05780833d52c78f3a327922f4d949aa92d1d80ccd9571d8a715620b8c637bee4

Analysis

max time kernel
152s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exe
Size

163KB
MD5

0c45eb6d86ac7b54399b0204c58273e0
SHA1

bceb036c536246d811e686de62c721c8c3b7b6cc
SHA256

05780833d52c78f3a327922f4d949aa92d1d80ccd9571d8a715620b8c637bee4
SHA512

e889766252830c09a1de7d019793c1b6f4554192c9ccb34f45695d824f058bff6a32488823decb5e2ccdcbf0cb4740aa4465e54539a5ff6fd1db32044c7e83c3
SSDEEP

3072:aw4YeRoV538ZdKGGGGGGGGGGGGGGGznRF2NltOrWKDBr+yJb:a3YeRoV5Y0GGGGGGGGGGGGGGGzn2NLOf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Klmnkdal.exePodkmgop.exePfncia32.exePiolkm32.exeIcachjbb.exeInfhebbh.exeLedoegkm.exePcbdcf32.exe0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exeLoemnnhe.exeNlgbon32.exeQbngeadf.exeIlkhog32.exeJhhodg32.exeKbjbnnfg.exeLolcnman.exeNocbfjmc.exeOhqpjo32.exeJlfhke32.exeJacpcl32.exeLkcccn32.exeNamegfql.exeOdljjo32.exePkabbgol.exeJlanpfkj.exeKlddlckd.exeOhcmpn32.exePokanf32.exeJddiegbm.exeLeabphmp.exeAijlgkjq.exeHcljmj32.exeMaoifh32.exePeempn32.exeIjbbfc32.exeOfgmib32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfncia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piolkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Infhebbh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhhodg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohqpjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlfhke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkcccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Namegfql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icachjbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Namegfql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfncia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilkhog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkcccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pokanf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Infhebbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohqpjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcljmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maoifh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odljjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piolkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jddiegbm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofgmib32.exe

Executes dropped EXE 38 IoCs

Processes:

Hcljmj32.exeIcachjbb.exeInfhebbh.exeIlkhog32.exeIhaidhgf.exeIjbbfc32.exeJlanpfkj.exeJhhodg32.exeJlfhke32.exeJacpcl32.exeJddiegbm.exeKlmnkdal.exeKbjbnnfg.exeKhfkfedn.exeKlddlckd.exeLoemnnhe.exeLeabphmp.exeLedoegkm.exeLolcnman.exeLkcccn32.exeMaoifh32.exeNamegfql.exeNocbfjmc.exeNlgbon32.exeOhqpjo32.exeOhcmpn32.exeOfgmib32.exeOdljjo32.exePodkmgop.exePfncia32.exePcbdcf32.exePiolkm32.exePeempn32.exePokanf32.exePkabbgol.exeQbngeadf.exeAijlgkjq.exeAmhdmi32.exe

pid	process
4744	Hcljmj32.exe
4720	Icachjbb.exe
2128	Infhebbh.exe
4756	Ilkhog32.exe
224	Ihaidhgf.exe
4112	Ijbbfc32.exe
3192	Jlanpfkj.exe
4860	Jhhodg32.exe
2348	Jlfhke32.exe
4164	Jacpcl32.exe
684	Jddiegbm.exe
4640	Klmnkdal.exe
4884	Kbjbnnfg.exe
4188	Khfkfedn.exe
3200	Klddlckd.exe
3648	Loemnnhe.exe
3992	Leabphmp.exe
4596	Ledoegkm.exe
932	Lolcnman.exe
4024	Lkcccn32.exe
4520	Maoifh32.exe
1052	Namegfql.exe
2160	Nocbfjmc.exe
1476	Nlgbon32.exe
2116	Ohqpjo32.exe
4600	Ohcmpn32.exe
1568	Ofgmib32.exe
1384	Odljjo32.exe
456	Podkmgop.exe
5096	Pfncia32.exe
4432	Pcbdcf32.exe
1388	Piolkm32.exe
3744	Peempn32.exe
2188	Pokanf32.exe
436	Pkabbgol.exe
2448	Qbngeadf.exe
2132	Aijlgkjq.exe
512	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

