f08b49eeff7f200efe5f29c2057f9df3c15541a567b24a7c6f4e7d9d66f769f7

Analysis

max time kernel
142s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exe
Size

90KB
MD5

4446f989a13f164bf4046e02dd5f2870
SHA1

5884ccbd1747a7b375d98092de4c37329bd6b07a
SHA256

f08b49eeff7f200efe5f29c2057f9df3c15541a567b24a7c6f4e7d9d66f769f7
SHA512

b4004789a738517b5573c32774769460a65e9685ca535ea96b41f0375f5c3a17e917f97949869ea119ae0c00c7ef7f5e746e8913ffc9c91210770d1c2df26123
SSDEEP

1536:kkB8Pgtqzmab9m2E4ZYZiCwztvJdG5u/Ub0VkVNK:uiqzzehwhfG5u/Ub0+NK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Cponen32.exeMjlhgaqp.exeNgqagcag.exeBaegibae.exeMcifkf32.exe4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exeJniood32.exeLfbped32.exeQodeajbg.exeMjodla32.exePalklf32.exeOnapdl32.exeChkobkod.exeLggejg32.exeModgdicm.exeOgekbb32.exeOcaebc32.exePpjbmc32.exeKcmmhj32.exeNglhld32.exePdhkcb32.exeBacjdbch.exeAaoaic32.exeChnlgjlb.exeLqkqhm32.exeNgjkfd32.exeAggpfkjj.exeAagkhd32.exeCkgohf32.exeAaenbd32.exeKcbfcigf.exeBobabg32.exeDgcihgaj.exeNopfpgip.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjlhgaqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcifkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jniood32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjodla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Palklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lggejg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modgdicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcmmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfbped32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nglhld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lqkqhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngjkfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkobkod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jniood32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngjkfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaenbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqkqhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaenbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcbfcigf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcifkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcmmhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjodla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nopfpgip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogekbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcbfcigf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nopfpgip.exe

Executes dropped EXE 36 IoCs

Processes:

Jniood32.exeKcmmhj32.exeKcbfcigf.exeLfbped32.exeLqkqhm32.exeLggejg32.exeModgdicm.exeMjlhgaqp.exeMjodla32.exeMcifkf32.exeNopfpgip.exeNgjkfd32.exeNglhld32.exeNgqagcag.exeOgekbb32.exeOnapdl32.exeOcaebc32.exePpjbmc32.exePdhkcb32.exePalklf32.exeQobhkjdi.exeQodeajbg.exeAaenbd32.exeAagkhd32.exeAggpfkjj.exeAaoaic32.exeBobabg32.exeBacjdbch.exeBaegibae.exeBajqda32.exeCponen32.exeCkgohf32.exeChkobkod.exeChnlgjlb.exeDgcihgaj.exeDkqaoe32.exe

pid	process
1780	Jniood32.exe
4236	Kcmmhj32.exe
3504	Kcbfcigf.exe
3100	Lfbped32.exe
1088	Lqkqhm32.exe
4964	Lggejg32.exe
4992	Modgdicm.exe
832	Mjlhgaqp.exe
3852	Mjodla32.exe
3652	Mcifkf32.exe
1816	Nopfpgip.exe
5048	Ngjkfd32.exe
1900	Nglhld32.exe
4500	Ngqagcag.exe
4608	Ogekbb32.exe
732	Onapdl32.exe
3628	Ocaebc32.exe
500	Ppjbmc32.exe
5004	Pdhkcb32.exe
4516	Palklf32.exe
1752	Qobhkjdi.exe
1040	Qodeajbg.exe
1888	Aaenbd32.exe
1996	Aagkhd32.exe
3212	Aggpfkjj.exe
4224	Aaoaic32.exe
5104	Bobabg32.exe
1744	Bacjdbch.exe
440	Baegibae.exe
4880	Bajqda32.exe
4280	Cponen32.exe
4052	Ckgohf32.exe
3816	Chkobkod.exe
1724	Chnlgjlb.exe
4988	Dgcihgaj.exe
2840	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

Processes:

