gozi | 15fbe38974dc0b5dd0db1be3cf33bcf1f207f3722401d160652e3461db4e2034

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e514b4ab5503165b0bcb9733ccbc3450_NEIKI.exe
Size

163KB
MD5

e514b4ab5503165b0bcb9733ccbc3450
SHA1

d63f5c3f953c6e10da2ed6be2252fa297e1d13d9
SHA256

15fbe38974dc0b5dd0db1be3cf33bcf1f207f3722401d160652e3461db4e2034
SHA512

87dfd5040afa6a54eb9cfbfca61c93e1f8319cadf8fe495df7b00852f0a8c35dc83dc1a7376e8275359a31e72e1315abaf2674fdfc60843f6439e6eb01d616a0
SSDEEP

1536:P5s2UymmkhSe91RRlFluxNj4jHtTgralProNVU4qNVUrk/9QbfBr+7GwKrPAsqNy:xsXyoF9dluxZ4jHlcaltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Lgokmgjm.exeMmnldp32.exeMigjoaaf.exeDddhpjof.exeBcebhoii.exeDodbbdbb.exeNjciko32.exeOponmilc.exeOfeilobp.exePdifoehl.exeAcnlgp32.exeChmndlge.exeDknpmdfc.exeLbabgh32.exeMiifeq32.exeNnjlpo32.exeOnhhamgg.exePncgmkmj.exeMbfkbhpa.exePjeoglgc.exePcbmka32.exeOgnpebpj.exeBnmcjg32.exee514b4ab5503165b0bcb9733ccbc3450_NEIKI.exeNpcoakfp.exeBfhhoi32.exeOddmdf32.exeQnhahj32.exeCmiflbel.exeCfbkeh32.exeDmcibama.exeAmpkof32.exeBhhdil32.exeDobfld32.exePdkcde32.exeQffbbldm.exeAeiofcji.exeMdckfk32.exeOqfdnhfk.exeMgimcebb.exeMpablkhc.exeDhfajjoj.exeNdaggimg.exeOdmgcgbi.exeAgjhgngj.exeCdhhdlid.exeNjqmepik.exeLebkhc32.exeOcnjidkf.exeOnjegled.exeNgmgne32.exeNdcdmikd.exeBnkgeg32.exeNilcjp32.exeCalhnpgn.exeDhkjej32.exeDhhnpjmh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e514b4ab5503165b0bcb9733ccbc3450_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 64 IoCs

Processes:

Lbabgh32.exeLepncd32.exeLdanqkki.exeLgokmgjm.exeLebkhc32.exeLingibiq.exeLllcen32.exeMdckfk32.exeMbfkbhpa.exeMpjlklok.exeMegdccmb.exeMmnldp32.exeMdhdajea.exeMeiaib32.exeMlcifmbl.exeMgimcebb.exeMigjoaaf.exeMpablkhc.exeMgkjhe32.exeMiifeq32.exeNpcoakfp.exeNgmgne32.exeNilcjp32.exeNdaggimg.exeNebdoa32.exeNnjlpo32.exeNdcdmikd.exeNjqmepik.exeNcianepl.exeNjciko32.exeNlaegk32.exeNfjjppmm.exeOponmilc.exeOcnjidkf.exeOjgbfocc.exeOlfobjbg.exeOdmgcgbi.exeOjjolnaq.exeOpdghh32.exeOgnpebpj.exeOnhhamgg.exeOqfdnhfk.exeOgpmjb32.exeOnjegled.exeOddmdf32.exeOfeilobp.exePdfjifjo.exePgefeajb.exePdifoehl.exePjeoglgc.exePdkcde32.exePflplnlg.exePncgmkmj.exePfolbmje.exePdpmpdbd.exePcbmka32.exeQnhahj32.exeQmkadgpo.exeQgqeappe.exeQnjnnj32.exeQffbbldm.exeAmpkof32.exeAcjclpcf.exeAnogiicl.exe

pid	process
232	Lbabgh32.exe
2676	Lepncd32.exe
656	Ldanqkki.exe
1052	Lgokmgjm.exe
3908	Lebkhc32.exe
1528	Lingibiq.exe
4848	Lllcen32.exe
2360	Mdckfk32.exe
3632	Mbfkbhpa.exe
3048	Mpjlklok.exe
1556	Megdccmb.exe
3484	Mmnldp32.exe
2644	Mdhdajea.exe
3860	Meiaib32.exe
2420	Mlcifmbl.exe
1768	Mgimcebb.exe
3052	Migjoaaf.exe
1440	Mpablkhc.exe
4756	Mgkjhe32.exe
4492	Miifeq32.exe
4148	Npcoakfp.exe
4068	Ngmgne32.exe
1764	Nilcjp32.exe
2572	Ndaggimg.exe
2812	Nebdoa32.exe
4564	Nnjlpo32.exe
1708	Ndcdmikd.exe
2956	Njqmepik.exe
3088	Ncianepl.exe
3576	Njciko32.exe
3652	Nlaegk32.exe
4884	Nfjjppmm.exe
3804	Oponmilc.exe
4760	Ocnjidkf.exe
4408	Ojgbfocc.exe
2824	Olfobjbg.exe
1436	Odmgcgbi.exe
2996	Ojjolnaq.exe
1856	Opdghh32.exe
2304	Ognpebpj.exe
1332	Onhhamgg.exe
2532	Oqfdnhfk.exe
2188	Ogpmjb32.exe
3904	Onjegled.exe
4972	Oddmdf32.exe
2036	Ofeilobp.exe
4516	Pdfjifjo.exe
2876	Pgefeajb.exe
632	Pdifoehl.exe
3284	Pjeoglgc.exe
4612	Pdkcde32.exe
4464	Pflplnlg.exe
1376	Pncgmkmj.exe
1272	Pfolbmje.exe
1428	Pdpmpdbd.exe
1680	Pcbmka32.exe
336	Qnhahj32.exe
3624	Qmkadgpo.exe
3356	Qgqeappe.exe
2172	Qnjnnj32.exe
2084	Qffbbldm.exe
2880	Ampkof32.exe
1244	Acjclpcf.exe
1096	Anogiicl.exe

Drops file in System32 directory 64 IoCs

Processes:

Mbfkbhpa.exeMegdccmb.exeOjgbfocc.exePdifoehl.exeQmkadgpo.exePdfjifjo.exePncgmkmj.exeAgjhgngj.exeBhhdil32.exeAnogiicl.exeMdhdajea.exeNdaggimg.exeOlfobjbg.exeOqfdnhfk.exeQnhahj32.exeMmnldp32.exePdpmpdbd.exeCndikf32.exeNpcoakfp.exeAnadoi32.exeCdfkolkf.exeDejacond.exeLdanqkki.exeQffbbldm.exeDobfld32.exeDkkcge32.exeOddmdf32.exePdkcde32.exeBnkgeg32.exeDogogcpo.exeNcianepl.exeBebblb32.exeCalhnpgn.exeMdckfk32.exeQgqeappe.exeBcebhoii.exeBfhhoi32.exeLbabgh32.exeLebkhc32.exeNdcdmikd.exeDodbbdbb.exeNilcjp32.exeNnjlpo32.exeDhmgki32.exeNlaegk32.exeOgnpebpj.exeOfeilobp.exeQnjnnj32.exeAndqdh32.exeCfbkeh32.exeNjciko32.exeAcjclpcf.exeDmcibama.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Eonefj32.dll	Megdccmb.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Nodfmh32.dll	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Lgokmgjm.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Mpjlklok.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Mbfkbhpa.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Lepncd32.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lebkhc32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3944 2376 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
3944	2376	WerFault.exe	Dmllipeg.exe

Modifies registry class 64 IoCs

Processes:

Ncianepl.exeOgpmjb32.exeOnjegled.exePdpmpdbd.exeQmkadgpo.exeBnkgeg32.exeChmndlge.exeMpablkhc.exePncgmkmj.exeAeiofcji.exeCnkplejl.exeDkkcge32.exePdfjifjo.exeNnjlpo32.exeQffbbldm.exeAfoeiklb.exeNdaggimg.exeOjjolnaq.exeOgnpebpj.exeOqfdnhfk.exePdifoehl.exeLgokmgjm.exeNilcjp32.exeLebkhc32.exePdkcde32.exeDhmgki32.exeMpjlklok.exeMigjoaaf.exeOcnjidkf.exeQnhahj32.exeCmiflbel.exeLbabgh32.exeNfjjppmm.exeOponmilc.exeOpdghh32.exeCalhnpgn.exeLingibiq.exeMdhdajea.exeAnogiicl.exeCndikf32.exeNdcdmikd.exePflplnlg.exeMmnldp32.exePcbmka32.exeAmpkof32.exeBhhdil32.exee514b4ab5503165b0bcb9733ccbc3450_NEIKI.exeCdhhdlid.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleecc32.dll"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll"	e514b4ab5503165b0bcb9733ccbc3450_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cdhhdlid.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e514b4ab5503165b0bcb9733ccbc3450_NEIKI.exeLbabgh32.exeLepncd32.exeLdanqkki.exeLgokmgjm.exeLebkhc32.exeLingibiq.exeLllcen32.exeMdckfk32.exeMbfkbhpa.exeMpjlklok.exeMegdccmb.exeMmnldp32.exeMdhdajea.exeMeiaib32.exeMlcifmbl.exeMgimcebb.exeMigjoaaf.exeMpablkhc.exeMgkjhe32.exeMiifeq32.exeNpcoakfp.exe

description	pid	process	target process
PID 5016 wrote to memory of 232	5016	e514b4ab5503165b0bcb9733ccbc3450_NEIKI.exe	Lbabgh32.exe
PID 5016 wrote to memory of 232	5016	e514b4ab5503165b0bcb9733ccbc3450_NEIKI.exe	Lbabgh32.exe
PID 5016 wrote to memory of 232	5016	e514b4ab5503165b0bcb9733ccbc3450_NEIKI.exe	Lbabgh32.exe
PID 232 wrote to memory of 2676	232	Lbabgh32.exe	Lepncd32.exe
PID 232 wrote to memory of 2676	232	Lbabgh32.exe	Lepncd32.exe
PID 232 wrote to memory of 2676	232	Lbabgh32.exe	Lepncd32.exe
PID 2676 wrote to memory of 656	2676	Lepncd32.exe	Ldanqkki.exe
PID 2676 wrote to memory of 656	2676	Lepncd32.exe	Ldanqkki.exe
PID 2676 wrote to memory of 656	2676	Lepncd32.exe	Ldanqkki.exe
PID 656 wrote to memory of 1052	656	Ldanqkki.exe	Lgokmgjm.exe
PID 656 wrote to memory of 1052	656	Ldanqkki.exe	Lgokmgjm.exe
PID 656 wrote to memory of 1052	656	Ldanqkki.exe	Lgokmgjm.exe
PID 1052 wrote to memory of 3908	1052	Lgokmgjm.exe	Lebkhc32.exe
PID 1052 wrote to memory of 3908	1052	Lgokmgjm.exe	Lebkhc32.exe
PID 1052 wrote to memory of 3908	1052	Lgokmgjm.exe	Lebkhc32.exe
PID 3908 wrote to memory of 1528	3908	Lebkhc32.exe	Lingibiq.exe
PID 3908 wrote to memory of 1528	3908	Lebkhc32.exe	Lingibiq.exe
PID 3908 wrote to memory of 1528	3908	Lebkhc32.exe	Lingibiq.exe
PID 1528 wrote to memory of 4848	1528	Lingibiq.exe	Lllcen32.exe
PID 1528 wrote to memory of 4848	1528	Lingibiq.exe	Lllcen32.exe
PID 1528 wrote to memory of 4848	1528	Lingibiq.exe	Lllcen32.exe
PID 4848 wrote to memory of 2360	4848	Lllcen32.exe	Mdckfk32.exe
PID 4848 wrote to memory of 2360	4848	Lllcen32.exe	Mdckfk32.exe
PID 4848 wrote to memory of 2360	4848	Lllcen32.exe	Mdckfk32.exe
PID 2360 wrote to memory of 3632	2360	Mdckfk32.exe	Mbfkbhpa.exe
PID 2360 wrote to memory of 3632	2360	Mdckfk32.exe	Mbfkbhpa.exe
PID 2360 wrote to memory of 3632	2360	Mdckfk32.exe	Mbfkbhpa.exe
PID 3632 wrote to memory of 3048	3632	Mbfkbhpa.exe	Mpjlklok.exe
PID 3632 wrote to memory of 3048	3632	Mbfkbhpa.exe	Mpjlklok.exe
PID 3632 wrote to memory of 3048	3632	Mbfkbhpa.exe	Mpjlklok.exe
PID 3048 wrote to memory of 1556	3048	Mpjlklok.exe	Megdccmb.exe
PID 3048 wrote to memory of 1556	3048	Mpjlklok.exe	Megdccmb.exe
PID 3048 wrote to memory of 1556	3048	Mpjlklok.exe	Megdccmb.exe
PID 1556 wrote to memory of 3484	1556	Megdccmb.exe	Mmnldp32.exe
PID 1556 wrote to memory of 3484	1556	Megdccmb.exe	Mmnldp32.exe
PID 1556 wrote to memory of 3484	1556	Megdccmb.exe	Mmnldp32.exe
PID 3484 wrote to memory of 2644	3484	Mmnldp32.exe	Mdhdajea.exe
PID 3484 wrote to memory of 2644	3484	Mmnldp32.exe	Mdhdajea.exe
PID 3484 wrote to memory of 2644	3484	Mmnldp32.exe	Mdhdajea.exe
PID 2644 wrote to memory of 3860	2644	Mdhdajea.exe	Meiaib32.exe
PID 2644 wrote to memory of 3860	2644	Mdhdajea.exe	Meiaib32.exe
PID 2644 wrote to memory of 3860	2644	Mdhdajea.exe	Meiaib32.exe
PID 3860 wrote to memory of 2420	3860	Meiaib32.exe	Mlcifmbl.exe
PID 3860 wrote to memory of 2420	3860	Meiaib32.exe	Mlcifmbl.exe
PID 3860 wrote to memory of 2420	3860	Meiaib32.exe	Mlcifmbl.exe
PID 2420 wrote to memory of 1768	2420	Mlcifmbl.exe	Mgimcebb.exe
PID 2420 wrote to memory of 1768	2420	Mlcifmbl.exe	Mgimcebb.exe
PID 2420 wrote to memory of 1768	2420	Mlcifmbl.exe	Mgimcebb.exe
PID 1768 wrote to memory of 3052	1768	Mgimcebb.exe	Migjoaaf.exe
PID 1768 wrote to memory of 3052	1768	Mgimcebb.exe	Migjoaaf.exe
PID 1768 wrote to memory of 3052	1768	Mgimcebb.exe	Migjoaaf.exe
PID 3052 wrote to memory of 1440	3052	Migjoaaf.exe	Mpablkhc.exe
PID 3052 wrote to memory of 1440	3052	Migjoaaf.exe	Mpablkhc.exe
PID 3052 wrote to memory of 1440	3052	Migjoaaf.exe	Mpablkhc.exe
PID 1440 wrote to memory of 4756	1440	Mpablkhc.exe	Mgkjhe32.exe
PID 1440 wrote to memory of 4756	1440	Mpablkhc.exe	Mgkjhe32.exe
PID 1440 wrote to memory of 4756	1440	Mpablkhc.exe	Mgkjhe32.exe
PID 4756 wrote to memory of 4492	4756	Mgkjhe32.exe	Miifeq32.exe
PID 4756 wrote to memory of 4492	4756	Mgkjhe32.exe	Miifeq32.exe
PID 4756 wrote to memory of 4492	4756	Mgkjhe32.exe	Miifeq32.exe
PID 4492 wrote to memory of 4148	4492	Miifeq32.exe	Npcoakfp.exe
PID 4492 wrote to memory of 4148	4492	Miifeq32.exe	Npcoakfp.exe
PID 4492 wrote to memory of 4148	4492	Miifeq32.exe	Npcoakfp.exe
PID 4148 wrote to memory of 4068	4148	Npcoakfp.exe	Ngmgne32.exe