Processes:

Ohqpjo32.exeQbngeadf.exeInfhebbh.exeJddiegbm.exeKlddlckd.exe0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exeJhhodg32.exeOdljjo32.exePiolkm32.exeIhaidhgf.exeLeabphmp.exeLolcnman.exeIlkhog32.exeJlanpfkj.exePkabbgol.exeNamegfql.exeHcljmj32.exeLoemnnhe.exeNlgbon32.exeJlfhke32.exeKlmnkdal.exeOhcmpn32.exeOfgmib32.exePeempn32.exeIjbbfc32.exeLkcccn32.exePcbdcf32.exeKhfkfedn.exeMaoifh32.exePfncia32.exeJacpcl32.exeKbjbnnfg.exeAijlgkjq.exeIcachjbb.exePodkmgop.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Kmjaeema.dll	Ohqpjo32.exe
File created	C:\Windows\SysWOW64\Hmmppdij.dll	Qbngeadf.exe
File created	C:\Windows\SysWOW64\Oapijm32.dll	Infhebbh.exe
File opened for modification	C:\Windows\SysWOW64\Klmnkdal.exe	Jddiegbm.exe
File created	C:\Windows\SysWOW64\Eilbckfb.dll	Klddlckd.exe
File created	C:\Windows\SysWOW64\Hcljmj32.exe	0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Afgfhaab.dll	Jhhodg32.exe
File created	C:\Windows\SysWOW64\Bqpqlhmf.dll	Odljjo32.exe
File created	C:\Windows\SysWOW64\Peempn32.exe	Piolkm32.exe
File created	C:\Windows\SysWOW64\Qbddhbhn.dll	Ihaidhgf.exe
File opened for modification	C:\Windows\SysWOW64\Ledoegkm.exe	Leabphmp.exe
File created	C:\Windows\SysWOW64\Fogpoiia.dll	Lolcnman.exe
File opened for modification	C:\Windows\SysWOW64\Ihaidhgf.exe	Ilkhog32.exe
File created	C:\Windows\SysWOW64\Jhhodg32.exe	Jlanpfkj.exe
File created	C:\Windows\SysWOW64\Hlkjom32.dll	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Mpaifo32.dll	0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nocbfjmc.exe	Namegfql.exe
File opened for modification	C:\Windows\SysWOW64\Podkmgop.exe	Odljjo32.exe
File opened for modification	C:\Windows\SysWOW64\Icachjbb.exe	Hcljmj32.exe
File opened for modification	C:\Windows\SysWOW64\Leabphmp.exe	Loemnnhe.exe
File created	C:\Windows\SysWOW64\Kpmmhc32.dll	Nlgbon32.exe
File opened for modification	C:\Windows\SysWOW64\Jacpcl32.exe	Jlfhke32.exe
File created	C:\Windows\SysWOW64\Japjfm32.dll	Klmnkdal.exe
File opened for modification	C:\Windows\SysWOW64\Ofgmib32.exe	Ohcmpn32.exe
File created	C:\Windows\SysWOW64\Hopaik32.dll	Leabphmp.exe
File opened for modification	C:\Windows\SysWOW64\Odljjo32.exe	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Pokanf32.exe	Peempn32.exe
File created	C:\Windows\SysWOW64\Jooeqo32.dll	Hcljmj32.exe
File created	C:\Windows\SysWOW64\Fncnpk32.dll	Jddiegbm.exe
File created	C:\Windows\SysWOW64\Loemnnhe.exe	Klddlckd.exe
File created	C:\Windows\SysWOW64\Qbngeadf.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Ckdlidhm.dll	Ijbbfc32.exe
File created	C:\Windows\SysWOW64\Fpjepamq.dll	Lkcccn32.exe
File created	C:\Windows\SysWOW64\Ofgmib32.exe	Ohcmpn32.exe
File created	C:\Windows\SysWOW64\Kjmole32.dll	Pcbdcf32.exe
File opened for modification	C:\Windows\SysWOW64\Qbngeadf.exe	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Klddlckd.exe	Khfkfedn.exe
File created	C:\Windows\SysWOW64\Namegfql.exe	Maoifh32.exe
File created	C:\Windows\SysWOW64\Pcbdcf32.exe	Pfncia32.exe
File created	C:\Windows\SysWOW64\Jddiegbm.exe	Jacpcl32.exe
File created	C:\Windows\SysWOW64\Jlfhke32.exe	Jhhodg32.exe
File created	C:\Windows\SysWOW64\Icachjbb.exe	Hcljmj32.exe
File created	C:\Windows\SysWOW64\Khfkfedn.exe	Kbjbnnfg.exe
File opened for modification	C:\Windows\SysWOW64\Ohcmpn32.exe	Ohqpjo32.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Aijlgkjq.exe
File opened for modification	C:\Windows\SysWOW64\Infhebbh.exe	Icachjbb.exe
File created	C:\Windows\SysWOW64\Kkpdnm32.dll	Peempn32.exe
File opened for modification	C:\Windows\SysWOW64\Aijlgkjq.exe	Qbngeadf.exe
File opened for modification	C:\Windows\SysWOW64\Jlanpfkj.exe	Ijbbfc32.exe
File created	C:\Windows\SysWOW64\Kbjbnnfg.exe	Klmnkdal.exe
File created	C:\Windows\SysWOW64\Ofnfbijk.dll	Khfkfedn.exe
File created	C:\Windows\SysWOW64\Leabphmp.exe	Loemnnhe.exe
File created	C:\Windows\SysWOW64\Piolkm32.exe	Pcbdcf32.exe
File opened for modification	C:\Windows\SysWOW64\Hcljmj32.exe	0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ilkhog32.exe	Infhebbh.exe
File created	C:\Windows\SysWOW64\Jlanpfkj.exe	Ijbbfc32.exe
File created	C:\Windows\SysWOW64\Klddlckd.exe	Khfkfedn.exe
File created	C:\Windows\SysWOW64\Cieonn32.dll	Pfncia32.exe
File opened for modification	C:\Windows\SysWOW64\Peempn32.exe	Piolkm32.exe
File created	C:\Windows\SysWOW64\Aijlgkjq.exe	Qbngeadf.exe
File created	C:\Windows\SysWOW64\Ledoegkm.exe	Leabphmp.exe
File created	C:\Windows\SysWOW64\Chdjpphi.dll	Ofgmib32.exe
File opened for modification	C:\Windows\SysWOW64\Pfncia32.exe	Podkmgop.exe
File opened for modification	C:\Windows\SysWOW64\Jhhodg32.exe	Jlanpfkj.exe