Mjodla32.exeNgjkfd32.exeBacjdbch.exeKcbfcigf.exeLggejg32.exeQobhkjdi.exeQodeajbg.exePalklf32.exeBaegibae.exeMcifkf32.exeAggpfkjj.exeKcmmhj32.exeOgekbb32.exeOnapdl32.exeCkgohf32.exeChnlgjlb.exeLqkqhm32.exeBajqda32.exeNglhld32.exeNgqagcag.exeDgcihgaj.exe4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exeMjlhgaqp.exeAagkhd32.exeChkobkod.exeJniood32.exeNopfpgip.exeOcaebc32.exeLfbped32.exeModgdicm.exePdhkcb32.exeCponen32.exePpjbmc32.exeAaoaic32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Mcifkf32.exe	Mjodla32.exe
File created	C:\Windows\SysWOW64\Ldpnmg32.dll	Mjodla32.exe
File created	C:\Windows\SysWOW64\Nglhld32.exe	Ngjkfd32.exe
File opened for modification	C:\Windows\SysWOW64\Baegibae.exe	Bacjdbch.exe
File created	C:\Windows\SysWOW64\Ipgijcij.dll	Kcbfcigf.exe
File created	C:\Windows\SysWOW64\Fdllgpbm.dll	Lggejg32.exe
File created	C:\Windows\SysWOW64\Qodeajbg.exe	Qobhkjdi.exe
File opened for modification	C:\Windows\SysWOW64\Aaenbd32.exe	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Qobhkjdi.exe	Palklf32.exe
File created	C:\Windows\SysWOW64\Bkamodje.dll	Bacjdbch.exe
File opened for modification	C:\Windows\SysWOW64\Bajqda32.exe	Baegibae.exe
File created	C:\Windows\SysWOW64\Kllfakij.dll	Mcifkf32.exe
File created	C:\Windows\SysWOW64\Aaoaic32.exe	Aggpfkjj.exe
File created	C:\Windows\SysWOW64\Eeccjdie.dll	Kcmmhj32.exe
File created	C:\Windows\SysWOW64\Modgdicm.exe	Lggejg32.exe
File opened for modification	C:\Windows\SysWOW64\Onapdl32.exe	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Ocaebc32.exe	Onapdl32.exe
File opened for modification	C:\Windows\SysWOW64\Chkobkod.exe	Ckgohf32.exe
File created	C:\Windows\SysWOW64\Gelfeh32.dll	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Kbmimp32.dll	Lqkqhm32.exe
File created	C:\Windows\SysWOW64\Olaafabl.dll	Bajqda32.exe
File opened for modification	C:\Windows\SysWOW64\Ngqagcag.exe	Nglhld32.exe
File created	C:\Windows\SysWOW64\Flbfjl32.dll	Ngqagcag.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Eemnff32.dll	4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mjodla32.exe	Mjlhgaqp.exe
File created	C:\Windows\SysWOW64\Qgnnai32.dll	Mjlhgaqp.exe
File created	C:\Windows\SysWOW64\Ekbmje32.dll	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Chnlgjlb.exe	Chkobkod.exe
File created	C:\Windows\SysWOW64\Ekiapmnp.dll	Chkobkod.exe
File created	C:\Windows\SysWOW64\Ldjcfk32.dll	Jniood32.exe
File created	C:\Windows\SysWOW64\Ngjkfd32.exe	Nopfpgip.exe
File created	C:\Windows\SysWOW64\Mbkkam32.dll	Ckgohf32.exe
File opened for modification	C:\Windows\SysWOW64\Chnlgjlb.exe	Chkobkod.exe
File opened for modification	C:\Windows\SysWOW64\Kcbfcigf.exe	Kcmmhj32.exe
File opened for modification	C:\Windows\SysWOW64\Ppjbmc32.exe	Ocaebc32.exe
File opened for modification	C:\Windows\SysWOW64\Dgcihgaj.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Chnlgjlb.exe
File opened for modification	C:\Windows\SysWOW64\Jniood32.exe	4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Iblhpckf.dll	Lfbped32.exe
File created	C:\Windows\SysWOW64\Mjlhgaqp.exe	Modgdicm.exe
File created	C:\Windows\SysWOW64\Aaenbd32.exe	Qodeajbg.exe
File opened for modification	C:\Windows\SysWOW64\Nopfpgip.exe	Mcifkf32.exe
File opened for modification	C:\Windows\SysWOW64\Ocaebc32.exe	Onapdl32.exe
File opened for modification	C:\Windows\SysWOW64\Palklf32.exe	Pdhkcb32.exe
File created	C:\Windows\SysWOW64\Ckgohf32.exe	Cponen32.exe
File created	C:\Windows\SysWOW64\Dbfpagon.dll	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Phlepppi.dll	Aggpfkjj.exe
File created	C:\Windows\SysWOW64\Nopfpgip.exe	Mcifkf32.exe
File opened for modification	C:\Windows\SysWOW64\Aaoaic32.exe	Aggpfkjj.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dgcihgaj.exe
File opened for modification	C:\Windows\SysWOW64\Kcmmhj32.exe	Jniood32.exe
File created	C:\Windows\SysWOW64\Jponoqjl.dll	Ocaebc32.exe
File created	C:\Windows\SysWOW64\Jcgmgn32.dll	Ppjbmc32.exe
File created	C:\Windows\SysWOW64\Aggpfkjj.exe	Aagkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bobabg32.exe	Aaoaic32.exe
File opened for modification	C:\Windows\SysWOW64\Lfbped32.exe	Kcbfcigf.exe
File created	C:\Windows\SysWOW64\Bajqda32.exe	Baegibae.exe
File opened for modification	C:\Windows\SysWOW64\Modgdicm.exe	Lggejg32.exe
File opened for modification	C:\Windows\SysWOW64\Mcifkf32.exe	Mjodla32.exe
File created	C:\Windows\SysWOW64\Ngqagcag.exe	Nglhld32.exe
File created	C:\Windows\SysWOW64\Ppjbmc32.exe	Ocaebc32.exe
File created	C:\Windows\SysWOW64\Lggejg32.exe	Lqkqhm32.exe
File opened for modification	C:\Windows\SysWOW64\Ngjkfd32.exe	Nopfpgip.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5080 2840 WerFault.exe Dkqaoe32.exe

pid	pid_target	process	target process
5080	2840	WerFault.exe	Dkqaoe32.exe

Modifies registry class 64 IoCs

Processes:

4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exeKcbfcigf.exeNgqagcag.exeOgekbb32.exeAaenbd32.exePdhkcb32.exeQodeajbg.exeBobabg32.exeCponen32.exeChkobkod.exeLfbped32.exeAagkhd32.exeJniood32.exeMjodla32.exeBaegibae.exeCkgohf32.exeOnapdl32.exePpjbmc32.exeBajqda32.exeLggejg32.exeNopfpgip.exeDgcihgaj.exeMcifkf32.exeNglhld32.exeChnlgjlb.exePalklf32.exeKcmmhj32.exeNgjkfd32.exeAggpfkjj.exeLqkqhm32.exeOcaebc32.exeAaoaic32.exeMjlhgaqp.exeQobhkjdi.exeModgdicm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgijcij.dll"	Kcbfcigf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibohd32.dll"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfpagon.dll"	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqppgj32.dll"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chkobkod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfbped32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldjcfk32.dll"	Jniood32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjodla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll"	Cponen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadiippo.dll"	Onapdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbfjl32.dll"	Ngqagcag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldpnmg32.dll"	Mjodla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nopfpgip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcifkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nglhld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baegibae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllfakij.dll"	Mcifkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeccjdie.dll"	Kcmmhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbmje32.dll"	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jniood32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lqkqhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jponoqjl.dll"	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igafkb32.dll"	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nglhld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nopfpgip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblhpckf.dll"	Lfbped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Modgdicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lqkqhm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exeJniood32.exeKcmmhj32.exeKcbfcigf.exeLfbped32.exeLqkqhm32.exeLggejg32.exeModgdicm.exeMjlhgaqp.exeMjodla32.exeMcifkf32.exeNopfpgip.exeNgjkfd32.exeNglhld32.exeNgqagcag.exeOgekbb32.exeOnapdl32.exeOcaebc32.exePpjbmc32.exePdhkcb32.exePalklf32.exeQobhkjdi.exe

description	pid	process	target process
PID 2100 wrote to memory of 1780	2100	4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exe	Jniood32.exe
PID 2100 wrote to memory of 1780	2100	4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exe	Jniood32.exe
PID 2100 wrote to memory of 1780	2100	4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exe	Jniood32.exe
PID 1780 wrote to memory of 4236	1780	Jniood32.exe	Kcmmhj32.exe
PID 1780 wrote to memory of 4236	1780	Jniood32.exe	Kcmmhj32.exe
PID 1780 wrote to memory of 4236	1780	Jniood32.exe	Kcmmhj32.exe
PID 4236 wrote to memory of 3504	4236	Kcmmhj32.exe	Kcbfcigf.exe
PID 4236 wrote to memory of 3504	4236	Kcmmhj32.exe	Kcbfcigf.exe
PID 4236 wrote to memory of 3504	4236	Kcmmhj32.exe	Kcbfcigf.exe
PID 3504 wrote to memory of 3100	3504	Kcbfcigf.exe	Lfbped32.exe
PID 3504 wrote to memory of 3100	3504	Kcbfcigf.exe	Lfbped32.exe
PID 3504 wrote to memory of 3100	3504	Kcbfcigf.exe	Lfbped32.exe
PID 3100 wrote to memory of 1088	3100	Lfbped32.exe	Lqkqhm32.exe
PID 3100 wrote to memory of 1088	3100	Lfbped32.exe	Lqkqhm32.exe
PID 3100 wrote to memory of 1088	3100	Lfbped32.exe	Lqkqhm32.exe
PID 1088 wrote to memory of 4964	1088	Lqkqhm32.exe	Lggejg32.exe
PID 1088 wrote to memory of 4964	1088	Lqkqhm32.exe	Lggejg32.exe
PID 1088 wrote to memory of 4964	1088	Lqkqhm32.exe	Lggejg32.exe
PID 4964 wrote to memory of 4992	4964	Lggejg32.exe	Modgdicm.exe
PID 4964 wrote to memory of 4992	4964	Lggejg32.exe	Modgdicm.exe
PID 4964 wrote to memory of 4992	4964	Lggejg32.exe	Modgdicm.exe
PID 4992 wrote to memory of 832	4992	Modgdicm.exe	Mjlhgaqp.exe
PID 4992 wrote to memory of 832	4992	Modgdicm.exe	Mjlhgaqp.exe
PID 4992 wrote to memory of 832	4992	Modgdicm.exe	Mjlhgaqp.exe
PID 832 wrote to memory of 3852	832	Mjlhgaqp.exe	Mjodla32.exe
PID 832 wrote to memory of 3852	832	Mjlhgaqp.exe	Mjodla32.exe
PID 832 wrote to memory of 3852	832	Mjlhgaqp.exe	Mjodla32.exe
PID 3852 wrote to memory of 3652	3852	Mjodla32.exe	Mcifkf32.exe
PID 3852 wrote to memory of 3652	3852	Mjodla32.exe	Mcifkf32.exe
PID 3852 wrote to memory of 3652	3852	Mjodla32.exe	Mcifkf32.exe
PID 3652 wrote to memory of 1816	3652	Mcifkf32.exe	Nopfpgip.exe
PID 3652 wrote to memory of 1816	3652	Mcifkf32.exe	Nopfpgip.exe
PID 3652 wrote to memory of 1816	3652	Mcifkf32.exe	Nopfpgip.exe
PID 1816 wrote to memory of 5048	1816	Nopfpgip.exe	Ngjkfd32.exe
PID 1816 wrote to memory of 5048	1816	Nopfpgip.exe	Ngjkfd32.exe
PID 1816 wrote to memory of 5048	1816	Nopfpgip.exe	Ngjkfd32.exe
PID 5048 wrote to memory of 1900	5048	Ngjkfd32.exe	Nglhld32.exe
PID 5048 wrote to memory of 1900	5048	Ngjkfd32.exe	Nglhld32.exe
PID 5048 wrote to memory of 1900	5048	Ngjkfd32.exe	Nglhld32.exe
PID 1900 wrote to memory of 4500	1900	Nglhld32.exe	Ngqagcag.exe
PID 1900 wrote to memory of 4500	1900	Nglhld32.exe	Ngqagcag.exe
PID 1900 wrote to memory of 4500	1900	Nglhld32.exe	Ngqagcag.exe
PID 4500 wrote to memory of 4608	4500	Ngqagcag.exe	Ogekbb32.exe
PID 4500 wrote to memory of 4608	4500	Ngqagcag.exe	Ogekbb32.exe
PID 4500 wrote to memory of 4608	4500	Ngqagcag.exe	Ogekbb32.exe
PID 4608 wrote to memory of 732	4608	Ogekbb32.exe	Onapdl32.exe
PID 4608 wrote to memory of 732	4608	Ogekbb32.exe	Onapdl32.exe
PID 4608 wrote to memory of 732	4608	Ogekbb32.exe	Onapdl32.exe
PID 732 wrote to memory of 3628	732	Onapdl32.exe	Ocaebc32.exe
PID 732 wrote to memory of 3628	732	Onapdl32.exe	Ocaebc32.exe
PID 732 wrote to memory of 3628	732	Onapdl32.exe	Ocaebc32.exe
PID 3628 wrote to memory of 500	3628	Ocaebc32.exe	Ppjbmc32.exe
PID 3628 wrote to memory of 500	3628	Ocaebc32.exe	Ppjbmc32.exe
PID 3628 wrote to memory of 500	3628	Ocaebc32.exe	Ppjbmc32.exe
PID 500 wrote to memory of 5004	500	Ppjbmc32.exe	Pdhkcb32.exe
PID 500 wrote to memory of 5004	500	Ppjbmc32.exe	Pdhkcb32.exe
PID 500 wrote to memory of 5004	500	Ppjbmc32.exe	Pdhkcb32.exe
PID 5004 wrote to memory of 4516	5004	Pdhkcb32.exe	Palklf32.exe
PID 5004 wrote to memory of 4516	5004	Pdhkcb32.exe	Palklf32.exe
PID 5004 wrote to memory of 4516	5004	Pdhkcb32.exe	Palklf32.exe
PID 4516 wrote to memory of 1752	4516	Palklf32.exe	Qobhkjdi.exe
PID 4516 wrote to memory of 1752	4516	Palklf32.exe	Qobhkjdi.exe
PID 4516 wrote to memory of 1752	4516	Palklf32.exe	Qobhkjdi.exe
PID 1752 wrote to memory of 1040	1752	Qobhkjdi.exe	Qodeajbg.exe

