6103a59b930055cf2f1117ce4049f3392ca19dabc7cb05b9683ba7d865b8157e

Analysis

max time kernel
132s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c90e3f1a76a33fd37d1e9a5423d77a0_NeikiAnalytics.exe
Size

94KB
MD5

5c90e3f1a76a33fd37d1e9a5423d77a0
SHA1

111cd4aca4ec7bf8adebb16a8fc912a93fb96bf6
SHA256

6103a59b930055cf2f1117ce4049f3392ca19dabc7cb05b9683ba7d865b8157e
SHA512

d0388962187ac293c543d2e5bd658a56e3bc7c2c5977734525e21c334a936d226786323caf0a796cabf28dade83eef180f8abe38b06172ccbb53c7affc4af6d0
SSDEEP

1536:FUjqmyjRlgYjSjJNylFqjOjn2LfJaIZTJ+7LhkiB0MPiKeEAgv:FUjqmK1jwPvyAfJaMU7uihJ5v

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Cjmgfgdf.exeCagobalc.exeCaebma32.exeCmqmma32.exeDdakjkqi.exeNepgjaeg.exeNjciko32.exePgllfp32.exeQmmnjfnl.exeAadifclh.exeDaekdooc.exeDknpmdfc.exeNgpccdlj.exePqpgdfnp.exeDgbdlf32.exeOcbddc32.exeOlkhmi32.exePnonbk32.exeQddfkd32.exeAgoabn32.exeMcpnhfhf.exeNdcdmikd.exeCndikf32.exeNpcoakfp.exeBanllbdn.exeOjgbfocc.exeBchomn32.exeCjinkg32.exeDfpgffpm.exeNcbknfed.exeDkifae32.exeDodbbdbb.exePjhlml32.exeBmbplc32.exeNggjdc32.exeAfhohlbj.exeBcebhoii.exeBjfaeh32.exeAqkgpedc.exeBjddphlq.exeDanecp32.exeDaqbip32.exeDelnin32.exeOpdghh32.exeBapiabak.exeBcoenmao.exeCenahpha.exeBhhdil32.exeDhmgki32.exePgioqq32.exeBmngqdpj.exeDejacond.exePqdqof32.exeBmpcfdmg.exeDhocqigp.exeCdcoim32.exeNjnpppkn.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe

Malware Dropper & Backdoor - Berbew 38 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Mcpnhfhf.exe	family_berbew
C:\Windows\SysWOW64\Menjdbgj.exe	family_berbew
C:\Windows\SysWOW64\Npcoakfp.exe	family_berbew
C:\Windows\SysWOW64\Ncbknfed.exe	family_berbew
C:\Windows\SysWOW64\Nepgjaeg.exe	family_berbew
C:\Windows\SysWOW64\Npfkgjdn.exe	family_berbew
C:\Windows\SysWOW64\Ngpccdlj.exe	family_berbew
C:\Windows\SysWOW64\Njnpppkn.exe	family_berbew
C:\Windows\SysWOW64\Ndcdmikd.exe	family_berbew
C:\Windows\SysWOW64\Ngbpidjh.exe	family_berbew
C:\Windows\SysWOW64\Nnlhfn32.exe	family_berbew
C:\Windows\SysWOW64\Ngdmod32.exe	family_berbew
C:\Windows\SysWOW64\Njciko32.exe	family_berbew
C:\Windows\SysWOW64\Ndhmhh32.exe	family_berbew
C:\Windows\SysWOW64\Nggjdc32.exe	family_berbew
C:\Windows\SysWOW64\Olcbmj32.exe	family_berbew
C:\Windows\SysWOW64\Ojgbfocc.exe	family_berbew
C:\Windows\SysWOW64\Olfobjbg.exe	family_berbew
C:\Windows\SysWOW64\Ocpgod32.exe	family_berbew
C:\Windows\SysWOW64\Oneklm32.exe	family_berbew
C:\Windows\SysWOW64\Opdghh32.exe	family_berbew
C:\Windows\SysWOW64\Ocbddc32.exe	family_berbew
C:\Windows\SysWOW64\Olkhmi32.exe	family_berbew
C:\Windows\SysWOW64\Odapnf32.exe	family_berbew
C:\Windows\SysWOW64\Onjegled.exe	family_berbew
C:\Windows\SysWOW64\Oddmdf32.exe	family_berbew
C:\Windows\SysWOW64\Ofeilobp.exe	family_berbew
C:\Windows\SysWOW64\Pqknig32.exe	family_berbew
C:\Windows\SysWOW64\Pcijeb32.exe	family_berbew
C:\Windows\SysWOW64\Pfhfan32.exe	family_berbew
C:\Windows\SysWOW64\Pnonbk32.exe	family_berbew
C:\Windows\SysWOW64\Pdifoehl.exe	family_berbew
C:\Windows\SysWOW64\Bgehcmmm.exe	family_berbew
C:\Windows\SysWOW64\Bcoenmao.exe	family_berbew
C:\Windows\SysWOW64\Chcddk32.exe	family_berbew
C:\Windows\SysWOW64\Djdmffnn.exe	family_berbew
C:\Windows\SysWOW64\Dhkjej32.exe	family_berbew
C:\Windows\SysWOW64\Dmllipeg.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Mcpnhfhf.exeMenjdbgj.exeNpcoakfp.exeNcbknfed.exeNepgjaeg.exeNpfkgjdn.exeNgpccdlj.exeNjnpppkn.exeNdcdmikd.exeNgbpidjh.exeNnlhfn32.exeNgdmod32.exeNjciko32.exeNdhmhh32.exeNggjdc32.exeOlcbmj32.exeOjgbfocc.exeOlfobjbg.exeOcpgod32.exeOneklm32.exeOpdghh32.exeOcbddc32.exeOlkhmi32.exeOdapnf32.exeOnjegled.exeOddmdf32.exeOfeilobp.exePqknig32.exePcijeb32.exePfhfan32.exePnonbk32.exePdifoehl.exePfjcgn32.exePqpgdfnp.exePgioqq32.exePjhlml32.exePmfhig32.exePcppfaka.exePgllfp32.exePnfdcjkg.exePqdqof32.exePdpmpdbd.exePgnilpah.exeQnhahj32.exeQdbiedpa.exeQceiaa32.exeQmmnjfnl.exeQddfkd32.exeQffbbldm.exeAnmjcieo.exeAqkgpedc.exeAfhohlbj.exeAmbgef32.exeAqncedbp.exeAadifclh.exeAepefb32.exeAgoabn32.exeBjmnoi32.exeBnhjohkb.exeBmkjkd32.exeBebblb32.exeBcebhoii.exeBganhm32.exeBjokdipf.exe