Modifies registry class 64 IoCs

Processes:

Infhebbh.exeNlgbon32.exeLkcccn32.exeOdljjo32.exeIlkhog32.exeIhaidhgf.exePiolkm32.exeQbngeadf.exeOfgmib32.exePcbdcf32.exe0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exeLedoegkm.exeIcachjbb.exeJacpcl32.exePeempn32.exeJlanpfkj.exeMaoifh32.exeLolcnman.exeLoemnnhe.exeJddiegbm.exePfncia32.exeKlmnkdal.exePkabbgol.exeKbjbnnfg.exeNocbfjmc.exePokanf32.exeAijlgkjq.exeKlddlckd.exeKhfkfedn.exeHcljmj32.exeJlfhke32.exeOhcmpn32.exeJhhodg32.exeNamegfql.exePodkmgop.exeIjbbfc32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Infhebbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmhc32.dll"	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkcccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknikplo.dll"	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbddhbhn.dll"	Ihaidhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkamckh.dll"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmole32.dll"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpdnm32.dll"	Peempn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqdbl32.dll"	Maoifh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogpoiia.dll"	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpjepamq.dll"	Lkcccn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cieonn32.dll"	Pfncia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqpqlhmf.dll"	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maoifh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonhbi32.dll"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oapijm32.dll"	Infhebbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balfdi32.dll"	Jlanpfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinffi32.dll"	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Infhebbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobpnd32.dll"	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Japjfm32.dll"	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnfbijk.dll"	Khfkfedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oofial32.dll"	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooeqo32.dll"	Hcljmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcljmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncnpk32.dll"	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilbckfb.dll"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkcccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgoikbje.dll"	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmppdij.dll"	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilkhog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qagfppeh.dll"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhfnche.dll"	Namegfql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofbkbfe.dll"	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdlidhm.dll"	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlanpfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Peempn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijbbfc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exeHcljmj32.exeIcachjbb.exeInfhebbh.exeIlkhog32.exeIhaidhgf.exeIjbbfc32.exeJlanpfkj.exeJhhodg32.exeJlfhke32.exeJacpcl32.exeJddiegbm.exeKlmnkdal.exeKbjbnnfg.exeKhfkfedn.exeKlddlckd.exeLoemnnhe.exeLeabphmp.exeLedoegkm.exeLolcnman.exeLkcccn32.exeMaoifh32.exe

