5ef9ec7e91efe0a6b370668973d1bebe48f839594b061d5639de7f9197af8f42

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

402b139c6e2ff855cad91fc0f2ee53c0_NeikiAnalytics.exe
Size

192KB
MD5

402b139c6e2ff855cad91fc0f2ee53c0
SHA1

ea6c47ce30815c3e4ca82688f778dd72d04ffc79
SHA256

5ef9ec7e91efe0a6b370668973d1bebe48f839594b061d5639de7f9197af8f42
SHA512

f50688df3a2e60229e61f3a466d89a4dee6a0fbeb00457a5f4660e3307bd391098b88336830b79c6ba294d8ef863bdb39b52ccabd8960c45ae3b23590b954e66
SSDEEP

3072:SFUAYNfpkIwhN7bda/HLTpYxoutkTy27zU:/AYNxl6JY/pYxoSkTl7zU

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Bemcgmak.exeCommqb32.exeGqkhjn32.exeMdiklqhm.exeMcnhmm32.exeBpladg32.exeLkdggmlj.exeLgbnmm32.exeMkpgck32.exeDhcnke32.exeHboagf32.exeJpgdbg32.exeMkbchk32.exeNnhfee32.exeChgoogfa.exeDjlddi32.exeDokjbp32.exeDchbhn32.exeLklnhlfb.exeDohmlp32.exeEoapbo32.exeJmnaakne.exeLdaeka32.exeBockjc32.exeCcfmla32.exeElccfc32.exeFjqgff32.exeHfjmgdlf.exeHbeghene.exeJplmmfmi.exeJidbflcj.exeMpaifalo.exeCapchmmb.exeFjhmgeao.exeGmoliohh.exeIjaida32.exeJfffjqdf.exeAeoffo32.exeMnfipekh.exeClldogdc.exeFmficqpc.exeGfhqbe32.exeKpccnefa.exeBidemmnj.exeChnlihnl.exeLcbiao32.exeAiolam32.exeBpcgdfaa.exeLalcng32.exeLdkojb32.exeFbqefhpm.exeJdmcidam.exeEfgodj32.exeEflhoigi.exeGimjhafg.exeMncmjfmk.exeNgcgcjnc.exeMgnnhk32.exeNjogjfoj.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemcgmak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Commqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpladg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpladg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chgoogfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djlddi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dohmlp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bockjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccfmla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elccfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bemcgmak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Capchmmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeoffo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clldogdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bidemmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chnlihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aiolam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpcgdfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efgodj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhcnke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe

Executes dropped EXE 64 IoCs

Processes:

Aihfanhg.exeAlgbmjgk.exeAbqjjd32.exeAeoffo32.exeApekch32.exeAogkoedl.exeAimoln32.exeAbedecjb.exeAiolam32.exeBpidngil.exeBakqfp32.exeBibigmpl.exeBpladg32.exeBammlomg.exeBidemmnj.exeBpnnig32.exeBaojaoke.exeBhibni32.exeBockjc32.exeBemcgmak.exeBpcgdfaa.exeBoegpc32.exeBeppmmoi.exeChnlihnl.exeCpedjf32.exeCccpfa32.exeCimhckeo.exeClldogdc.exeCcfmla32.exeCipehkcl.exeCommqb32.exeCefemliq.exeCoojfa32.exeCeibclgn.exeChgoogfa.exeCoagla32.exeCapchmmb.exeDhjkdg32.exeDoccaall.exeDcopbp32.exeDiihojkb.exeDpcpkc32.exeDcalgo32.exeDadlclim.exeDjlddi32.exeDljqpd32.exeDohmlp32.exeDcdimopp.exeDhqaefng.exeDphifcoi.exeDokjbp32.exeDfdbojmq.exeDhcnke32.exeDpjflb32.exeDchbhn32.exeEfgodj32.exeEhekqe32.exeEpmcab32.exeEckonn32.exeEjegjh32.exeElccfc32.exeEoapbo32.exeEflhoigi.exeEhjdldfl.exe

pid	process
3784	Aihfanhg.exe
6056	Algbmjgk.exe
2516	Abqjjd32.exe
4832	Aeoffo32.exe
2276	Apekch32.exe
3388	Aogkoedl.exe
1412	Aimoln32.exe
5724	Abedecjb.exe
5420	Aiolam32.exe
4988	Bpidngil.exe
1036	Bakqfp32.exe
5268	Bibigmpl.exe
4264	Bpladg32.exe
1996	Bammlomg.exe
3140	Bidemmnj.exe
3652	Bpnnig32.exe
3564	Baojaoke.exe
4440	Bhibni32.exe
6080	Bockjc32.exe
4896	Bemcgmak.exe
4704	Bpcgdfaa.exe
6024	Boegpc32.exe
3796	Beppmmoi.exe
5368	Chnlihnl.exe
728	Cpedjf32.exe
2348	Cccpfa32.exe
1628	Cimhckeo.exe
1820	Clldogdc.exe
5264	Ccfmla32.exe
4960	Cipehkcl.exe
1632	Commqb32.exe
3068	Cefemliq.exe
1924	Coojfa32.exe
3516	Ceibclgn.exe
5296	Chgoogfa.exe
4388	Coagla32.exe
5416	Capchmmb.exe
4728	Dhjkdg32.exe
2896	Doccaall.exe
2632	Dcopbp32.exe
1496	Diihojkb.exe
3892	Dpcpkc32.exe
3708	Dcalgo32.exe
1140	Dadlclim.exe
3536	Djlddi32.exe
5232	Dljqpd32.exe
1052	Dohmlp32.exe
5712	Dcdimopp.exe
3792	Dhqaefng.exe
4640	Dphifcoi.exe
432	Dokjbp32.exe
2460	Dfdbojmq.exe
1952	Dhcnke32.exe
2972	Dpjflb32.exe
4532	Dchbhn32.exe
4516	Efgodj32.exe
2688	Ehekqe32.exe
5012	Epmcab32.exe
992	Eckonn32.exe
1532	Ejegjh32.exe
1436	Elccfc32.exe
5764	Eoapbo32.exe
5144	Eflhoigi.exe
5340	Ehjdldfl.exe

Drops file in System32 directory 64 IoCs

Processes:

Mpkbebbf.exeNqmhbpba.exeDfdbojmq.exeLiggbi32.exeNnolfdcn.exeLcbiao32.exeLaefdf32.exeMcnhmm32.exeFcgoilpj.exeFqmlhpla.exeFmclmabe.exeHcnnaikp.exeJidbflcj.exeMnocof32.exe402b139c6e2ff855cad91fc0f2ee53c0_NeikiAnalytics.exeCcfmla32.exeLcmofolg.exeNqfbaq32.exeNgedij32.exeCccpfa32.exeGqfooodg.exeJpojcf32.exeKbfiep32.exeEoapbo32.exeEodlho32.exeGcpapkgp.exeGcidfi32.exeMgnnhk32.exeLgkhlnbn.exeCommqb32.exeCoojfa32.exeGfhqbe32.exeHikfip32.exeHabnjm32.exeKgphpo32.exeKipabjil.exeLkgdml32.exeMcpebmkb.exeFomonm32.exeHmdedo32.exeJpjqhgol.exeJbmfoa32.exeLcdegnep.exeMamleegg.exeMglack32.exeFfbnph32.exeGqkhjn32.exeHfljmdjc.exeIjaida32.exeJiphkm32.exeCeibclgn.exeJkfkfohj.exeClldogdc.exeLkdggmlj.exeLmccchkn.exeMkpgck32.exeKphmie32.exeDcopbp32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Dhcnke32.exe	Dfdbojmq.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Fjqgff32.exe	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Fbnhphbp.exe	Fqmlhpla.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fmclmabe.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Hikfoe32.dll	402b139c6e2ff855cad91fc0f2ee53c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Cipehkcl.exe	Ccfmla32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Cimhckeo.exe	Cccpfa32.exe
File created	C:\Windows\SysWOW64\Gcekkjcj.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Ampkqqjm.dll	Eoapbo32.exe
File created	C:\Windows\SysWOW64\Ebbidj32.exe	Eodlho32.exe
File created	C:\Windows\SysWOW64\Gjjjle32.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Cefemliq.exe	Commqb32.exe
File created	C:\Windows\SysWOW64\Ceibclgn.exe	Coojfa32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gfhqbe32.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Pkbjnl32.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Dmnlpfhd.dll	Fomonm32.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Fqhbmqqg.exe	Ffbnph32.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gqkhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Chgoogfa.exe	Ceibclgn.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Ccfmla32.exe	Clldogdc.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Diihojkb.exe	Dcopbp32.exe
File opened for modification	C:\Windows\SysWOW64\Eflhoigi.exe	Eoapbo32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

7264 7916 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
7264	7916	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Dchbhn32.exeKmjqmi32.exeLcmofolg.exeLddbqa32.exeMjeddggd.exeNqklmpdd.exeCefemliq.exeEhekqe32.exeFbnhphbp.exeHabnjm32.exeHaidklda.exeJfdida32.exeLgkhlnbn.exeMpmokb32.exeGjapmdid.exeHadkpm32.exeKpepcedo.exeLcbiao32.exeAihfanhg.exeBpcgdfaa.exeDcalgo32.exeFcgoilpj.exeJbkjjblm.exeAbqjjd32.exeGppekj32.exeHjolnb32.exeJbocea32.exeNbhkac32.exeGjjjle32.exeIjaida32.exeIpnalhii.exeChnlihnl.exeCommqb32.exeEqfeha32.exeIcljbg32.exeJfffjqdf.exeJkfkfohj.exeKdhbec32.exeCapchmmb.exeGmoliohh.exeHimcoo32.exeKajfig32.exeLilanioo.exeDokjbp32.exeEjegjh32.exeFomonm32.exeHmklen32.exeMcnhmm32.exeMjhqjg32.exeBammlomg.exeCeibclgn.exeLdmlpbbj.exeLgbnmm32.exeNcihikcg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgbbq32.dll"	Dchbhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cefemliq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifpphha.dll"	Ehekqe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kogbodfe.dll"	Aihfanhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjeff32.dll"	Bpcgdfaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcalgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abqjjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chnlihnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Commqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Capchmmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cefemliq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphbondi.dll"	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll"	Fomonm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bammlomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddphck32.dll"	Commqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfcpn32.dll"	Ceibclgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Capchmmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

402b139c6e2ff855cad91fc0f2ee53c0_NeikiAnalytics.exeAihfanhg.exeAlgbmjgk.exeAbqjjd32.exeAeoffo32.exeApekch32.exeAogkoedl.exeAimoln32.exeAbedecjb.exeAiolam32.exeBpidngil.exeBakqfp32.exeBibigmpl.exeBpladg32.exeBammlomg.exeBidemmnj.exeBpnnig32.exeBaojaoke.exeBhibni32.exeBockjc32.exeBemcgmak.exeBpcgdfaa.exe