pid	process
404	Mcpnhfhf.exe
2760	Menjdbgj.exe
4696	Npcoakfp.exe
4704	Ncbknfed.exe
3596	Nepgjaeg.exe
4208	Npfkgjdn.exe
4244	Ngpccdlj.exe
3204	Njnpppkn.exe
1320	Ndcdmikd.exe
3316	Ngbpidjh.exe
4348	Nnlhfn32.exe
2504	Ngdmod32.exe
1720	Njciko32.exe
760	Ndhmhh32.exe
3228	Nggjdc32.exe
944	Olcbmj32.exe
3908	Ojgbfocc.exe
3308	Olfobjbg.exe
408	Ocpgod32.exe
3136	Oneklm32.exe
4832	Opdghh32.exe
3600	Ocbddc32.exe
3240	Olkhmi32.exe
1192	Odapnf32.exe
1404	Onjegled.exe
2520	Oddmdf32.exe
3728	Ofeilobp.exe
2884	Pqknig32.exe
532	Pcijeb32.exe
5012	Pfhfan32.exe
3972	Pnonbk32.exe
4944	Pdifoehl.exe
1972	Pfjcgn32.exe
1764	Pqpgdfnp.exe
4412	Pgioqq32.exe
1380	Pjhlml32.exe
1636	Pmfhig32.exe
3460	Pcppfaka.exe
1000	Pgllfp32.exe
4252	Pnfdcjkg.exe
2604	Pqdqof32.exe
2044	Pdpmpdbd.exe
520	Pgnilpah.exe
3644	Qnhahj32.exe
4764	Qdbiedpa.exe
3172	Qceiaa32.exe
4584	Qmmnjfnl.exe
4612	Qddfkd32.exe
3112	Qffbbldm.exe
2868	Anmjcieo.exe
1564	Aqkgpedc.exe
2468	Afhohlbj.exe
3268	Ambgef32.exe
4980	Aqncedbp.exe
3784	Aadifclh.exe
2260	Aepefb32.exe
1976	Agoabn32.exe
2140	Bjmnoi32.exe
4200	Bnhjohkb.exe
4360	Bmkjkd32.exe
3648	Bebblb32.exe
1592	Bcebhoii.exe
2120	Bganhm32.exe
1388	Bjokdipf.exe

Drops file in System32 directory 64 IoCs

Processes:

Pgioqq32.exeQnhahj32.exeCagobalc.exeChagok32.exeMcpnhfhf.exeBmkjkd32.exeBmngqdpj.exeBnmcjg32.exeNjciko32.exeCmgjgcgo.exeCdabcm32.exeDgbdlf32.exeBfkedibe.exeCjinkg32.exeMenjdbgj.exeNgpccdlj.exePnfdcjkg.exeAqncedbp.exeAgoabn32.exeBjokdipf.exeCfbkeh32.exeDdakjkqi.exeNnlhfn32.exeCjmgfgdf.exeDhmgki32.exeDhocqigp.exeQddfkd32.exeCmlcbbcj.exeQdbiedpa.exeBmbplc32.exeCajlhqjp.exeBjagjhnc.exeNgbpidjh.exePdifoehl.exePfjcgn32.exeQceiaa32.exeAqkgpedc.exeCmiflbel.exeBgcknmop.exeDaekdooc.exePfhfan32.exeBchomn32.exeDaqbip32.exeDodbbdbb.exeDfpgffpm.exe5c90e3f1a76a33fd37d1e9a5423d77a0_NeikiAnalytics.exePgnilpah.exeQffbbldm.exeCmqmma32.exeDejacond.exeOlfobjbg.exeBcoenmao.exeCfdhkhjj.exeCjpckf32.exeDjdmffnn.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mcpnhfhf.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Njciko32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	5c90e3f1a76a33fd37d1e9a5423d77a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mcpnhfhf.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5140 5912 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
5140	5912	WerFault.exe	Dmllipeg.exe

Modifies registry class 64 IoCs

Processes:

Beglgani.exeChagok32.exeOdapnf32.exeDelnin32.exeQceiaa32.exeBmemac32.exeOddmdf32.exeCfpnph32.exeCdcoim32.exeCfbkeh32.exeCmlcbbcj.exeDhmgki32.exePjhlml32.exeBebblb32.exeDhkjej32.exeCajlhqjp.exeOcpgod32.exeBgcknmop.exeBanllbdn.exeDfpgffpm.exeNcbknfed.exeCjinkg32.exeOjgbfocc.exeOfeilobp.exeCmgjgcgo.exeCjmgfgdf.exePdifoehl.exeAnmjcieo.exeBmkjkd32.exeBjokdipf.exeNdhmhh32.exeCmqmma32.exeMcpnhfhf.exePfjcgn32.exePgnilpah.exeDogogcpo.exeNpfkgjdn.exeNjciko32.exeQffbbldm.exeCndikf32.exeCfdhkhjj.exeQnhahj32.exeCdabcm32.exeDaekdooc.exePqknig32.exeCjpckf32.exeCagobalc.exeCmnpgb32.exe5c90e3f1a76a33fd37d1e9a5423d77a0_NeikiAnalytics.exeNggjdc32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	5c90e3f1a76a33fd37d1e9a5423d77a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5c90e3f1a76a33fd37d1e9a5423d77a0_NeikiAnalytics.exeMcpnhfhf.exeMenjdbgj.exeNpcoakfp.exeNcbknfed.exeNepgjaeg.exeNpfkgjdn.exeNgpccdlj.exeNjnpppkn.exeNdcdmikd.exeNgbpidjh.exeNnlhfn32.exeNgdmod32.exeNjciko32.exeNdhmhh32.exeNggjdc32.exeOlcbmj32.exeOjgbfocc.exeOlfobjbg.exeOcpgod32.exeOneklm32.exeOpdghh32.exe

