99acd00442812de8720c3fd4c66cfe9e08eed125125a8bc1dd45a3f00968ecbc

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ba8c1f0451da953eb060a5e1c5412b0_NeikiAnalytics.exe
Size

90KB
MD5

5ba8c1f0451da953eb060a5e1c5412b0
SHA1

ddb4c9687d20cb77623a8e574ea7ec5f57b408dc
SHA256

99acd00442812de8720c3fd4c66cfe9e08eed125125a8bc1dd45a3f00968ecbc
SHA512

17cab8c690ed9dd76c655bab6731f40c582c48119ab708ee498d623c5357b8f925b2a48715b26092157b1ec8a1c52abee6cdf1a1e2d0d66e6749b17e11bf4539
SSDEEP

1536:RQ1h4na2y6WpSDpEIOI93U83Zs7kNC519ooIVGeu/Ub0VkVNK:RQzka2y6zDpEIOIFb3Z45fbIVGeu/Ubi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Bcebhoii.exeBmngqdpj.exeDdjejl32.exeOfqpqo32.exePjjhbl32.exeQmmnjfnl.exeOjgbfocc.exeBfdodjhm.exeBcoenmao.exeCajlhqjp.exeDhkjej32.exePdmpje32.exeOcdqjceo.exeOjaelm32.exePdfjifjo.exeAglemn32.exeBchomn32.exeOdkjng32.exePmdkch32.exeAnmjcieo.exeAepefb32.exeBaicac32.exeCmgjgcgo.exeDjgjlelk.exeOcnjidkf.exePqdqof32.exeQceiaa32.exeBjmnoi32.exeCmiflbel.exe5ba8c1f0451da953eb060a5e1c5412b0_NeikiAnalytics.exeChmndlge.exeCalhnpgn.exePgllfp32.exePgioqq32.exeQqfmde32.exeBnmcjg32.exeBclhhnca.exeCndikf32.exeCnnlaehj.exePclgkb32.exeDknpmdfc.exeDodbbdbb.exePfjcgn32.exeCfmajipb.exeDgbdlf32.exeOqhacgdh.exePcncpbmd.exePgnilpah.exeBfhhoi32.exeCmlcbbcj.exeDopigd32.exeDeagdn32.exeBebblb32.exeChagok32.exePnonbk32.exeAqkgpedc.exeCjkjpgfi.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5ba8c1f0451da953eb060a5e1c5412b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe

Executes dropped EXE 64 IoCs

Processes:

Nfjjppmm.exeNnqbanmo.exeOdkjng32.exeOcnjidkf.exeOjgbfocc.exeOdmgcgbi.exeOfnckp32.exeOneklm32.exeOdocigqg.exeOfqpqo32.exeOlkhmi32.exeOcdqjceo.exeOjoign32.exeOqhacgdh.exeOcgmpccl.exeOjaelm32.exePdfjifjo.exePfhfan32.exePnonbk32.exePclgkb32.exePfjcgn32.exePmdkch32.exePcncpbmd.exePgioqq32.exePncgmkmj.exePdmpje32.exePgllfp32.exePjjhbl32.exePqdqof32.exePgnilpah.exeQqfmde32.exeQceiaa32.exeQjoankoi.exeQmmnjfnl.exeQcgffqei.exeQgcbgo32.exeAnmjcieo.exeAqkgpedc.exeAgeolo32.exeAfhohlbj.exeAmbgef32.exeAeiofcji.exeAglemn32.exeAjkaii32.exeAminee32.exeAepefb32.exeAgoabn32.exeBjmnoi32.exeBebblb32.exeBcebhoii.exeBfdodjhm.exeBmngqdpj.exeBaicac32.exeBchomn32.exeBjagjhnc.exeBnmcjg32.exeBeglgani.exeBfhhoi32.exeBnpppgdj.exeBeihma32.exeBclhhnca.exeBhhdil32.exeBnbmefbg.exeBmemac32.exe

pid	process
3968	Nfjjppmm.exe
3344	Nnqbanmo.exe
1100	Odkjng32.exe
4388	Ocnjidkf.exe
1360	Ojgbfocc.exe
836	Odmgcgbi.exe
228	Ofnckp32.exe
2212	Oneklm32.exe
4984	Odocigqg.exe
1496	Ofqpqo32.exe
1980	Olkhmi32.exe
2544	Ocdqjceo.exe
400	Ojoign32.exe
2408	Oqhacgdh.exe
3392	Ocgmpccl.exe
2712	Ojaelm32.exe
1652	Pdfjifjo.exe
4816	Pfhfan32.exe
452	Pnonbk32.exe
1900	Pclgkb32.exe
4276	Pfjcgn32.exe
4832	Pmdkch32.exe
3300	Pcncpbmd.exe
3852	Pgioqq32.exe
4324	Pncgmkmj.exe
1852	Pdmpje32.exe
3880	Pgllfp32.exe
3020	Pjjhbl32.exe
968	Pqdqof32.exe
1588	Pgnilpah.exe
4844	Qqfmde32.exe
4448	Qceiaa32.exe
1512	Qjoankoi.exe
3172	Qmmnjfnl.exe
1648	Qcgffqei.exe
3876	Qgcbgo32.exe
2456	Anmjcieo.exe
2008	Aqkgpedc.exe
1012	Ageolo32.exe
364	Afhohlbj.exe
2164	Ambgef32.exe
4352	Aeiofcji.exe
3708	Aglemn32.exe
3616	Ajkaii32.exe
3296	Aminee32.exe
3204	Aepefb32.exe
4812	Agoabn32.exe
3888	Bjmnoi32.exe
2984	Bebblb32.exe
2420	Bcebhoii.exe
1936	Bfdodjhm.exe
3208	Bmngqdpj.exe
4628	Baicac32.exe
1260	Bchomn32.exe
1448	Bjagjhnc.exe
4500	Bnmcjg32.exe
4840	Beglgani.exe
888	Bfhhoi32.exe
4716	Bnpppgdj.exe
3536	Beihma32.exe
468	Bclhhnca.exe
4112	Bhhdil32.exe
4320	Bnbmefbg.exe
4092	Bmemac32.exe