description	pid	process	target process
PID 3436 wrote to memory of 3784	3436	402b139c6e2ff855cad91fc0f2ee53c0_NeikiAnalytics.exe	Aihfanhg.exe
PID 3436 wrote to memory of 3784	3436	402b139c6e2ff855cad91fc0f2ee53c0_NeikiAnalytics.exe	Aihfanhg.exe
PID 3436 wrote to memory of 3784	3436	402b139c6e2ff855cad91fc0f2ee53c0_NeikiAnalytics.exe	Aihfanhg.exe
PID 3784 wrote to memory of 6056	3784	Aihfanhg.exe	Algbmjgk.exe
PID 3784 wrote to memory of 6056	3784	Aihfanhg.exe	Algbmjgk.exe
PID 3784 wrote to memory of 6056	3784	Aihfanhg.exe	Algbmjgk.exe
PID 6056 wrote to memory of 2516	6056	Algbmjgk.exe	Abqjjd32.exe
PID 6056 wrote to memory of 2516	6056	Algbmjgk.exe	Abqjjd32.exe
PID 6056 wrote to memory of 2516	6056	Algbmjgk.exe	Abqjjd32.exe
PID 2516 wrote to memory of 4832	2516	Abqjjd32.exe	Aeoffo32.exe
PID 2516 wrote to memory of 4832	2516	Abqjjd32.exe	Aeoffo32.exe
PID 2516 wrote to memory of 4832	2516	Abqjjd32.exe	Aeoffo32.exe
PID 4832 wrote to memory of 2276	4832	Aeoffo32.exe	Apekch32.exe
PID 4832 wrote to memory of 2276	4832	Aeoffo32.exe	Apekch32.exe
PID 4832 wrote to memory of 2276	4832	Aeoffo32.exe	Apekch32.exe
PID 2276 wrote to memory of 3388	2276	Apekch32.exe	Aogkoedl.exe
PID 2276 wrote to memory of 3388	2276	Apekch32.exe	Aogkoedl.exe
PID 2276 wrote to memory of 3388	2276	Apekch32.exe	Aogkoedl.exe
PID 3388 wrote to memory of 1412	3388	Aogkoedl.exe	Aimoln32.exe
PID 3388 wrote to memory of 1412	3388	Aogkoedl.exe	Aimoln32.exe
PID 3388 wrote to memory of 1412	3388	Aogkoedl.exe	Aimoln32.exe
PID 1412 wrote to memory of 5724	1412	Aimoln32.exe	Abedecjb.exe
PID 1412 wrote to memory of 5724	1412	Aimoln32.exe	Abedecjb.exe
PID 1412 wrote to memory of 5724	1412	Aimoln32.exe	Abedecjb.exe
PID 5724 wrote to memory of 5420	5724	Abedecjb.exe	Aiolam32.exe
PID 5724 wrote to memory of 5420	5724	Abedecjb.exe	Aiolam32.exe
PID 5724 wrote to memory of 5420	5724	Abedecjb.exe	Aiolam32.exe
PID 5420 wrote to memory of 4988	5420	Aiolam32.exe	Bpidngil.exe
PID 5420 wrote to memory of 4988	5420	Aiolam32.exe	Bpidngil.exe
PID 5420 wrote to memory of 4988	5420	Aiolam32.exe	Bpidngil.exe
PID 4988 wrote to memory of 1036	4988	Bpidngil.exe	Bakqfp32.exe
PID 4988 wrote to memory of 1036	4988	Bpidngil.exe	Bakqfp32.exe
PID 4988 wrote to memory of 1036	4988	Bpidngil.exe	Bakqfp32.exe
PID 1036 wrote to memory of 5268	1036	Bakqfp32.exe	Bibigmpl.exe
PID 1036 wrote to memory of 5268	1036	Bakqfp32.exe	Bibigmpl.exe
PID 1036 wrote to memory of 5268	1036	Bakqfp32.exe	Bibigmpl.exe
PID 5268 wrote to memory of 4264	5268	Bibigmpl.exe	Bpladg32.exe
PID 5268 wrote to memory of 4264	5268	Bibigmpl.exe	Bpladg32.exe
PID 5268 wrote to memory of 4264	5268	Bibigmpl.exe	Bpladg32.exe
PID 4264 wrote to memory of 1996	4264	Bpladg32.exe	Bammlomg.exe
PID 4264 wrote to memory of 1996	4264	Bpladg32.exe	Bammlomg.exe
PID 4264 wrote to memory of 1996	4264	Bpladg32.exe	Bammlomg.exe
PID 1996 wrote to memory of 3140	1996	Bammlomg.exe	Bidemmnj.exe
PID 1996 wrote to memory of 3140	1996	Bammlomg.exe	Bidemmnj.exe
PID 1996 wrote to memory of 3140	1996	Bammlomg.exe	Bidemmnj.exe
PID 3140 wrote to memory of 3652	3140	Bidemmnj.exe	Bpnnig32.exe
PID 3140 wrote to memory of 3652	3140	Bidemmnj.exe	Bpnnig32.exe
PID 3140 wrote to memory of 3652	3140	Bidemmnj.exe	Bpnnig32.exe
PID 3652 wrote to memory of 3564	3652	Bpnnig32.exe	Baojaoke.exe
PID 3652 wrote to memory of 3564	3652	Bpnnig32.exe	Baojaoke.exe
PID 3652 wrote to memory of 3564	3652	Bpnnig32.exe	Baojaoke.exe
PID 3564 wrote to memory of 4440	3564	Baojaoke.exe	Bhibni32.exe
PID 3564 wrote to memory of 4440	3564	Baojaoke.exe	Bhibni32.exe
PID 3564 wrote to memory of 4440	3564	Baojaoke.exe	Bhibni32.exe
PID 4440 wrote to memory of 6080	4440	Bhibni32.exe	Bockjc32.exe
PID 4440 wrote to memory of 6080	4440	Bhibni32.exe	Bockjc32.exe
PID 4440 wrote to memory of 6080	4440	Bhibni32.exe	Bockjc32.exe
PID 6080 wrote to memory of 4896	6080	Bockjc32.exe	Bemcgmak.exe
PID 6080 wrote to memory of 4896	6080	Bockjc32.exe	Bemcgmak.exe
PID 6080 wrote to memory of 4896	6080	Bockjc32.exe	Bemcgmak.exe
PID 4896 wrote to memory of 4704	4896	Bemcgmak.exe	Bpcgdfaa.exe
PID 4896 wrote to memory of 4704	4896	Bemcgmak.exe	Bpcgdfaa.exe
PID 4896 wrote to memory of 4704	4896	Bemcgmak.exe	Bpcgdfaa.exe
PID 4704 wrote to memory of 6024	4704	Bpcgdfaa.exe	Boegpc32.exe

C:\Users\Admin\AppData\Local\Temp\402b139c6e2ff855cad91fc0f2ee53c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\402b139c6e2ff855cad91fc0f2ee53c0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\SysWOW64\Aihfanhg.exe
  C:\Windows\system32\Aihfanhg.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\SysWOW64\Algbmjgk.exe
    C:\Windows\system32\Algbmjgk.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:6056
  - - C:\Windows\SysWOW64\Abqjjd32.exe
      C:\Windows\system32\Abqjjd32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\SysWOW64\Aeoffo32.exe
        
        C:\Windows\system32\Aeoffo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4832
      - C:\Windows\SysWOW64\Apekch32.exe
        
        C:\Windows\system32\Apekch32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Aogkoedl.exe
        
        C:\Windows\system32\Aogkoedl.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Aimoln32.exe
        
        C:\Windows\system32\Aimoln32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Abedecjb.exe
        
        C:\Windows\system32\Abedecjb.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5724
        
        C:\Windows\SysWOW64\Aiolam32.exe
        
        C:\Windows\system32\Aiolam32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5420
        
        C:\Windows\SysWOW64\Bpidngil.exe
        
        C:\Windows\system32\Bpidngil.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Bakqfp32.exe
        
        C:\Windows\system32\Bakqfp32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Bibigmpl.exe
        
        C:\Windows\system32\Bibigmpl.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5268
        
        C:\Windows\SysWOW64\Bpladg32.exe
        
        C:\Windows\system32\Bpladg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Bammlomg.exe
        
        C:\Windows\system32\Bammlomg.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Bidemmnj.exe
        
        C:\Windows\system32\Bidemmnj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Bpnnig32.exe
        
        C:\Windows\system32\Bpnnig32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Baojaoke.exe
        
        C:\Windows\system32\Baojaoke.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Bhibni32.exe
        
        C:\Windows\system32\Bhibni32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Bockjc32.exe
        
        C:\Windows\system32\Bockjc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:6080
        
        C:\Windows\SysWOW64\Bemcgmak.exe
        
        C:\Windows\system32\Bemcgmak.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Bpcgdfaa.exe
        