description	pid	process	target process
PID 2996 wrote to memory of 404	2996	5c90e3f1a76a33fd37d1e9a5423d77a0_NeikiAnalytics.exe	Mcpnhfhf.exe
PID 2996 wrote to memory of 404	2996	5c90e3f1a76a33fd37d1e9a5423d77a0_NeikiAnalytics.exe	Mcpnhfhf.exe
PID 2996 wrote to memory of 404	2996	5c90e3f1a76a33fd37d1e9a5423d77a0_NeikiAnalytics.exe	Mcpnhfhf.exe
PID 404 wrote to memory of 2760	404	Mcpnhfhf.exe	Menjdbgj.exe
PID 404 wrote to memory of 2760	404	Mcpnhfhf.exe	Menjdbgj.exe
PID 404 wrote to memory of 2760	404	Mcpnhfhf.exe	Menjdbgj.exe
PID 2760 wrote to memory of 4696	2760	Menjdbgj.exe	Npcoakfp.exe
PID 2760 wrote to memory of 4696	2760	Menjdbgj.exe	Npcoakfp.exe
PID 2760 wrote to memory of 4696	2760	Menjdbgj.exe	Npcoakfp.exe
PID 4696 wrote to memory of 4704	4696	Npcoakfp.exe	Ncbknfed.exe
PID 4696 wrote to memory of 4704	4696	Npcoakfp.exe	Ncbknfed.exe
PID 4696 wrote to memory of 4704	4696	Npcoakfp.exe	Ncbknfed.exe
PID 4704 wrote to memory of 3596	4704	Ncbknfed.exe	Nepgjaeg.exe
PID 4704 wrote to memory of 3596	4704	Ncbknfed.exe	Nepgjaeg.exe
PID 4704 wrote to memory of 3596	4704	Ncbknfed.exe	Nepgjaeg.exe
PID 3596 wrote to memory of 4208	3596	Nepgjaeg.exe	Npfkgjdn.exe
PID 3596 wrote to memory of 4208	3596	Nepgjaeg.exe	Npfkgjdn.exe
PID 3596 wrote to memory of 4208	3596	Nepgjaeg.exe	Npfkgjdn.exe
PID 4208 wrote to memory of 4244	4208	Npfkgjdn.exe	Ngpccdlj.exe
PID 4208 wrote to memory of 4244	4208	Npfkgjdn.exe	Ngpccdlj.exe
PID 4208 wrote to memory of 4244	4208	Npfkgjdn.exe	Ngpccdlj.exe
PID 4244 wrote to memory of 3204	4244	Ngpccdlj.exe	Njnpppkn.exe
PID 4244 wrote to memory of 3204	4244	Ngpccdlj.exe	Njnpppkn.exe
PID 4244 wrote to memory of 3204	4244	Ngpccdlj.exe	Njnpppkn.exe
PID 3204 wrote to memory of 1320	3204	Njnpppkn.exe	Ndcdmikd.exe
PID 3204 wrote to memory of 1320	3204	Njnpppkn.exe	Ndcdmikd.exe
PID 3204 wrote to memory of 1320	3204	Njnpppkn.exe	Ndcdmikd.exe
PID 1320 wrote to memory of 3316	1320	Ndcdmikd.exe	Ngbpidjh.exe
PID 1320 wrote to memory of 3316	1320	Ndcdmikd.exe	Ngbpidjh.exe
PID 1320 wrote to memory of 3316	1320	Ndcdmikd.exe	Ngbpidjh.exe
PID 3316 wrote to memory of 4348	3316	Ngbpidjh.exe	Nnlhfn32.exe
PID 3316 wrote to memory of 4348	3316	Ngbpidjh.exe	Nnlhfn32.exe
PID 3316 wrote to memory of 4348	3316	Ngbpidjh.exe	Nnlhfn32.exe
PID 4348 wrote to memory of 2504	4348	Nnlhfn32.exe	Ngdmod32.exe
PID 4348 wrote to memory of 2504	4348	Nnlhfn32.exe	Ngdmod32.exe
PID 4348 wrote to memory of 2504	4348	Nnlhfn32.exe	Ngdmod32.exe
PID 2504 wrote to memory of 1720	2504	Ngdmod32.exe	Njciko32.exe
PID 2504 wrote to memory of 1720	2504	Ngdmod32.exe	Njciko32.exe
PID 2504 wrote to memory of 1720	2504	Ngdmod32.exe	Njciko32.exe
PID 1720 wrote to memory of 760	1720	Njciko32.exe	Ndhmhh32.exe
PID 1720 wrote to memory of 760	1720	Njciko32.exe	Ndhmhh32.exe
PID 1720 wrote to memory of 760	1720	Njciko32.exe	Ndhmhh32.exe
PID 760 wrote to memory of 3228	760	Ndhmhh32.exe	Nggjdc32.exe
PID 760 wrote to memory of 3228	760	Ndhmhh32.exe	Nggjdc32.exe
PID 760 wrote to memory of 3228	760	Ndhmhh32.exe	Nggjdc32.exe
PID 3228 wrote to memory of 944	3228	Nggjdc32.exe	Olcbmj32.exe
PID 3228 wrote to memory of 944	3228	Nggjdc32.exe	Olcbmj32.exe
PID 3228 wrote to memory of 944	3228	Nggjdc32.exe	Olcbmj32.exe
PID 944 wrote to memory of 3908	944	Olcbmj32.exe	Ojgbfocc.exe
PID 944 wrote to memory of 3908	944	Olcbmj32.exe	Ojgbfocc.exe
PID 944 wrote to memory of 3908	944	Olcbmj32.exe	Ojgbfocc.exe
PID 3908 wrote to memory of 3308	3908	Ojgbfocc.exe	Olfobjbg.exe
PID 3908 wrote to memory of 3308	3908	Ojgbfocc.exe	Olfobjbg.exe
PID 3908 wrote to memory of 3308	3908	Ojgbfocc.exe	Olfobjbg.exe
PID 3308 wrote to memory of 408	3308	Olfobjbg.exe	Ocpgod32.exe
PID 3308 wrote to memory of 408	3308	Olfobjbg.exe	Ocpgod32.exe
PID 3308 wrote to memory of 408	3308	Olfobjbg.exe	Ocpgod32.exe
PID 408 wrote to memory of 3136	408	Ocpgod32.exe	Oneklm32.exe
PID 408 wrote to memory of 3136	408	Ocpgod32.exe	Oneklm32.exe
PID 408 wrote to memory of 3136	408	Ocpgod32.exe	Oneklm32.exe
PID 3136 wrote to memory of 4832	3136	Oneklm32.exe	Opdghh32.exe
PID 3136 wrote to memory of 4832	3136	Oneklm32.exe	Opdghh32.exe
PID 3136 wrote to memory of 4832	3136	Oneklm32.exe	Opdghh32.exe
PID 4832 wrote to memory of 3600	4832	Opdghh32.exe	Ocbddc32.exe

C:\Users\Admin\AppData\Local\Temp\5c90e3f1a76a33fd37d1e9a5423d77a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5c90e3f1a76a33fd37d1e9a5423d77a0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\Mcpnhfhf.exe
C:\Windows\system32\Mcpnhfhf.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\Menjdbgj.exe
C:\Windows\system32\Menjdbgj.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\Npcoakfp.exe
C:\Windows\system32\Npcoakfp.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\Ncbknfed.exe
C:\Windows\system32\Ncbknfed.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\SysWOW64\Nepgjaeg.exe
C:\Windows\system32\Nepgjaeg.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\SysWOW64\Npfkgjdn.exe
C:\Windows\system32\Npfkgjdn.exe
7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\SysWOW64\Ngpccdlj.exe
C:\Windows\system32\Ngpccdlj.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\SysWOW64\Njnpppkn.exe
C:\Windows\system32\Njnpppkn.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\Ndcdmikd.exe
C:\Windows\system32\Ndcdmikd.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\Ngbpidjh.exe
C:\Windows\system32\Ngbpidjh.exe
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\Nnlhfn32.exe
C:\Windows\system32\Nnlhfn32.exe
12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\Ngdmod32.exe
C:\Windows\system32\Ngdmod32.exe
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\Njciko32.exe
C:\Windows\system32\Njciko32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\Ndhmhh32.exe
C:\Windows\system32\Ndhmhh32.exe
15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\Nggjdc32.exe
C:\Windows\system32\Nggjdc32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\Olcbmj32.exe
C:\Windows\system32\Olcbmj32.exe
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\Ojgbfocc.exe
C:\Windows\system32\Ojgbfocc.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\Olfobjbg.exe
C:\Windows\system32\Olfobjbg.exe
19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\SysWOW64\Ocpgod32.exe
C:\Windows\system32\Ocpgod32.exe
20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\SysWOW64\Oneklm32.exe
C:\Windows\system32\Oneklm32.exe
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\SysWOW64\Opdghh32.exe
C:\Windows\system32\Opdghh32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\SysWOW64\Ocbddc32.exe
C:\Windows\system32\Ocbddc32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3600