Drops file in System32 directory 64 IoCs

Processes:

Ajkaii32.exeQmmnjfnl.exeBjagjhnc.exeBeglgani.exeDkkcge32.exe5ba8c1f0451da953eb060a5e1c5412b0_NeikiAnalytics.exeQqfmde32.exePjjhbl32.exeAgoabn32.exeCfmajipb.exeDmefhako.exeDmjocp32.exeDgbdlf32.exeQjoankoi.exeAmbgef32.exeBclhhnca.exeBnbmefbg.exeCeckcp32.exeDhhnpjmh.exeBjmnoi32.exeNfjjppmm.exeNnqbanmo.exeOdocigqg.exeOlkhmi32.exeQcgffqei.exeAqkgpedc.exeCnnlaehj.exeQgcbgo32.exeAnmjcieo.exeAepefb32.exeCajlhqjp.exeDhocqigp.exePcncpbmd.exeAeiofcji.exeBmngqdpj.exeBaicac32.exeCalhnpgn.exeDhkjej32.exeOcnjidkf.exePdfjifjo.exeCenahpha.exeDkifae32.exePncgmkmj.exeChokikeb.exeDdjejl32.exePclgkb32.exePgllfp32.exeAminee32.exeBchomn32.exePnonbk32.exeQceiaa32.exeCmnpgb32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	5ba8c1f0451da953eb060a5e1c5412b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5552 5436 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
5552	5436	WerFault.exe	Dmllipeg.exe

Modifies registry class 64 IoCs

Processes:

Ageolo32.exeDopigd32.exeOfqpqo32.exePncgmkmj.exeQgcbgo32.exeOcdqjceo.exeBeihma32.exeCmlcbbcj.exeOcgmpccl.exeBnmcjg32.exeBeglgani.exeOqhacgdh.exePnonbk32.exeAgoabn32.exeDhmgki32.exeDhocqigp.exeCndikf32.exeDhhnpjmh.exePgioqq32.exeAjkaii32.exePmdkch32.exeBaicac32.exeCjkjpgfi.exeCalhnpgn.exeOdkjng32.exePdmpje32.exeBnbmefbg.exeCajlhqjp.exeDodbbdbb.exeDknpmdfc.exeOdocigqg.exeBcebhoii.exeBclhhnca.exeChokikeb.exePgnilpah.exeBebblb32.exePdfjifjo.exePqdqof32.exe5ba8c1f0451da953eb060a5e1c5412b0_NeikiAnalytics.exeAglemn32.exeCmgjgcgo.exeNfjjppmm.exeAmbgef32.exeBfhhoi32.exeBhhdil32.exeBmemac32.exeCenahpha.exeOjgbfocc.exeOjoign32.exeQceiaa32.exeCmnpgb32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5ba8c1f0451da953eb060a5e1c5412b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5ba8c1f0451da953eb060a5e1c5412b0_NeikiAnalytics.exeNfjjppmm.exeNnqbanmo.exeOdkjng32.exeOcnjidkf.exeOjgbfocc.exeOdmgcgbi.exeOfnckp32.exeOneklm32.exeOdocigqg.exeOfqpqo32.exeOlkhmi32.exeOcdqjceo.exeOjoign32.exeOqhacgdh.exeOcgmpccl.exeOjaelm32.exePdfjifjo.exePfhfan32.exePnonbk32.exePclgkb32.exePfjcgn32.exe