C:\Users\Admin\AppData\Local\Temp\e514b4ab5503165b0bcb9733ccbc3450_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\e514b4ab5503165b0bcb9733ccbc3450_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\Lbabgh32.exe
C:\Windows\system32\Lbabgh32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\SysWOW64\Lepncd32.exe
C:\Windows\system32\Lepncd32.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\Ldanqkki.exe
C:\Windows\system32\Ldanqkki.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\Lgokmgjm.exe
C:\Windows\system32\Lgokmgjm.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\Lebkhc32.exe
C:\Windows\system32\Lebkhc32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\Lingibiq.exe
C:\Windows\system32\Lingibiq.exe
7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\Lllcen32.exe
C:\Windows\system32\Lllcen32.exe
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\Mdckfk32.exe
C:\Windows\system32\Mdckfk32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\Mbfkbhpa.exe
C:\Windows\system32\Mbfkbhpa.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\Mpjlklok.exe
C:\Windows\system32\Mpjlklok.exe
11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\Megdccmb.exe
C:\Windows\system32\Megdccmb.exe
12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\Mmnldp32.exe
C:\Windows\system32\Mmnldp32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\SysWOW64\Mdhdajea.exe
C:\Windows\system32\Mdhdajea.exe
14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\Meiaib32.exe
C:\Windows\system32\Meiaib32.exe
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\Mlcifmbl.exe
C:\Windows\system32\Mlcifmbl.exe
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\Mgimcebb.exe
C:\Windows\system32\Mgimcebb.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\Migjoaaf.exe
C:\Windows\system32\Migjoaaf.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\Mpablkhc.exe
C:\Windows\system32\Mpablkhc.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\Mgkjhe32.exe
C:\Windows\system32\Mgkjhe32.exe
20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\Miifeq32.exe
C:\Windows\system32\Miifeq32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\Npcoakfp.exe
C:\Windows\system32\Npcoakfp.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\SysWOW64\Ngmgne32.exe
C:\Windows\system32\Ngmgne32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4068

C:\Windows\SysWOW64\Nilcjp32.exe
C:\Windows\system32\Nilcjp32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1764

C:\Windows\SysWOW64\Ndaggimg.exe
C:\Windows\system32\Ndaggimg.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2572

C:\Windows\SysWOW64\Nebdoa32.exe
C:\Windows\system32\Nebdoa32.exe
26⤵
- Executes dropped EXE
PID:2812

C:\Windows\SysWOW64\Nnjlpo32.exe
C:\Windows\system32\Nnjlpo32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4564

C:\Windows\SysWOW64\Ndcdmikd.exe
C:\Windows\system32\Ndcdmikd.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1708

C:\Windows\SysWOW64\Njqmepik.exe
C:\Windows\system32\Njqmepik.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2956

C:\Windows\SysWOW64\Ncianepl.exe
C:\Windows\system32\Ncianepl.exe
30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3088

C:\Windows\SysWOW64\Njciko32.exe
C:\Windows\system32\Njciko32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3576

C:\Windows\SysWOW64\Nlaegk32.exe
C:\Windows\system32\Nlaegk32.exe
32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3652

C:\Windows\SysWOW64\Nfjjppmm.exe
C:\Windows\system32\Nfjjppmm.exe
33⤵
- Executes dropped EXE
- Modifies registry class
PID:4884

C:\Windows\SysWOW64\Oponmilc.exe
C:\Windows\system32\Oponmilc.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3804