C:\Windows\SysWOW64\Olkhmi32.exe
C:\Windows\system32\Olkhmi32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3240

C:\Windows\SysWOW64\Odapnf32.exe
C:\Windows\system32\Odapnf32.exe
25⤵
- Executes dropped EXE
- Modifies registry class
PID:1192

C:\Windows\SysWOW64\Onjegled.exe
C:\Windows\system32\Onjegled.exe
26⤵
- Executes dropped EXE
PID:1404

C:\Windows\SysWOW64\Oddmdf32.exe
C:\Windows\system32\Oddmdf32.exe
27⤵
- Executes dropped EXE
- Modifies registry class
PID:2520

C:\Windows\SysWOW64\Ofeilobp.exe
C:\Windows\system32\Ofeilobp.exe
28⤵
- Executes dropped EXE
- Modifies registry class
PID:3728

C:\Windows\SysWOW64\Pqknig32.exe
C:\Windows\system32\Pqknig32.exe
29⤵
- Executes dropped EXE
- Modifies registry class
PID:2884

C:\Windows\SysWOW64\Pcijeb32.exe
C:\Windows\system32\Pcijeb32.exe
30⤵
- Executes dropped EXE
PID:532

C:\Windows\SysWOW64\Pfhfan32.exe
C:\Windows\system32\Pfhfan32.exe
31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5012

C:\Windows\SysWOW64\Pnonbk32.exe
C:\Windows\system32\Pnonbk32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3972

C:\Windows\SysWOW64\Pdifoehl.exe
C:\Windows\system32\Pdifoehl.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4944

C:\Windows\SysWOW64\Pfjcgn32.exe
C:\Windows\system32\Pfjcgn32.exe
34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1972

C:\Windows\SysWOW64\Pqpgdfnp.exe
C:\Windows\system32\Pqpgdfnp.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1764

C:\Windows\SysWOW64\Pgioqq32.exe
C:\Windows\system32\Pgioqq32.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4412

C:\Windows\SysWOW64\Pjhlml32.exe
C:\Windows\system32\Pjhlml32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1380

C:\Windows\SysWOW64\Pmfhig32.exe
C:\Windows\system32\Pmfhig32.exe
38⤵
- Executes dropped EXE
PID:1636

C:\Windows\SysWOW64\Pcppfaka.exe
C:\Windows\system32\Pcppfaka.exe
39⤵
- Executes dropped EXE
PID:3460

C:\Windows\SysWOW64\Pgllfp32.exe
C:\Windows\system32\Pgllfp32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1000

C:\Windows\SysWOW64\Pnfdcjkg.exe
C:\Windows\system32\Pnfdcjkg.exe
41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4252

C:\Windows\SysWOW64\Pqdqof32.exe
C:\Windows\system32\Pqdqof32.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2604

C:\Windows\SysWOW64\Pdpmpdbd.exe
C:\Windows\system32\Pdpmpdbd.exe
43⤵
- Executes dropped EXE
PID:2044

C:\Windows\SysWOW64\Pgnilpah.exe
C:\Windows\system32\Pgnilpah.exe
44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:520

C:\Windows\SysWOW64\Qnhahj32.exe
C:\Windows\system32\Qnhahj32.exe
45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3644

C:\Windows\SysWOW64\Qdbiedpa.exe
C:\Windows\system32\Qdbiedpa.exe
46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4764

C:\Windows\SysWOW64\Qceiaa32.exe
C:\Windows\system32\Qceiaa32.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3172

C:\Windows\SysWOW64\Qmmnjfnl.exe
C:\Windows\system32\Qmmnjfnl.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4584

C:\Windows\SysWOW64\Qddfkd32.exe
C:\Windows\system32\Qddfkd32.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4612

C:\Windows\SysWOW64\Qffbbldm.exe
C:\Windows\system32\Qffbbldm.exe
50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3112

C:\Windows\SysWOW64\Anmjcieo.exe
C:\Windows\system32\Anmjcieo.exe
51⤵
- Executes dropped EXE
- Modifies registry class
PID:2868

C:\Windows\SysWOW64\Aqkgpedc.exe
C:\Windows\system32\Aqkgpedc.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1564

C:\Windows\SysWOW64\Afhohlbj.exe
C:\Windows\system32\Afhohlbj.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2468

C:\Windows\SysWOW64\Ambgef32.exe
C:\Windows\system32\Ambgef32.exe
54⤵
- Executes dropped EXE
PID:3268

C:\Windows\SysWOW64\Aqncedbp.exe
C:\Windows\system32\Aqncedbp.exe
55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4980

C:\Windows\SysWOW64\Aadifclh.exe
C:\Windows\system32\Aadifclh.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3784

C:\Windows\SysWOW64\Aepefb32.exe
C:\Windows\system32\Aepefb32.exe
57⤵
- Executes dropped EXE
PID:2260

C:\Windows\SysWOW64\Agoabn32.exe
C:\Windows\system32\Agoabn32.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1976

C:\Windows\SysWOW64\Bjmnoi32.exe
C:\Windows\system32\Bjmnoi32.exe
59⤵
- Executes dropped EXE
PID:2140

C:\Windows\SysWOW64\Bnhjohkb.exe
C:\Windows\system32\Bnhjohkb.exe
60⤵
- Executes dropped EXE
PID:4200

C:\Windows\SysWOW64\Bmkjkd32.exe
C:\Windows\system32\Bmkjkd32.exe
61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4360

C:\Windows\SysWOW64\Bebblb32.exe
C:\Windows\system32\Bebblb32.exe
62⤵
- Executes dropped EXE
- Modifies registry class
PID:3648

C:\Windows\SysWOW64\Bcebhoii.exe
C:\Windows\system32\Bcebhoii.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1592

C:\Windows\SysWOW64\Bganhm32.exe
C:\Windows\system32\Bganhm32.exe
64⤵
- Executes dropped EXE
PID:2120

C:\Windows\SysWOW64\Bjokdipf.exe
C:\Windows\system32\Bjokdipf.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1388

C:\Windows\SysWOW64\Bnkgeg32.exe
C:\Windows\system32\Bnkgeg32.exe
66⤵
PID:3120

C:\Windows\SysWOW64\Bmngqdpj.exe
C:\Windows\system32\Bmngqdpj.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2888

C:\Windows\SysWOW64\Baicac32.exe
C:\Windows\system32\Baicac32.exe
68⤵
PID:3200

C:\Windows\SysWOW64\Bchomn32.exe
C:\Windows\system32\Bchomn32.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1988

C:\Windows\SysWOW64\Bgcknmop.exe
C:\Windows\system32\Bgcknmop.exe
70⤵
- Drops file in System32 directory
- Modifies registry class
PID:4720

C:\Windows\SysWOW64\Bjagjhnc.exe
C:\Windows\system32\Bjagjhnc.exe
71⤵
- Drops file in System32 directory
PID:4592

C:\Windows\SysWOW64\Bnmcjg32.exe
C:\Windows\system32\Bnmcjg32.exe
72⤵
- Drops file in System32 directory
PID:3684

C:\Windows\SysWOW64\Bmpcfdmg.exe
C:\Windows\system32\Bmpcfdmg.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4176