C:\Users\Admin\AppData\Local\Temp\4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4446f989a13f164bf4046e02dd5f2870_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\Jniood32.exe
C:\Windows\system32\Jniood32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\Kcmmhj32.exe
C:\Windows\system32\Kcmmhj32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\Kcbfcigf.exe
C:\Windows\system32\Kcbfcigf.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SysWOW64\Lfbped32.exe
C:\Windows\system32\Lfbped32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\Lqkqhm32.exe
C:\Windows\system32\Lqkqhm32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\Lggejg32.exe
C:\Windows\system32\Lggejg32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SysWOW64\Modgdicm.exe
C:\Windows\system32\Modgdicm.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\Mjlhgaqp.exe
C:\Windows\system32\Mjlhgaqp.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\Mjodla32.exe
C:\Windows\system32\Mjodla32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\SysWOW64\Mcifkf32.exe
C:\Windows\system32\Mcifkf32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SysWOW64\Nopfpgip.exe
C:\Windows\system32\Nopfpgip.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\Ngjkfd32.exe
C:\Windows\system32\Ngjkfd32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\Nglhld32.exe
C:\Windows\system32\Nglhld32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\Ngqagcag.exe
C:\Windows\system32\Ngqagcag.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\Ogekbb32.exe
C:\Windows\system32\Ogekbb32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\SysWOW64\Onapdl32.exe
C:\Windows\system32\Onapdl32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\Ocaebc32.exe
C:\Windows\system32\Ocaebc32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\Ppjbmc32.exe
C:\Windows\system32\Ppjbmc32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\SysWOW64\Pdhkcb32.exe
C:\Windows\system32\Pdhkcb32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\Palklf32.exe
C:\Windows\system32\Palklf32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\SysWOW64\Qobhkjdi.exe
C:\Windows\system32\Qobhkjdi.exe
22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\Qodeajbg.exe
C:\Windows\system32\Qodeajbg.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1040

C:\Windows\SysWOW64\Aaenbd32.exe
C:\Windows\system32\Aaenbd32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1888

C:\Windows\SysWOW64\Aagkhd32.exe
C:\Windows\system32\Aagkhd32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1996

C:\Windows\SysWOW64\Aggpfkjj.exe
C:\Windows\system32\Aggpfkjj.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3212

C:\Windows\SysWOW64\Aaoaic32.exe
C:\Windows\system32\Aaoaic32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4224

C:\Windows\SysWOW64\Bobabg32.exe
C:\Windows\system32\Bobabg32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5104

C:\Windows\SysWOW64\Bacjdbch.exe
C:\Windows\system32\Bacjdbch.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1744

C:\Windows\SysWOW64\Baegibae.exe
C:\Windows\system32\Baegibae.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:440

C:\Windows\SysWOW64\Bajqda32.exe
C:\Windows\system32\Bajqda32.exe
31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4880

C:\Windows\SysWOW64\Cponen32.exe
C:\Windows\system32\Cponen32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4280

C:\Windows\SysWOW64\Ckgohf32.exe
C:\Windows\system32\Ckgohf32.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4052

C:\Windows\SysWOW64\Chkobkod.exe
C:\Windows\system32\Chkobkod.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3816

C:\Windows\SysWOW64\Chnlgjlb.exe
C:\Windows\system32\Chnlgjlb.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1724

C:\Windows\SysWOW64\Dgcihgaj.exe
C:\Windows\system32\Dgcihgaj.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4988

C:\Windows\SysWOW64\Dkqaoe32.exe
C:\Windows\system32\Dkqaoe32.exe
37⤵
- Executes dropped EXE
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 412
38⤵
- Program crash
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2840 -ip 2840
1⤵
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaenbd32.exe

Filesize
90KB

MD5
2163570c9adacf0c2cfdb9d99171dcea

SHA1
fafd5ffb2c1680b8aad4563b98631076f6791433

SHA256
fe9aa32f088da19bf5e800aaf5c61905b9f9c8014bc5789536c57ea2a233ded8

SHA512
af44d371dd1a1fc56df1a44db99668d5f596c672dd438aa85ecfec4769f9b01131b857aab6cbe3ecf8442538a2f221a5c23cda088355ae9ffeddb1c610b75e71

Download Submit
C:\Windows\SysWOW64\Aagkhd32.exe

Filesize
90KB

MD5
c65dcba4e93d94e92e72d42c093624d4

SHA1
b3f51daa4668f3c2a73a2d58534f566d8d04630d

SHA256
2d0d384e3568045a4b2479b018c6c697d0333be2e81357beec120d13dd898ef3

SHA512
4f6d29cc7f0cb4a39e588eab786d7237316b247357fae4b74082d9f4a199350f5719c7c3dfb7cda785a55c5f7db7e49efe678264420705457de9bc32a1a22756

Download Submit
C:\Windows\SysWOW64\Aaoaic32.exe

Filesize
90KB

MD5
96eb741b9312e06af33d9fab4e8e0b9e

SHA1
1a0de91517ebe40a84c9308652c4a57ac5ce5b08

SHA256
705ab334efd13c43737499c18261ce5afa274279c49d3483ebb2416de2e410e9

SHA512
9273babe42664c03897d41252afc5c62e12e4e81f940680db2227eb2ec12f46879ba1c6c0ade963aa24add52d065ace6d72f4e5eb9467bec82b5cdc239fa6d7e

Download Submit
C:\Windows\SysWOW64\Aggpfkjj.exe

Filesize
90KB

MD5
bf8fb819e8182e572e8caea2cfbabb93

SHA1
5e6cc7e9cea033a3586fa42061211608374c9314

SHA256
430ca57526bab039bd6f98fc619ce13f23edf400b1f7fcf212de94b4b2ad808f

SHA512
83be07e981011f12fc9928312894a2a60af65b852c9c9f3a288f1fca3d300c8ce4688322c94e5fbd7f3822932145c08c86184859b3ddeebe60db30eed96c21ce

Download Submit
C:\Windows\SysWOW64\Bacjdbch.exe

Filesize
90KB

MD5
5846ce73d906686232a80ffa4e1759bb

SHA1
d95044025117552da39b58cf2b07cb4cfab8ec75

SHA256
dbe289f535bdf8da8ae552623bf3c287385f3d5996b01a26a67b7b1e011a2a67

SHA512
fdb48191cb6132c5520b22ef315e2a34fdaf56303a7a2d0a486f8d61b10fe61fde99581c26e63c0bb624902936f3c49ffce17a501fe6d3908b4f90c02caae584

Download Submit
C:\Windows\SysWOW64\Baegibae.exe

Filesize
90KB

MD5
b5340915e85f38216d6c9d1a5bc120b1

SHA1
06214ec9f59c9074527b3ea4224e8773777e83da

SHA256
6fd71a861b07732f979b58172c3e57bde0a3e73ef2dc443731acefe4d07646fe

SHA512
474d54a7e69cb75c6ce2bcd08eb21dbb82f597ceb952f950eb641923196527f437fa59978f3c47b50adb12e5fcb0679b2b2f1b9e3bbe03bea20ec2ea189e2332

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
90KB

MD5
2b0fcd7d0ac2364c31d112efa1b91396

SHA1
40a3985a49bafc643f27a759b5fd0316a271253e

SHA256
35d4d7c810eb1af37552c46d202fde0b18764eb46e079c445423f4c116418176

SHA512
970cb50f9b0fe1ef589e0c0a53652f64f9879c75178e70b388f49b0f481df25c9676f693f22bbdb569fef59ff36dd41b0283332e8c39c4e28235ee7546ef057c

Download Submit
C:\Windows\SysWOW64\Bobabg32.exe

Filesize
90KB

MD5
4b733237f1171d1790b2f0ae69393b49

SHA1
f030c0e0a913b7264aeb7aae57c02298fe08d48e

SHA256
fecf459ee990f7e6eec841bac34f912d1017e80d5f5e94e04a3c44523e8e2049

SHA512
0857168606fa0e17cbf54d81edee7fefa84483f3bffc40e2c214e8211974190d15a57911f291df7d78bdb30a39cbca5ba1fef66f12132e726103ce6fa83fcf5b

Download Submit
C:\Windows\SysWOW64\Ckgohf32.exe

Filesize
90KB

MD5
cbf2fe63aeb6929b7511ce86f1faa860

SHA1
5a68630db40bab3a9a969f3b10f24d469593d14e

SHA256
5d05879615e993e2803b3112476974a359078197e6b01ec92b639693c9135d53

SHA512
b45a93ae26f3fc741b7eca7153e35cd706f441b902feb72c71117c113dd59977dd54c05b81bbd31e0728b63805a85060e5bf979b6165e3e008e2386818c5784d

Download Submit
C:\Windows\SysWOW64\Cponen32.exe

Filesize
90KB

MD5
0fe6e288a0fd6eccb693b57642f303ef

SHA1
bcea1647f2fdabf9abaa16021dfbebaf6f8dea26

SHA256
72953da4ba0067ba4e7a30ed5eb3be60e870ba669ccbfc65b08d26a0c0ed81db

SHA512
18593ff680e53088ddfe5721bf5d54644074223d9b66eb5ee2c5063ab896cfee27c78cf003a7bf7bf4b93e675779402c2dde817062edba1756835f7560e418c6

Download Submit
C:\Windows\SysWOW64\Dgcihgaj.exe

Filesize
90KB

MD5
9cf35aa5ac42e247c5c2ca7dafadd36f

SHA1
63252ae75b24a5f455cf52557c694c3d764cf0e4

SHA256
8236907ecccd134d61af5abe1ebf2eafaea7a272270312729e8b1403ad588b48

SHA512
58bc1b484195ad1aa6d4d79d752e35f872b208fd4f9f91e0d7e880ed35be273cc59dea4c3c62ef9b41f38626ef9e2528a2ee0ef57516538c7aa72a4bdeee113a

Download Submit
C:\Windows\SysWOW64\Iblhpckf.dll

Filesize
7KB

MD5
be2b35c6bfaf6711b306ff3ce8c64821

SHA1
d3c4eb76624b454c6c1866c58d4b999dff4ea55a

SHA256
1984260082dd06325d68022ca4ac2243b2c1c3451bb04954fa0b1fce21dffebf

SHA512
14eefae1d32cacaabb6ca29273827382b665ea45cba41f496e024837c61d25ebd05d3f2d7f37d6bd26c2e7d63bf5ab6a3479dcb3be7a77ab6416655e3caaa0ae

Download Submit
C:\Windows\SysWOW64\Jniood32.exe

Filesize
90KB

MD5
007f98d08170cbcb00d13cd66dd29de3

SHA1
9230cea63f25c3fb053acec71105fa67db566f62

SHA256
4c00bc176c630af4bf8ec7aa79979e9e1c2ce02b4ae0d54fc8866687be9c1c29

SHA512
f7718ed1496012a83aa20b55c5b0b53157ac1e9ff69e82d7db8bbcead49fec1030041643935f772bbe0eb5a37a250de1c1aeb2bbd19b11cc1275a111fb301d3c

Download Submit
C:\Windows\SysWOW64\Kcbfcigf.exe

Filesize
90KB

MD5
99391fb49a74d997ef61a801518c5f9a

SHA1
7f9abd096a732616be31180d6203b6357d787c2c

SHA256
ad8e495bfd6e93ba71065e80afb127695dde4ce1ded0dbe6086b6b8cb6c5ede8

SHA512
2eb4f5936aade028f65fafb70d3c2629fd10ef642f3aeca12c643c728c538b87476074cf8d02519d39902016e1dc28305ea23e6174429c93564cfe787330b3d4

Download Submit
C:\Windows\SysWOW64\Kcmmhj32.exe

Filesize
90KB

MD5
025a5b3a500961f9de7ba2437813e63e

SHA1
34d53270b36dbe7fb98560c3a477606c9076722a

SHA256
771c9e3ea70d9fa032b1e8ceacae47b25063a73a2e700f79bdfaa22fad6cf4bc

SHA512
4eea463ba3dd58ef1680236a21100eedb70b49a9dd9e9b36b488e268e1b666c1bff8702f5d436251f502ef627b0ea4d32076eaf8bc79813d0b6094d6a85600ee

Download Submit
C:\Windows\SysWOW64\Lfbped32.exe

Filesize
90KB

MD5
61f9f7d6db217e806047bb77a22e31df

SHA1
03eaadd0ddb3c7d7df449d4f4fd60e30d591a8e9

SHA256
1654db97bc5b4c269844a6316c92f6f1331c6fa3f9c3a8409fb2500273b32c0a

SHA512
6a88f939ac10fbe9ed7793bfb5656a0e6e5d54f9585f5a892da22fe3bbe6077174579b23fc9d5418d2c0a3cfd0835f2d9f958ac26194d76a81d3f456c93325be

Download Submit
C:\Windows\SysWOW64\Lggejg32.exe

Filesize
90KB

MD5
a8afe8af1803f065b37e06763a86a25b

SHA1
dbd5a5e56d0d3131f402e18027feb8477c5a8129

SHA256
c7099311c0fca7fb65df1c0a6160208ef31f5039c99401b91e9f5b5d35bf75b1

SHA512
1504c63f6cfd0408b73afc1d4f5099d289d2fc0bf12cb106c2dc350b05ee230274bcb84e685081d7eaeadd6f7c8f8c7565abeb9d395a24bab65d61faa0fad48c

Download Submit
C:\Windows\SysWOW64\Lqkqhm32.exe

Filesize
90KB

MD5
076d6e325278502c44b946a86dd7039e

SHA1
7a1ef7974715feec3bfbd1cf2f03b4cfff6b64b8

SHA256
4e34562ba69fe962ede67336a57e408c9965bf35304741e76bcedfbe72c5ba97

SHA512
59c469d1c8e80ebec3cc9543a889f919546b3cbb09f1cd8fb76a8eb045fc1ff4f10480f392d0dce7ae3db3825fbbeb9b0d2fcd89d6a7ba44b8843b5515b580a0

Download Submit
C:\Windows\SysWOW64\Mcifkf32.exe

Filesize
90KB

MD5
c9b12fc731891830773681e9e282a581

SHA1
7838e015d4f65f606fc5efd5ba7dd273cc7f4a47

SHA256
02baf4680488e2d0bc262776c2c0d6d7ac77b37edc0d1d9a0ffcbef3da93679b

SHA512
4811c41e3ac4fd430db22f6f51f10fbb8aad0b0270a4042aac7c45fd615e32be3144a22e5144884b8e207e79ed6b2b64cab2b2d263f395787f61a3247afcb151

Download Submit
C:\Windows\SysWOW64\Mjlhgaqp.exe

Filesize
90KB

MD5
395a718db4fcb4da2dd33bf10fb11045

SHA1
94d099447713f8c083700300df93708aa645f1e5

SHA256
c7fe9cd0f7bd39b9cc19947f73ddd425046a006012e434d09e81959e8b022588

SHA512
9d14427a199c7e1792cd1580bf9d2e4f46f4a6857e5a0e71cba1ebdb1e8c521d70c170d490d53bd7fbdc5fbf676a7cf053b045c7a27cd786766a61ffdaedf364

Download Submit
C:\Windows\SysWOW64\Mjodla32.exe

Filesize
90KB

MD5
7f97735e27b4d4d9f9961038fa3de1b8

SHA1
753ecb9c085ced71638fced066b8cfc3b1ffb05e

SHA256
57e5384ff2a224f71eeb21666611f33017b587dbb5129a60ae0cb2698852ebce

SHA512
44da14bbff511c10a5bef66516d2f6e34f478ae09333b392f68ebf4d4cc0330f0d6bba8a8a16734f499d71659f0ad9a726c71dfab3ebfcab26d2b4e5ad0425b3

Download Submit
C:\Windows\SysWOW64\Modgdicm.exe

Filesize
90KB

MD5
f67db2f691bbf574fe4165a97a287723

SHA1
c12f5b73c24fb9d2de6b1487481df0cf288108da

SHA256
c5e9b4992f8028b625cafc5d970bb0da42587f007527dfdf02d3ba17750b3c42

SHA512
64c157bef336fdd5772eb3c12e1201a77f7fa296db8cd90b3ea39a7eaae1d5a378237baac0a9db12f1425a747bf1e181da087c1f5de842a1d7404848da913702

Download Submit
C:\Windows\SysWOW64\Ngjkfd32.exe

Filesize
90KB

MD5
7dc499ea47ccbacdcc29010244dcde5a

SHA1
fcf575eb8d89747fbf1c6edb82d8f1cfedb0ad0d

SHA256
9fccea6942c797b8709a8c08d602a3ce3bc95f7becb17c8d6640133ae622ccae

SHA512
1d12adf00ff22d45e63518f6e65f93a5ef253b4412232bf0a5c26d3bdb8762771f7b46d85caa5d92f8b18002398da200e17896e7fc3f80d33ab33620024f617d

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
90KB

MD5
ba9366945688b696d822c8627d7facb1

SHA1
9f8979a36a3623b2055452dec0dc1777cb93b4c3

SHA256
7c2809477d5327c4e1fd1756c2a53a18699e0ebb923870d4d2a12bb8e7bc83f5

SHA512
93c8e64648182f8dcd7ee5ec405ee2daac62b6b7566c6f162f305b8e1252a170305b6300a4ec5c940bdd2aefd4cc0164e9d83baa2c919be844e45c1774e03e11

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
90KB

MD5
c51d9d211b4dd1e8ff157f3f4ef4a72f

SHA1
7321f7364051be39fc549d3d1fd01fd8557c7046

SHA256
697eef0d511d5b8028605d7f379eb3ad19c0882d3326396d75d02b3c64ff3e97

SHA512
786a6ee1119345ec35c369fea4c09d24387f0a759aecd3dd8739667521d7aff71f535294169bee443f7cd29be728733b845babf7ce3b20e00eb7b1a6ba7a5346

Download Submit
C:\Windows\SysWOW64\Nopfpgip.exe

Filesize
90KB

MD5
2197b3ba5007e0c51865be9a4ae2fbe5

SHA1
0018bff1ad73039f837d7c24efa3b837973cdc64

SHA256
7c26373794ed09963ddcee7418a86ee95c0fe2ef39615383d1bad057b1d62f31

SHA512
785dfea2627734a1a8d302ec5495e8d6d6387af5ef268c655aa685f0d6c3f3ffab62723e7b621d1db107b567284a336765f5479aa5198549a70566315886a73f

Download Submit
C:\Windows\SysWOW64\Ocaebc32.exe

Filesize
90KB

MD5
7273b3e3f29ae5da2cde2bf1a598b235

SHA1
b84d13aea18552d9fd7db16ed662aafbce27d735

SHA256
4cc8728f4f05fcc8291049ce265a83855f85c6938fa964ec6b8dc071983c0bad

SHA512
f4904aa244772afd2cfa31014623067054d9c71cb5b3c3688530294ca6bd2e88c753ccede6f3bfabbbfb3e97eeb5cc84e2cf7dd14c2886e0c3cabaabf371901a

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
90KB

MD5
e1fcf7155722f1ee537d5f2e5c81b6b2

SHA1
fd30a9b8c35baa4332fffdcc806ddfb33e387138

SHA256
0f12dd2e268c2da5d65d749c3fc8eef23c41b4369cfc1c1a4f6b05768cd51acb

SHA512
30625c870cc7cfd4524c405373a1f230abba0be2fd0cd7786d88457bc7634b9f3ecf1b57cd1c5e89d80d12f032700b91664a6308c200a7ee43cc879e66a7d8ba

Download Submit
C:\Windows\SysWOW64\Onapdl32.exe

Filesize
90KB

MD5
3f5195526e96a2c43d0e51d5459ffbc5

SHA1
ad2e03693180fe479d499d44a9afbe425f722d19

SHA256
b098fcae0ff347c5fcfedb68b757e08cd58d4cd1790a97261d236fe3a3884693

SHA512
dd58a9427cf85d844692d5b25f9cbfa498235760ec2233ad8eda986e568a52ec2ef4bfc4d0fdb69808efd1169b48b4f7b6494075aed1c74ce9fc8fac8783ff4d

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
90KB

MD5
5aa369abd4f6d4c3fc3fa66d56cab681

SHA1
3b993c1b69a5a17d1168fcc45ed96a4bba3d941f

SHA256
b34b003a42e496721490ebd4244b4db5ceb250442f9f1535e239b58ae626fd6d

SHA512
4d2a6a99d47acc34135bd8a2b76f195fc78644cac32ececd81075a4ccdaab19c18556d4128ef0028014411c005071594066e14b08c2f726acd801c2840eb270f

Download Submit
C:\Windows\SysWOW64\Pdhkcb32.exe

Filesize
90KB

MD5
f6388e73f13206d45c5820b4a45f8e66

SHA1
ab91686f084d9833715c796e44a83d153897be96

SHA256
5cae547cdd80f6c055e38aaa47347346d4b2dfcf13c2064cccd6ebc1e5b06a29

SHA512
b8f831711a7b61ef4ca26923dc9fe3fce07db2fc933dc7e07532184084216af530b9d87da21cb390a9e1c582399927de788087cd3a91930a5cbd43f9d7039e8b

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
90KB

MD5
d2bc60a2dfad92a976892cbbe4c61f3f

SHA1
54d5c50fdc21c9370ac4e529dbc28963e9c2936f

SHA256
0ada711b039adf07811797a7376bb658f607192281bb9b496a1d56619298046f

SHA512
5ff88fcd7615ec032ea74b05c6557a364a1ecfed747c5bf908b391ea54958f3498abfe7c5d49b152faf17136e1251f4ce880e5a624e086470006ae4c45bbf2eb

Download Submit
C:\Windows\SysWOW64\Qobhkjdi.exe

Filesize
90KB

MD5
a7f51ecf8f88b9ff40464c17ff4f469f

SHA1
5c62a0c7145c8226267b04e8c9cc151508dbed05

SHA256
29b4de0095f88f0eae4ecda1e3e0d1002564081769a01e1efc725e0691d0a261

SHA512
a1f925462b6131f361e462af1503b00b2243a5f2c61d275685ff337d586415d5ba4cc478fbb7efdfd7267392e27e9a5e6e979260d8b9092516f535e36c8fa83c

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe

Filesize
90KB

MD5
d4e598b401c5585f7de612fc8b0b3cb9

SHA1
0cee4ab94e97b1c2987bf1096557cddfd96c433f

SHA256
c84a6ffc3d39d286a0a7c2e2ba0c954e79b50f17a856d09d87252c1d3627a62c

SHA512
f3d55f194d42d4a78fc73e6381def94fc6d0b3a812d05970ac4e5b57f0f739cdf298cd1ca67c2f45ca28ee77fa42a35163493e6652d7bf4ee180ffbd767cc38f

Download Submit
memory/440-287-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/440-231-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/500-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/500-297-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/732-128-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/732-299-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/832-63-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/832-307-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1040-293-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1040-175-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1088-310-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1088-40-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1724-268-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1724-283-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1744-224-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1744-288-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1752-167-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1752-294-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1780-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1780-314-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1816-87-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1816-303-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1888-184-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1888-292-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1900-103-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1900-302-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1996-291-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1996-192-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2100-315-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2100-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-280-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3100-311-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3100-31-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3212-204-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3504-312-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3504-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3628-298-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3628-135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3652-305-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3652-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3816-282-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3816-262-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3852-71-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3852-306-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4052-258-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4052-284-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4224-208-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4224-290-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4236-313-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4236-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4280-285-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4280-248-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4500-111-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4500-301-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4516-159-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4516-295-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4608-120-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4608-300-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4880-286-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4880-240-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4964-309-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4964-48-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4988-281-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4988-274-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4992-55-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4992-308-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5004-152-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5004-296-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5048-95-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5048-304-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5104-215-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5104-289-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download