7b445452c68ad0c6f7bd6ba92a050dbeb5e53935c00c8f036e6599c2986d8693

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9afdfc5aa6fa0eb6ccb548384e984460_NeikiAnalytics.exe
Size

128KB
MD5

9afdfc5aa6fa0eb6ccb548384e984460
SHA1

a1d696cdc31f3f74642b6de474d5b957dde8ef77
SHA256

7b445452c68ad0c6f7bd6ba92a050dbeb5e53935c00c8f036e6599c2986d8693
SHA512

54e14933bd052024e589ce1b3a0a3604d5995e14fb6990bd36026ab9812f4c2604fd65929523e716a92a9d475311fd97cbef1ea14fe29c6e96c6f15d7d500fe7
SSDEEP

1536:/PKWsov0F0HMn03U43and0SGLhj06BrFEznYiGzBn2rq15bLSwiHr/:/PFsobHMnmkGLJ06rFEznYfzB9BSwW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjfgphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhcnke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dadlclim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djlddi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elagacbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehhgfdho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elhmablc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe

Executes dropped EXE 64 IoCs

pid	Process
5064	Ccjfgphj.exe
2688	Chgoogfa.exe
5104	Ccmclp32.exe
2188	Cekohk32.exe
4148	Digkijmd.exe
5588	Dlegeemh.exe
1360	Dpacfd32.exe
1496	Dabpnlkp.exe
680	Diihojkb.exe
2004	Dlgdkeje.exe
5376	Dcalgo32.exe
3988	Dadlclim.exe
4784	Djlddi32.exe
5700	Dljqpd32.exe
4532	Dcdimopp.exe
3388	Dagiil32.exe
4348	Debeijoc.exe
3052	Djnaji32.exe
3748	Dllmfd32.exe
5016	Dokjbp32.exe
5792	Dcfebonm.exe
4804	Dhcnke32.exe
3112	Dpjflb32.exe
5028	Domfgpca.exe
5756	Dakbckbe.exe
4916	Efgodj32.exe
3992	Ehekqe32.exe
1128	Elagacbk.exe
2832	Eoocmoao.exe
1972	Efikji32.exe
2988	Ehhgfdho.exe
3040	Elccfc32.exe
6068	Eoapbo32.exe
5140	Ecmlcmhe.exe
5564	Eflhoigi.exe
3124	Ejgdpg32.exe
2348	Ehjdldfl.exe
3660	Eqalmafo.exe
4548	Ecphimfb.exe
5660	Ebbidj32.exe
3928	Efneehef.exe
1188	Ehlaaddj.exe
5096	Elhmablc.exe
4996	Eofinnkf.exe
392	Ebeejijj.exe
2672	Efpajh32.exe
872	Ejlmkgkl.exe
2268	Emjjgbjp.exe
5872	Eoifcnid.exe
6140	Ecdbdl32.exe
3008	Ffbnph32.exe
3224	Fjnjqfij.exe
4908	Fmmfmbhn.exe
5572	Fqhbmqqg.exe
1716	Fcgoilpj.exe
6080	Fbioei32.exe
4604	Ficgacna.exe
404	Fmocba32.exe
4480	Fqkocpod.exe
8	Fcikolnh.exe
1160	Fbllkh32.exe
4652	Fjcclf32.exe
3232	Fifdgblo.exe
2240	Fqmlhpla.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Dadlclim.exe	Dcalgo32.exe
File created	C:\Windows\SysWOW64\Lbdfmi32.dll	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hboagf32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Impepm32.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Ggmlbfpm.dll	Domfgpca.exe
File created	C:\Windows\SysWOW64\Bjikbh32.dll	Fqmlhpla.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Jehocmdp.dll	Dljqpd32.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Bdhngp32.dll	Dcdimopp.exe
File opened for modification	C:\Windows\SysWOW64\Djnaji32.exe	Debeijoc.exe
File created	C:\Windows\SysWOW64\Eoifcnid.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Cekohk32.exe	Ccmclp32.exe
File created	C:\Windows\SysWOW64\Lfhilofo.dll	Ecphimfb.exe
File opened for modification	C:\Windows\SysWOW64\Fjcclf32.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Gcpapkgp.exe	Fodeolof.exe
File created	C:\Windows\SysWOW64\Inccjgbc.dll	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Djlddi32.exe	Dadlclim.exe
File created	C:\Windows\SysWOW64\Dbppbgjd.dll	Dpjflb32.exe
File created	C:\Windows\SysWOW64\Qfiapa32.dll	Fbllkh32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Dlgdkeje.exe	Diihojkb.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Habnjm32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Ecphimfb.exe	Eqalmafo.exe
File opened for modification	C:\Windows\SysWOW64\Fmocba32.exe	Ficgacna.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Dacdmi32.dll	Dokjbp32.exe
File created	C:\Windows\SysWOW64\Ockmjg32.dll	Dcfebonm.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Efgodj32.exe	Dakbckbe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7192	6472	WerFault.exe	307