C:\Windows\SysWOW64\Beglgani.exe
C:\Windows\system32\Beglgani.exe
74⤵
- Modifies registry class
PID:2964

C:\Windows\SysWOW64\Bgehcmmm.exe
C:\Windows\system32\Bgehcmmm.exe
75⤵
PID:4888

C:\Windows\SysWOW64\Bjddphlq.exe
C:\Windows\system32\Bjddphlq.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4708

C:\Windows\SysWOW64\Bmbplc32.exe
C:\Windows\system32\Bmbplc32.exe
77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1444

C:\Windows\SysWOW64\Banllbdn.exe
C:\Windows\system32\Banllbdn.exe
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1728

C:\Windows\SysWOW64\Bhhdil32.exe
C:\Windows\system32\Bhhdil32.exe
79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4288

C:\Windows\SysWOW64\Bfkedibe.exe
C:\Windows\system32\Bfkedibe.exe
80⤵
- Drops file in System32 directory
PID:2320

C:\Windows\SysWOW64\Bjfaeh32.exe
C:\Windows\system32\Bjfaeh32.exe
81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4188

C:\Windows\SysWOW64\Bmemac32.exe
C:\Windows\system32\Bmemac32.exe
82⤵
- Modifies registry class
PID:1640

C:\Windows\SysWOW64\Bapiabak.exe
C:\Windows\system32\Bapiabak.exe
83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:228

C:\Windows\SysWOW64\Bcoenmao.exe
C:\Windows\system32\Bcoenmao.exe
84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1036

C:\Windows\SysWOW64\Cjinkg32.exe
C:\Windows\system32\Cjinkg32.exe
85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4344

C:\Windows\SysWOW64\Cndikf32.exe
C:\Windows\system32\Cndikf32.exe
86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2704

C:\Windows\SysWOW64\Cmgjgcgo.exe
C:\Windows\system32\Cmgjgcgo.exe
87⤵
- Drops file in System32 directory
- Modifies registry class
PID:5132

C:\Windows\SysWOW64\Cenahpha.exe
C:\Windows\system32\Cenahpha.exe
88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5176

C:\Windows\SysWOW64\Cdabcm32.exe
C:\Windows\system32\Cdabcm32.exe
89⤵
- Drops file in System32 directory
- Modifies registry class
PID:5220

C:\Windows\SysWOW64\Cfpnph32.exe
C:\Windows\system32\Cfpnph32.exe
90⤵
- Modifies registry class
PID:5256

C:\Windows\SysWOW64\Cmiflbel.exe
C:\Windows\system32\Cmiflbel.exe
91⤵
- Drops file in System32 directory
PID:5300

C:\Windows\SysWOW64\Caebma32.exe
C:\Windows\system32\Caebma32.exe
92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5344

C:\Windows\SysWOW64\Cdcoim32.exe
C:\Windows\system32\Cdcoim32.exe
93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5388

C:\Windows\SysWOW64\Cfbkeh32.exe
C:\Windows\system32\Cfbkeh32.exe
94⤵
- Drops file in System32 directory
- Modifies registry class
PID:5428

C:\Windows\SysWOW64\Cjmgfgdf.exe
C:\Windows\system32\Cjmgfgdf.exe
95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5484

C:\Windows\SysWOW64\Cmlcbbcj.exe
C:\Windows\system32\Cmlcbbcj.exe
96⤵
- Drops file in System32 directory
- Modifies registry class
PID:5528

C:\Windows\SysWOW64\Cagobalc.exe
C:\Windows\system32\Cagobalc.exe
97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5564

C:\Windows\SysWOW64\Chagok32.exe
C:\Windows\system32\Chagok32.exe
98⤵
- Drops file in System32 directory
- Modifies registry class
PID:5608

C:\Windows\SysWOW64\Cfdhkhjj.exe
C:\Windows\system32\Cfdhkhjj.exe
99⤵
- Drops file in System32 directory
- Modifies registry class
PID:5652

C:\Windows\SysWOW64\Cjpckf32.exe
C:\Windows\system32\Cjpckf32.exe
100⤵
- Drops file in System32 directory
- Modifies registry class
PID:5692

C:\Windows\SysWOW64\Cmnpgb32.exe
C:\Windows\system32\Cmnpgb32.exe
101⤵
- Modifies registry class
PID:5724

C:\Windows\SysWOW64\Cajlhqjp.exe
C:\Windows\system32\Cajlhqjp.exe
102⤵
- Drops file in System32 directory
- Modifies registry class
PID:5776

C:\Windows\SysWOW64\Chcddk32.exe
C:\Windows\system32\Chcddk32.exe
103⤵
PID:5828

C:\Windows\SysWOW64\Cmqmma32.exe
C:\Windows\system32\Cmqmma32.exe
104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5888

C:\Windows\SysWOW64\Cegdnopg.exe
C:\Windows\system32\Cegdnopg.exe
105⤵
PID:5952

C:\Windows\SysWOW64\Ddjejl32.exe
C:\Windows\system32\Ddjejl32.exe
106⤵
PID:6000

C:\Windows\SysWOW64\Dfiafg32.exe
C:\Windows\system32\Dfiafg32.exe
107⤵
PID:6056

C:\Windows\SysWOW64\Djdmffnn.exe
C:\Windows\system32\Djdmffnn.exe
108⤵
- Drops file in System32 directory
PID:6104

C:\Windows\SysWOW64\Danecp32.exe
C:\Windows\system32\Danecp32.exe
109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5124

C:\Windows\SysWOW64\Dejacond.exe
C:\Windows\system32\Dejacond.exe
110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5164

C:\Windows\SysWOW64\Ddmaok32.exe
C:\Windows\system32\Ddmaok32.exe
111⤵
PID:5228

C:\Windows\SysWOW64\Dfknkg32.exe
C:\Windows\system32\Dfknkg32.exe
112⤵
PID:5332

C:\Windows\SysWOW64\Dobfld32.exe
C:\Windows\system32\Dobfld32.exe
113⤵
PID:5384

C:\Windows\SysWOW64\Daqbip32.exe
C:\Windows\system32\Daqbip32.exe
114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5480

C:\Windows\SysWOW64\Delnin32.exe
C:\Windows\system32\Delnin32.exe
115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5524

C:\Windows\SysWOW64\Dhkjej32.exe
C:\Windows\system32\Dhkjej32.exe
116⤵
- Modifies registry class
PID:5596

C:\Windows\SysWOW64\Dkifae32.exe
C:\Windows\system32\Dkifae32.exe
117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5676

C:\Windows\SysWOW64\Dodbbdbb.exe
C:\Windows\system32\Dodbbdbb.exe
118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5736

C:\Windows\SysWOW64\Daconoae.exe
C:\Windows\system32\Daconoae.exe
119⤵
PID:5820

C:\Windows\SysWOW64\Ddakjkqi.exe
C:\Windows\system32\Ddakjkqi.exe
120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5936

C:\Windows\SysWOW64\Dhmgki32.exe
C:\Windows\system32\Dhmgki32.exe
121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6044

C:\Windows\SysWOW64\Dfpgffpm.exe
C:\Windows\system32\Dfpgffpm.exe
122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6112