description	pid	process	target process
PID 4236 wrote to memory of 3968	4236	5ba8c1f0451da953eb060a5e1c5412b0_NeikiAnalytics.exe	Nfjjppmm.exe
PID 4236 wrote to memory of 3968	4236	5ba8c1f0451da953eb060a5e1c5412b0_NeikiAnalytics.exe	Nfjjppmm.exe
PID 4236 wrote to memory of 3968	4236	5ba8c1f0451da953eb060a5e1c5412b0_NeikiAnalytics.exe	Nfjjppmm.exe
PID 3968 wrote to memory of 3344	3968	Nfjjppmm.exe	Nnqbanmo.exe
PID 3968 wrote to memory of 3344	3968	Nfjjppmm.exe	Nnqbanmo.exe
PID 3968 wrote to memory of 3344	3968	Nfjjppmm.exe	Nnqbanmo.exe
PID 3344 wrote to memory of 1100	3344	Nnqbanmo.exe	Odkjng32.exe
PID 3344 wrote to memory of 1100	3344	Nnqbanmo.exe	Odkjng32.exe
PID 3344 wrote to memory of 1100	3344	Nnqbanmo.exe	Odkjng32.exe
PID 1100 wrote to memory of 4388	1100	Odkjng32.exe	Ocnjidkf.exe
PID 1100 wrote to memory of 4388	1100	Odkjng32.exe	Ocnjidkf.exe
PID 1100 wrote to memory of 4388	1100	Odkjng32.exe	Ocnjidkf.exe
PID 4388 wrote to memory of 1360	4388	Ocnjidkf.exe	Ojgbfocc.exe
PID 4388 wrote to memory of 1360	4388	Ocnjidkf.exe	Ojgbfocc.exe
PID 4388 wrote to memory of 1360	4388	Ocnjidkf.exe	Ojgbfocc.exe
PID 1360 wrote to memory of 836	1360	Ojgbfocc.exe	Odmgcgbi.exe
PID 1360 wrote to memory of 836	1360	Ojgbfocc.exe	Odmgcgbi.exe
PID 1360 wrote to memory of 836	1360	Ojgbfocc.exe	Odmgcgbi.exe
PID 836 wrote to memory of 228	836	Odmgcgbi.exe	Ofnckp32.exe
PID 836 wrote to memory of 228	836	Odmgcgbi.exe	Ofnckp32.exe
PID 836 wrote to memory of 228	836	Odmgcgbi.exe	Ofnckp32.exe
PID 228 wrote to memory of 2212	228	Ofnckp32.exe	Oneklm32.exe
PID 228 wrote to memory of 2212	228	Ofnckp32.exe	Oneklm32.exe
PID 228 wrote to memory of 2212	228	Ofnckp32.exe	Oneklm32.exe
PID 2212 wrote to memory of 4984	2212	Oneklm32.exe	Odocigqg.exe
PID 2212 wrote to memory of 4984	2212	Oneklm32.exe	Odocigqg.exe
PID 2212 wrote to memory of 4984	2212	Oneklm32.exe	Odocigqg.exe
PID 4984 wrote to memory of 1496	4984	Odocigqg.exe	Ofqpqo32.exe
PID 4984 wrote to memory of 1496	4984	Odocigqg.exe	Ofqpqo32.exe
PID 4984 wrote to memory of 1496	4984	Odocigqg.exe	Ofqpqo32.exe
PID 1496 wrote to memory of 1980	1496	Ofqpqo32.exe	Olkhmi32.exe
PID 1496 wrote to memory of 1980	1496	Ofqpqo32.exe	Olkhmi32.exe
PID 1496 wrote to memory of 1980	1496	Ofqpqo32.exe	Olkhmi32.exe
PID 1980 wrote to memory of 2544	1980	Olkhmi32.exe	Ocdqjceo.exe
PID 1980 wrote to memory of 2544	1980	Olkhmi32.exe	Ocdqjceo.exe
PID 1980 wrote to memory of 2544	1980	Olkhmi32.exe	Ocdqjceo.exe
PID 2544 wrote to memory of 400	2544	Ocdqjceo.exe	Ojoign32.exe
PID 2544 wrote to memory of 400	2544	Ocdqjceo.exe	Ojoign32.exe
PID 2544 wrote to memory of 400	2544	Ocdqjceo.exe	Ojoign32.exe
PID 400 wrote to memory of 2408	400	Ojoign32.exe	Oqhacgdh.exe
PID 400 wrote to memory of 2408	400	Ojoign32.exe	Oqhacgdh.exe
PID 400 wrote to memory of 2408	400	Ojoign32.exe	Oqhacgdh.exe
PID 2408 wrote to memory of 3392	2408	Oqhacgdh.exe	Ocgmpccl.exe
PID 2408 wrote to memory of 3392	2408	Oqhacgdh.exe	Ocgmpccl.exe
PID 2408 wrote to memory of 3392	2408	Oqhacgdh.exe	Ocgmpccl.exe
PID 3392 wrote to memory of 2712	3392	Ocgmpccl.exe	Ojaelm32.exe
PID 3392 wrote to memory of 2712	3392	Ocgmpccl.exe	Ojaelm32.exe
PID 3392 wrote to memory of 2712	3392	Ocgmpccl.exe	Ojaelm32.exe
PID 2712 wrote to memory of 1652	2712	Ojaelm32.exe	Pdfjifjo.exe
PID 2712 wrote to memory of 1652	2712	Ojaelm32.exe	Pdfjifjo.exe
PID 2712 wrote to memory of 1652	2712	Ojaelm32.exe	Pdfjifjo.exe
PID 1652 wrote to memory of 4816	1652	Pdfjifjo.exe	Pfhfan32.exe
PID 1652 wrote to memory of 4816	1652	Pdfjifjo.exe	Pfhfan32.exe
PID 1652 wrote to memory of 4816	1652	Pdfjifjo.exe	Pfhfan32.exe
PID 4816 wrote to memory of 452	4816	Pfhfan32.exe	Pnonbk32.exe
PID 4816 wrote to memory of 452	4816	Pfhfan32.exe	Pnonbk32.exe
PID 4816 wrote to memory of 452	4816	Pfhfan32.exe	Pnonbk32.exe
PID 452 wrote to memory of 1900	452	Pnonbk32.exe	Pclgkb32.exe
PID 452 wrote to memory of 1900	452	Pnonbk32.exe	Pclgkb32.exe
PID 452 wrote to memory of 1900	452	Pnonbk32.exe	Pclgkb32.exe
PID 1900 wrote to memory of 4276	1900	Pclgkb32.exe	Pfjcgn32.exe
PID 1900 wrote to memory of 4276	1900	Pclgkb32.exe	Pfjcgn32.exe
PID 1900 wrote to memory of 4276	1900	Pclgkb32.exe	Pfjcgn32.exe
PID 4276 wrote to memory of 4832	4276	Pfjcgn32.exe	Pmdkch32.exe