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcfebonm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcepmcb.dll"	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omccgkde.dll"	Dagiil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgghma.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcalgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcdimopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblilb32.dll"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogaodjbe.dll"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcdimopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbppbgjd.dll"	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djlddi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdcbdnc.dll"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iedonm32.dll"	Elccfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecmlcmhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebhjob32.dll"	Chgoogfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacdmi32.dll"	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfedle32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 5064	3256	9afdfc5aa6fa0eb6ccb548384e984460_NeikiAnalytics.exe	81
PID 3256 wrote to memory of 5064	3256	9afdfc5aa6fa0eb6ccb548384e984460_NeikiAnalytics.exe	81
PID 3256 wrote to memory of 5064	3256	9afdfc5aa6fa0eb6ccb548384e984460_NeikiAnalytics.exe	81
PID 5064 wrote to memory of 2688	5064	Ccjfgphj.exe	82
PID 5064 wrote to memory of 2688	5064	Ccjfgphj.exe	82
PID 5064 wrote to memory of 2688	5064	Ccjfgphj.exe	82
PID 2688 wrote to memory of 5104	2688	Chgoogfa.exe	83
PID 2688 wrote to memory of 5104	2688	Chgoogfa.exe	83
PID 2688 wrote to memory of 5104	2688	Chgoogfa.exe	83
PID 5104 wrote to memory of 2188	5104	Ccmclp32.exe	84
PID 5104 wrote to memory of 2188	5104	Ccmclp32.exe	84
PID 5104 wrote to memory of 2188	5104	Ccmclp32.exe	84
PID 2188 wrote to memory of 4148	2188	Cekohk32.exe	85
PID 2188 wrote to memory of 4148	2188	Cekohk32.exe	85
PID 2188 wrote to memory of 4148	2188	Cekohk32.exe	85
PID 4148 wrote to memory of 5588	4148	Digkijmd.exe	86
PID 4148 wrote to memory of 5588	4148	Digkijmd.exe	86
PID 4148 wrote to memory of 5588	4148	Digkijmd.exe	86
PID 5588 wrote to memory of 1360	5588	Dlegeemh.exe	88
PID 5588 wrote to memory of 1360	5588	Dlegeemh.exe	88
PID 5588 wrote to memory of 1360	5588	Dlegeemh.exe	88
PID 1360 wrote to memory of 1496	1360	Dpacfd32.exe	89
PID 1360 wrote to memory of 1496	1360	Dpacfd32.exe	89
PID 1360 wrote to memory of 1496	1360	Dpacfd32.exe	89
PID 1496 wrote to memory of 680	1496	Dabpnlkp.exe	90
PID 1496 wrote to memory of 680	1496	Dabpnlkp.exe	90
PID 1496 wrote to memory of 680	1496	Dabpnlkp.exe	90
PID 680 wrote to memory of 2004	680	Diihojkb.exe	92
PID 680 wrote to memory of 2004	680	Diihojkb.exe	92
PID 680 wrote to memory of 2004	680	Diihojkb.exe	92
PID 2004 wrote to memory of 5376	2004	Dlgdkeje.exe	93
PID 2004 wrote to memory of 5376	2004	Dlgdkeje.exe	93
PID 2004 wrote to memory of 5376	2004	Dlgdkeje.exe	93
PID 5376 wrote to memory of 3988	5376	Dcalgo32.exe	94
PID 5376 wrote to memory of 3988	5376	Dcalgo32.exe	94
PID 5376 wrote to memory of 3988	5376	Dcalgo32.exe	94
PID 3988 wrote to memory of 4784	3988	Dadlclim.exe	95
PID 3988 wrote to memory of 4784	3988	Dadlclim.exe	95
PID 3988 wrote to memory of 4784	3988	Dadlclim.exe	95
PID 4784 wrote to memory of 5700	4784	Djlddi32.exe	97
PID 4784 wrote to memory of 5700	4784	Djlddi32.exe	97
PID 4784 wrote to memory of 5700	4784	Djlddi32.exe	97
PID 5700 wrote to memory of 4532	5700	Dljqpd32.exe	98
PID 5700 wrote to memory of 4532	5700	Dljqpd32.exe	98
PID 5700 wrote to memory of 4532	5700	Dljqpd32.exe	98
PID 4532 wrote to memory of 3388	4532	Dcdimopp.exe	99
PID 4532 wrote to memory of 3388	4532	Dcdimopp.exe	99
PID 4532 wrote to memory of 3388	4532	Dcdimopp.exe	99
PID 3388 wrote to memory of 4348	3388	Dagiil32.exe	100
PID 3388 wrote to memory of 4348	3388	Dagiil32.exe	100
PID 3388 wrote to memory of 4348	3388	Dagiil32.exe	100
PID 4348 wrote to memory of 3052	4348	Debeijoc.exe	101
PID 4348 wrote to memory of 3052	4348	Debeijoc.exe	101
PID 4348 wrote to memory of 3052	4348	Debeijoc.exe	101
PID 3052 wrote to memory of 3748	3052	Djnaji32.exe	102
PID 3052 wrote to memory of 3748	3052	Djnaji32.exe	102
PID 3052 wrote to memory of 3748	3052	Djnaji32.exe	102
PID 3748 wrote to memory of 5016	3748	Dllmfd32.exe	103
PID 3748 wrote to memory of 5016	3748	Dllmfd32.exe	103
PID 3748 wrote to memory of 5016	3748	Dllmfd32.exe	103
PID 5016 wrote to memory of 5792	5016	Dokjbp32.exe	104
PID 5016 wrote to memory of 5792	5016	Dokjbp32.exe	104
PID 5016 wrote to memory of 5792	5016	Dokjbp32.exe	104
PID 5792 wrote to memory of 4804	5792	Dcfebonm.exe	105

C:\Users\Admin\AppData\Local\Temp\9afdfc5aa6fa0eb6ccb548384e984460_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9afdfc5aa6fa0eb6ccb548384e984460_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\SysWOW64\Ccjfgphj.exe
  C:\Windows\system32\Ccjfgphj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\SysWOW64\Chgoogfa.exe
    C:\Windows\system32\Chgoogfa.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\Ccmclp32.exe
      C:\Windows\system32\Ccmclp32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5104
    - - C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5588
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5376
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5700
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5792
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        27⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        30⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        31⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        34⤵
        Executes dropped EXE
        