C:\Windows\SysWOW64\Dogogcpo.exe
C:\Windows\system32\Dogogcpo.exe
123⤵
- Modifies registry class
PID:5172

C:\Windows\SysWOW64\Daekdooc.exe
C:\Windows\system32\Daekdooc.exe
124⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5288

C:\Windows\SysWOW64\Deagdn32.exe
C:\Windows\system32\Deagdn32.exe
125⤵
PID:5408

C:\Windows\SysWOW64\Dhocqigp.exe
C:\Windows\system32\Dhocqigp.exe
126⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5508

C:\Windows\SysWOW64\Dgbdlf32.exe
C:\Windows\system32\Dgbdlf32.exe
127⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5660

C:\Windows\SysWOW64\Dknpmdfc.exe
C:\Windows\system32\Dknpmdfc.exe
128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5716

C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
129⤵
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5912 -s 396
130⤵
- Program crash
PID:5140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5912 -ip 5912
1⤵
PID:6096

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe
Filesize
94KB

MD5
900bb467071a50fcb306ab0789086087

SHA1
131182c73c21b9a8794cd2dbb395f69796bab627

SHA256
08057e99b75e69cac60f72433df6bbc7b056b6d4ef8255c1d12b1d316e16145f

SHA512
a415329a477b001cbc0619ebac3047b5eb156a2b2361169904b827e891b78b0ab1f1cda34e192c4483e5b1dff689a608d461271ffbfe19080a9e2c739828f13c

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe
Filesize
94KB

MD5
75fd13ca7ad02080cb23f13f36c6e719

SHA1
c0a0043f22b1abda949308e2333b8218d57c98ae

SHA256
219f035a490cfe752e9b54bc035fc8d430f8895d8a4cdbc24801735fa51b3083

SHA512
ae6d641c9163340e2504708b3e1ad4a74f7d978b72504c38a8601948907ca208693a5798ccd511d4de121a7248ea734dbe55c37058b312aebae43a1629a1d395

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe
Filesize
94KB

MD5
924bb56acfa8035e3844843d4119f95f

SHA1
e9a68835fbaaf2aa2533e438da65cc72267d8f13

SHA256
6051ded8ec7037e461a0dd2e0ebea218baa09d188534602f108e5997321f16be

SHA512
b35ee10868d6fa4c425ac08d0bcb4df056456492f6372403d6b7ebd05850a4fb3b86e62360176814033bd4682beb14353ac4f501a9b9e0e52fff443dc3cff6ad

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe
Filesize
94KB

MD5
b9fe365118cbddd1f9b23e7ea1d3e0cb

SHA1
a6d6d24392c1728aae781d252249dd520738c366

SHA256
433536cf149dc992f0b8aafd8cedce80d480f6623cd1c85b34327d9789dd0d12

SHA512
004c03f0bbd0ef5cb2303ca7b8ee4e0c8102893bf19526c242c533628188ce788fbb90fa74ea6210d45caec2b279a64bc36cf75c0986fe5a8984e6629125c6c9

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe
Filesize
94KB

MD5
e258f33e16fbb11977dd6a810dab329c

SHA1
6055b960b65b8a8f86107bee2cf986f8b16a9ed0

SHA256
1b24be89ca873c07070765688756ff68d0ba446426e7f5e330b8c2b7e0f3694b

SHA512
85a587df189faf4bac7f9e6889d4335b59ecd8f12c1113095166a178c81149b00019bac0e4f69d2d7447a3ede7e8deb733d32f3be2e00b3434b93cc589392cf1

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe
Filesize
94KB

MD5
b29376a9cdf6411bdc986117eaaf150b

SHA1
d0b43afcf281eb05f9352a1cb838bbe830f4ee0d

SHA256
3c70428a8a28a3beff856ad069e40d30d9a13af36e5c551d93be99aff43d8fb7

SHA512
9122d135411101882e0fe7e62b472b503a64c6f66ad2fc282c3e22c5891b75273511b223e1a263db89c6214950f06f33c1d16693d0fc39911cc6faffed3d997b

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe
Filesize
94KB

MD5
299484ed87748440abf66306e67a3442

SHA1
1db70e72d58440a25a024078dfcfe07d98901f10

SHA256
4cb71de86ec0f8b360672dd9071d0f1272494188162a76d90f17cf0d55e90ef8

SHA512
c524cabafa788557adb23a9223c89fb2f24305f209377f601511cce6db4bee4405d69d1d559a1ef80ccd42e6875b4497b533f4d93a9f5cd3d68a2a2074f38a95

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe
Filesize
94KB

MD5
117f308622969514ad7dabc654030b6b

SHA1
dcd55886c00434e801eebb314a5187b3f06ff036

SHA256
90c8b1ea843bf10818271cad92b01ab0f4a3729831b72cfff856680d1967b6b1

SHA512
b212f89a8e12beb3c40f72441608f5e1a58607120091773918134ad38da423d90300dfe7a12e2c6de4823f16e2893830fb9e9559f2702291f62d6a0fe6ebab5b

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe
Filesize
94KB

MD5
e410e37dd7ba38e88fad88774daf513e

SHA1
3e2a9cfe3d7971bd68bb7fbc9d532d3312544004

SHA256
ae245907510fa0e773d516cb8077d57ba3837015338726cbd751532d5731b7f7

SHA512
860db3c98ef03283d1f6b918e55dcf89c5e7d1842e662eaaff0993e60ae0fe6a6e3aa0086041f765405514529f36eac9bc19fc1c7c8f4d179c842b7517846a2b

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe
Filesize
94KB

MD5
6224102c36dd472e68491b9d43d22876

SHA1
786eaa896e2848cd9e9f9f53afbf5c7c98fc26a8

SHA256
3995db3a5ff7b67023453782490565a8d05922dab753b594b9af0a3237d2f063

SHA512
033cb243a3c4667dd2c8ee00f6059c1d4a151d008bdf0b4ca0695a14c726f0e17f4adaadf2dbb2a121d8b6f6471ea750385456b244bda486fcfc24714c208724

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe
Filesize
94KB

MD5
2a422e6085252dbf58c9e1671b11b342

SHA1
2976abb2c02dc257891ee9cf13ee99815453b5f1

SHA256
9fa29b5f6dcac3d99de081f78f80d3cd6f3bd0296231c580e3dccaac214b901f

SHA512
c6d94377c3213143fd64df9dcea90023088e92d2bd94d122a38d702deb1178e637ca8c18409bbfd14c8da99463a95de3cbe1b0edb8239149ac9946bd418e8163

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe
Filesize
94KB

MD5
6421018d821c0c281f911a06f4ff628b

SHA1
2558bbbb07050fd32e16454fde0e927dbc08bf12

SHA256
3e52b3ff7ebb0e21039088c960297b89fdb1194744cfb5d36832f6ccd596e938

SHA512
44c4bd99c3913962e140cd4ed2782c01440feb753f80def68469c6d739ba19569bf776ee9eb01560cc5a43a6601c71bed9401e1497f77a49df3ac699430f5200