description	pid	process	target process
PID 4844 wrote to memory of 4744	4844	0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exe	Hcljmj32.exe
PID 4844 wrote to memory of 4744	4844	0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exe	Hcljmj32.exe
PID 4844 wrote to memory of 4744	4844	0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exe	Hcljmj32.exe
PID 4744 wrote to memory of 4720	4744	Hcljmj32.exe	Icachjbb.exe
PID 4744 wrote to memory of 4720	4744	Hcljmj32.exe	Icachjbb.exe
PID 4744 wrote to memory of 4720	4744	Hcljmj32.exe	Icachjbb.exe
PID 4720 wrote to memory of 2128	4720	Icachjbb.exe	Infhebbh.exe
PID 4720 wrote to memory of 2128	4720	Icachjbb.exe	Infhebbh.exe
PID 4720 wrote to memory of 2128	4720	Icachjbb.exe	Infhebbh.exe
PID 2128 wrote to memory of 4756	2128	Infhebbh.exe	Ilkhog32.exe
PID 2128 wrote to memory of 4756	2128	Infhebbh.exe	Ilkhog32.exe
PID 2128 wrote to memory of 4756	2128	Infhebbh.exe	Ilkhog32.exe
PID 4756 wrote to memory of 224	4756	Ilkhog32.exe	Ihaidhgf.exe
PID 4756 wrote to memory of 224	4756	Ilkhog32.exe	Ihaidhgf.exe
PID 4756 wrote to memory of 224	4756	Ilkhog32.exe	Ihaidhgf.exe
PID 224 wrote to memory of 4112	224	Ihaidhgf.exe	Ijbbfc32.exe
PID 224 wrote to memory of 4112	224	Ihaidhgf.exe	Ijbbfc32.exe
PID 224 wrote to memory of 4112	224	Ihaidhgf.exe	Ijbbfc32.exe
PID 4112 wrote to memory of 3192	4112	Ijbbfc32.exe	Jlanpfkj.exe
PID 4112 wrote to memory of 3192	4112	Ijbbfc32.exe	Jlanpfkj.exe
PID 4112 wrote to memory of 3192	4112	Ijbbfc32.exe	Jlanpfkj.exe
PID 3192 wrote to memory of 4860	3192	Jlanpfkj.exe	Jhhodg32.exe
PID 3192 wrote to memory of 4860	3192	Jlanpfkj.exe	Jhhodg32.exe
PID 3192 wrote to memory of 4860	3192	Jlanpfkj.exe	Jhhodg32.exe
PID 4860 wrote to memory of 2348	4860	Jhhodg32.exe	Jlfhke32.exe
PID 4860 wrote to memory of 2348	4860	Jhhodg32.exe	Jlfhke32.exe
PID 4860 wrote to memory of 2348	4860	Jhhodg32.exe	Jlfhke32.exe
PID 2348 wrote to memory of 4164	2348	Jlfhke32.exe	Jacpcl32.exe
PID 2348 wrote to memory of 4164	2348	Jlfhke32.exe	Jacpcl32.exe
PID 2348 wrote to memory of 4164	2348	Jlfhke32.exe	Jacpcl32.exe
PID 4164 wrote to memory of 684	4164	Jacpcl32.exe	Jddiegbm.exe
PID 4164 wrote to memory of 684	4164	Jacpcl32.exe	Jddiegbm.exe
PID 4164 wrote to memory of 684	4164	Jacpcl32.exe	Jddiegbm.exe
PID 684 wrote to memory of 4640	684	Jddiegbm.exe	Klmnkdal.exe
PID 684 wrote to memory of 4640	684	Jddiegbm.exe	Klmnkdal.exe
PID 684 wrote to memory of 4640	684	Jddiegbm.exe	Klmnkdal.exe
PID 4640 wrote to memory of 4884	4640	Klmnkdal.exe	Kbjbnnfg.exe
PID 4640 wrote to memory of 4884	4640	Klmnkdal.exe	Kbjbnnfg.exe
PID 4640 wrote to memory of 4884	4640	Klmnkdal.exe	Kbjbnnfg.exe
PID 4884 wrote to memory of 4188	4884	Kbjbnnfg.exe	Khfkfedn.exe
PID 4884 wrote to memory of 4188	4884	Kbjbnnfg.exe	Khfkfedn.exe
PID 4884 wrote to memory of 4188	4884	Kbjbnnfg.exe	Khfkfedn.exe
PID 4188 wrote to memory of 3200	4188	Khfkfedn.exe	Klddlckd.exe
PID 4188 wrote to memory of 3200	4188	Khfkfedn.exe	Klddlckd.exe
PID 4188 wrote to memory of 3200	4188	Khfkfedn.exe	Klddlckd.exe
PID 3200 wrote to memory of 3648	3200	Klddlckd.exe	Loemnnhe.exe
PID 3200 wrote to memory of 3648	3200	Klddlckd.exe	Loemnnhe.exe
PID 3200 wrote to memory of 3648	3200	Klddlckd.exe	Loemnnhe.exe
PID 3648 wrote to memory of 3992	3648	Loemnnhe.exe	Leabphmp.exe
PID 3648 wrote to memory of 3992	3648	Loemnnhe.exe	Leabphmp.exe
PID 3648 wrote to memory of 3992	3648	Loemnnhe.exe	Leabphmp.exe
PID 3992 wrote to memory of 4596	3992	Leabphmp.exe	Ledoegkm.exe
PID 3992 wrote to memory of 4596	3992	Leabphmp.exe	Ledoegkm.exe
PID 3992 wrote to memory of 4596	3992	Leabphmp.exe	Ledoegkm.exe
PID 4596 wrote to memory of 932	4596	Ledoegkm.exe	Lolcnman.exe
PID 4596 wrote to memory of 932	4596	Ledoegkm.exe	Lolcnman.exe
PID 4596 wrote to memory of 932	4596	Ledoegkm.exe	Lolcnman.exe
PID 932 wrote to memory of 4024	932	Lolcnman.exe	Lkcccn32.exe
PID 932 wrote to memory of 4024	932	Lolcnman.exe	Lkcccn32.exe
PID 932 wrote to memory of 4024	932	Lolcnman.exe	Lkcccn32.exe
PID 4024 wrote to memory of 4520	4024	Lkcccn32.exe	Maoifh32.exe
PID 4024 wrote to memory of 4520	4024	Lkcccn32.exe	Maoifh32.exe
PID 4024 wrote to memory of 4520	4024	Lkcccn32.exe	Maoifh32.exe
PID 4520 wrote to memory of 1052	4520	Maoifh32.exe	Namegfql.exe