        PID:6068
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        38⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        41⤵
        Executes dropped EXE
        
        PID:5660
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        43⤵
        Executes dropped EXE
        
        PID:1188
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        47⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        48⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        50⤵
        Executes dropped EXE
        
        PID:5872
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:6140
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        52⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        54⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5572
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        57⤵
        Executes dropped EXE
        
        PID:6080
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        61⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        64⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        67⤵
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        68⤵
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        70⤵
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        72⤵
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4640
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        74⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        75⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        76⤵
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        78⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        79⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        80⤵
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        81⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2868
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        84⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        85⤵
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        86⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3144
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        89⤵
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        90⤵
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        91⤵
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        92⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1720
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        97⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        98⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        99⤵
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        102⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        103⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        104⤵
        Drops file in System32 directory
        
        PID:3652
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        105⤵
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        106⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        107⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        108⤵
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        109⤵
        
        PID:832
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        110⤵
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3848
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        113⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        114⤵
        
        PID:536
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        115⤵
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        116⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2096
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        118⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        119⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3516
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        121⤵
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        122⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        123⤵
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        124⤵
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        126⤵
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        129⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        130⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        131⤵
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        132⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        134⤵
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        135⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        136⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        137⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        138⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2120
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        140⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:964
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        144⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        145⤵
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        148⤵
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        149⤵
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4612
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        151⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        152⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        153⤵
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        154⤵
        
        PID:776
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        155⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        156⤵
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        157⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        159⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        162⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        163⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6380
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        165⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        166⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        168⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6600
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        170⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        171⤵
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        172⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6764
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        174⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6848
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6884
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        177⤵
        Drops file in System32 directory
        
        PID:6932
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        178⤵
        Modifies registry class
        
        PID:6972
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        179⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        180⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        181⤵
        Modifies registry class
        
        PID:7104
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        182⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        183⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        184⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        185⤵
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        186⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        187⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6576
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        190⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6668
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6800
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6892
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        194⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7004
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7072
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        197⤵
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        198⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        199⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        200⤵
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        201⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        202⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        203⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        204⤵
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        205⤵
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        206⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7048
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6176
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        209⤵
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        210⤵
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6608
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        212⤵
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        213⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        214⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3908
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        216⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        217⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        218⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        219⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        220⤵
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        221⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 412
        222⤵
        Program crash
        
        PID:7192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6472 -ip 6472
1⤵
PID:7156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ccjfgphj.exe

Filesize
128KB

MD5
f4c6221a69f516510d450b7ab763c0e3

SHA1
d2c9d9f3e85387981de0800d4c5dfab8331222f2

SHA256
985b708eec8d4a31041bf7db87157e391ae28b549f18fc1040533275d49fb151

SHA512
2ec07add3336201e2a3ffb913296c99cb26fab3252cfdeabf8831f9493892e9e5fea91f1015e6291f1f68be61a79f3cbdf3706a12c8ae816c97fa7f2adb67040

Download Submit
C:\Windows\SysWOW64\Ccmclp32.exe

Filesize
128KB

MD5
418f6a4171acdc07b7163cf921ac198b

SHA1
01298271a53189ce65a5e2a075ad8557f16f172a

SHA256
7d84c01066fbeab59c4efca32431fa5b5934b21b1a724b74ab664eb2f7903602

SHA512
ee7ab9fd7ef28b0d90932eb51dc7fd9c5818c7ecf1f5f97d9b92395094f74163764b9e87a9e36d04b112c2dc06d451622aeb6e878836f5854981a27e47c3e468

Download Submit
C:\Windows\SysWOW64\Cekohk32.exe

Filesize
128KB

MD5
424b5aceac3198bebc60724e1d5bb188

SHA1
197ddd5db908bf2f4338bdacc800a88fe0521a2a

SHA256
c1d32909a09db4be5b5df1f43887757405c33c3152ff1d5149374c5e6c41f464

SHA512
22fb110a655f83e06e3d60d86084c30a102f8e5c978ea966b8755008d271db8600a642a03f763e1ab3672b66836876ce8e3c925944bab799c055907cdd489b90

Download Submit
C:\Windows\SysWOW64\Chgoogfa.exe

Filesize
128KB

MD5
f3546dc3f7a638249dafa8baf82629da

SHA1
1b0cbf06b66253952c431d4e88897d9e7171669d

SHA256
10e3a4844e8d5e29d1132ba1acfd785a47d1f197b945bcf3063134b0cb4da3be

SHA512
71368e26e838ecab335db2063430c6ef3135be9526d1d0443d48ea647f7a6b7d921579c409fc270121aea1cad9ad9edab1d5c0e6b8eb7e348017583f6605fd9f

Download Submit
C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
128KB

MD5
c91b89d53e5d326b1b79ad5496602074

SHA1
7eef0cf4853cad3a520c046b57183f69e702ae2d

SHA256
961cab45c6bd7410c4e2c4b937c8cc7c1ae810c7142258b781465254dfedf471

SHA512
1f5be46a2d2c5e1f1cf09ad5448c2dd6b61e2c37b705b95d66b61835afe42ade44e787ad13d2bb2ca0f2aa742b04faa1257ebae36ca6bef4884a00a017cb64ba