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe
Filesize
94KB

MD5
8efe52791ba0a59d143d0ff069db75c5

SHA1
6fee468973eb99be84cd8fb638ba265a7f9994ff

SHA256
45adcce141b2eddbee89bd8b4738da0d765d7cf3a465ae10836803e720353280

SHA512
a3399baa4567b20b15023d53c3205587da4adc067a66c5877ad5393ce8f3d6cba55a9db2153d46816f7fd0209146ecc56c2d49ef5e4e4baba764d49044eb3680

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe
Filesize
94KB

MD5
89891464ccca93e45838d04d91dadc89

SHA1
629c29ba9a13356dc69d77dfc814b714f825e338

SHA256
ef8b23099791e3433f057be2e2a4d23106421877bbf1f22f9708174ec89c2a54

SHA512
522b1552debf4e4defefced7fde1ee1a92478a9d9053d2c8989c748b7919fd2ee76a50b994252e47fee171610670decdf60cbf13b2203834fa2489107d76bd03

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe
Filesize
94KB

MD5
9ce7a7b43fda555033570c39e88ade8a

SHA1
f4fbca6219430a1b32430469dedc0992ba0e5993

SHA256
2f1f8c940f6cd47074d6fd36bf4d894f65a3b64f0fd7fbc0c65390c019652628

SHA512
840286d4d48bdcbb4b82446b60ede997354042da658f4366151b3d404401484fc51f2b3b70aa2dfcd417bec0835fc6bc02d8e32b088b0b54471c233ea6aafdf9

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe
Filesize
94KB

MD5
bc3fd7dc925ff0a12b6cbb937e2cabd3

SHA1
6dead7b152d2a5912900c49455b6d607074e6861

SHA256
ac98d460ab39e37e8b31cc4d17bf760839c922215dc774e22d3e6b5b28000c9e

SHA512
5209d9da7410bbb3cd5776ffe926df90c53e497c63c3296ca3e15b71694cee2d9fc2db9a028162a816cf3ddc0279ebd7e8d715d72b3bf05a4e839fe0699d9be5

Download Submit
C:\Windows\SysWOW64\Njciko32.exe
Filesize
94KB

MD5
640a9420c2ee26883f39e686ef5a2c9a

SHA1
360f7f1bd3fa9792c553b4e3c71704946228f8a0

SHA256
28cd2e4bf0d47ea2f6df4c02df09c134c2898846a353b38c5d251104cea63124

SHA512
0aa3fce1f2c8976256809b176daf73f459bcd2f5a8b34510305cba8fa796110f07446fabf8fbf8987c5622df75a1bf0e2c2ceba0b03b19d9c120362c57a71260

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe
Filesize
94KB

MD5
6bdc195cab5b9d04cdb6ee6e4b9a081f

SHA1
927e561ec533531f370faf2fd88b5c63ba844718

SHA256
d2be5b1e6094096a6299688fa103946535d4ca7c3bcec7446f0cb99135332557

SHA512
14033eaa5027e496de0a0d695e05ee762d61d0be74959cad5b4c3964765410d495934729248b22a0cd403402f9b5b09c0156232fd9c0bf16429ba4219fcf2e31

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe
Filesize
94KB

MD5
aa19f3b8b3d2c54e4a84fa76c6f1056c

SHA1
d3cf54a71b9600420f8a8cd05c2ab05b7dc3ff8f

SHA256
80bc28fbd90ad2f9952004590f7885157530ab9a73546a2d2a65be3d78e654a4

SHA512
74aa0042c992d459c323f567562e7d064254050f6e937e6ffdf9b6412a83506741e144b13809201c2088ffdeb78d4e58875e986d909f59c5d2e8f76b80ca169e

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe
Filesize
94KB

MD5
cfcda90a36f5d5fc89318bf28d3e2c51

SHA1
000561b6b5cd836dfb0c70f04bdc987dbbb6ea83

SHA256
f587b6f4319170c692f9b066e3b295c9e10c6f0932471c10774148d210eb9090

SHA512
1b1552e73bb6c0cbf688727cabc24c90000b62a72bf61ec9ef0ae66fe52c089b52bca10b1491193b9bbca5c43b7ad99f93b5b06206dad4879f6a49ae8ff53e9a

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe
Filesize
94KB

MD5
20777b653f1ee35e160dfea97eedefed

SHA1
f561311e282c119388bbe46c5eb452eeef669428

SHA256
3b83ee0e138a4ff057a4227ccae7ebe305c08c4bc22b65d414260e6a812129f9

SHA512
1d32b6fc19ad6f544cfede36afd2f035f33ab55d26523c25b4fabe59e0dbd4a7756ae58eeabdc1f4bc5af5e8d6709562e8e309dc9267ad391d12538b8521725e

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe
Filesize
94KB

MD5
0528965bac62cdb3a5170710fec5b609

SHA1
1306b5d531b1658e95dab52ce34dff622a481059

SHA256
0b6a3077cadac9445e73a7b66c3fbd899561841ffb668e52cfca27204890ab53

SHA512
d14cd1d7a110764926a98eb3d8fbd288f8ea99c87d4615bed973d795ac4e8d9fb8f0fd096e54dd0b6e0d4797bc1f4d0a1ddb66794987baddf4b255b5682b2b6d

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe
Filesize
94KB

MD5
5a2d65fc4c380f02a940df092eaa3d5f

SHA1
42e0638b4d0e4f204819d1b0ad903f7b698cff60

SHA256
6061dee8aca1723ca3f13854f5f6891ab8ecd25301ddb007c355321eefbd922d

SHA512
1150430011c921ed312349ca194d5012aad49e4ba6a704d1e644d0565728340d92eaef6b62cbe595b5f4a2a45604d7a5018affb517cac5f7018fdaaae092f1c6

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe
Filesize
94KB

MD5
ad188755d2e5dec0ff56a3df1dab8ceb

SHA1
6b57eb25024f2b56ba686c62289a9846d9e1de1f

SHA256
cfc066aa503206e420b9cc35482170cff5db90d4cb44b772d2de17091bc30f1f

SHA512
8590096b45075f2ea75f67fcf0a9cb3c859df7ebfc18bab4291bd01961d786b62f282a4e4ffc28723d5930a53bdca6466fab7ea35fff939be872d48a0c0a20c8

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe
Filesize
94KB

MD5
739f329fd0e24f4080e4cd360f6dc5ed

SHA1
f176fcb168b8445d7a1b83b32e1da0aa70b37134

SHA256
2829f70cccb91117a9bfe62ccf6321eade30d572908b3cf841a73c07929c55c6

SHA512
b24af496b2b30a96bb9e2444cceb058eb3e415de33afa52949b3e390c7c2d0e1cf30340043b3a73c8c9ad696a0ff2acbc5274cdfb28bd9c23ff261757920ae8b

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe
Filesize
94KB

MD5
84fe3089896b4b66e4f51eb8e8663086

SHA1
e4290224c6f086c60e25ffd34b4706cbb70316e4

SHA256
401be66a9384b892c5cdfcd4fa0acd7119c6a4ae4d9354e286c6936966535619

SHA512
58447a40ee5cbd8a859fba8a738df565c6bd22dd12243cf076562a3df048fd298e681cd819cd71e793014692f16a994118cdb5190afd2dfe9f18b2d71ecacb7c