C:\Users\Admin\AppData\Local\Temp\0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0c45eb6d86ac7b54399b0204c58273e0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\Hcljmj32.exe
C:\Windows\system32\Hcljmj32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\Icachjbb.exe
C:\Windows\system32\Icachjbb.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\Infhebbh.exe
C:\Windows\system32\Infhebbh.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\Ilkhog32.exe
C:\Windows\system32\Ilkhog32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\Ihaidhgf.exe
C:\Windows\system32\Ihaidhgf.exe
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\SysWOW64\Ijbbfc32.exe
C:\Windows\system32\Ijbbfc32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\SysWOW64\Jlanpfkj.exe
C:\Windows\system32\Jlanpfkj.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SysWOW64\Jhhodg32.exe
C:\Windows\system32\Jhhodg32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\Jlfhke32.exe
C:\Windows\system32\Jlfhke32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\Jacpcl32.exe
C:\Windows\system32\Jacpcl32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\Jddiegbm.exe
C:\Windows\system32\Jddiegbm.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\Klmnkdal.exe
C:\Windows\system32\Klmnkdal.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\SysWOW64\Kbjbnnfg.exe
C:\Windows\system32\Kbjbnnfg.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\Khfkfedn.exe
C:\Windows\system32\Khfkfedn.exe
15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\Klddlckd.exe
C:\Windows\system32\Klddlckd.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\SysWOW64\Loemnnhe.exe
C:\Windows\system32\Loemnnhe.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\SysWOW64\Leabphmp.exe
C:\Windows\system32\Leabphmp.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\Ledoegkm.exe
C:\Windows\system32\Ledoegkm.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\Lolcnman.exe
C:\Windows\system32\Lolcnman.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\Lkcccn32.exe
C:\Windows\system32\Lkcccn32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\Maoifh32.exe
C:\Windows\system32\Maoifh32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\SysWOW64\Namegfql.exe
C:\Windows\system32\Namegfql.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1052