        C:\Windows\system32\Bpcgdfaa.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Boegpc32.exe
        
        C:\Windows\system32\Boegpc32.exe
        23⤵
        Executes dropped EXE
        
        PID:6024
        
        C:\Windows\SysWOW64\Beppmmoi.exe
        
        C:\Windows\system32\Beppmmoi.exe
        24⤵
        Executes dropped EXE
        
        PID:3796
        
        C:\Windows\SysWOW64\Chnlihnl.exe
        
        C:\Windows\system32\Chnlihnl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        26⤵
        Executes dropped EXE
        
        PID:728
        
        C:\Windows\SysWOW64\Cccpfa32.exe
        
        C:\Windows\system32\Cccpfa32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        28⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\Clldogdc.exe
        
        C:\Windows\system32\Clldogdc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\Ccfmla32.exe
        
        C:\Windows\system32\Ccfmla32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Cipehkcl.exe
        
        C:\Windows\system32\Cipehkcl.exe
        31⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5296
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        37⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        39⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        40⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        42⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        43⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        45⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        47⤵
        Executes dropped EXE
        
        PID:5232
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        49⤵
        Executes dropped EXE
        
        PID:5712
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        50⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        51⤵
        Executes dropped EXE
        
        PID:4640
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        55⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        59⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        60⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5144
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        65⤵
        Executes dropped EXE
        
        PID:5340
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        66⤵
        Drops file in System32 directory
        
        PID:800
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        67⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        68⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        69⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        70⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        71⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        72⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        73⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        74⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        75⤵
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        76⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1020
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        79⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        81⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        82⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        83⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        84⤵
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        85⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        86⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1120
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2788
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        90⤵
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        91⤵
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1192
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        93⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        94⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        95⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        96⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        97⤵
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        98⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        99⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        100⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        101⤵
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        106⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        107⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        108⤵
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2940
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        111⤵
        
        PID:956
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        113⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        114⤵
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        115⤵
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        116⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        117⤵
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        119⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        120⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        121⤵
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        122⤵
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2480
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        124⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        125⤵
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        126⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        127⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        128⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        129⤵
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        130⤵
        
        PID:368
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        132⤵
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        133⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        134⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        135⤵
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        136⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        137⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        138⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        139⤵
        
        PID:380
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        141⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        142⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        143⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        144⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        145⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        146⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6324
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6364
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        149⤵
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        152⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        155⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        156⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        157⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6800
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        159⤵
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        161⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        163⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        164⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        165⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        166⤵
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        167⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        168⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        169⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        170⤵
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6484
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        173⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        174⤵
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        175⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        176⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        177⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        178⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        179⤵
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        180⤵
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        181⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        182⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        183⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6392
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6548
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6740
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        188⤵
        Drops file in System32 directory
        
        PID:6856
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        189⤵
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        190⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        191⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        192⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        193⤵
        Drops file in System32 directory
        
        PID:6492
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        194⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        195⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        196⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        198⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        199⤵
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        200⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6400
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        202⤵
        Drops file in System32 directory
        
        PID:6792
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6504
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        204⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        205⤵
        Drops file in System32 directory
        
        PID:7228
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        206⤵
        Modifies registry class
        
        PID:7276
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7316
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        208⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        209⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        210⤵
        Drops file in System32 directory
        
        PID:7440
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        211⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7536
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        213⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        214⤵
        Drops file in System32 directory
        
        PID:7628
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        215⤵
        Modifies registry class
        
        PID:7668
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7716
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        217⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7812
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        219⤵
        Modifies registry class
        
        PID:7856
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        220⤵
        Drops file in System32 directory
        
        PID:7924
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        221⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8020
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        223⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        224⤵
        Modifies registry class
        
        PID:8116
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8152
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7112
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        227⤵
        Drops file in System32 directory
        
        PID:7212
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        228⤵
        Drops file in System32 directory
        
        PID:7300
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        229⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7428
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        231⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        232⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7612
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        234⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7756
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        236⤵
        Drops file in System32 directory
        
        PID:7836
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        237⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        238⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8064
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        240⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        241⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        242⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7456
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        244⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        245⤵
        Modifies registry class
        
        PID:7880
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        246⤵
        Modifies registry class
        
        PID:7688
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        247⤵
        Modifies registry class
        
        PID:7808
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        248⤵
        Drops file in System32 directory
        
        PID:7964
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        249⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        250⤵
        Drops file in System32 directory
        
        PID:8172
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        251⤵
        Drops file in System32 directory
        
        PID:7344
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        252⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        253⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        254⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 420
        255⤵
        Program crash
        
        PID:7264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7916 -ip 7916
1⤵
PID:8140

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:7964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abedecjb.exe

Filesize
192KB

MD5
b28c97c2dd4fd59c8485d4960ef5c508

SHA1
aa519782e3bf4d2699985f6489edecd9026ce345

SHA256
4a6ba80418bc28578418d90b77d49c8f41ac1b53192147a40fd4c7b6655661e6

SHA512
5990644a0b75520e3062bc0b47cf309e6da7c85002fa62c468bd17e2995764d04381f5e4ea1cfb5a29ccda0c62c5e06201b590056ab34f14918f549c4624fb6e

Download Submit
C:\Windows\SysWOW64\Abqjjd32.exe

Filesize
192KB

MD5
c14eda411b98b62b074a4c7e2788f97a

SHA1
a17a93ca87d42d64503549de53c8639de88026cd

SHA256
4d96627e69cbedff6bd6071d984ac1bf016ca7a7e8755bc7c5665abfc8c41398

SHA512
342b7c11d404a1777a1538343a2b87f448b14c30489a249487b7ab9fc82fc287dcadb828a68ce0afb1e1bc289b8395a1c0a9acb82cb6fc120056dc7d050588ef

Download Submit
C:\Windows\SysWOW64\Aeoffo32.exe

Filesize
192KB

MD5
c4257ddc27f8c61504c7b5fe3f17ee76

SHA1
65117a8860c64b859dca2ab6bf7eaff67ceeddbe

SHA256
320519d16599d818dc06cca66905083bf2d875648d60f7cc4036c426c5324795

SHA512
c3c9dfb50c2fc65825299cf4561bec480dd0121fa249f7748a55b28398ebf3f61a4759cfbdf27e656f1423582dc69fc96c3ff6742235e0e3cc3f67c29a1e937a

Download Submit
C:\Windows\SysWOW64\Aihfanhg.exe

Filesize
192KB

MD5
c40748dc6a24de456e1f05f5fd0cd65f

SHA1
344a85b4b1492a56dafe26977be5ad3b33aef424

SHA256
9e707ef582e13df9027b50280485c1fcbdb3589b543024327123cffe713d0d6c

SHA512
ac30f45b06a75b93ad5259ae657b8f750ef374c4ed4b95a6b60548ed56f0576b87b8267b3f1de80571358ab8c685adf4cb70a59bb5e96f563685fd402e8ae79d