C:\Windows\SysWOW64\Ocnjidkf.exe
C:\Windows\system32\Ocnjidkf.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4760

C:\Windows\SysWOW64\Ojgbfocc.exe
C:\Windows\system32\Ojgbfocc.exe
36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4408

C:\Windows\SysWOW64\Olfobjbg.exe
C:\Windows\system32\Olfobjbg.exe
37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2824

C:\Windows\SysWOW64\Odmgcgbi.exe
C:\Windows\system32\Odmgcgbi.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1436

C:\Windows\SysWOW64\Ojjolnaq.exe
C:\Windows\system32\Ojjolnaq.exe
39⤵
- Executes dropped EXE
- Modifies registry class
PID:2996

C:\Windows\SysWOW64\Opdghh32.exe
C:\Windows\system32\Opdghh32.exe
40⤵
- Executes dropped EXE
- Modifies registry class
PID:1856

C:\Windows\SysWOW64\Ognpebpj.exe
C:\Windows\system32\Ognpebpj.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2304

C:\Windows\SysWOW64\Onhhamgg.exe
C:\Windows\system32\Onhhamgg.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1332

C:\Windows\SysWOW64\Oqfdnhfk.exe
C:\Windows\system32\Oqfdnhfk.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2532

C:\Windows\SysWOW64\Ogpmjb32.exe
C:\Windows\system32\Ogpmjb32.exe
44⤵
- Executes dropped EXE
- Modifies registry class
PID:2188

C:\Windows\SysWOW64\Onjegled.exe
C:\Windows\system32\Onjegled.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3904

C:\Windows\SysWOW64\Oddmdf32.exe
C:\Windows\system32\Oddmdf32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4972

C:\Windows\SysWOW64\Ofeilobp.exe
C:\Windows\system32\Ofeilobp.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2036

C:\Windows\SysWOW64\Pdfjifjo.exe
C:\Windows\system32\Pdfjifjo.exe
48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4516

C:\Windows\SysWOW64\Pgefeajb.exe
C:\Windows\system32\Pgefeajb.exe
49⤵
- Executes dropped EXE
PID:2876

C:\Windows\SysWOW64\Pdifoehl.exe
C:\Windows\system32\Pdifoehl.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:632

C:\Windows\SysWOW64\Pjeoglgc.exe
C:\Windows\system32\Pjeoglgc.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3284

C:\Windows\SysWOW64\Pdkcde32.exe
C:\Windows\system32\Pdkcde32.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4612

C:\Windows\SysWOW64\Pflplnlg.exe
C:\Windows\system32\Pflplnlg.exe
53⤵
- Executes dropped EXE
- Modifies registry class
PID:4464

C:\Windows\SysWOW64\Pncgmkmj.exe
C:\Windows\system32\Pncgmkmj.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1376

C:\Windows\SysWOW64\Pfolbmje.exe
C:\Windows\system32\Pfolbmje.exe
55⤵
- Executes dropped EXE
PID:1272

C:\Windows\SysWOW64\Pdpmpdbd.exe
C:\Windows\system32\Pdpmpdbd.exe
56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1428

C:\Windows\SysWOW64\Pcbmka32.exe
C:\Windows\system32\Pcbmka32.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1680

C:\Windows\SysWOW64\Qnhahj32.exe
C:\Windows\system32\Qnhahj32.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:336

C:\Windows\SysWOW64\Qmkadgpo.exe
C:\Windows\system32\Qmkadgpo.exe
59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3624

C:\Windows\SysWOW64\Qgqeappe.exe
C:\Windows\system32\Qgqeappe.exe
60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3356

C:\Windows\SysWOW64\Qnjnnj32.exe
C:\Windows\system32\Qnjnnj32.exe
61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2172

C:\Windows\SysWOW64\Qffbbldm.exe
C:\Windows\system32\Qffbbldm.exe
62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2084

C:\Windows\SysWOW64\Ampkof32.exe
C:\Windows\system32\Ampkof32.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2880

C:\Windows\SysWOW64\Acjclpcf.exe
C:\Windows\system32\Acjclpcf.exe
64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1244

C:\Windows\SysWOW64\Anogiicl.exe
C:\Windows\system32\Anogiicl.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1096

C:\Windows\SysWOW64\Aeiofcji.exe
C:\Windows\system32\Aeiofcji.exe
66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3076

C:\Windows\SysWOW64\Anadoi32.exe
C:\Windows\system32\Anadoi32.exe
67⤵
- Drops file in System32 directory
PID:3572

C:\Windows\SysWOW64\Acnlgp32.exe
C:\Windows\system32\Acnlgp32.exe
68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3516

C:\Windows\SysWOW64\Agjhgngj.exe
C:\Windows\system32\Agjhgngj.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4388

C:\Windows\SysWOW64\Andqdh32.exe
C:\Windows\system32\Andqdh32.exe
70⤵
- Drops file in System32 directory
PID:1700

C:\Windows\SysWOW64\Aeniabfd.exe
C:\Windows\system32\Aeniabfd.exe
71⤵
PID:2432

C:\Windows\SysWOW64\Afoeiklb.exe
C:\Windows\system32\Afoeiklb.exe
72⤵
- Modifies registry class
PID:1056

C:\Windows\SysWOW64\Aminee32.exe
C:\Windows\system32\Aminee32.exe
73⤵
PID:2628

C:\Windows\SysWOW64\Bebblb32.exe
C:\Windows\system32\Bebblb32.exe
74⤵
- Drops file in System32 directory
PID:3976

C:\Windows\SysWOW64\Bcebhoii.exe
C:\Windows\system32\Bcebhoii.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4444

C:\Windows\SysWOW64\Bfdodjhm.exe
C:\Windows\system32\Bfdodjhm.exe
76⤵
PID:3460

C:\Windows\SysWOW64\Bnkgeg32.exe
C:\Windows\system32\Bnkgeg32.exe
77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4772

C:\Windows\SysWOW64\Bgcknmop.exe
C:\Windows\system32\Bgcknmop.exe
78⤵
PID:4032

C:\Windows\SysWOW64\Bnmcjg32.exe
C:\Windows\system32\Bnmcjg32.exe
79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4136

C:\Windows\SysWOW64\Bfhhoi32.exe
C:\Windows\system32\Bfhhoi32.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4808

C:\Windows\SysWOW64\Bhhdil32.exe
C:\Windows\system32\Bhhdil32.exe
81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4048

C:\Windows\SysWOW64\Bmemac32.exe
C:\Windows\system32\Bmemac32.exe
82⤵
PID:5036

C:\Windows\SysWOW64\Bcoenmao.exe
C:\Windows\system32\Bcoenmao.exe
83⤵
PID:2964

C:\Windows\SysWOW64\Cndikf32.exe
C:\Windows\system32\Cndikf32.exe
84⤵
- Drops file in System32 directory
- Modifies registry class
PID:2392