C:\Windows\SysWOW64\Nocbfjmc.exe
C:\Windows\system32\Nocbfjmc.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2160

C:\Windows\SysWOW64\Nlgbon32.exe
C:\Windows\system32\Nlgbon32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1476

C:\Windows\SysWOW64\Ohqpjo32.exe
C:\Windows\system32\Ohqpjo32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2116

C:\Windows\SysWOW64\Ohcmpn32.exe
C:\Windows\system32\Ohcmpn32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4600

C:\Windows\SysWOW64\Ofgmib32.exe
C:\Windows\system32\Ofgmib32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1568

C:\Windows\SysWOW64\Odljjo32.exe
C:\Windows\system32\Odljjo32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1384

C:\Windows\SysWOW64\Podkmgop.exe
C:\Windows\system32\Podkmgop.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:456

C:\Windows\SysWOW64\Pfncia32.exe
C:\Windows\system32\Pfncia32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5096

C:\Windows\SysWOW64\Pcbdcf32.exe
C:\Windows\system32\Pcbdcf32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4432

C:\Windows\SysWOW64\Piolkm32.exe
C:\Windows\system32\Piolkm32.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1388

C:\Windows\SysWOW64\Peempn32.exe
C:\Windows\system32\Peempn32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3744

C:\Windows\SysWOW64\Pokanf32.exe
C:\Windows\system32\Pokanf32.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2188

C:\Windows\SysWOW64\Pkabbgol.exe
C:\Windows\system32\Pkabbgol.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:436

C:\Windows\SysWOW64\Qbngeadf.exe
C:\Windows\system32\Qbngeadf.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2448

C:\Windows\SysWOW64\Aijlgkjq.exe
C:\Windows\system32\Aijlgkjq.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2132

C:\Windows\SysWOW64\Amhdmi32.exe
C:\Windows\system32\Amhdmi32.exe
39⤵
- Executes dropped EXE
PID:512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hcljmj32.exe
Filesize
163KB

MD5
3882e3df1337a5bd860d414fbbf358f8

SHA1
1e000bc37ccf8d76e71867749da8aed5c8ed86cb

SHA256
900d7b902e3c6f59b0b7a5bad2b89364cdca8309e196b94ca9c509eec80aa983

SHA512
2e7a42f0db468f0a17463ead91a1f1f3339d8022bdcf83146bb4adc1d6ee6e09f0c633a5735848a2eaf1664877edbfd75f1e1b0165474cfe88881887cbde333c

Download Submit
C:\Windows\SysWOW64\Icachjbb.exe
Filesize
163KB

MD5
d7a077904efa56eb71719f5355545317

SHA1
72a9c47726215f7f2507f8f4cc43aeab19e816f3

SHA256
cce622abbb04577752a1aee320e5234ac0ed41de05fb9028d1786ad96da9671d

SHA512
9af8e121a13b7bd75f618453a1281fed590e4448f14c57a7d57416a189c1fa4f7ee806359d84fb4913263fc2a2176d7bf1a7af0ce7951127e4badfe12cef822d