Download Submit
C:\Windows\SysWOW64\Aimoln32.exe

Filesize
192KB

MD5
9e41afce63cda04c0a879b1c43914a0c

SHA1
afdae0665f9a48c51f41cab607574157b830d4d9

SHA256
4e23d4abd332af85705b8e896e6dc51147f8be09d164296968e015158146e25b

SHA512
b628e166fa4405e224739f2b9bb030bcde6aa7cbb25be2817b7a6c4d171af4eb0490a13123d80230137bc47f07f9f6d04bb294ecd1e39a38f82a53cd080c5aa8

Download Submit
C:\Windows\SysWOW64\Aiolam32.exe

Filesize
192KB

MD5
465b7cea323b799a432ac366171c0e1d

SHA1
d1eb68264f9fcaa5da1592447cd3090d3275e167

SHA256
008b5683f977f42e6d31e3520d5cc3bc4d2e5f46a25b094ec50fae576fb0efdd

SHA512
b66fa1b90ef14edfc73207b320573f49acce437c74b9b532994d594a062d40fd58595065a3cbf3be5e4bfbf02edb9719a1fd15b4187275bb8807045687cadf18

Download Submit
C:\Windows\SysWOW64\Algbmjgk.exe

Filesize
192KB

MD5
6b4a24101cd1cc3bbccd4454e1e76c3c

SHA1
9bb81fc4a214b009f9fb30978cfdd302f2a6e9d8

SHA256
e5f391ca4efcc52fc9e18e31d689436499e88a0f83de7616807f72e3c60e750b

SHA512
cc958e1b8a26e12c8aca087e6aee1f2df3372e592e57c12c72d2997f566774054998ba941377a434ced22e98c8bb95779890a96ad942df0156f8b3bad183b056

Download Submit
C:\Windows\SysWOW64\Aogkoedl.exe

Filesize
192KB

MD5
32af42989e314507a25e494672c90205

SHA1
44e53f4638ce1d1cb0b51bb5e4a19222100ed8b6

SHA256
fe26d0288b55b50e80fcc487b877dfdbd724750e2e803f068f02decac17f54fc

SHA512
8678dc9f07710e0c0fb41eca1913bc8fe5ed51ed6f63d5d364ff43f8ca2a1afc8e84104a0fa02e445578df94275c1a03a19ec4a7140a092f168a70311ba62bab

Download Submit
C:\Windows\SysWOW64\Apekch32.exe

Filesize
192KB

MD5
54a6a0c982d226e84614ed926d4123c6

SHA1
35760971faafc06da4296282f180ccab313cc199

SHA256
d2bd4c9230b8ed2c83022a4f052d75cf4ad8c1c5b77972694e6599a0e1c9d9b4

SHA512
2b7041f5eb9fc3db850cbbe16ee05f09d51f1809d9fae5bbac25baa1724b5802ae000be8040e00904acd922ca57da69a74b729407e8655b366996c5ce84fbd62

Download Submit
C:\Windows\SysWOW64\Bakqfp32.exe

Filesize
192KB

MD5
21fbd6b550a23e639c2f9833140fd25a

SHA1
af7f0e92784258144a6514492d7a7af6a2cb6ff6

SHA256
6310b16e63b08e88e574d2c9f34be076ab4bfebb3982b1e91741dd41b0cf2ccf

SHA512
14c3bd9d2f2cb1979f180d8cfc838e3c2bf54e840a9e8f16383bda1ad19085f77d3e4abf3ca6f6a06d3533ffdcd61097f7f1ed4a89f6011d51dc08b568edfbc8

Download Submit
C:\Windows\SysWOW64\Bammlomg.exe

Filesize
192KB

MD5
52bce9ecb462e823410215622f25efa1

SHA1
e2462e3fa9266b85ae1e1894a3f26667f0359302

SHA256
ec39751eb439395850e7ab59e61ef59758baddf436d4e736f36f3ee2524e8a92

SHA512
f9d34e128a282ebbe3d353cdbbcc27d70d683ffd19473e9b0f2a817a1f655e2fe46aabcbb39eb8f8038f67fe9aeb08b908e9890cfa6a91b694294724ab286f6b

Download Submit
C:\Windows\SysWOW64\Baojaoke.exe

Filesize
192KB

MD5
a4611a20ffe19ecf282cedfd8b42a6b1

SHA1
33c358ddfc9b72c59c60a8daf8f28c6c46befc45

SHA256
e3471ecf39dc5e05150e9ade18416137d2388e8fa633b246e595a8f3f092f7d7

SHA512
d04d9c025f3ab9eb0568eba2198c179fde6c2dd0324fbdf324f84908a098bead055dcefe5cc38b760df34f0d7c9aed84f4931c42e1ec97a6579b12184eaf8bf5

Download Submit
C:\Windows\SysWOW64\Bemcgmak.exe

Filesize
192KB

MD5
efce0c87e391c9a1c287ed52b562308c

SHA1
a78be82c4cc918e85b67a3b91ca708c49ebe98fa

SHA256
ef985d7a0eac5c66d597943e86f1444af4eb7859e8dd0b88a5c528db0c99c102

SHA512
55a15f8e2bda4b54af62e4ff1355117e4567283f37c265c5a8fece19c63d583c0316f496a30f9bd3e4eb88ceffc33c535b7202e454665c86963e0973927f2c9d

Download Submit
C:\Windows\SysWOW64\Beppmmoi.exe

Filesize
192KB

MD5
f7c7e18b03e87f5cfd3f7f7dfe9fda50

SHA1
27757bf5bc48ea61a45cc8466866e2c3aa0644a1

SHA256
e2acf464e3a691426082044042f3f1eabc6ee8a92e5032cdfa48be0d08b7f811

SHA512
1dc07af85ba63712c0180e64a44cdac19d34ac193d3bca61a7fb9677ecaf8d26aa781eb414966def03deaedfa218c453316e2a2b0ddbdc735d33e8aa59e2bc78

Download Submit
C:\Windows\SysWOW64\Bhibni32.exe

Filesize
192KB

MD5
753811b3dc45f7b5d3421f27735c04ff

SHA1
c6fced58bea7f56cf912a46d338c863740d1bfef

SHA256
8dd1dfd0bfbe8a9f7da0a81a858c3d2e54872031570fe0d82bb660babb2f35fa

SHA512
3083957ecb17c6cb2659b386f6de6e735bd0259362c379b43ebed48cd7e6164987b98b856ca859fc5e811ccc354d83011ec10003ad8d4e03e50a7170747a574f