Download Submit
C:\Windows\SysWOW64\Dadlclim.exe

Filesize
128KB

MD5
0d5c1f1200b7226a60e21d60f359f36e

SHA1
066d2fd4bda70f005697816002a4f221517193dd

SHA256
cac6d869dfcc207b3d632ede7b8892f7254c003e134c0e789527d34fae520e82

SHA512
b7eb3e20032f09fd0e7c0e12b3ac80a37fa823efca7dc858c66ed5fe608fb328604bb19043f078706dae79765caa24ce1a1725245372fe447bb49dabc3b47def

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
128KB

MD5
ae30b00e8352aefdce9d7a4889017a48

SHA1
bda0e50743363379d1bc1cd71b5e8f738e6c8274

SHA256
b5ed974d3d47fb29f6fa67569e632cec98411541085bab50deb9ff8d0d8492d8

SHA512
07073744bcde7f61199a5cbb66bfec83687728b2b55406a74da2e128b80a6199f5eb151bb2de98e5d1267b52f272e0959d0bdd15d653bc48d4208099657ec6c8

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
128KB

MD5
712b333394d5f1d2d9a08578725b550a

SHA1
7e88f0fb0fa4c25bd1fb3a9c4a2fe789c3900997

SHA256
d3bb5917a6a622bcdf342c23b4b4c78ea9768681bc41bf7e054a2a7ca9b4db3c

SHA512
955620c3e87bcb1417858b1d2a7842dfebb157d1f4bd134ede39ba4573ccb81470d51d9cbd7ea6cec10bc638025f4cbfdb57eece8248735d9502adcf17f76d0d

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
128KB

MD5
6d19a3687be180b787db56c37691cd3d

SHA1
cb1f5530a6e3aca50017d8dc57a606c79d39bab6

SHA256
7bb5dbfb9ddc2ea9784402c8acfd57b051050ccc65d0201fec8762c34789e32b

SHA512
eaeee9753928e6555fb4266ca2a7645963a07fd46af147594941d73f574060facc7f6e15a5ba6f3bcb973f659f2d02f33f8e84abb469dbffefa543f85e5162b9

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
128KB

MD5
45db71f9f111a020f936d6519241f7bb

SHA1
017c0a77e9a87251edaea5547dbd3e8251a1cec0

SHA256
e16b5f0fd0449be77941fb8a522b293d7bedb5572be6a97f5b66dcd9b9f1a026

SHA512
4f0bb6c4d9198d2b97c889112de38e0338aa2b9e2c506184e0f25452b31395ab390c163db9ed938cef4eec61a58a0dda1abf0a8829831828d74dec7553e68fdb

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
128KB

MD5
d981a5dafd12d0fac0f1f76283fb3230

SHA1
6789211b5bde600e498d575d93d9259ffeb32b0a

SHA256
d1535eb454faf2880f910495626f305a8e1194a3cc4bb708bbf733f3205a7cda

SHA512
039318a7a5d38d8a5a6351400472c96b68dc8527f4be100ea145e0ab7ef5418bb8ddb9137c697c6f5257a308a0e1629d1ed9ed601d373500496a477e508065e5

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
128KB

MD5
2acf7bbf35c98ada0e1b5ebb9ad7b1ac

SHA1
25eefb0970aeb358047ad4f78f8e8a7b803fc314

SHA256
a124b513a562218076f03a96fd026fe0bb812ff8c4f2b95ff5a355832146365c

SHA512
fb81c0257186bc5744885330cdc01bbe8ff432ffc82e4fd521d917e6a548eb032dea5f4adbc06bcaae8e4a5c6e0617fce5c51ec1c26ae77de9b8fa043a7c395d

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
128KB

MD5
f08f9a6280ea67a6c98a7a025cf79dd1

SHA1
0db7ae4b23010d3e1a2012a456e4f0b2e07b2f42

SHA256
3253f1326cd75db64fa1af2f17b0aa3a044bca07812ddbc9c80d00b0b12740b3

SHA512
adc9b7730014f602b73038a159f7c636a042cb6927718f50f1af69eea17924dc5bcd57da17de103831d04b97ab9997faaa33bcacc4e35c7ca1e62aab6eeca0b2

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
128KB

MD5
03bc8434a8066328963df5642980e3de

SHA1
c9aaa37b19cd7e895cc2d5d9eb5acab27538d6ea

SHA256
3b7d10c895dc4b517ecfe982cd04e5fb528ef54c803482699676a9b0267b33d0

SHA512
ea86e2732493555cebfa71ba2472a23bf188e9a59ce5719024e259b4bd5b1d2e53cc5d239c91fb1376a03505b383cbfb7f3fe0cf767a24f51055f28b590628e0

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
128KB

MD5
84b1eac5b3efb135a63726af2a7f6954

SHA1
f89115f4e952451fc3e1bcfe891bff36d70f3d8a

SHA256
90a63edd3f4915ed71ffe955a7e91d522c95ecb6ffc0cd6bff437ed95e27dd70

SHA512
f3a9ab23715ffa82b855a512cd316854f6bf9075424507f12a6096bbe35cc83f507c976d5da2bbfc5c78333d6ab479f496b1b1f402af6ca804c2123a0aaa6f8c

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
128KB

MD5
992615114f6c84750b1457cac5230b05

SHA1
42a8bf48d31b97d225293a330509a893ca85121e

SHA256
853b6840bb1cc5c0dd198dcc4b71ec1622afe6d6381e184ade94e2a907017fc7

SHA512
52ab723126a75ba3e5c9be7f7fd3259b0891f4cbbcbb9cf209bb245e3a055194c2b7add83722bf5647b5a5c8acc92918d8f234ffeb998ce64c28d5aea4672545