C:\Users\Admin\AppData\Local\Temp\5ba8c1f0451da953eb060a5e1c5412b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5ba8c1f0451da953eb060a5e1c5412b0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\SysWOW64\Nfjjppmm.exe
  C:\Windows\system32\Nfjjppmm.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\SysWOW64\Nnqbanmo.exe
    C:\Windows\system32\Nnqbanmo.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Windows\SysWOW64\Odkjng32.exe
      C:\Windows\system32\Odkjng32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4388
      - C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3300
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3880
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3172
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        41⤵
        Executes dropped EXE
        
        PID:364
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3888
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1260
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        60⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3948
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4640
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1816
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        76⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:832
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3176
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2800
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        86⤵
        Drops file in System32 directory
        
        PID:3532
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        88⤵
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        90⤵
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        91⤵
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        97⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 416
        98⤵
        Program crash
        
        PID:5552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5436 -ip 5436
1⤵
PID:5520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ambgef32.exe

Filesize
90KB

MD5
df47b58a83082b5475d56fb1434c2c33

SHA1
c1fa80ffc42a1f1fd266b19d339b56ed5ac51f13

SHA256
4166baedc781937972f74ef2a51505b79f41d5f54d79b13c57611aee90b6c304

SHA512
7c070f13eca94abc1010f1f971ba54fef0d972a1161a7fb4baf08443c119f15322e1be99b1108c11c55a74bbec2e1af685257ecfaecc72707bb660e56d13512f

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
90KB

MD5
b2dd5ff153c21d4ae1a18a5fde1bf232

SHA1
eb40a35cf7850b3c607869a466fca3df32917bfc

SHA256
2a8802ba70729e7603b05106eb7349643b294baa207908422f3905ccdac96e17

SHA512
297956106bb40b28148758684f65a3e39ad0468c662e9025130eeef07ddbaa0d7959bb4c2514a2f67fbcf13b9ba2494d8aa2cc8973ef7f3c51ab20d4ab9f9f0c

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
90KB

MD5
0887895170bcfd08c2e0c8b243aa736d

SHA1
5448ecac8e6875632ab1416006aec03970a24631

SHA256
25b86ba2073af9f99f9aac25039682497bc81ce33db1ece5caa07f21fcefff73

SHA512
2d0a180870f81ef1c1b8a45ff5b1b935c5a1a1226f10e3f3f07d5392adb934306a9a070d78e415bfc8c1845365c1d439b02a9b058208e325198e28b35f2d9eb8

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
90KB

MD5
4b2d08e5392b8b880f4f026df5f3e3eb

SHA1
55c6f8e5f76b9427fcf198ead46cc7876cef6ddf

SHA256
648be5193c9da22fc92eb197b98164ef158de4563dab0408e1173160090a09d7

SHA512
55490eefed7d68b1493403c95c363344710290690ba189f89410a05a08856b765251c472c7cb6525c4110f41fe937f28f92e6a3166249e0e2a84d30dd3f8c7bd

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
90KB

MD5
e82123ffad55aeaca5569daf30f74bb9

SHA1
7151fb95e4271d4d629b51b0c9c60a589f3ef3f0

SHA256
0048bb1853df31cc7c1e1df140feae48ec59c91248ee916277bda486358fc49b

SHA512
28d7aac21aa17f85f6c185fdfe6314607c2aeea41164ba5425d130aa0cc8e24ae0ee6e3fede84ee56ca0553de83f07f155d56e6d398c4e8e4e9512e3f9762704

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
90KB

MD5
16022fe41c8068fd529dc76f7b9e2aca

SHA1
be68896494cc65bb2617a55d96800231afb1bde4

SHA256
ee176eb65e2278eacfd2148d424c7b682e82ae98e9e2450e968dc7619b1b2be8

SHA512
4c2d32aa64ccbecdda81d60e1dfe9e6d00e5f5eb42344ace1c1fe950934e573dd8dfbba19cf248aa49a91c5a0a2d159bb371de5b52e0205263d30494e5b563c8