C:\Windows\SysWOW64\Chmndlge.exe
C:\Windows\system32\Chmndlge.exe
85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4328

C:\Windows\SysWOW64\Cmiflbel.exe
C:\Windows\system32\Cmiflbel.exe
86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4124

C:\Windows\SysWOW64\Cfbkeh32.exe
C:\Windows\system32\Cfbkeh32.exe
87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4628

C:\Windows\SysWOW64\Cdfkolkf.exe
C:\Windows\system32\Cdfkolkf.exe
88⤵
- Drops file in System32 directory
PID:4832

C:\Windows\SysWOW64\Cnkplejl.exe
C:\Windows\system32\Cnkplejl.exe
89⤵
- Modifies registry class
PID:4256

C:\Windows\SysWOW64\Cdhhdlid.exe
C:\Windows\system32\Cdhhdlid.exe
90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2152

C:\Windows\SysWOW64\Calhnpgn.exe
C:\Windows\system32\Calhnpgn.exe
91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3560

C:\Windows\SysWOW64\Dhfajjoj.exe
C:\Windows\system32\Dhfajjoj.exe
92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:456

C:\Windows\SysWOW64\Djdmffnn.exe
C:\Windows\system32\Djdmffnn.exe
93⤵
PID:448

C:\Windows\SysWOW64\Dmcibama.exe
C:\Windows\system32\Dmcibama.exe
94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4704

C:\Windows\SysWOW64\Dejacond.exe
C:\Windows\system32\Dejacond.exe
95⤵
- Drops file in System32 directory
PID:2704

C:\Windows\SysWOW64\Dhhnpjmh.exe
C:\Windows\system32\Dhhnpjmh.exe
96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712

C:\Windows\SysWOW64\Dobfld32.exe
C:\Windows\system32\Dobfld32.exe
97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1148

C:\Windows\SysWOW64\Dhkjej32.exe
C:\Windows\system32\Dhkjej32.exe
98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:748

C:\Windows\SysWOW64\Dodbbdbb.exe
C:\Windows\system32\Dodbbdbb.exe
99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3272

C:\Windows\SysWOW64\Dhmgki32.exe
C:\Windows\system32\Dhmgki32.exe
100⤵
- Drops file in System32 directory
- Modifies registry class
PID:2184

C:\Windows\SysWOW64\Dkkcge32.exe
C:\Windows\system32\Dkkcge32.exe
101⤵
- Drops file in System32 directory
- Modifies registry class
PID:2108

C:\Windows\SysWOW64\Dogogcpo.exe
C:\Windows\system32\Dogogcpo.exe
102⤵
- Drops file in System32 directory
PID:2720

C:\Windows\SysWOW64\Dddhpjof.exe
C:\Windows\system32\Dddhpjof.exe
103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348

C:\Windows\SysWOW64\Dknpmdfc.exe
C:\Windows\system32\Dknpmdfc.exe
104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4776

C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
105⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 404
106⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2376 -ip 2376
1⤵
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
163KB

MD5
7f4ef927995f817267528e1a36dd2877

SHA1
34be031fcffad31c3ad0be295f705db8abbd3e2a

SHA256
eb5b853649c8fc162a6607a1671c491d033d07351bf64df0beb2fe3e6e008e58

SHA512
8bdbed1efe3bdeead6c92370ceb749b59237ba6d11479c9605135d7b8e1edbd1f3d3291dae45d8887a0a3234688c04e8980b7ac6b4e460a88205acd1c4d97756

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
163KB

MD5
47221aa36ef4ffef2f53e0d36cc35a9c

SHA1
81378b0f879d4379aea2bcb7967086dbd81b171e

SHA256
54dc3044207aabbb2a9cec992a4c3cacb1388cb1a771844896a2f7af545fa31d

SHA512
5b37aceac9bd2da6787386ce42aebc0765c5cce7982dab3dcde743453fb35c109708d2836575e57249a3a0a461b8621abca0967a376d41230aa98d10ae6dd0b0

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
163KB

MD5
0f4fcf86c79d5797d30a53e2e7c7e656

SHA1
34af3e9187608dcca41d6efe6a959e2ffa350c82

SHA256
653c801d5a38079cb8763998683d68440c8e4349553683a99cc482632f33517d

SHA512
4253588d327caab3a15eccc3f3e837fe77d80e917787196b74f52d90d9f1cc4789e03d199433ee4e166c9824a88c138d5427d09be15e0567adff741a3f3233f0

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
163KB

MD5
30d36c25a1416fb50e8ed592d3a816af

SHA1
782d93d4412fad7a1a4294148d822e458a80da22

SHA256
9ec86233462c73c0948a4e0f596652c282c83bf007ac7a0b5fe2b2cad54c51c7

SHA512
0e6d84fc173676d6c9bdaa124071dc4b5f708194e5d2ed14aabeb7c41f09c2242e855b187f539de56e17f3d6e24e9745397d63da8c6bec4c1eb7e584a23f6d3b

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
163KB

MD5
3895ec3059b4b12ec8bbf9d786ca3967

SHA1
b26ab6d5bf8a70c02dfb5df9a8799ec5f526c9d3

SHA256
ca8782d521caf47bd4fc5e33a71340930c50eb3c58500907a084f599e31a2f9c

SHA512
f736714d8c2025ec2dceab3e02c13a8f1d6a6ecca83b83fe6db5bea9b756e37ba5927f695ff890522511871e945977b9a0e443c60bc875b2c1985f3fed56687d

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
163KB

MD5
bda30a52b165d1e8847074a971357df1

SHA1
4e9aff6adb72ee62c67acf4c5b9d79df2d37f0c9

SHA256
4b9ffcd6af24f88acece347e2a7368703379925bebb568809a6fb68ae6e40337

SHA512
b9783eddcdbcff83148d810d0ade281f26e8bee540cf053a8abec9c502d852904628353ccc6a339b4ab6d7ce6f351b955e7be7f4bf1efa2b983aa695343040b9

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
163KB

MD5
d7d59cf2df12d9058fb17d19d70216a0

SHA1
16dde2c62b2f8a3a7ebff6f10ce8a73beeafd9fd

SHA256
ee62a9eb484e5db3647b6508efcd14ab3709c26f557a1fc40422ee0077b6c950

SHA512
ccad981a948542f35170f87dee60a8d1dd955395078c1fd5c6c060ce3b219d05340ec91ff6ac23c9089b76887c1cb579bc81284949242cc01e74f987760a6457

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
163KB

MD5
7ea795f5ae1603cd6ef71148ea853e0c

SHA1
99411e2803380512bd590299b0aa0bb436cf28a5

SHA256
35e3a04a2778c0e2c7fce530ef31786e7797151b48de995a93c64b4fe77204ff

SHA512
6f46073f77fb2621fafadbc0e8957ede37094c829c8b85bc5d79264247865fe88649e59bc5d45c3e6c3df580eb647bf7470c125c01fc96dd397868c79e5b46a4

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
163KB

MD5
703948d250e280a5ddc2dda4b33d13a2

SHA1
c5cc87006f7c639c7f23bfe036459a7d73197f84

SHA256
4222c4e48123e93753d6b5c46e1b7c4a4313449ae70557768be50f493dc39bad

SHA512
413c75f8b7735c3feaf335499e285871a676c0aeb1e177385521b5d0882a055592ef2eba59788e9f6851fe32780d747b1718e4e3f1544dc02f4733788696fa1f

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
163KB

MD5
c868c9400bba945f7d976ce9576d9245

SHA1
ab65a8858d4a107c35717394bef4b2e432c30a4e

SHA256
9d738cd02f3125ad77cfb27b1c7822060972ccb6f689040273772f6a90ec1fee

SHA512
27935cfad878140a31ad540b484edbe773713caf39ea0ae76d9f11d650e51bc7068bd4f75331878bd0280db4a64be8d39036e3b26b167bf79ddadbdb410699a6

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
163KB

MD5
d773f79d1e0e021ace9ef5f46ae84435

SHA1
70f177a38e2e440af10e87fdec5811c9729c0a83

SHA256
7d67243e26afb0a4b14083e2423c66315169301bd6a8884561da74238d5b433c

SHA512
c1ae7456ff0e1c5b8a4234b1a73b0063c6d65db9921f85b0826c60875eb61f22b9aac62a08852799f0b152d263df646a7e17a26c76677a4d0c318c29aa6f3025

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
163KB

MD5
a8a1122f48af74efe353b7cf802cfb92

SHA1
b553242dda0574c8ddf61bbde2f1649dfa6554ca

SHA256
080191088d90cf9ba7a5c17793c46af07e1d5b9de49cd815ca3bd05344bd3254

SHA512
8d1e71c79d62e74ef1d5bf818da1b81e774493f12a0326d230f88d3fe2901f3738a783a5fcd2967908bd8bd9801d2d0f001fb16b37cbf454d928c3a31f2fef08

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
163KB

MD5
445f20d15f9bdda48f497ad4db344ebe

SHA1
acd2a7dc635497e0f4a44bef2aae168f9f9b82b6

SHA256
ecd392f530f4771f70ed1e4f3368c228e883c9fdf9c6e42f75f84cd79353ce12

SHA512
6a189616180e48f7cd58e92c4fb49fcf2d5358ff8f0aa973654acd89832e4041f3cb14808d4a713d47c527b1be95447ef38908e5703ecceb50f2082bf39502e8

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
163KB

MD5
61f6be90105e9683d10de9c7efd1f908

SHA1
1154c593e0b3d3e1eb0b9de66e49f9f317a8502f

SHA256
fe40d29646d9c61e2ce5ca03945cb83697154353547131377d09e631467ee76e

SHA512
999dce9fac718f683840368145eed62fc0d52167b4deb50b3441f8be072b433ad3b264b0d1073250fda6c35836a890efeb56a4ea85680369e1fdf71ac9451027

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
163KB

MD5
62991ee0563df3facd71cc99bf98a439

SHA1
94e5a0ff3e045b978725b023b9f64d075edeacaf

SHA256
8cdff43ca9b08150acbf603f64c3300a5b3d7263baaaa600b60a0494a4c6ca72

SHA512
c13ee40742f5e2128593bf69487577e517d69c10f0f3fc63ba72cd8d8d953dea02fce920656871a124ee3b2eac038389f851cff304d3a699d44fc27db59c9586

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
163KB

MD5
e6a50c8ecfd7b8e77dbc70288634a462

SHA1
42054700b8b46281c2609d6b5088c1bbd95b28e1

SHA256
6bc27355916cb1044b1d467bcdce6f8eb8ec4088879b88bd18c46b0db868ede7

SHA512
d65778909f893f69b9bbfad9e18ce18737aa17dbe3d6bc06a3f9c91d26dc905636da0bb9058867765467fe84cf033ac64fb0d5fb1527979a11f3f8e6d3ada242

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
163KB

MD5
8a6444a70e20a7c2a165454129cfa138

SHA1
c000cf6ffaf9b59535e50e9df9e017a49bb15187

SHA256
223fb31d0bd972a3426a8c4cdb13ac4638a9e7eeeb952ccfe17fb17b7d743f33

SHA512
a7cf763fdb55e921059b58d24932c96dd549b3660895bc28931e2b344b95a4379dc5c38ce91ab86b7db31caff916517ed001c0e5fba69bbec0b145c70f8fbb5c

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
163KB

MD5
8488f0e26b32a9861674ccc2e014102e

SHA1
69ce6f6c9cd2e556e96383ea0f615ef5998870e5

SHA256
853dc04590451dcd245087622143656dd5793a477494749679df066680713faa

SHA512
fecf184231801eaeaeaf20a66fac5635e1e576e998f51c0fb5cd2c5645c667b8756a938ed4e28ccd4242e8e57ba30b08f7eb6a7a485afe732007ec78eeebc8f9

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
163KB

MD5
3679d7cb037a8a60e7ce49a1072276f6

SHA1
ec932e38225d0a12159222b04246fead01f30b25

SHA256
dfebe98cec01cd4e5efcc5ebd49032126cab4249d6386cf03a89dd112373e767

SHA512
b35d9abca2d351372e2466ecaf1e261f1dbdd79bfc21516c511fff3436a8e98c153f72cc048c57067953469ba129c02ce2158d770b35a3a00d0eb16d7c54124c

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
163KB

MD5
cb8d28884ca11c94511511afe312b736

SHA1
8aea265c9d5e7c22237f92874c826a1a7cb167a5

SHA256
2a0949d16162a064f4fa3a989844f1c4a4a51fdec1970d6537fa93584e92741c

SHA512
088eebe0d998fbbfd3e31925c1e58e5d71bfe2c3bdd99a456257cba95340704509d13e95dfa6d9a0968b8c2f276015e33d364288c1e1e040d827ee15f75ffc36