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
128KB

MD5
2ab63eac3ddad62f1850372f2680833f

SHA1
ed370a82050b7370be564e29041678fd66c52ea7

SHA256
41cf970761b90d1f701d813d16fc634197d8b5f0556728f984943fc4222c1328

SHA512
1dbe520fc9b8d4ac5a558b07efd502d3fac554c591213778ac61301175c10576c85c2486e0acde9ea58267c1a46b00a8e5bc6ab595cee0381f14eb5f972ab1cc

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
128KB

MD5
77bf32406aab782dba5eac0428e997f8

SHA1
cbe3d1d4ff70eda1bec2854ceebbf4703133fb28

SHA256
3fc61dcbd4181efeee3d86512808fd8f1288cbef0cd979c3c1176c52e8bbfc62

SHA512
088df1aa4f8cc34d3d9d58c706dc656dd4986e2a0b3f27e30f3183b1c7d4b577f66d3d2c7fd84d2bf18b7925308f7a8f4fba5940570c5a1a0e12d4fd70302789

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
128KB

MD5
1afe818d82b28613f82abbde633491a1

SHA1
d9ef267e8f0412b4ae0587b73bce5a0890f1bda6

SHA256
c76785f567db5c8f61c15e08848f6ff3cfb931a349264b1576107c574db7b4ec

SHA512
5f7778972472b81e9a33cb549adc38f7e8c11607567f64951a7ca6d5b301f8246cd4fc35f80898b7a8ca15ec4687b1f72baf9e9fe83cf822abb047e55b734d99

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
128KB

MD5
3e2695a41a4fcc44a366869cc40d0742

SHA1
3165381dc8b9e0648e260dcb4acdd1c4f6764bcf

SHA256
f1459e87efb3b585081714a6588ab88035ab8b35a386020469d7380f0f3b8a02

SHA512
2a1dbcae67997e270eb3ce8007f440bd03e8bab489c9abc2978146cc289ba8459c75c292b628587efbe96639a71fe88de7bac9026ddfb7638e16b28888eb6f36

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
128KB

MD5
1150d688fd832a04aa5ba6f6157e1ac8

SHA1
38148de66552777d97a2f180c90581a8464eeea4

SHA256
431105aa85d3915b20a8af52c92fe991df128d8021740b86c06ac733138483ac

SHA512
2bbd8568c34f9238268aaa52261490a6101d9b83c43a773e7cf5f70f18969132f7e928fd3c8d8bd2a951a9ddff9bf456471bd3a7ed10288f680ab14922640115

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
128KB

MD5
749dc1df48b97a6ff437cf8295426202

SHA1
0dabc20f11a45a251528ee9e087d22bf325659c8

SHA256
bc95b8f6c96040404f298655705a2bd9fed17fe01ade58aed80a13b96fd9355b

SHA512
fe90d719bc6a41e441618f9c3de1756e25e136aa86520c835e1840009af2871e99c9c7bed7ec42edd14a6ebe6235411f372ec4cb4d803d11f879d928b3fa8764

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
128KB

MD5
a1c2ca087fb6e3124aea392881427f56

SHA1
0acbbd245778ef1f7661fcb8ee0e6a371b66f688

SHA256
d21200a1a90bee49aeff35f49488c9498649ec9a47570beac7503af73f42a5fc

SHA512
4074cce188d52129dfa888aeed90ca69145bb84b7e384bb5f72d3b35552f052a52f8c7191ee3f72b67c3d4252000a586249d069bfd9b2d5682037f8f2462722b

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
128KB

MD5
56f8b7ada0f2da98882ca442236ee461

SHA1
4eb2b2ce24d4a15365356fba14e0ace3b774578a

SHA256
8fa6eec1e5c8f5776a17c2e27aa39663977039f1caa11f2a622445df99bf6fe2

SHA512
f17855bf160fa8b1063bc36dc530f6c2428306d9171d552e91e6c9b879e9510549b74e51d58885a05891f831210a6b8b60c4cd2b2ef0ff1c2d7e25c1a23d87e5

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
128KB

MD5
13cc4cf81733569e8f99a378a6c7174e

SHA1
5165db7a9fcf6e1b28c9c14910f73043a7d07b58

SHA256
b42f9bb81af2d1e6fd120f7b809808706e366e942180cf2bb2f65049b567e47f

SHA512
6a14ed2e13657ce3210348ea7a6e811224bd7e48b830db99809c342ad320c6be55e4d953ac67882c20f40ea08f6ac732ff67f41a5635b4261a4e5f0cc0162384

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
128KB

MD5
cf7e3835c1588fbee0d44fb62c62bac3

SHA1
2d881d4c6355b8edd1c57344383bae27c403d1d9

SHA256
9c3dca428f914a67885ce467e74037ea46c38f6b2de7696f7f21bddb8621d4e3

SHA512
84a9507e8b58b92dc7933ed0510559b251bd9f30df455313c54fa3b05d387b297e9fe131a248155e67a571898051369b59c27eecc3a17038be6f14ddcc7dc15e

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
128KB

MD5
a17140f7c5d488d2eadcaf3ffae73d95

SHA1
76b9241792de058dfb5856a22abc3c621bf9882a

SHA256
3952b293f8ac14de55070998d2bd74d6e7315fce1a689e6ea8f5f13f2c82c011

SHA512
4f994ea74a632ba0d812f16ebf39a99d87f251f36e23ce5ed52275248e9e288a834e91103aeabc48dad45c6a7009054ae330229d18bf58776f25aa5359175274