Download Submit
C:\Windows\SysWOW64\Ihaidhgf.exe
Filesize
163KB

MD5
599877ef95fcdf315e8fd560a91cafb2

SHA1
d3b3e3b8f96663aad498e9c1e66223fb81a2787a

SHA256
a669b214b95cc14b4378a4b7e00725d0b11e451155ccf85f6b10b5a4e655577f

SHA512
5a6f430698365ed50551c3979b4fd77aac7b497fbefff91fdf686ec5197cabecc516fc9ba73f20bb7575d709e6e703b620fe19c8df601bc117e99fb147a9bb5b

Download Submit
C:\Windows\SysWOW64\Ijbbfc32.exe
Filesize
163KB

MD5
c83ff1dc42544d79acc1d1784de9743c

SHA1
ac1471c215be6db9fb732988c2f5c1987ef069f6

SHA256
89704bd3e04bb769d3608de0f5bad3b556ef8a4a5211b4fbbe2a7f3ff3de72d2

SHA512
a96d536cf8895f2f82af69925a71cf1cd287113ca2787aa793f6b5003c6f5c8c4c4c7e88daad0591e28194dea18d5d053d656d5ee7afe43153b70702d9436cc0

Download Submit
C:\Windows\SysWOW64\Ilkhog32.exe
Filesize
163KB

MD5
90501ff2a89bb60487cd18e986121988

SHA1
849622e1292d71fbae7aac0a2d7a9af5f84da5a8

SHA256
e11ffe5f2686e2ecc2176df3faf7b59c43d7534a8e51e219a631315e54e7d21b

SHA512
d58758863865e78da48af4da2325adbf5fb6bccb85b36396a4429fe14ccfdf916644b49015a9875b23ce93cc939dc6f3ad54d9399d8f8fdfc9e9678de82445c2

Download Submit
C:\Windows\SysWOW64\Infhebbh.exe
Filesize
163KB

MD5
e73713d276bb28f06649bf2a5053aa27

SHA1
1ef194ce153ea910987ad67df4a9b6e0b7eaba53

SHA256
0b0816d37b784559cfb019fd1788c8978b6bd085990a67ee76c36fa11e5a8e9c

SHA512
dd3643f9f962986d26e4c5edcabe181218bd9d344bcb85a399a2f6018b77928190280b1cd04c7740334a810f5ad7394b5af9a98b6d92b59b7922baf9f8ab2f44

Download Submit
C:\Windows\SysWOW64\Jacpcl32.exe
Filesize
163KB

MD5
ee4331607f511b88cd787851eeade858

SHA1
3f58e3109c662657423218cd497cb84d50899ae5

SHA256
b8dcb0ea679a41e5edcbd04c3a6c64bdcf6e6fb851be75ac3c74b7c8f38580ab

SHA512
dfddce9637844dce0eb69e1efbc1afb570322a4dae58a740ba39b22be960907aceee10fc4f4caff13b5050aacd4745d0dd0b0b334bbdf7d0478a0e0b03955776

Download Submit
C:\Windows\SysWOW64\Jddiegbm.exe
Filesize
163KB

MD5
89cbf0800ca6c8cb0d827c3eb55a4eea

SHA1
fcd6175c5588e548e1afe93fd041267cc3b7973e

SHA256
70bf9754592fc3b51379444a5d0e79d647a41ceca5e74d302477c57f5e0ce4e6

SHA512
e6c056e1b90125e63a84b89c43d2949e1b2d6d1b2d5df4a44edcbf5709cef6f76d93520d4bec5e6830ccdc837b6606ffd51e7324fc7b77d1be61f55a5b68de2e