Download Submit
C:\Windows\SysWOW64\Bibigmpl.exe

Filesize
192KB

MD5
046a2cb7339727c30709e3dd9cf49a1f

SHA1
655bc671dbe372020893fb5c53460953a5da1453

SHA256
df0a0f03d93b217c62deb05c295da4fb482ec63908aed0c47fd2c4a2941b5275

SHA512
e1103f079bded765c70ee13fd037616c35d3c542ec0c947cffe3d35deee14c25ae5bf89d8728cd24d5d100cdf0f358c2c3164842c695ec32532ed228740c55cd

Download Submit
C:\Windows\SysWOW64\Bidemmnj.exe

Filesize
192KB

MD5
fbb0a6cd4cc408a22a79e3c7478b0ef3

SHA1
8e0f91d43d5f6bef0459a0471c0972af72147d97

SHA256
88fd4c13703b7caf03b68b0ff2fb169b448e7b37dff38a03d2283190071a6ba9

SHA512
593a8ff6aa8837a93fd8bb0243dedf8a4d931b3235a7069a65c7851b1138163d542f41944cc05a79f7cad714f7322c6d2f9e7f1be87be21870ed566abc912e8f

Download Submit
C:\Windows\SysWOW64\Bockjc32.exe

Filesize
192KB

MD5
e2b82bd606c1c11cc2cd80947c70261e

SHA1
5878f344996330a5706b57d910a8df7d416d51b5

SHA256
9ff3a1084beaaf4e34d43c2f449451e68e67a6f6dac1893d61f1e1996d9d619f

SHA512
aaf2fc864243c2daa054e80697bf6b9041db6981f0eba8228266b74a1d97161e177d7fdf7c2ae6700203553ded4f02818f21e5832b166afd9652e0cf49dac1db

Download Submit
C:\Windows\SysWOW64\Boegpc32.exe

Filesize
192KB

MD5
83b83f04a2f1c55b1dc284786bf408e2

SHA1
64a2994d16e3dbf1329d21d5ae758bbb28c47a49

SHA256
5f5e8703e9bc0b4eacc61d00c0be8f3fbbee74b1bda819b00586b6053a86d11b

SHA512
67633fef43b3964832807d44775e6a6c74480145f9236472b072c24f54e557b53ad3e5a48ec99cbe58d3b3121eb46410396736ca8b1494f089a61d9cc67b7085

Download Submit
C:\Windows\SysWOW64\Bpcgdfaa.exe

Filesize
192KB

MD5
a0ad6e786a1996840a9b68c26b6d2fd6

SHA1
0d9d9f42751666a577380ddc384019b65115cb88

SHA256
0161f8295164e9705b901d03c68a749404bf6eb34767a96091f8fe868d375351

SHA512
7ca6206153744faaed051ffe0073160e54b716b1c610854805ff74cb4a945f061cf011fcd90c14f205834d5810ac09cd476aeb929c9df1724b7180ad2d02ac9a

Download Submit
C:\Windows\SysWOW64\Bpidngil.exe

Filesize
192KB

MD5
9a98a42793f9fa615ca10ed35d25a0eb

SHA1
433851bf8f424494851fd81d360fb0a6f45d0f64

SHA256
8d5e0db60a2920a1ac2840a09c786e31983747f3dca29e6c255e9e01c2cc55f2

SHA512
8c7d94c4983bf9c36cfc2d01dbb14e6d261d4fe964078636548fa34d4bda0a28f1504e10b9eb958cf09f8591f4032360c4fd5e815aa15dbda98ca5c2d3f6897f

Download Submit
C:\Windows\SysWOW64\Bpladg32.exe

Filesize
192KB

MD5
d5c4ab0aa933abe05338ccb533a5d98c

SHA1
d4ff0d2e858f34070cc3f2821065d6d89135dfb9

SHA256
8a3a1399c059ab72706badacb0cafea6ec8fa43482bb5b31b8206060cdb8330c

SHA512
b22b0c8c698b7ed146295d4d9752d9306c073847452aeea001f4170f37ef4ef7213cf92b98119d50efbe568eb2ce583be41f02449e7bb466bee8ddac2900ee48

Download Submit
C:\Windows\SysWOW64\Bpnnig32.exe

Filesize
192KB

MD5
3184ecd9039e3f7d71c94a5f41e09cb3

SHA1
4c8ebeb7fb21f2e8b932dfd05734f86c26855262

SHA256
f23875a65de48455e757abce5bd6ea586c5a7d3f61cd2b26e3b3c2b911b394b6

SHA512
26ee8026747854a8833093cf71e944f9b65f86a143f4b7625c62a2480386fd3b06294a3d4af8b0ce982605777922de3520311ee59a12f01344be24aa53730c79

Download Submit
C:\Windows\SysWOW64\Cccpfa32.exe

Filesize
192KB

MD5
f8de6c894760cb7c12592e13396dd181

SHA1
c30be2492776bf271fcb74c59e3710cd73cfc230

SHA256
0301481683a945d685bea3557579ce371fc7e87a1f73725409980f113fc8199a

SHA512
c0ce896cd0ea3551a87257e8af3b5ad1a301a687e06fee004a6579c84d848e1cff41bc29a4993852e1daf4f9dade683e6610629eb5d28d9d9f635644a1546b69

Download Submit
C:\Windows\SysWOW64\Ccfmla32.exe

Filesize
192KB

MD5
2e2283a82337a22dfc0e60bba5989f32

SHA1
82198131aad172e6e06a4f847184a39c7ee56904

SHA256
a755be619c79c55cc7b566fff4731ba02d30c1e83023030e7a592a23a8a8c104

SHA512
8191e371533d94e094fe2173b2f5e3a3fac568f4c0a125a72ef4185f9281efde5350ff939781517ae24c1b4111c9d263c262c6686628e141b74587b484d93336

Download Submit
C:\Windows\SysWOW64\Cefemliq.exe

Filesize
192KB

MD5
f6f4fb5704b8353e17ebc9761f622251

SHA1
ce3730075d051510fb7bd7b550489822ef7cb6b0

SHA256
ae621272431c57429b3eff507438b51efe9e367386de35b1191341887b989174

SHA512
f792341e869087821f61c36c35f847f2454d5fdfbe0092e00ca10305fccb569cfeb356676591f3014c078477334b7103f051c0d75a8eac07d266e79b887afa1e

Download Submit
C:\Windows\SysWOW64\Chnlihnl.exe

Filesize
192KB

MD5
e9c66ac9343527522e1ee7f87ed1b152

SHA1
8f976fd0cff3555dd77f326ecc09176c4ad1bb6f

SHA256
7600f057057982fb7d393370ae044d52a62ce916bc7f73666f2cf29cef8ee56f

SHA512
e5712b0471795cab1618667d0e7785e449dd43fa94bcc0988dd1359d35aa52564e3cde6af14b1f1b28daa7be993eff10fa1214f83f5dcb5e55368808c9564b0c

Download Submit
C:\Windows\SysWOW64\Cimhckeo.exe

Filesize
192KB

MD5
ae683a5ffe83bdfedf1252b12998b399

SHA1
53577e34bb0e38a4f014ab1eac08d08d8cdc5060

SHA256
12a104f6e5913eb88fbbc0d79b6ff253274c5a21c811a9d8b4a9acae5e9d09f8

SHA512
c94c7426c801fcb4fc98936facc78303199c5f744760a426e0de537675b1d456a96583b989476f68d2cf690c7f784595d73acb2a92ab898370c607c26d2621f7

Download Submit
C:\Windows\SysWOW64\Cipehkcl.exe

Filesize
192KB

MD5
8288f153475fb673fa8a754dc7dd105a

SHA1
980903a16393336d4b64c9038dcdcefa34983f99

SHA256
7c1ab0fc3643c3de7341c621eea4917bb9b5eca8e58f5d247b2e706537337e43

SHA512
b8380fffe66c291fda7a2a2fbdea95e69c940d73406334e1ec55fc84b946aae3e4f084704449212906745e62f180aab8e956b683e690fa1a000a8fe797d0da15

Download Submit
C:\Windows\SysWOW64\Clldogdc.exe

Filesize
192KB

MD5
40909663c6ea2636aaee7f476ea28339

SHA1
332481dcf3cf41fda5e2261499cb9bd8a73aa77e

SHA256
d2bdf98f150d788295622142d39f7a4059dc80ef38b20cb043b23472bb463722

SHA512
300a45613fd1b4079607e108569975a0782c993ed941fd390e154bed775bef172d67adf778cb59f6cf96291053c3113bcff4a4e8c2b081563e4e278a72ff2e14

Download Submit
C:\Windows\SysWOW64\Commqb32.exe

Filesize
192KB

MD5
6b7e65b45d88f33df283fac22a83d88a

SHA1
e0d3143721e1b347b98d01207a061209bad8e621

SHA256
65544d9bb9e30530e542def037e9cc361c31729c6ecfae144b3234ab51abd15f

SHA512
8e971b01f8f6452f614b4015a5f90e509f117cf7519e4a9ec931283794d203e9e5e520f47abe80eb6b398dc9ecd981490a2409651e255834ac534570b18fe329

Download Submit
C:\Windows\SysWOW64\Cpedjf32.exe

Filesize
192KB

MD5
cda8033c4e95221490761df2a844ac0e

SHA1
a95f1655b51ca7a552100e68d2d1b0a462fe8231

SHA256
830bd832a1d09b4888922fc1191a9cc2f7a515c5ced21321648ed8687e9d5256

SHA512
b95db26cce61cc368a190b18d5c419b8ddf1d3a14cae033f3bead7b0bdc6c7c1ea100c3e6842d51c6fd14042920a58d16db76fa9ed7c79519005c1ae61344dcc

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
192KB

MD5
c425c98bf592b9e5c7fb7ccac298a83b

SHA1
5120679f5e14b2f9c529731f8f248dcd09ac71ec

SHA256
a7e11f23e8ca745aec9ba6a0cbdde766f9ec9da0f58a5d3203608ccb624b6d9a

SHA512
ace8bfc8662e17f46c008fb383c4c4a56025368c7c60ffc77fe33725ecb1f7285bdb108c987123681b2fa9373fd5e6b1d7587faa14c8fd13a3082b2b81990654

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
192KB

MD5
97a95448ff9965ac0931ca80322110ba

SHA1
dd029696af1415b9ddd3425cb33814ba5b0f271a

SHA256
563bc5143ea26ba1487d535803028d1492a62240ba6369742f71cc04703ea8c8

SHA512
84bbed7cd6b2933d71cb44d1947ddfd66a4326b7bb6ded02c2ef1f999920fc09bfd9bd0d0538762cc3c620b60d2ef70757eb17eeb2dce3cd3e3ac4fa86e23979

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
192KB

MD5
4f42f7668e463868b36548a4f76f30e4

SHA1
1e93d58a479c1d575198d4a3308ab16063354099

SHA256
a9b3435247c5476d04c7bfec73e9be934fe6980ec4db0e7142f14b87a703a40a

SHA512
078bf9290ff2d944805c15233c9cfe3410efe0a6ef1c9dfcfba68cdd7cb01def803212cdaa3b893ffd57f14ca5a8b37ee1ec4b755b8c1cccc1e9c807201f6713

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
192KB

MD5
c699731387d4589dc2186a62cf84906e

SHA1
4c0990084358fe7dd5ac8be1d708022cc1f11d53

SHA256
0e4d7d408c47013e70a9a537b17a7dae429fcc29419bca25be13744f8d331f5b

SHA512
6864c5380fea4632e27f281bb7829f1336cd990b4b1b619ce9d8db37afb40e51b1352af92a5d0698f07a6817360bf27c9efc965f3fa34a0470848afc3846e97c

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
192KB

MD5
5785ea8b643721d93b68d6c993964a83

SHA1
d53cc3c550c48ee8fd0c93ce667e28c56609ce4b

SHA256
57a4d6e25a0d7f8b0359e51954c0f81ff52085f5ccb0b74f7ac10061d03816da

SHA512
ea435cbfefedac462017217fb31e2420ce288e5fdadedf1fc9c7de2102534951081576ed48f51ec692a8c4516065e35442969b876135d7e1882e2234b9c3964b

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
192KB

MD5
003b500fcb5bc62da6bb8ff07e9d2271

SHA1
e6017d984b2648a44c427ee697cb6d714d851208

SHA256
03cc265579e94d6e7b55c782b950598785ec227d8ec5bbe49670ca5e989b95d8

SHA512
1e8875116d1f18a4630cb5eddcdaa3fc7e630e2f0733e10be418a3214db3c9e01255db928e062a568ca7205be18d74ccdc353da0f6f1199390ac57a65d7e258b

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
192KB

MD5
513392e00b54fcff7cbc5c74d23c57e0

SHA1
c44b7082c52a0d0b20bf7566eaaa4f83a79e6d15

SHA256
f6cc40b8536cc2d854bd0b7c5e146da2a16038d5abaea5f606db079dc68d3a81

SHA512
423f0901b8a30f8949fb97ab7dc86803e3f044c752b95dfd98de7614cf88d179b973547efcb14af5e61f875b2452d95d37d44ca55aeb0ae35c2be280a39f078b