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
128KB

MD5
fc43263b35fc6226dc33faf10aac3c2f

SHA1
9c03f5c525a681482e5a4fb3b62cdd10ee2c5b35

SHA256
1f0f692e5dbc5a0f6bf307f5052b9e1a8eec168f4c5497f296033ec3a74d7300

SHA512
be35bb3d5c7527838aff73efa982d5d9d38d16f8b538030f8f02ea109f51a46fb32eaf100165b6e701ccdacddf04ea7bdeb313dac5ffe26647324112725ca133

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
128KB

MD5
1cbc319a1224ccaf3baf92fb97969fea

SHA1
d041a7fddd6b952061f72c628796ee7bb3301701

SHA256
90351fbf77ab11df9a0c1cb224913445c6b58d9ab79e6ee572b628abb9a93ef6

SHA512
3c73c7ad8135615cad63abc891a85a621bdf7fef04fac1ed8d4e72fa9c9d9897378c08c873d8153a4a24d0a1df72c2988a9469e6af546b1758b0344073d740fd

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
128KB

MD5
375be25a39a66de67ef5cc2d40b4048d

SHA1
1f31dc5a0dd5a6b6f52ee251cefd13a02f61c668

SHA256
dd88823bb5206396c98dfb774b07b76f46f8a0acbfa7fae037ea992fad0c4c91

SHA512
ca9ba8f6d3c1d79af045a86f550f8d30b7ae0e1abb2d8fac211344472a1d60ab1a6c4619eb05936dca78da8bc9709cd6df5ce4a1ee3c86d74f43c78fd24beef4

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
128KB

MD5
37fe97ee7375ad609bd83d8749648cfb

SHA1
6fc51e3af76813b0610eb98808abeef3d504d25a

SHA256
76023d637e4b6f39be5c66bee7d86969193d68a73394ce2345bf28688bf0259a

SHA512
377de0eb5c21ac58de1eb0ae298fd1f05748a7d70d7d91851468c30c4eda2ee60d82dfa01f1a2d6ee88789ca1100550858b357b7028105dd21608a6d57408e81

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
128KB

MD5
82800493c6e12599e2c95e28bdfeee87

SHA1
47af912e186ab9c29c3f9d05a9515346c4d3a069

SHA256
0f46730d314b32b584d8bed4dd1c2c6e96da884106fe98a6c532288a1c946e15

SHA512
7bc3e8a8b5a185fa569c3c796d6b49d27a3b7ae28df297723df065ef7e4434e581c57b9dac23841bcb3c1cb4ff4ec113ee9032ff66084c6f74bede15989854bf

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
128KB

MD5
c5d36ca2b2bd7654e4aadfef3b993d69

SHA1
dce851637b8b87cf99a50ee5a534814d4f804d31

SHA256
49d7cbc727dab3a13b1f0f6b3779c6afba30b16f9ad6355dc4a9ef6b2a9952e9

SHA512
44aa1d2fa367e92031af54895bd378090c20f194b219f5d08d048461cde4745daf813aa1936c4254d2b499b3a5f414a5007f6c46c253716deeeee93d2e7fe8f8

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
128KB

MD5
943c2e5251b373ff41e0add005175063

SHA1
57d105affbb1b34d5ef651a0152e90da769bbe73

SHA256
3ca8c8d33d646ab664370995aabd99b66cd55d1c83cea564e0aeb188ff01fb0c

SHA512
e6a796a60006770a19b9f07da2b82b3b289bd1bd12ac5cd7665cda73da13be4a9495de07a62fde73615b64b202914a0a99128b20327c78aabcb8e35855afaa71

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
128KB

MD5
0d3c34b48a83ef64bf880bbe2e1cf519

SHA1
39033789f67603b4dadb90a8b3331bc2c1c03f2d

SHA256
abb8d3b1faa7da669476e622160f0bcb5be901e4ec8fd2790f014063eb42b000

SHA512
87ed700b9acd9e6420498e7fbd425a87b6dd55f4555242041b75725fb5deba8299eea246618acd1b042d6676559709cebe0b5ed4a4c1189ccd03b74c2c83777f

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
128KB

MD5
020a03fd980981bd8715d1827fd39567

SHA1
641baf46f70d7548d9119ef362bb29c2336b0314

SHA256
1b058246fcd1560f6e3d3fe85f5c35c1fc38c5ecc32d6d52f943a748a6fda7bb

SHA512
abbece32d6dc5510926cc00d85792cd40b133b687f8e4912cc6a3552f7f9d0ac856d765ac09c54ae49ebb3b4b18d8cc42cb0b34589a8455944a7c90166a10045

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
128KB

MD5
c50dacf5cf4991b5217f8cb20d886a41

SHA1
f3f9e63afaa3146a337ddd290ad4fe6330b2eba2

SHA256
2f868467f5bd93ff285282f68f2c1931ef735c7961d6cdd7779a3cb3bd2867ec

SHA512
b3a54d3577e319fd1ab52e02d738b6f4d026631513bb1fead979ce61fc2888d14de5e8361edb80fe999ec98cf3e15b757a70a48412f4010cf3feaee9ba696318

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
128KB

MD5
d72f14f93369369edb0c102ab6b72674

SHA1
34486a57424d07f85d5d406b4fe6faf1140c3e39

SHA256
d63fa10568c76cb3421e5e8747ac08080d669152e36913bc37c3d23f9493f854

SHA512
732c5451fd0e2449a04b288956082140a234b442c61083419d66d698dcf6dfeb62fdbce7c4440d2e6c768eb9e968d2c00d7c38e82e697be947374390d29ee0a7