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
90KB

MD5
4824bca07ca3aa717de9871e3d8d69f3

SHA1
2ce418ea4274ba9c2879edfa92f5118adae4ee8c

SHA256
38eb9c805e043ade846c5a5f9c4223537501dc2455cd438aaf6c0283891919b7

SHA512
b9dd8e1446cad252a2df1b093dba3f79ebf2bf470df5f7fc0d3e0d003cdbdfe853d8439783e5e72d22ac77080446603d3640cf280953337c67579380aef0302d

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
90KB

MD5
25f1fa715fa34811a2e35f113c547731

SHA1
057ab6ed27fae34162924d146eb8e6abad1d6a4d

SHA256
b74e76203dcca42ee65844a447260faae9d2fec8e517999403e5838f2382b461

SHA512
e406715b52df6e2d4ca5b2e623bbcdbb573f555f51aa78b536cf450ab74872cc2189cd519fa822d9117348d1f854abde15d70db125cef8e8aeecdd529c4055f8

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
90KB

MD5
ea99e8c3ab6921c0fa7b33d3718a97bb

SHA1
43977046d99e335d3b9eb66cf5097ac628f48094

SHA256
dc068c780569738e27a56d93b29cfd16144b96a04cf0661a6fdde0df7aba594d

SHA512
d3d2554c72f09ebbd7d374fc1859de0e4fff229002f61866503f9176478bf14c131e017324664e1a6c9acbcc982356d06905867faa879e68ef303da680e9fe71

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
90KB

MD5
273f32ed0cbc496b76ab56ae34d29e8a

SHA1
73adb0d2bdb28e033dd7c97b814cb01b4a32f4bb

SHA256
2cf26b219c0f1a75a288981c869273b364e2d24906b3ce0b1a3096d0b119fdb4

SHA512
14429abf2d510f328a26ee6e8903e4423cfb7385956207315239fe2f60908bc093717f48a5dbbbefe7ac8e7a24c0c233577b9ab5507fcbea1321568074b5b677

Download Submit
C:\Windows\SysWOW64\Mnodjf32.dll

Filesize
7KB

MD5
b842b53d4772df04e20dc3d904391857

SHA1
ed3762a526acd9ee45a46f24352da4036b88d63e

SHA256
ee98d7d38b46383b5dd4ff972b626ce63b0ab29d0e082bf0e62ac39ea7faaee0

SHA512
5cab54ba90d1d46eccd0086dab175dfae954f0e022aa2ef45ef9bce89edbb9d8faebfe0a31ea527a68686f1cc47da87b9591efc346672b95e1d3e6f110f2159c

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
90KB

MD5
18cdc09fc74e8c0411e462a701095057

SHA1
42c8a8ebcc624d65f229c7a0d846dbcbfa0e9e91

SHA256
2c73f1d9997b0bc6574e874ab8316eb707afb069a755c9bad972258d0f067029

SHA512
daa265c0924ba6c0e1341b2f89ffda64911e0613cc3003552da5f4358eb73aa9058971c52a3e17964e4e870c5a28d6c94aeda35293886e7d73d93f1463b0387a

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
90KB

MD5
e3532d6090908f78ead5a7b4cc6ba191

SHA1
9b3139c5d7655410fc37ce0ef6bb5c753ff1f864

SHA256
1ec08998444a8c40a9deefd5306e6bf29bc3464621be850d8ecf73a0d90b110d

SHA512
58c1e55edbab5d4492d3fb5b1bdef3a2cb557a3a6a1ad31ed4912f102fb3f8f87929c9c1599b642f8952ea656573f2ecbfa5b2c1fe83b51ca5f65d1ba396036e

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
90KB

MD5
a702044e03b600053c0f027466d5ebd0

SHA1
b249983afcb4dc2f8c7a6be696f148cac738261e

SHA256
978f0d299006c263759b6c6653083588c211f04ffd4f006972acd1ad59d7f78a

SHA512
c2beaad8ea455bdad440094a2e9d73bf9431dde37dbfa6a0f21f510d019e7daac7009aef81f2f1a9a15b230df42d06bb05f0100530b1f8c457e320115dbd5333

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
90KB

MD5
6f9c51cb2f0fce4a0fad3b54174043f1

SHA1
2cca567c2428ce68903c7f84084e60690058c012

SHA256
d721ba37f54a91d5e7a5ae2d74ad7eca4d810b1e4bb91965d3205f80605b4791

SHA512
d4334dbefc1b0a9a68a55711feb99a3cd52589ca8bde39cb20ad51a9f1505cdb5413cfe74bbb3ce532245caec6c77ed4c2e2bbccecbe99bd9c0acb38d4fa8221

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
90KB

MD5
d7b134126c5af8cf9c8bc4b22dca7c38

SHA1
083a19659e5ba6b525293985e761752c4d9a0191

SHA256
6e3fbd650a7fb9809a70c5b283803a0f708a20caf99c39fc1f918e079172cb3d

SHA512
cba463e27afdf5befa32cba540128d5e87b67fd4223f029651a7e59cd5df98be96f55400a86c64dc37a96273c4d8570a9fb5386982f8740930ece9c6e1c9fa7c