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe
Filesize
94KB

MD5
fde93c22d89e29e8e69d80269e25c19b

SHA1
d3b9e07f9af6934009f72f24266d76201ddb148b

SHA256
30038e0b110f2d4b3a3a3c6eb0e08c831c4b508bf50702670bf8ac96e151479c

SHA512
8921fa5fe8fbeec84424ccbe99d782221ff21e88e4afc837f9bf7a888e018633f0d466584a3353f324bb04ef631b8e29660082840e0a06c2f96ce995cb702f43

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe
Filesize
94KB

MD5
725b5886939d61dd4157264d1a65b570

SHA1
ddb36ee8c3b28a175b2eb0f4d72db6d9baa39456

SHA256
bd1d52204b5edf9fa11ff1647257091f0904dfda5ccde37caf9ff65359fa215d

SHA512
fffb6100e87739115ee0539cb0ecf92158341c16c81ea2f06bacba1294d393251ca2daa6f10a4609ecb33f8b804245c7404e7be61f84478b2bcddbf6c226655e

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe
Filesize
94KB

MD5
8b63e6d4c4784043e3748a964a7578cf

SHA1
9ac830ae12ee01313079eff19cbca8bd753c8689

SHA256
3fdab9c83b8b6c688b37a31a8c171e205c2003eaf476f1bb1422b5303b6dda90

SHA512
03ff1c66e3aaf805a27ac8faa89d5f599079058f067a80add354075fd30bce243d29b0346050af097c6f53be90729728d4b070faa15914281e480e7b6b992580

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe
Filesize
94KB

MD5
a5aa57fb177d40f26adf81a162675b8f

SHA1
8fced5384e7855c26d1d83ea4b68dc34de54e140

SHA256
69bfcb53a43b6ee6edc65ddbc6e9abc3a855999018f5bcd1c7a7b6f6694173e6

SHA512
6de1b931121cffaf14839476c9148351dc5f712a2a580a3ba05bc7af720e365f5e87163c25e8f3fc3521b41b4d8292b35fc89cd9c634f02a082145cd2c038168

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe
Filesize
94KB

MD5
9548971f1d5997b27a7fb11e5f1f3598

SHA1
e9556fea4637cf8641eeda02f094fea0d6005d00

SHA256
eb1de6bb7ba9f73faae4fea7e6874301fc0ccbf626c79400a023bdb3da5ef6c4

SHA512
69f794385345d3a39249aa130115f346f86d0c73ac6f74308befaf9f6bd7d7060771e4ebbd83a70e9e865e6735544e0f82e33aa86585d60682ae243cd1a9733f

Download Submit
C:\Windows\SysWOW64\Onjegled.exe
Filesize
94KB

MD5
4ed7a42b9d9af3190258335b2afb5865

SHA1
f3305461e3cc23cf6a7ff5501613c4359e2c751d

SHA256
a1a9c687aadb998cb8246d1d24d261825dd217331463ec57301b75616a4e4098

SHA512
859de75ec8b8e534a890465420dccfb9e85f76cfb01cd6ca15672c93e6a6eeafc6fc91c0ecd116388613f31e33097516011831e7441343155c21407b9236ca6a

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe
Filesize
94KB

MD5
8baceff956ec4dbc44cb36307d5b4fb2

SHA1
74e0ebe047899e2e8109d919b95c2abb41e4a708

SHA256
d6ce35ec18b41c9e0ac914f5ebbcf27b2bdb9ab44835b92dbb38543f0931db26

SHA512
636c8cfcd876a4738f6108eddbd2997e0a1a6a3a60a42695791bd53d02391927920674b8b1111c9575ed0e23994722450f0f05d6fa28f71782f4553a1c0463cf

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe
Filesize
94KB

MD5
da3f2a8fa6ff2e504cf79afee005ffd7

SHA1
eae4ed1edf80dc8cf6b95c318b96505b3ef959e4

SHA256
5df7f8a6910e407776f4603113fc95e2eb254ef87dc7216fce5ba3f5aa2e44ed

SHA512
f0c0e460463da16acf044b9b5873059c1d75dc82a80df2deb4153f97430fc917f31f9d5f1a1ba682fa40b5999e567896d59dc6d42ec538ed07297e37193395a3

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe
Filesize
94KB

MD5
e5ba5b573ec3b5ea263b25950736867d

SHA1
43a0ccecc9142f786f490b03ad3c30fb2e88755c

SHA256
d244bd188a95b7cd6796e07442ba8d68a8015fc2123a4eaeb9862a120a5bb024

SHA512
b8046d30db0033a933811b77f83f8ffdd5b698a4812224e36637fed87517f5a7ebba6c6b0e25b705166a0b2bdbfaf03c2eeb7d574f860f5dad457cb2d8bf43c2

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe
Filesize
94KB

MD5
0adc0cafaf2e0bccc5f495a17d2f0dbe

SHA1
9a253c02f7755c3d041310d5dc86cc2e9e0b37be

SHA256
69d34fc9391651f44213fb446e7dba0cdfa6974a67595270c52f2f448d06b4f4

SHA512
9eb266726a7089d5da744c38b016fdc2e7c9e0a445a06356059a869099273809a50eef00f108c4694f278e8f4b539b5c4f133f7ab6dac8f79d82b8d464256a95

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe
Filesize
94KB

MD5
2103ddd57ff93395e153021d8ba456e3

SHA1
99895a81b38b8bfd24c2906b5539a99c51d52671

SHA256
d1a50d3700976e28190ba95adaab5c8a508e49316740438c526cdd2912436465

SHA512
e6a6a2f6c1e624460024c48e385a3ad1150736320031d7ba1ec1fd3d851e7f98839e48e6034ffac83dbe7d5e24d07489b3238d0329d5081973f564a2b3b6b3c3

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe
Filesize
94KB

MD5
6267943deb6f9fcc7100343fc9c836a8

SHA1
f42038713513e798a3e2ad4ed927f4f41eb54315

SHA256
c3a0b7784eecb1345a81a1f0ed00d34ac1d48f11bace0e83edaf064a344b1a83

SHA512
ad1f3123416bcfed9f8f1fd97c5087cdba732dd060676caebdc6ce6904e81a1603b105dc547294f8751aad9b5a37cc4ae32af588cb29d560ef68c6e7b3e07822

Download Submit
memory/404-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/404-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/408-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/408-255-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/520-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/532-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/760-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/760-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/944-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/944-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1000-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1000-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1192-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1192-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1320-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1380-374-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1380-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1404-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1404-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1564-408-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1636-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1636-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1764-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1764-360-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1972-357-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1972-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2044-414-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2044-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2468-415-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2504-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2504-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2604-344-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2760-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2760-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2868-402-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2884-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2884-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-77-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2996-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3112-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3136-264-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3136-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3172-375-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3204-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3204-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3228-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3228-131-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3240-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3240-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3268-421-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3308-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3308-154-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3316-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3316-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3460-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3596-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3596-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3600-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3600-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-427-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3728-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3728-313-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3784-438-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3908-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3908-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3972-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3972-343-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4208-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4208-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4244-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4244-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4252-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4252-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4348-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4348-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4412-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4412-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4584-386-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4612-393-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4696-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4696-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4704-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4704-37-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4764-373-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4832-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4832-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4944-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4944-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-428-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5012-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download