Download Submit
C:\Windows\SysWOW64\Gibgla32.dll

Filesize
7KB

MD5
94560633b39b3950e5804f3fd3db0723

SHA1
1be4b00c1d2dd3e1d1b4c75e31424fc38bb5f818

SHA256
0785310b69a4d538509cb3566e034eef11954e7f1450efe1972c316f6bca4b8d

SHA512
0d973ae0d7e796ffb3d5a7c909e25a24a614dea1c846ec9fd69d8632bf8dcadc866c7723da570c58f9b2b14dc7a7f9e3773bb540deee758bca1ef7199313581f

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
128KB

MD5
6e11c9dee668e5b2542cd192b1ae93a3

SHA1
8bb05248f2befa6c252293eee8d817c1655de185

SHA256
6edbce89c712e8c31ef53182a5b25aff649bf6ca54b3ecb3cafb6154d3204700

SHA512
56609598b80de3a4be74eab2007360aedadbf858ce1edfd687bb2510e476882ce198c29965840f0928cb3319fa090064c20bd2fbefa1147846710849d5b6aa74

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
128KB

MD5
963c73994b6a0a79d51dbd9ef474a192

SHA1
349485bd8bd1e9fa6f1585aafbfc204722c3fb80

SHA256
0d9ba3d6fd48524ef6b06194e84d6732459d1b53361f3cb1601852ae416d448e

SHA512
7a29f9dd4826e640b41560bdd05bff05f9ac3f98c1eb507fa2606baf739e872e7c099fa6c55f67259e55317bf3bd27efe45fe5871eb7e9e0e0c6f351be2c6c69

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
128KB

MD5
a15751426018518cc1152c636cb85d68

SHA1
4577c64b9ac3acdeeefff226f7922a25b5ac64af

SHA256
42d3a38e6e61d621cd809182037e969a7ae92d02660f21b659b2256d43bf1ed8

SHA512
c6952b2d830e0785c791b3f5b6fa5489a22ed17657f993111e2695d49ba5ad6ae77ad4d4a155ba4045966a280ad866873681267b873ebf32f62883a3cabcd0c0

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
128KB

MD5
495e1886d61486b133d96f26862001d9

SHA1
40d483b175e808bd7ba62e4a866a81498a9f68bb

SHA256
3f184c095e660a04152f7a4a81e4530f6260b3404f5215e1d6defe46615333c9

SHA512
dfe1a3f4869b0300d850a8a8349d0eb0c331dd3b326713ed7ac3e319caf2af00d85f763707831e48a9fdb1aaa47acaee70d4ea7bd05fba473355c445482e7f73

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
128KB

MD5
4f0fc715911f11fd365cc95c45193ccb

SHA1
9700bfc1142093d19402a7182e5ecc6e2fca7e7c

SHA256
7ffefa451d19b5971032cc2076df2370e6195e0db4053ac65aad727a22af1dd0

SHA512
1407268c3e4accd373bbab6650cb90fc327558cea3f7adbb15e017965e24ca861f70f2b8fb8725aca5f3a80c22babf36e6add9c4eeb7ba3ccc4d1fb11707bea3

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
128KB

MD5
88dce54ed2bc9adb239cfeba50f334fe

SHA1
1be37ddf81604da1b990d63677446d9a4dcc8541

SHA256
c2103f22b67dd6a72970f595cfc2076402847d7617bf3aa0dd2c3daff39d5c43

SHA512
72b04e99240ca8be066a8591c6522041aef3ade8bb49f794c6fc28efa93bfdd2c9679e23877a02749608b9cd0054c27f39cf555790ac223610199ff355399708

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
128KB

MD5
d1016511f4aa9e7f12bd77b84143641f

SHA1
1c58c7deb38f6750783ae6c328cb77a632a53831

SHA256
35cd812152153549d8f9f695697d82eaaa00b1bf561f9126c521afd363f31e91

SHA512
87c16e592647e9e2f17e7b974c7c7f14f60f4d2ff49920bee4a0e106ac191193faf1d0aa80cafa7a477a8bca32cc49b5792c4481d2a2af93672b7dbd6b3cd8b8

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
128KB

MD5
8e0005341e5816edbe8b99df6d3fd685

SHA1
c3a22467f3c00400bb36733024661f7348066e7f

SHA256
390425b8f1bc7e31e3e289bb301b5931bd6797bd024221b2f5889c5b5f4fe74f

SHA512
e70e6d7743e52387a162448aacc003975bf174e7418220757a9d75c62544a213b07594f3f448fcee4ce43aea63a2ea9ae8f07d20f3dbec5d6bbabf422e119592

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
128KB

MD5
e3450772a2d3945879985d389ebf3e34

SHA1
eef5427b0be6043ca087737997807740fea30f8e

SHA256
e11749c2ff09388160f8681beb847b383311396d3469b74f2b78e3fb491d16b2

SHA512
6703dddc0cc6d809994ae8cc63d1562e22a306bde044975ad9fbdd493d749bf2793e799fddd70a1f4c6d55c9255e72f901cc8d6f5594153779fb2ded5c1c30a7

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
128KB

MD5
bb813739861543a79ed02cb3ca364bb6

SHA1
781d44416ecc5f9bf7e9c5af8700b926b6bd8d25

SHA256
8410ea7ab1955b4a9ce1908c2cbf0f7d06abc3d2de1b1ef2491dc4cd6f910cde

SHA512
22c1ebf7d1f5a3ca778d76c4b4e4ebdf24d03f4412f59d6d697f18c3a647da60f3dcc81eb1c387a31bcd738b5b49d435ac778b8fcd87c4976b37dc09a927406a