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
90KB

MD5
bd3a5eb760be819a7449d549a9bd2ed1

SHA1
c3611250282667b1b1b77ee5024006a17ca0ffd2

SHA256
27b88f4471bca7ded5626d5b2cd9baa7399587676f59974c7d21b811e0c3b261

SHA512
1937ec69351b5fdf638149da013e5c59616de6cd1b129eb74bfaab1b45120a9a33af18273572fd7579fe1d0197aa92d9760b2e901e82211a943d452f71c5c3da

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
90KB

MD5
f61fa8a2e300ea82c18a608ff2fe9f94

SHA1
b8543b0956abb4e1c7b31db66c973fbc2487f03c

SHA256
3991abe486befc4ebbedca8a2f3e3f524fad7eabe613c2adc13eb297bfbe5d8d

SHA512
623c82b51a8dbfdfdbb07c7cf6c11edda8ce85889b8c480377f1c8c0054b2d9210086fdf403ec507936fe2a6650ad45063ff340abf441c8ea36adf6f5d9c5b22

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
90KB

MD5
9faa8643cfb86518ec35e344a724b7a6

SHA1
12d8ce0acad1e1af2c99bfdca9e1bcd20c9befb6

SHA256
6a27b4664a76cefb57f4704134837901d0551223b77119f0b8bad4310450cef9

SHA512
2c2564f50f1b58b425ea7dcb19ca52dfd4e7bb01eecaf4808d496f3b91779b658ea57798eb297e2a0e124e7dc706d7f1c545a88d9a3075d3f93cfb5a151c84a1

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
90KB

MD5
b03c2338438fa80dd60803323251bc7a

SHA1
d29ff8adf00aa1a3168aa2033a208ae1b47d89a7

SHA256
e55c18f38bb1d56582f7c89cdf3aec2432bdde7ba83d682ed6dbb2e72d235229

SHA512
dbe00e05a3c6702c6ffb50a86d19cb2795f0c7472e02cbe40cdc4188af85c5e7fec5b97e43e07a961857041fdd95ae66ed68d58798b9d31a7fee9b76dcd2a51d

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
90KB

MD5
b983f1a8a03e44f73705f54131878545

SHA1
4bdf2d55b1dc34d3b67165ed4757d126280283c8

SHA256
cb77eb28597816632551cbf69c7184d026bc63d3f32ad85a59454a80154e1ee4

SHA512
a483543cd6ae2499b47c331e7d50c67c6d727eecaacf5cb4b8a4f6c436e5b5b716b107439e5eb8a5a0a09d34668d3c49e4a1f2b53cdf18f4a4f2f96e727ab0fb

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
90KB

MD5
1755f169bab478e8056ac6470a2b6495

SHA1
2b431dded76058f7259f7f24830a1836bc50f079

SHA256
8df8b32f82f2699912dd7b999b16f809e658807991cc85f2b7fb29fcad193a48

SHA512
28616b204d99cbb5c3f00f31c769f3302da725607ed6e33be8e082f57cf9a0a15bbbc1809484b24396ca4432007e8e3ed8fc79caa7aac6a7a6e1037989587139

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
90KB

MD5
e834ad3ced22f61d5a3b4e8c5fb144a7

SHA1
0d0d085a74b4acd8f01495e507fb2b2c50989022

SHA256
039138e96a6d579d657ab943225e9cac63cb5835037b005f8926b9ce15c0b64b

SHA512
8889c277fd84616e702fd7bc29086b3664109e1432f3168e95da6a59ac5b1e1a0330a11aebaeec9ae9b4027e30134b13c0c28fe5939a94adc792b139456c0717

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
90KB

MD5
0eb04ee0bb3c2a4022c395de3e87946a

SHA1
e0a19bfd0c9e97ce9bd4fdc4dac24990957472c4

SHA256
d2dd412bdea8ebbe07905818b8315ec6cee1a1a402adcde69048ca0ea1d00333

SHA512
c01afb3392e607eb2ea40f02c2049ae10ccd3199117590aca68a69764c1a3b041f95a276d6e4c05f2ee9561a4c3386ebce631e6fa9e64151dd78cc462c6c8cc9

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
90KB

MD5
e2824a611e2ff84edcb049ce284cb0a6

SHA1
c09cc0e653ea383d339d85c026fdc95fa4d29f3d

SHA256
cdc780c230fcb553c727afbbffdc8ae76cff32b4e0723be2632dcbb04d254bae

SHA512
08984ddb194c77b329b8f0123622c8b14512d639ee1978ef09121ef2e5ea7891d7c30beb7764c99185a3d56646547e201b971141b4897cd20f63d251eb101a5e

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
90KB

MD5
f13c17fa063266d2842a957b32c2dcb1

SHA1
fc293f2168222877a38dbdfa87ea5e15e531e822

SHA256
34ae851e73b66d03c19da3c161ccad88661fda7b4fcc3e99a7fffb94981017a7

SHA512
7091069adbac54f275927f8ad4bfc659faf823dec6c1957ec9bae3bb8b58dd83475d30655746ddb2964a248ef6e076af71cf48fa901206eb82e1074ba246dd80

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
90KB

MD5
3644f3be8da0e945417fd1d544aff4e4

SHA1
0d118006a571a4972c6d69e1564f356be0376501

SHA256
a2dfa4baaa028094418497cd6fae2d708b5b8e69bea5ad944bca771b20c41a2c

SHA512
4ac19cc0763febdca52294c08659928fec24564ab6177603549cc66011f8536f49bcfd36bf0eebe2060ec8c25fe483ade31d02b1969d786f252b09824bc683a4

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
90KB

MD5
934b82d75e839c3a9d1bb5ca33324235

SHA1
17121aed747a4ce3b476d7074f04228d7d52717e

SHA256
6ad4458a273f378b549cc86509eab71cb5083bdab103fed1ba17d683d8814e50

SHA512
49353eb314442ee14a42059f27f88fb8af62453275f4bbe57d345843d5821cc32c66aa85212eee406634b632df972dd5aaf8cb7f74d749cf9323748234f6b218

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
90KB

MD5
5a3a9a7d0472427e65876347f8799fb5

SHA1
5c5099c0aeb80aab25c78ec1e89a0e614347b4a5

SHA256
93de1516660d372ce711be3dde46ab288f030444d828695110192ed67b48adaa

SHA512
803378365ddaeaacb8af2689c94516cc518987f6450c6182eb7bf08a96e0045d451133837e381f8089850711365d1d9d656fda6620cbf8a1330c03aa571b0851

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
90KB

MD5
4634df20cb6eea74d54459a8c1036797

SHA1
97ac34a7dc514f51bb30d8f7be9a2f49c52be5fe

SHA256
9d5556f41019a966bc231f3926deba65b677a8947ea7dc89dd870b8f0cdaadf5

SHA512
c5aa4f161eea352d4f96e29d59e2ff23e2a23e5be09d02ca3b87d4a1e9ded9359d8f0b2b19ad0ded061ca5ae1e42f5d2304a42678133ee8a440d4a283a779a5c

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
90KB

MD5
9dd964ab1d719ad72dfe23d01bb4ee41

SHA1
6ae2d0e28410509c6838234eab0eb9faa29d0860

SHA256
8628334e55cf46a85173d3dd4ab10a85622af719da25faf68fac1e68cb21cff0

SHA512
68aec00ad824ea9df62df07ff615ffd8e19f5efe9149043cab92d8f0ab87fe7e8d39d018ae12bd2f0ba6726cd0f1016380272ab91fa472c0b3bde1f1d67ff4f0

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
90KB

MD5
dc9c69a599a23472188fd195bd7cbf4d

SHA1
c597176d281f56e6b3c6407dc784b6dd564e0c74

SHA256
287b04982c3f74d2cccaee184c6e4b7c29d8621e5afe483dc680ce7e41990175

SHA512
0f0a95c2b73e19d16d20d1a579909c27ec22b155f371e1773dc1d82e999b5b4fe306aec06622cb5213c2d2f2b264e3b986e06bcd0c21d6eadc4d0b7403096f1c

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
90KB

MD5
b544acdc09f870dda05a84b60fe693ce

SHA1
8b1c7a82ed57c589d51de58f712cccf887c722a4

SHA256
dff117441979bb34c77c33ad7eda238083f896496da1764a6ac2a84ae9f98ee9

SHA512
4fc2dd31b77d07822443283722ee124c8b0280f514b45b7c2e6e0d79e7066444d8b0d0fce239a8d5f725c5e14fdd0b629f41bf992ae1e2d97e116d86c7ac4480

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
90KB

MD5
0932f1a1423ecf95acdcf38b50e7fa15

SHA1
5bc4be798ff72fc52b406fa53be10387b56b234c

SHA256
333d5bcf66a62f575b88c7541ae7e9baec9f211b36fd9e38ec06393a5352cd63

SHA512
171a945448258c2fd575d04084dbb7c4d4181e1759d0aeca799ee7a12d51d7b51e5e7935bab29fced15553c6af6be8166b3fe5224fa2858e903c30e7e5b58c2d

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
90KB

MD5
65fc4eecfc023a208f1d760090ac31b5

SHA1
ce384b99fa94c8272f048d555960fdaa0dc48d94

SHA256
e72c1b0fabc67047dea3bf3d50556c873710d08fd23a3eac3a51723e34f4f158

SHA512
c8f151c2f2ddba1c64748274a6afb746414995887f8172a4c9e4eec78e92c77aec83fff595df15a009e73b4a57683ba161b4ddf8a9cebfe593d52e085e1e8440

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
90KB

MD5
6fd326f0a1d1f5f156383e48d362743e

SHA1
ce0442a917cb5aa5f68ebc2a33f5958204f89d37

SHA256
e761c850e828803944482951ec4fa11e6194dbe9df10386fc9929ac7c4ada626

SHA512
884403851050c0bde1f26b675dffbe49130a25012858ef1d211f8c86a18a1a3ae89714feb6d7ff3815836a4c2874dc048ef67c0b2caaae8b3352b74c63569bb5

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
90KB

MD5
0f3dc445294dbe807902ad4135febd86

SHA1
5222295e763c0bc3b88bcd79cb5eef6712bbdfa3

SHA256
313f1b1b4d6b175c0183e90d4320fb9a4d16b87258711b14ed651442d8fa2c84

SHA512
93c35957ae8784687803fd8f485434cf9f50cbe57f4e2719429202740984da940331f10ebc574e1497d4cc959da61f36e1ceb534503c1e070748b8aa5db3d04c

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
90KB

MD5
facaf7f4c58441ab2a1a06a8ed18f48e

SHA1
62bfcafb2e228af12925e1b7f9ec8c105d1b6a33

SHA256
8c227d4d32b91520f4b30a3fb8d621ae762e4530be5e894deece41f66771587a

SHA512
23f7d9c7207bf2514a548c2f475bacbfc71775b2820e9c5fa3f71970f10e36f44ae43fffb7b3b5480b6113444408465b9ee4feb07473dbc0ad3c9017eb6d146a

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
90KB

MD5
ae3c595b940b21f8225f257f9b0830f2

SHA1
2277e4b919a80b65a4eb49b24fc22716f22280c2

SHA256
c154ed6b155d8f73afe6f2d0b398b444495b8f7b432427565d0c04b23617d039

SHA512
427dea72576ba834e926442cacd62c76fc43612945de443190cd5d2b7d5ea6a62ea3277e06d3a40346b8e8a801eb55147147a1962dec684424c7670d384638cb

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
90KB

MD5
a73e27d2d3d076ddf7d27aba0109dfc8

SHA1
d71d2f7179b9807570b421dc5f0e2cfbca1eb2bc

SHA256
c21012c8fa7f28735cfecb8606441f87c674e5497f9f5664d4737ce33e6e573b

SHA512
fa1c0728f61dc1f09b556e3073d9d879e73b785eb4d477d48ad588333bd463690cd0825e0c62f002154d10418b7af6fdc24ec95b955699487b609a67b55b90f2

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
90KB

MD5
8db8d7089c96c1bbab3591a082b12bed

SHA1
318a0281b62f9567a22e9aad9a2ab9bddc5a11f9

SHA256
3ddee7f9d6faad217db6e92986b493586d1df895ac4d7c0eaa5d766d48f74b52

SHA512
0019d32276dd8798391c2574d471b76502ba6736f37217c5ede7f7cc23a443f0036f2470fbb6049ba52ed447eb50fbaa9ce2c8674efca7ff9242882835c08cc2

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
90KB

MD5
455f7edc0bdce2c8d400f37c8349648a

SHA1
82900db25a6091c747efecdf8f6614f99a87af6b

SHA256
e27d5f8bf5dcd9042f9d22d30b3caf97884369649c87792a4da521ee6b554e55

SHA512
01317d81e2143327f15a46c96dafa0275e385d4f7177f5ff4854d9be8369a6d712ec377123783197eea74de66ce4d2c6328c008396d732fa19d44f5617ee7b97

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
90KB

MD5
5da0f5e944b9f19febc676deae2853dc

SHA1
8cb527016ac7dae913115057555fca3fde894937

SHA256
b7215c9a9c1470106f298da2626e559b0c2fb53aea7bd414ae90b8b182ef73c3

SHA512
318854af0a6ecab9b741635f7c4d39ac7aa7508c08748762cddd749b1a8e9cab30f4d3a50a152c3e6466942737d6dfd6e34438e490f705892af3ccd2599ad81d

Download Submit
memory/228-56-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/228-596-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/364-304-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/400-104-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/452-152-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/468-434-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/532-569-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/832-520-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/836-48-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/836-588-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/888-412-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/968-231-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1012-298-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1100-24-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1100-564-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1260-388-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1360-39-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1360-578-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1448-398-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1496-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1512-265-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1588-239-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1648-274-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1652-136-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1704-532-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1816-496-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1852-208-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1860-509-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1900-166-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1936-370-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-88-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2008-292-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2088-460-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2116-558-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2164-310-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2212-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2212-599-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2252-490-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2264-472-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2408-112-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2420-364-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2456-286-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2544-95-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2712-128-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2800-577-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2900-545-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2964-478-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2984-362-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3000-518-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3020-228-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3172-268-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3176-538-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3204-340-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3208-381-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3296-338-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3300-188-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3344-21-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3344-557-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3392-119-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3528-502-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3532-579-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3536-424-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3616-328-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3696-598-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3708-322-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3852-196-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3876-280-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3880-216-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3888-352-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3948-454-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3968-12-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4092-448-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4112-436-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4232-551-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4236-544-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4236-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4276-168-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4320-447-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4324-199-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4352-316-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4388-32-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4388-571-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4448-256-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4500-400-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4628-386-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4640-484-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4664-526-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4716-418-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4812-346-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4816-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4832-176-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4840-406-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4844-252-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4880-591-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4964-470-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4984-72-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download