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
163KB

MD5
9d431890d55808ab00453ba3d5360968

SHA1
1f00a4881c6ed606e45e4f7c23db0371f9358914

SHA256
05a6044b5e5346632590b9919e8dfef203b1b25fff32e17b173930d4ef2e024a

SHA512
a0806bc177308a0b178b3289a3afc9970206a3a0fafd1d89b2ec960bd2a783e5fc70bb136df95e69dfe25c25cf1bc88958a1493aaca302510a87827daad740e9

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
163KB

MD5
8fd353271a93ec204558146d95ada266

SHA1
d715f6c6f466db244db7bc8eb53360f316f883b7

SHA256
0a87c49d35a21a7685d3c94335d89dd6dcdcbad02062ade4fe941078ee24dcec

SHA512
2b2a70e79a78a81d0b49fb51d3fff2f13e6e83e5d73df06fd93835770f4e77e901e9d68fca863d4d19a09c6c4a357b067bcbfd528768b3841acf7b61fde5fa7a

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
163KB

MD5
f5a6ac9b55bf51fe475489514ac946d8

SHA1
136b8fbc6c75b2304eb76ce9cb58b89940a895f2

SHA256
44b96e80684806fa4321a4c1527ab24ed29e14b9eeaf8d89a6762a508a5273b4

SHA512
c18ca2dcee707eca37cca886367db4356f74aef3d43e1991e66d6c59c700664b00e5ed29f6afd83ffebed6795dd7b907a55ff734761bf69e52abcb097b04b78f

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
163KB

MD5
2cc5e2247b7544a868ca56a85eab3c13

SHA1
6de196e48bdecb824b0e332827d8104551d5a1eb

SHA256
c61477d3302b9aaba31bced6f48be35395061aa858d47b99fbd92ebe5302cbe4

SHA512
638b170485e4ca108b5c5c2a6344c814d122e8de17248b3874bd1848b8edf934ca91492fbca8e0dd8426d32e5140e3ccf1f95714e4f1352680faa98cb363c6db

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
163KB

MD5
522901f7b8e0509f2c604fa80fbf1563

SHA1
4cba1efc0ff4fee6edaeec7b0febfea5f21eac2b

SHA256
e2b77a91f7278e7dffbf19017c7063316ae592ea41eed2b0db5933b0f32a7af8

SHA512
9c0a8944b867f427f037f36d7dbcebeccef6789c934f35bec8971b867a1ce523c2ef474eeb90a02ed6f087154e16746804edca3754f24c6bebd43949bdec44cf

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
163KB

MD5
0fc44c6ec2eec89d8edda33b3b50ce4d

SHA1
d262453f05255dc0eb250e1fe7271020e791ba52

SHA256
540f8fa00e5f05bf3989f926fd9cee9dd032311de0c874e198521bf270be45c1

SHA512
02427f9130d920de80818a709aa7914ad450cda9c53ac4a4030ed3eaca57b0dc0e18b2068fe320d72e811c9e60f6b79fe1d17e80cfcf54e1a42d0db344321614

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
163KB

MD5
4ae38d23fb89db7cf3fd935ca1f77095

SHA1
d23d426ac7ab8ff0cd9e7d86dc586748b13ca894

SHA256
fd20505b31ae160eebb5ec70d59650aa65927ef58c8af53a52e7f2c1f9d8cf2c

SHA512
5af9352e06e345740dbecadaeb76fd782b4d9cb3720633d23a9497336949ba035d74c567540a694a8ca18eda4d0d09cc4e618824a8425da61919593f0a743a93

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
163KB

MD5
6c3a00ef237ade89b300149a07e4fbd6

SHA1
24868ee3af94de10c46ff7397a062fcc8d61dbfa

SHA256
2d89a810106abd2226d09de8264c4b27d3d570d268166a887813ac954426e03a

SHA512
d081d1cbd7bbba386a466979ca093bdad722a2cab1e74439e973704d539c3ae9d22f195fdd9140c09df8e02bc43739ff4d918d134879919b1b2eb0ea9d530c3e

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
163KB

MD5
901b91999e50e97e5c43f8ea6089259e

SHA1
05c1db3ceef83a2ff13952b5d8913587a74ba6a7

SHA256
e9cb8d5ac676d9b5e30740ba03c6fd4d448ac2abaa11a5ee94d9fa9b25663079

SHA512
0793b791364adf11d64661bf07e970a3d8e8c64e803a842d2850abede9ffd3567f9828fe93285df5e66ec0c7f9e45595ef78fde1c056a77f6f07aabbb169f59e

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
163KB

MD5
48d54466fcb0a39990d2c1231757ab5c

SHA1
faea791c5990c0fbc2b58742cff58208b46f739c

SHA256
83e34ac493dcee180775c569e5ba4d9a623b241f0a7890aa4ab5481ea3c97bf5

SHA512
698d644f8a683ef3a9db22a5b506a41d774786124f52139150fbe2684288f31735d94e7ed6fed02d552afd42caf725c96b33655f7184cf1efd5f37b356960f39

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
163KB

MD5
6eafc6653d7f88443df0181d1276ad35

SHA1
a282121530fcd9dcd4a2536d3d139bc51fad1910

SHA256
88dac0e05294f59820a2dc9f6ebcaa07a3a7e655887ee55f53af9b763cd30043

SHA512
f57aaa02344da2c387ee66c7afcaf590dc7841b00c3bf93f599d6c1780e90e3966bdb6970e1de0cab5415566986b7a7fc99302a0cd7ca26394c33cfcc614dc2a

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
163KB

MD5
54c2485c7a077ca906fb472ce2dcf165

SHA1
ad1a2d582d07de2a4153e3a3a34219344b409816

SHA256
e4a1da88477a698571f329430850d7f5d5ba2654054a63145290363aa800f7ca

SHA512
fee590cff0e2ac6afbfb4cf508b2655238120b9ca2c060c7ee0045c82567953fcf888b9a33841819a883068564231d8908ebc871647beec12321b2bcaaa7b35c

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
163KB

MD5
8b8147f6edafedaf3fbb7ca18dce177d

SHA1
001804de76e0d962a9f45e9951e55b383a1b6c98

SHA256
db3d40987db50e0772a930b0038ce2313158b36f1c759f557cf5b58041ad3e5c

SHA512
2fd291abad1c5a20302ec15ce9a0d1707b7642963389c9dfce5831c4828ea9f6cbc45f6f7abc809cb24bf5341575224b0c2d1e1276513ebf880172f79560a3f7

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
163KB

MD5
15c5b058ac211a1869593e1743c193e5

SHA1
1d99b412cfc9d69909e67f412f931358b03beb08

SHA256
3bafbf52158aa6eadd67dc4d22b821840f14d30e254fa1e0b4755a100848d9c3

SHA512
054da746f363874f5ad1548d278972c5950bfdc3f9604a5dad4ac18ecefe60c462bfe8890a39c059f36acfc0a4f72ed5e5a6fab2f6e8577901cc109940df0e0f

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
163KB

MD5
a6856941d79d2242dfb7e557552eb117

SHA1
fc84adbe08a92e100910ed2b82ec2ae1d5691362

SHA256
013916c1d74e6ef7012e29b7e93a7b277319c1de10776d1dffbbbf3ca93883dd

SHA512
694100e07624895b28b198a7d2329b0f825bad134032a8850adc3e2eda27ace88afc7395072829bfd9d4934287a272051a53e5cd34fba4bbb6dd8fe9c84b8fa2

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
163KB

MD5
05fe7c8e7455f1be5d5ff4eee4048db8

SHA1
9e99fbed50ada8a3f465d1e5a1bdc790541bb6c4

SHA256
a230a295956b52708707e20b30808487b79847bf3269ad233a181578cf4f105f

SHA512
86652b50e8b56801c43d86360b9a60ac41450f5a7300b4b034c097bd23cc31c4ea73a7e5d8c430f6f087feb6d3d4f541c3724012fa79c4e4ee2653759fa3a59f

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
163KB

MD5
942f0401e9c90dee80639cda5c42ea63

SHA1
c3be81c41632e50ad357d0eea6ed35355c3c1d0b

SHA256
fe0ca536750eecbe40553cd904750032d8a419d961138ace27d6cc76ecc76786

SHA512
a44d56a6fc28eb1283c5beb531b153fe9d0210156dd33b8623d16e4d8450d0ceba60c525ba945a6bac6b93d85d5975c72c7873d6a73ded16673888fc0c4839c3

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
163KB

MD5
427c94f210331a35750d6cca9701deda

SHA1
eeb50d496a3b105542808ccac6d2059d3f032ac0

SHA256
d2bd55b5d33158c8394509a59f66df46f20fefc9a3e6bf8460bb225e236412fe

SHA512
4a2f1ca13f7bf04d64467d4c07f96be2ac2fee3185ae3386f404e1009e1188d716d8250a81692ab9b4520c6add4030d6e80f045ebdf58a4cd026829063fb5da1

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
163KB

MD5
303717e61801b261ac6b25d146391259

SHA1
fddd953051a041dab8570ae14883754d03b9fef3

SHA256
a2ba01ee677162a5d0fa2743a02da16ed4fc7ebe4e10dd477a35b0d4f4bb5dd1

SHA512
8a469dd4c48721453ae0e5a233ba0c84d0b7f37bde1253ecae2c396608a4f0e6c50e5a9af67c668f76674b69d09a6e969309d7446ad4101d246cb28312877f85

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
163KB

MD5
e3702a34a41c8770e03890ce9b06bf6d

SHA1
8945b58955ca7ad4b5e1819173e468be45788ef9

SHA256
a8e82b92635cf8f3e18464fb4089eab17bab2f345cf555160d54b791afe39bd6

SHA512
9514bf35cfe8e2012436bc4d6291cd8e15a74068d3fee00502c706aad39eb80aa899fe2946fa5cfa6f5ba2b4d7b6d4aabdc3cc94760e7e76f07e6e3c6e8e3268

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
163KB

MD5
b7222ba65b8b9ff80e7ae28d931254c2

SHA1
2b4256267bd72022b9259808915619d082c176ec

SHA256
a503a2f355d81828dc40589d065fcbeaeace58d046d7085bba094474735f5659

SHA512
10b24a2456fe55ecbc77a4e09818f671fbdcde768867496ff7ff8bb2a0872f65c4e19e03fef974328adcb904da774d792ed78e0f327079df03a4a6dedd0de8cf

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
163KB

MD5
595caaf7f7afa08fdc915efff13e652c

SHA1
63ac1e7d0ad6d6f5e61c84296e0c96ee7a72635b

SHA256
92646613173df8c23447fff3ed9ebee8797f15505a1295c471a7efda4c3d93d5

SHA512
bee8b47093ae873616adf1adefd997932efedc3c0b11dd4a008e908d8cfade9ea97ff1afe3889a06465356a76ba1a99106f5911cd72547d833105da73e7a0b34

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
163KB

MD5
62e051b19a60040cc1deefe44cdac51c

SHA1
c52a67dcc3459c3ab2a551131365ca005ca1686c

SHA256
55cd7ab311a0cfaf660209ae1963152d5921ce721bc10ebd7d9c0e852472e69c

SHA512
42398f1f0ac5496d77077a3fb284c48d8e1ddedfff053f3c46240d74363b57498416e50bd0938d50656115be5c0b1821e7e67f8dd8ea5b5249ac4cbb68e9cd86

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
163KB

MD5
6f6925bf57b469564603229a5be0680d

SHA1
512b2de7def9d1a804f31d912d139f546dd8e168

SHA256
b604be71d66ba91d67b5304db4c919b5b8fcf73bac80472ef1d74a4482e5edaf

SHA512
5476e3ca8f16ef339c45933535efbe5213f9e15f63587604da134e9a242dce585ee39788dbef024861f277e69339eb84feedbed79151ed32619bf661051a9a5d

Download Submit
memory/232-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/232-549-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/336-405-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/632-358-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/656-563-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/656-30-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1052-38-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1052-570-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1056-489-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1056-771-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1096-447-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1244-441-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1272-388-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1332-310-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1376-382-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1436-286-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1440-143-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1528-53-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1528-584-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1680-399-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1700-477-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1708-216-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1764-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1768-127-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1856-302-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2036-340-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-429-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2152-604-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2172-423-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2188-322-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2304-304-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2360-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2360-597-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2392-564-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2420-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2432-483-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2532-319-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2628-495-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2644-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2676-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2676-556-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2812-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2824-280-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2876-352-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2880-435-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2956-223-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2964-557-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2996-292-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3048-82-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3052-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3076-453-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3088-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3284-364-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3284-813-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3356-417-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3460-512-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3484-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3516-465-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3572-459-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3576-245-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3624-411-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3632-78-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3632-603-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3652-247-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3804-262-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3860-111-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3904-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3908-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3908-577-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3976-505-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4032-524-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4048-543-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4068-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4124-578-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4136-530-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4148-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4328-571-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4388-471-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4408-274-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4464-380-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4492-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4516-350-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4564-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4612-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4628-585-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4756-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4760-268-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4772-518-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4808-537-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4848-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4848-591-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4884-255-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4972-334-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5016-536-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5016-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5016-4-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/5036-552-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download