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
192KB

MD5
42f358a2a437dd55abc2dbe020979a16

SHA1
61a2bf33bcc58ca4f10a064f2fd75a43b813350e

SHA256
cf95309708b5da13858ace8fc4d99d4e02a9acfd835d6d94813a6d3dee3c3230

SHA512
add24c73256935e49fc933caac7d68a16d5fb8d38b8399f5d8de1822f871d4118a7212f1d868fe17b31a0ab39a1909f36c2555686dd288c2f6c18da91f2451e8

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
192KB

MD5
7e23d6f076ca6492284653e74d7ed0a4

SHA1
ae7789406663d4553556c3ed88aa418b47acdea6

SHA256
42728327ad74c70f027c53309a7a5457859c9d70eb7b054df419739f44a789c5

SHA512
64a23f8253e5e965e561e97bb866824eeb1ce78deae1ce6eeff2e7fe2e923818a1ddade5d6b26160268b8863e51d8daba46af619f1413be9c2fbd85830dc865e

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
192KB

MD5
89a8085e916349b38a3a22e517210a85

SHA1
272767ef5a7a514ea9735068c8a973ccf1f26b00

SHA256
1b0e10ccfc2c73446c893928d4c93a1c813a3144f661228b989a9127f59f1fdd

SHA512
dac23bcbe3008d4fdf2944413d8fe9892ebaf0f92b21ff6b9559ae2de4c6f18fbdaea8248f5291eae598b235c6dbd4ef80da103bdde1c7af8aff648e8ea69fd9

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
192KB

MD5
d108eafb03e23bdc94cc5585c1d66d48

SHA1
626f08bf1c70aba462ad40110c853b774af651ac

SHA256
5786a5ee47cde84e5156def61ed9fe918573cd024c1b27abb1171ba154a3640b

SHA512
94343a9889f0ceaacae30c211c71f3c5d8aa294b9aefa34d1acf2da773daf7c1c1abc28307cd60ee9b3561aacdff8b7d735d7ed34b9a822004db62f261232530

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
192KB

MD5
48df577fa335f02d1e57e889163ec0fe

SHA1
195d77954db7d4b93d5fe4952253738c777aa1db

SHA256
c0889df486b06228f559766fe437dcfe4a58c647b0d84d980deb248d948094e4

SHA512
655c12371170aab2a8a323e7ce3826b254bb86fd8a03f50907fa0a3f488431438a9ad37b7b6c46bc7f0f34c12663ac6c656aa722e02607f7b5304557a4d79714

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
192KB

MD5
1fcb5114e027f5703dd2e4551d89835a

SHA1
2528bb639c8112b70593eb4d12676c84be5c7930

SHA256
ae694a2537ecadff9b7cbe3e0235794b721479c76c7f8c4168d0d2aca8ceb22e

SHA512
e532c5ffd391b73bd7a119450613e600ec4bda3b53b453eef344b22fba039b78c221d9001480175640bee4be99c7649852fa4b1b511b8a18558095487fc8ccbc

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
192KB

MD5
862df7a0f8c92a641643fd06e2b0af62

SHA1
bbe13f7e608fabeeec05f1883ef2da4de2232b8e

SHA256
6565b4d18a4e3c6b3518f3362ab817195974a74db1497d3095ec29f89d64bdaf

SHA512
72e3de8eb0e6fa8e14b13af407719b0e16c590980a9975d6eb806726b0de1ed54bf62702ad88f0740cc0055eecf45c47a7ae7ec436174fb854be0515c5e56a42

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
192KB

MD5
492e8ded1d658449147dc26e243dde80

SHA1
33f2727203647ddbdede80d6fe17807c5275e72f

SHA256
e301849e9a1d276c634d1400858ba6b9c478be4113625b1ed119a10b5cc56dbc

SHA512
db12a4a06cad21b6af0a51f7fce0b7a2092e1e9f6d70d3eb8fa53524bada98fdaa87be45fcd70af7cc824cc13468d482a55e32b24e4a985e20d4f931340a000e

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
192KB

MD5
2d6842e67e5e58d685c78d4f0a25b47f

SHA1
89b1db4d783491dd2b6731e4d000ea102ddef163

SHA256
0825a20c225aa1816aa3f4451bb2daeaaad55cf00bc7f1266ad091ff7d9f2075

SHA512
9c86a1d742089e7290035b2263356ce468d86573839835e77d287a7435c47799f7714143d546fd8485748ac74e7be90f98635b3eb91433ea0c96bb952196d638

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
192KB

MD5
1c87028de56b88bcbf41dbf3291dabc1

SHA1
72f7feb56a072da4a1977e1433a215f07c016776

SHA256
57dac8162bb1422c9c6c0f07b38c79870d0447d12638408938b1dd5f7cde4e47

SHA512
4e919ef241063fabeea2a118ee16e3330b3f2398e50f683a0394ae527ed2403b709e9cb48602d90d29422110bead2bd055e5e82ddc7028fe6a9b9f9a7c7c1837

Download Submit
C:\Windows\SysWOW64\Lppbbf32.dll

Filesize
7KB

MD5
b328725963460516548b0806acde65f6

SHA1
238260d740e0c41fb86d69532e55603048cd069c

SHA256
d0dfddf9a7a3749e3a48c4794f6a15299ad699e1a38a7a14c2932731cdda89f5

SHA512
26f51eacb69ba1610f2558f9d835c196af7aa8d4d9b9d7db40c8e7640ab9b4e9c0d14c24a9705e4baaf909d301e175380757c082d58695ba8364cb2b52b8af9e

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
192KB

MD5
39e5597645a764abe3ff6c012da229af

SHA1
bf993ee254ebf55e5c452533e889d3f793d3dcc3

SHA256
c6dba402be76a7227fb83dd52986ff47e3ff2f200601bdf2af6cf1a3fb968c95

SHA512
449214468e4be9bb6e3ca7ee47099547908bca6c61405cd181b5ac52db15fd2f4905f4a8ce334a1886b35e59038b122ae91583694ca577ddbbc75e46d8cdb023

Download Submit
memory/432-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/728-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/796-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/800-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/992-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1120-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3784-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3784-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3796-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3892-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4532-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4640-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5144-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5172-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5188-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5232-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5264-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5268-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5296-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5340-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5352-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5368-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5416-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5420-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5588-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5644-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5712-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5724-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5724-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5764-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6024-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6056-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6056-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6080-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download