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
128KB

MD5
43116fb69bc14231fa26bbf1ac5d5384

SHA1
ac17111510de5c1e44ad39d8e499d27e677e3628

SHA256
8493f8265ad6b52143aa92c8fa199264684f71684a688cfabe1a20ae926435d7

SHA512
6d17193737e5f225db29622ef0209e07a8324ed6158ce08f577e4b2c5ef7a16c9b6dfded2669a031be6ecf7ad37dce0b5514a2ddbfaa2f4a9e7ef9e2144bd6c3

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
128KB

MD5
f577aa4a81a995d8db8c20729d16c89e

SHA1
d3fd311dbb36c9c2bf40a011c06085184d67d809

SHA256
8bdf015f77bb9b2fd6bc6294d676ff85a75f619eaccc8fca63101416c2b4b0d8

SHA512
36400914e369bd642f6c726b20a0b753aaf0e19598e46d0fea8d0413579702248562a90430c3a78484f9cd33113d2af7d1c908a37c3ad5bee276ba95d1a0b008

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
128KB

MD5
82879e12cd7bc953b7ba264e75154c9c

SHA1
15c37d90d3d6717f792553d6d1ed156a35861844

SHA256
74a7c87cdad8dbfd1748c7ff44167c104fb5ac81f32aacd0f104c3368b7d63be

SHA512
7aac20f9f9d91f63476c55b584e79c79b1d202235a7d31838ca1f180e0e9f7306854f5c4751f94c075ff6a1ca88eb937b4d2733a0ceeedcf30dffb669bb62bc9

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
128KB

MD5
981699decb5c731450ebe418d221033e

SHA1
8f1af204cd51aacf7d4c9c575c613d101f85e74a

SHA256
aa03571260bb31dc2ee348d1f451afdc33af246b82e7939e4d5ebb06a362177e

SHA512
96fc503474eb0355463b184c0a00a428b597611e249291690384fef55ea8ceb2e6b0543575cbab95fd49eb7d315dc333645bc26dc2c591ce20c38ea22d1a3f7c

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
128KB

MD5
337bfe54551d1df1d592651e51a985a6

SHA1
e90e6d5d2662b1f3324887ffb60d370440305d90

SHA256
2646788bad92cab9ec7f77b4039df09cbe845239b99119292d065b509053fb8d

SHA512
ea4bb35561eb777fe1b7f2443f221910712fafaed507864d1187375b613694395be2c229b57fd045af2f5aef6297d31bb109d63300795f6b9b10b949eb315433

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
128KB

MD5
c1db395f05bc0124735307f3b51705bc

SHA1
a7885bc23fd70f170d8553dba0f32bbb40983855

SHA256
d344a66881a8172294e73d6f9423b358e75560e301ec735f44e3d240e06f9945

SHA512
02707cdc3b5b510b61e7f0a811435064f4dc64a65c502032bd8fe18dd8baff4db3b6dc4e4870be19536507d332d8be3256e6ff409b44ecefbaffabca8b5a8a43

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
128KB

MD5
7bd23cfe89478f76b7636ea1870b86f4

SHA1
7484e9ddb4a47fe69762b1dfb45ea62fe70df2a0

SHA256
97262e6a75bf5ba2bbe55ad0386631d8cc9dd1e7891af87b272361565a592e2c

SHA512
28ad3fed468c011cffb4dd5fd20e559fa31201a70d165b741b5134f738e9951937f2fc9c266a109621be5ee7f82181c00f66f5385768af057952a9d1ff2ca705

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
128KB

MD5
c74bf4ba38bd9bf855b49ff343f1a48e

SHA1
bd2132e0a2585007b56aa36210865e8ff7f28aa1

SHA256
8f8e984bf0eab1ab1adbe136cb573fab2165093f4809983310ae651fd569f6fd

SHA512
7b084a5ee1964eb5d239aa83af9058c2a715396c814462988281ff2685d7db90f3f16878946560838f9f75474442d7d5b4112c51ebe73461b4f3a1bc1c72877d

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
128KB

MD5
fcdc03a3931978b7693aada3cf2684da

SHA1
18fcc93d8b61645870c9614b2aa1b9ba7325bdd0

SHA256
b087ad075973f5474d77359e7cbff0a146cf020870bb261abaf01a91cf283ecc

SHA512
465a76e1986d2095a2f04e02e494e9d4e791f5f7766841eca7ce6a1e151953d72521af20af7ab50b89acf00ca71e72f7a850d7d61024d7da423747f076fd3709

Download Submit
memory/8-428-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/392-338-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/404-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/428-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/680-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/872-351-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1128-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1160-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1188-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1312-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1340-596-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1352-554-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1360-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1496-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1652-591-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1668-458-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1688-478-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1716-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1972-245-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2004-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2188-578-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2188-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2240-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2268-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2348-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-538-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2672-345-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-567-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2832-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2868-558-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2988-252-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-375-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-260-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3052-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3112-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3124-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3144-595-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3224-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3232-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3256-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3256-550-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3388-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3624-572-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3660-296-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3688-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3748-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3928-314-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3988-95-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3992-222-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4112-513-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4148-594-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4148-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4292-464-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4344-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4348-140-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4404-569-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4532-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4548-300-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4604-410-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4640-500-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4652-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4784-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4804-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4816-604-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4908-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4916-212-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4996-332-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5016-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5028-196-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5064-557-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5064-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5096-327-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5104-571-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5104-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5140-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5240-526-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5316-502-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5376-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5472-476-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5516-549-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5564-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5572-392-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5588-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5588-598-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5660-308-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5700-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5744-532-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5756-204-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5792-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5860-521-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5872-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6068-267-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6080-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6140-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads