b954a9a9c7b6ae0449f64e651855dd46d

SHA512
d18a6d05aaeeff6b9914a0e09c702634dd6cd80d13c6b32ad2051f25f96bb84b30f73ba6a1070a68668bbe0d7e73d3a04bd7859d52b5ec17ba0610298d06c2fd

Download Submit
C:\Windows\SysWOW64\Anbklj32.exe

Filesize
50KB

MD5
c2a094ee6b26169d49a98fdb1f0e802d

SHA1
d70feaf37582c7831c9b6acabaf433d116ef3c6c

SHA256
4b0ae75d427bc3392262168098fdfa7b954a9a9c7b6ae0449f64e651855dd46d

SHA512
d18a6d05aaeeff6b9914a0e09c702634dd6cd80d13c6b32ad2051f25f96bb84b30f73ba6a1070a68668bbe0d7e73d3a04bd7859d52b5ec17ba0610298d06c2fd

Download Submit
C:\Windows\SysWOW64\Cimcdidb.exe

Filesize
50KB

MD5
cddec381c806d22f2732e9052e8521fa

SHA1
d09094b28fe63584fc0120fddff5ecf49306a91d

SHA256
8459149020e258d10d51c30ab6791815ba04527a9ffe9e1339229f58d8abf266

SHA512
109de0408d0c1a40cbeae06fff1865ccb3d00174936ed3e32a897feb50772d51627a6afcf410c0572f3def1d54048f4c25f5cb0fdf7934df058c7214f6e52311

Download Submit
C:\Windows\SysWOW64\Cimcdidb.exe

Filesize
50KB

MD5
cddec381c806d22f2732e9052e8521fa

SHA1
d09094b28fe63584fc0120fddff5ecf49306a91d

SHA256
8459149020e258d10d51c30ab6791815ba04527a9ffe9e1339229f58d8abf266

SHA512
109de0408d0c1a40cbeae06fff1865ccb3d00174936ed3e32a897feb50772d51627a6afcf410c0572f3def1d54048f4c25f5cb0fdf7934df058c7214f6e52311

Download Submit
C:\Windows\SysWOW64\Dgndbq32.exe

Filesize
50KB

MD5
17f3b34da544f44787c7d530820d5cf0

SHA1
0cb246e418a3f1a5a78191ac1341185ac41b2bbc

SHA256
092b215b9a32c25b6746168dc4598f52e4022faf7c38dd1ef43206c95db476ed

SHA512
d69e3f449e8842a6d7f854c59817c0744b0d6be4c5ae87a35d9d5eec5d9e34fcf1946d8dd742e654f20fd2b6212c97d3248c4db737a5858ad6b22eb8ae1c0dbe

Download Submit
C:\Windows\SysWOW64\Dgndbq32.exe

Filesize
50KB

MD5
17f3b34da544f44787c7d530820d5cf0

SHA1
0cb246e418a3f1a5a78191ac1341185ac41b2bbc

SHA256
092b215b9a32c25b6746168dc4598f52e4022faf7c38dd1ef43206c95db476ed

SHA512
d69e3f449e8842a6d7f854c59817c0744b0d6be4c5ae87a35d9d5eec5d9e34fcf1946d8dd742e654f20fd2b6212c97d3248c4db737a5858ad6b22eb8ae1c0dbe

Download Submit
C:\Windows\SysWOW64\Djmpnlle.exe

Filesize
50KB

MD5
2b16822ca7dc4dbefd0c94db04c4ad0b

SHA1
8bf882416bfd1a7f530fe55cb78a77a1eef0c8c4

SHA256
063b3924292fb61efe6084bceff9dc0c54094b46b71118abeb815e4b7015143f

SHA512
1efc3952f9d84bb30f95b6ea7d1db73ae5d65b73be4dd8356dfe66775cbee1a4d192eb450ce8bed721f2fefeda464d302770e3f9eee60c78cdd47679656806ff

Download Submit
C:\Windows\SysWOW64\Djmpnlle.exe

Filesize
50KB

MD5
2b16822ca7dc4dbefd0c94db04c4ad0b

SHA1
8bf882416bfd1a7f530fe55cb78a77a1eef0c8c4

SHA256
063b3924292fb61efe6084bceff9dc0c54094b46b71118abeb815e4b7015143f

SHA512
1efc3952f9d84bb30f95b6ea7d1db73ae5d65b73be4dd8356dfe66775cbee1a4d192eb450ce8bed721f2fefeda464d302770e3f9eee60c78cdd47679656806ff

Download Submit
C:\Windows\SysWOW64\Eaekgjjn.exe

Filesize
50KB

MD5
3428e3fbd550c91b5a5dbb5dbd97f3b2

SHA1
94ddc3d3cefcd33762c29a81b45b30a023a35da9

SHA256
00a31c9ca57c75b6d2da91c174cb4c894507de5535c4761746f848c7120334b7

SHA512
9a1980ad63d5dc2dea5a420777d86c0fad5ad5d22fe97e1d70f82f99fe0a9d38940dfebb22cab0c8f42e2bcac0cf440ef9540b69982e6564fe30dc3248820585

Download Submit
C:\Windows\SysWOW64\Eaekgjjn.exe

Filesize
50KB

MD5
3428e3fbd550c91b5a5dbb5dbd97f3b2

SHA1
94ddc3d3cefcd33762c29a81b45b30a023a35da9

SHA256
00a31c9ca57c75b6d2da91c174cb4c894507de5535c4761746f848c7120334b7

SHA512
9a1980ad63d5dc2dea5a420777d86c0fad5ad5d22fe97e1d70f82f99fe0a9d38940dfebb22cab0c8f42e2bcac0cf440ef9540b69982e6564fe30dc3248820585

Download Submit
C:\Windows\SysWOW64\Eeggopkn.exe

Filesize
50KB

MD5
de8c27978f48bf479d834654f7dca004

SHA1
ac556143829d4475502ccb8e1b8ca3996e968ad5

SHA256
9e9f0faedb43aa2b182c9d5c1545f9b6301dab8099dece824dd0940f60e5c72c

SHA512
7670b36107b0d74608caddc087fcc7b36de0dbd94eecb16c4d6b06e5cb6841239b5c616d059f909a91297f70027cfb7f4e28d8cda1227af36e9fa3745e51f8a1

Download Submit
C:\Windows\SysWOW64\Eeggopkn.exe

Filesize
50KB

MD5
de8c27978f48bf479d834654f7dca004

SHA1
ac556143829d4475502ccb8e1b8ca3996e968ad5

SHA256
9e9f0faedb43aa2b182c9d5c1545f9b6301dab8099dece824dd0940f60e5c72c

SHA512
7670b36107b0d74608caddc087fcc7b36de0dbd94eecb16c4d6b06e5cb6841239b5c616d059f909a91297f70027cfb7f4e28d8cda1227af36e9fa3745e51f8a1

Download Submit
C:\Windows\SysWOW64\Glkdicpi.exe

Filesize
50KB

MD5
8237aba39be34b2e765ef392518d9575

SHA1
2b7161a8ac6a2c6fffb4563e57e0a58220fa4256

SHA256
97106c936237ee4e8a3060b5575fc88967b2c8330f01422d7bc8d4de89db01d8

SHA512
4091ab3898bd60035b9e2d14217784f32d10be66887b1ac740152dc3c1022a481915943b2b525ee1bf3f5a5411f16ae3f8392d8c3cd6a26a770572a9991c7564

Download Submit
C:\Windows\SysWOW64\Glkdicpi.exe

Filesize
50KB

MD5
8237aba39be34b2e765ef392518d9575

SHA1
2b7161a8ac6a2c6fffb4563e57e0a58220fa4256

SHA256
97106c936237ee4e8a3060b5575fc88967b2c8330f01422d7bc8d4de89db01d8

SHA512
4091ab3898bd60035b9e2d14217784f32d10be66887b1ac740152dc3c1022a481915943b2b525ee1bf3f5a5411f16ae3f8392d8c3cd6a26a770572a9991c7564

Download Submit
C:\Windows\SysWOW64\Hlnjeqpd.exe

Filesize
50KB

MD5
0a8fdced890ddc95163f6a9a3ed9fe2c

SHA1
b428347778448d87666d69d358e1cfdc67c1aea5

SHA256
567fa78792a82b3f713ca80178ec3f6da4af5f2ff9c9ff9ca9d601fb3c092a41

SHA512
94e4f3626f501cb55a68d6a525381c0079d6c21a4aae2beea08a526bd25c78a8951d914331157b7309225a8b7ddcb3bb663da04ee391e7a8cd4973ad2e97d62e

Download Submit
C:\Windows\SysWOW64\Hlnjeqpd.exe

Filesize
50KB

MD5
0a8fdced890ddc95163f6a9a3ed9fe2c

SHA1
b428347778448d87666d69d358e1cfdc67c1aea5

SHA256
567fa78792a82b3f713ca80178ec3f6da4af5f2ff9c9ff9ca9d601fb3c092a41

SHA512
94e4f3626f501cb55a68d6a525381c0079d6c21a4aae2beea08a526bd25c78a8951d914331157b7309225a8b7ddcb3bb663da04ee391e7a8cd4973ad2e97d62e

Download Submit
C:\Windows\SysWOW64\Lhbkkipn.exe

Filesize
50KB

MD5
593c102ab6cdb0dd0183c19ff0278f82

SHA1
880c851028c2bab4b10cab6eac26547f66883f85

SHA256
58d3b5886f6015719b5ef9768c835a1729bc37860be428f6083412786d11a297

SHA512
6248f5cdf0c61f880e39e7a9603f6b7e6d0f629fb11f5317b3536810ed821bd0d67e36ee35906e1a5f64d587fb91edb79e05d71315ba6c40815cc4bf549e9e58

Download Submit
C:\Windows\SysWOW64\Lhbkkipn.exe

Filesize
50KB

MD5
593c102ab6cdb0dd0183c19ff0278f82

SHA1
880c851028c2bab4b10cab6eac26547f66883f85

SHA256
58d3b5886f6015719b5ef9768c835a1729bc37860be428f6083412786d11a297

SHA512
6248f5cdf0c61f880e39e7a9603f6b7e6d0f629fb11f5317b3536810ed821bd0d67e36ee35906e1a5f64d587fb91edb79e05d71315ba6c40815cc4bf549e9e58

Download Submit
C:\Windows\SysWOW64\Lomooj32.exe

Filesize
50KB

MD5
5c8fc004b493630666da29ef34d4f1cd

SHA1
831a4bcfbced18015eee557623c3fa47ebed7a2d

SHA256
a946be90c0f3f7fabb0b431d66bc73faf16c6f3bd16ee8517f1c61616438b71b

SHA512
438a7332475b50c4fa38d4f629289dbd1cbdde5764b39150247bc30ad243d175ebeff8fd64e046c221ada93ea19d69cc6cbf50fe1a11c3d26e8e2a58940256e7

Download Submit
C:\Windows\SysWOW64\Lomooj32.exe

Filesize
50KB

MD5
5c8fc004b493630666da29ef34d4f1cd

SHA1
831a4bcfbced18015eee557623c3fa47ebed7a2d

SHA256
a946be90c0f3f7fabb0b431d66bc73faf16c6f3bd16ee8517f1c61616438b71b

SHA512
438a7332475b50c4fa38d4f629289dbd1cbdde5764b39150247bc30ad243d175ebeff8fd64e046c221ada93ea19d69cc6cbf50fe1a11c3d26e8e2a58940256e7

Download Submit
C:\Windows\SysWOW64\Nchhooaa.exe

Filesize
50KB

MD5
d1d49d8c2edecf6f0403d2759c6293f9

SHA1
4dfefaa5484c11fbdd40ed6cc4a16c1b19234f06

SHA256
895afcec36012752e13e07e791ba8f75d6e709457af5f9fc39d2f932913827f1

SHA512
1c4e57ef2bf18299f7f88243580649c0976ab0eb47c32096eabb16403c9283259dca9238a59f55f0d034c754f8a7f1ef7e4794369565023688024a879ce1f741

Download Submit
C:\Windows\SysWOW64\Nchhooaa.exe

Filesize
50KB

MD5
d1d49d8c2edecf6f0403d2759c6293f9

SHA1
4dfefaa5484c11fbdd40ed6cc4a16c1b19234f06

SHA256
895afcec36012752e13e07e791ba8f75d6e709457af5f9fc39d2f932913827f1

SHA512
1c4e57ef2bf18299f7f88243580649c0976ab0eb47c32096eabb16403c9283259dca9238a59f55f0d034c754f8a7f1ef7e4794369565023688024a879ce1f741

Download Submit
C:\Windows\SysWOW64\Ncjdeooo.exe

Filesize
50KB

MD5
ffb318d2b1faeef1aa9fba9a1da6f50e

SHA1
e250df8fae95a5fcd11246fc25dc76afb26650ab

SHA256
c5471b308902062fd4c565b646420c791e75e25d42753b38bf9dcf290c6abfef

SHA512
2867641156828714d743ca5f05168be7943465faa9d3a9f24e421696b44c8ac9ae6dc57785f2ae19d45e48e3b4103c1da6e8a92f4517b09f5ec4b853a989a8b3

Download Submit
C:\Windows\SysWOW64\Ncjdeooo.exe

Filesize
50KB

MD5
ffb318d2b1faeef1aa9fba9a1da6f50e

SHA1
e250df8fae95a5fcd11246fc25dc76afb26650ab

SHA256
c5471b308902062fd4c565b646420c791e75e25d42753b38bf9dcf290c6abfef

SHA512
2867641156828714d743ca5f05168be7943465faa9d3a9f24e421696b44c8ac9ae6dc57785f2ae19d45e48e3b4103c1da6e8a92f4517b09f5ec4b853a989a8b3

Download Submit
C:\Windows\SysWOW64\Ncmajo32.exe

Filesize
50KB

MD5
63be42d7de58ef19eb4ea3681fa3e5a5

SHA1
217142c29a84449b6449d6bd74761464d0a40e8e

SHA256
fb094b270bf891bab45737b0df788f05bde1f5edd62c9ae6b3d074b6606a1b1d

SHA512
dd35c55e19881171bcea4d71beffe3ff29b3d97e052ffc91178003fe2b8589e61f7d62b4a038ebf41c31433b344a07f2e1c89b12bdcc0abd5cc36a04d6b54555

Download Submit
C:\Windows\SysWOW64\Ncmajo32.exe

Filesize
50KB

MD5
63be42d7de58ef19eb4ea3681fa3e5a5

SHA1
217142c29a84449b6449d6bd74761464d0a40e8e

SHA256
fb094b270bf891bab45737b0df788f05bde1f5edd62c9ae6b3d074b6606a1b1d

SHA512
dd35c55e19881171bcea4d71beffe3ff29b3d97e052ffc91178003fe2b8589e61f7d62b4a038ebf41c31433b344a07f2e1c89b12bdcc0abd5cc36a04d6b54555

Download Submit
C:\Windows\SysWOW64\Nffdkkqe.exe

Filesize
50KB

MD5
c0c6f6bc0e47c13eca54e61ef447b16c

SHA1
71e28d8540e9a781e6f8ad9341ae797813856e0a

SHA256
f20cfeaaf11af6719e197b98e59a0edd873855fc8f60f358539efe14c7db2573

SHA512
e07e782f297494741deb9cf0045a9c7c0b78674c4e4f453315e49408fbb260def895a87db5a04fca8af9b518236219f5b417971c3a0aeef435668149d5c1b1dc

Download Submit
C:\Windows\SysWOW64\Nffdkkqe.exe

Filesize
50KB

MD5
c0c6f6bc0e47c13eca54e61ef447b16c

SHA1
71e28d8540e9a781e6f8ad9341ae797813856e0a

SHA256
f20cfeaaf11af6719e197b98e59a0edd873855fc8f60f358539efe14c7db2573

SHA512
e07e782f297494741deb9cf0045a9c7c0b78674c4e4f453315e49408fbb260def895a87db5a04fca8af9b518236219f5b417971c3a0aeef435668149d5c1b1dc

Download Submit
C:\Windows\SysWOW64\Nhgmmfnf.exe

Filesize
50KB

MD5
1cb8c805ba83ba14116cb167dcc80765

SHA1
9d225a731b58ab7d466bef8126e7746d14965c1e

SHA256
54a15601ed47bbb4cfc3774ce6751cacbc7485bc1229d1ecbf04a9d3845263a9

SHA512
e80a48f52ca50f81793260db12992806c8128cb24ff334186c946e0104a63dfa6634b7499472e94be720519639f8ff1755669fcc2f8ee3eb0e477322a2f538a6

Download Submit
C:\Windows\SysWOW64\Nhgmmfnf.exe

Filesize
50KB

MD5
1cb8c805ba83ba14116cb167dcc80765

SHA1
9d225a731b58ab7d466bef8126e7746d14965c1e

SHA256
54a15601ed47bbb4cfc3774ce6751cacbc7485bc1229d1ecbf04a9d3845263a9

SHA512
e80a48f52ca50f81793260db12992806c8128cb24ff334186c946e0104a63dfa6634b7499472e94be720519639f8ff1755669fcc2f8ee3eb0e477322a2f538a6

Download Submit
C:\Windows\SysWOW64\Nkapnbqo.exe

Filesize
50KB

MD5
28a6a88796b4d7eb3261a8642fb69aff

SHA1
45ad8b19148c53cd68f2ddc7ec7746627d6ecaa3

SHA256
5dd0186d9a558ff730c47e91eee69ada1c81d9a61f6c879371af200c1fc2f5ef

SHA512
e7ea182cff7f26bdf145fb745ff9384b952cc052a8f483d67ae7b96d12317e0362f1745b424c484f8365035291be0dec196e0ab470a78de94e7d4207df7e6cfb

Download Submit
C:\Windows\SysWOW64\Nkapnbqo.exe

Filesize
50KB

MD5
28a6a88796b4d7eb3261a8642fb69aff

SHA1
45ad8b19148c53cd68f2ddc7ec7746627d6ecaa3

SHA256
5dd0186d9a558ff730c47e91eee69ada1c81d9a61f6c879371af200c1fc2f5ef

SHA512
e7ea182cff7f26bdf145fb745ff9384b952cc052a8f483d67ae7b96d12317e0362f1745b424c484f8365035291be0dec196e0ab470a78de94e7d4207df7e6cfb

Download Submit
C:\Windows\SysWOW64\Nkeiia32.exe

Filesize
50KB

MD5
17c33e862418bcae285e10fbcdec7479

SHA1
34ba04b9a23287c61982d4dd4ca0369e2942ef41

SHA256
ca903b9d71d2215885ce996b0f948acde38cd4d8c46c7a7144f25f80e1fa3789

SHA512
cb9ab4919c635eec0cb25195e4515ccf7bf6feb20c9f46a92ebf88a3e05ebe706b6907b22912f078e9981341055b664081d9509c761191b2de18934392fa2eb1

Download Submit
C:\Windows\SysWOW64\Nkeiia32.exe

Filesize
50KB

MD5
17c33e862418bcae285e10fbcdec7479

SHA1
34ba04b9a23287c61982d4dd4ca0369e2942ef41

SHA256
ca903b9d71d2215885ce996b0f948acde38cd4d8c46c7a7144f25f80e1fa3789

SHA512
cb9ab4919c635eec0cb25195e4515ccf7bf6feb20c9f46a92ebf88a3e05ebe706b6907b22912f078e9981341055b664081d9509c761191b2de18934392fa2eb1

Download Submit
C:\Windows\SysWOW64\Nlefcddl.exe

Filesize
50KB

MD5
40ea307a0c55d327e4733f60db2a3d64

SHA1
5a4f8a514317a249d5f46b03a8785faa291c4444

SHA256
9e890c5c326a53564285e60ce00b11e870a8ea7b21abef4048605bab2f3b5c2b

SHA512
b5ed0ca84faffb44e5df5e6a7ce0c9b3e185364c9f2db078b499f1b2cc01866152500546f09d5947aa2090fc7ea82f53ea04044961ebf1b1335cdc52cd17360a

Download Submit
C:\Windows\SysWOW64\Nlefcddl.exe

Filesize
50KB

MD5
40ea307a0c55d327e4733f60db2a3d64

SHA1
5a4f8a514317a249d5f46b03a8785faa291c4444

SHA256
9e890c5c326a53564285e60ce00b11e870a8ea7b21abef4048605bab2f3b5c2b

SHA512
b5ed0ca84faffb44e5df5e6a7ce0c9b3e185364c9f2db078b499f1b2cc01866152500546f09d5947aa2090fc7ea82f53ea04044961ebf1b1335cdc52cd17360a

Download Submit
C:\Windows\SysWOW64\Nlplhe32.exe

Filesize
50KB

MD5
bb6accf6d278c818ab4ca8185ff7ac02

SHA1
c07e2bb34eb8397151b299f80367a20fc5207b4d

SHA256
6fa4e8f216a4c04669ee5d11fee24fe3d71e4227c47ecff228829b04e71b6f02

SHA512
95ee86ea2d8693c9501c031d30d8e11e9c6ff8425ee9ced25f7a0db2fd34af465182afb4995cda8a539c9b237645ee14c86e5c466314e311f3286981fa042314

Download Submit
C:\Windows\SysWOW64\Nlplhe32.exe

Filesize
50KB

MD5
bb6accf6d278c818ab4ca8185ff7ac02

SHA1
c07e2bb34eb8397151b299f80367a20fc5207b4d

SHA256
6fa4e8f216a4c04669ee5d11fee24fe3d71e4227c47ecff228829b04e71b6f02

SHA512
95ee86ea2d8693c9501c031d30d8e11e9c6ff8425ee9ced25f7a0db2fd34af465182afb4995cda8a539c9b237645ee14c86e5c466314e311f3286981fa042314

Download Submit
C:\Windows\SysWOW64\Obfhgj32.exe

Filesize
50KB

MD5
2ccb5d5469fb851cdc974ffd38329231

SHA1
b64d4286a29beb3a90f6c2d3044141da0fe99e0d

SHA256
aaa0873bd4f58d0e4bb44db137345b69b08c6c0efc02bfcc4edb3983ccc90121

SHA512
6098c8d453326cf7707a96542a3909fa7a23794f39c8eb40ae5374cd3a7d8e67576ad32065e16901cc3c469385608ee801354b61f0024effbd8a27ad1a8192ae

Download Submit
C:\Windows\SysWOW64\Obfhgj32.exe

Filesize
50KB

MD5
2ccb5d5469fb851cdc974ffd38329231

SHA1
b64d4286a29beb3a90f6c2d3044141da0fe99e0d

SHA256
aaa0873bd4f58d0e4bb44db137345b69b08c6c0efc02bfcc4edb3983ccc90121

SHA512
6098c8d453326cf7707a96542a3909fa7a23794f39c8eb40ae5374cd3a7d8e67576ad32065e16901cc3c469385608ee801354b61f0024effbd8a27ad1a8192ae

Download Submit
C:\Windows\SysWOW64\Oconpn32.exe

Filesize
50KB

MD5
f6a480aa62f452d75aa99b812b322e3d

SHA1
de76c0291d19b365da3a51405959ee5fb8370187

SHA256
6706957b975fdce963a72ffe2716df1ef2653b5cc382e9d54d4d84b9831042da

SHA512
38b510af3c12b9bcf686a973f30ce86e12223890d4defeea28ef059182792be78396a182ba2abead708b3cd4ed34f5d3fd48fbd660c2a2183b023d3755920fc0

Download Submit
C:\Windows\SysWOW64\Oconpn32.exe

Filesize
50KB

MD5
f6a480aa62f452d75aa99b812b322e3d

SHA1
de76c0291d19b365da3a51405959ee5fb8370187

SHA256
6706957b975fdce963a72ffe2716df1ef2653b5cc382e9d54d4d84b9831042da

SHA512
38b510af3c12b9bcf686a973f30ce86e12223890d4defeea28ef059182792be78396a182ba2abead708b3cd4ed34f5d3fd48fbd660c2a2183b023d3755920fc0

Download Submit
C:\Windows\SysWOW64\Odpjhfag.exe

Filesize
50KB

MD5
7340f22959443a2209ba63ab7adac16c

SHA1
387f23a9f18265a7f236a99359470afb1d3b7cf6

SHA256
baa960941acd8cc3e22c55bcf2da16b22800c5f4cb2bc2b9cacd0e8c1a6afaf3

SHA512
361feb2555b18c0a66bf5ef66aa1576a47691bb277cc66955ca78d4b117e28d97c40f510bc3d35f38db8e783391d10dd9b0ca9e6d3c2e9b6ab101587665c928c

Download Submit
C:\Windows\SysWOW64\Odpjhfag.exe

Filesize
50KB

MD5
7340f22959443a2209ba63ab7adac16c

SHA1
387f23a9f18265a7f236a99359470afb1d3b7cf6

SHA256
baa960941acd8cc3e22c55bcf2da16b22800c5f4cb2bc2b9cacd0e8c1a6afaf3

SHA512
361feb2555b18c0a66bf5ef66aa1576a47691bb277cc66955ca78d4b117e28d97c40f510bc3d35f38db8e783391d10dd9b0ca9e6d3c2e9b6ab101587665c928c

Download Submit
C:\Windows\SysWOW64\Ofpgaihj.exe

Filesize
50KB

MD5
66f20dcfdbeb4eef83257be9b45fef30

SHA1
69d60daa1dc2f199655a2f1c3cf60bbe7ba4bd57

SHA256
a7145e9165fea8c1645fd8c2cfa3e7a8e643602dc7c2945991d96a3adc41bb6f

SHA512
79fb2b6f13f852439c1462b4f440e2a60f6ff4e71c4d0b81f13bef645e087b0ccd36b4c262fb6cc776f07f269d5784a68be1cedcdfa70ce28c36cd751b6704e6

Download Submit
C:\Windows\SysWOW64\Ofpgaihj.exe

Filesize
50KB

MD5
66f20dcfdbeb4eef83257be9b45fef30

SHA1
69d60daa1dc2f199655a2f1c3cf60bbe7ba4bd57

SHA256
a7145e9165fea8c1645fd8c2cfa3e7a8e643602dc7c2945991d96a3adc41bb6f

SHA512
79fb2b6f13f852439c1462b4f440e2a60f6ff4e71c4d0b81f13bef645e087b0ccd36b4c262fb6cc776f07f269d5784a68be1cedcdfa70ce28c36cd751b6704e6

Download Submit
C:\Windows\SysWOW64\Oofoeo32.exe

Filesize
50KB

MD5
2f5c55148938bfea07ac745b5a33d55f

SHA1
1d648021d60e2fc210a09388926fd1c5b171b735

SHA256
118a4f595af80a2e1292c97474e8f5d91ad53056b032950a6029895960f42959

SHA512
f59ff1fc8557ec16ad2abd0a474396c7a8a10fa4bdfc2b3ac623d21517a910fe6f5cfd3e064490843e2be756ef51dd5cae8f1ecb8feeb5ca6784a22bbf744232

Download Submit
C:\Windows\SysWOW64\Oofoeo32.exe

Filesize
50KB

MD5
2f5c55148938bfea07ac745b5a33d55f

SHA1
1d648021d60e2fc210a09388926fd1c5b171b735

SHA256
118a4f595af80a2e1292c97474e8f5d91ad53056b032950a6029895960f42959

SHA512
f59ff1fc8557ec16ad2abd0a474396c7a8a10fa4bdfc2b3ac623d21517a910fe6f5cfd3e064490843e2be756ef51dd5cae8f1ecb8feeb5ca6784a22bbf744232

Download Submit
C:\Windows\SysWOW64\Qbimch32.exe

Filesize
50KB

MD5
38f9963d6fa91b5c87adc22318ccaaf7

SHA1
53683a079dd96fd0f02f1a805afb707b7cf8a977

SHA256
3629ccda5cedcb6f672c40f3be5944c3c0ed6a4a9216365769e6434b5d82461a

SHA512
07faad875ba95868e46131dfaec4f1f2237aa1b2be24cf6c73346f4270e0dadb71842a6693b27c2a20b1edbb931f600a7a28be197a96e88a89efa0d4e0bdcdad

Download Submit
C:\Windows\SysWOW64\Qbimch32.exe

Filesize
50KB

MD5
38f9963d6fa91b5c87adc22318ccaaf7

SHA1
53683a079dd96fd0f02f1a805afb707b7cf8a977

SHA256
3629ccda5cedcb6f672c40f3be5944c3c0ed6a4a9216365769e6434b5d82461a

SHA512
07faad875ba95868e46131dfaec4f1f2237aa1b2be24cf6c73346f4270e0dadb71842a6693b27c2a20b1edbb931f600a7a28be197a96e88a89efa0d4e0bdcdad

Download Submit
memory/60-157-0x0000000000000000-mapping.dmp

Download
memory/60-183-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1004-184-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1004-160-0x0000000000000000-mapping.dmp

Download
memory/1136-207-0x0000000000000000-mapping.dmp

Download
memory/1136-210-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1136-232-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1800-185-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1800-163-0x0000000000000000-mapping.dmp

Download
memory/1828-167-0x0000000000000000-mapping.dmp

Download
memory/1828-189-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2184-172-0x0000000000000000-mapping.dmp

Download
memory/2184-190-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2368-228-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2368-219-0x0000000000000000-mapping.dmp

Download
memory/3252-238-0x0000000000000000-mapping.dmp

Download
memory/3252-241-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3536-214-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3536-242-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3536-211-0x0000000000000000-mapping.dmp

Download
memory/3620-177-0x0000000000000000-mapping.dmp

Download
memory/3620-191-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3644-193-0x0000000000000000-mapping.dmp

Download
memory/3644-196-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3916-136-0x0000000000000000-mapping.dmp

Download
memory/3916-168-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3992-173-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3992-142-0x0000000000000000-mapping.dmp

Download
memory/4168-178-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4168-148-0x0000000000000000-mapping.dmp

Download
memory/4292-246-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4292-243-0x0000000000000000-mapping.dmp

Download
memory/4304-200-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4304-197-0x0000000000000000-mapping.dmp

Download
memory/4304-215-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4396-230-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4396-225-0x0000000000000000-mapping.dmp

Download
memory/4412-151-0x0000000000000000-mapping.dmp

Download
memory/4412-179-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4452-132-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4452-205-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4508-171-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4508-139-0x0000000000000000-mapping.dmp

Download
memory/4556-154-0x0000000000000000-mapping.dmp

Download
memory/4556-181-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4660-226-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4660-216-0x0000000000000000-mapping.dmp

Download
memory/4668-234-0x0000000000000000-mapping.dmp

Download
memory/4668-237-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4688-222-0x0000000000000000-mapping.dmp

Download
memory/4688-229-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4844-186-0x0000000000000000-mapping.dmp

Download
memory/4844-206-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4844-192-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4948-166-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4948-133-0x0000000000000000-mapping.dmp

Download
memory/4956-201-0x0000000000000000-mapping.dmp

Download
memory/4956-203-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4956-231-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5072-176-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5072-145-0x0000000000000000-mapping.dmp

Download