Download Submit
C:\Windows\SysWOW64\Jhhodg32.exe
Filesize
163KB

MD5
6ef3f4ee1f01108dcd9e5212ee0701e1

SHA1
2fa58b75f6d29ca23cafcdb4ffab4d971327cc76

SHA256
b52b7dc61653204ac47600a32306fd2029edaf8f755f979ba31513bc1c289f3a

SHA512
698ff593365eef705d7551a500612c186bca460e59ccc0812ff0d0ec99104b7d8283cc6064701737dabc1aff62584b2959c3eb7d761be015a098147185caa31f

Download Submit
C:\Windows\SysWOW64\Jlanpfkj.exe
Filesize
163KB

MD5
8a655b87738a0f1c975079990054584b

SHA1
af24cb4f307b435dd4cedb39be912c2c9ad5ebcc

SHA256
c20664dc4b300ca708a0ed67d388ba7799dca8e88be291d52870d74850e1a70a

SHA512
ddf1bc04ac3744f0f4e77af1e5b01bdee724594d1ecc1eedd206ad668b0ddedbcfb95fd40c2de450e870722fe0a536183ffe67b0d41e530f844c94763eadf7ee

Download Submit
C:\Windows\SysWOW64\Jlfhke32.exe
Filesize
163KB

MD5
b12b331527adf91a954023e008be07d2

SHA1
e0c6881713861cd98b93fb13d6807e820ee7cc14

SHA256
60e0781bfcb9c607be439e63fb57c03b1ee932840a80f5bb35368c369dc31b0f

SHA512
f5047fffcbf5ad93c9e011c055d34591a95dd6eda60d2ceaffff88d790b8418750cf7cf260c3f121856ecf8d8532e0ac900a379624550e5b9096f8f4ede9be01

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe
Filesize
163KB

MD5
f41c2fc7e313d1798ae83b13c25b9efd

SHA1
ad9b2b19222f7dd0c6844f1a8ad556b72971db7a

SHA256
625740d7cfc00f4f33498c6c898118cbaa26b8baed791a14286c7244ed0a5d32

SHA512
5e530f78e689cc4c93889e1fb5674896ed83aa0d420a8df98fcc73f383f8d3d187ec857f08cc129832ecd50fb105675ec1f7fb1efd0c4edc817bbd1a64e1a413

Download Submit
C:\Windows\SysWOW64\Khfkfedn.exe
Filesize
163KB

MD5
29008f4c3eeefe0704145d8bf1bea6bb

SHA1
0a0bfa802d552b194a3f18e277bd7f9a348db9ee

SHA256
6cfba847a1774d7b69b5066a7aa5323b1fa50a611326817d675737b03224f532

SHA512
8f63377878c40f26d1c7dd4c2312a154481bc61879cde0e1595f2a56568aa3d2709e58e85c7a4bc6297e4e0fa6153790a85cba6f19b4451e1de6ac602c488563

Download Submit
C:\Windows\SysWOW64\Klddlckd.exe
Filesize
163KB

MD5
25f5f0b682f6bae7364bfd2782fa5eb1

SHA1
e24108a8b985b2bc472470f8ab0738dc29a94bc7

SHA256
b8b65379fbe3f2cfeacc29b99017c62f97f01d632b742ba9a5ab37c924a20a9a

SHA512
8dee417699cbe267a0d6521f8452adf5c1f696256f8c24a572110299b7cf86e393d89533f2bc7b882735a0162974a650ad05fe3e74b300508360c4508464334a

Download Submit
C:\Windows\SysWOW64\Klmnkdal.exe
Filesize
163KB

MD5
e3d4550011e9aacde0299687b4d90871

SHA1
49e4395b413c6e6580f7d69924c7be6e4ac90ef1

SHA256
f9c637e5aed4a13a8cf756845d470f93b8fda6244fa093ad56c61d0beb48dab2

SHA512
294495f869e30bb6b22198882adc7eb699bb9ff78bce4d55490b1b167e612c3958552cc1d01378fc58fb5e65d9e12c83de94fdabea36ae3e0ea4bc77f12fe538

Download Submit
C:\Windows\SysWOW64\Leabphmp.exe
Filesize
163KB

MD5
bd405c17495408e9be4a1dfcbbdce468

SHA1
c716d6e6df10887c344dffe5c7ccb418fd488cf9

SHA256
f055b4927cc9eaa93b77c0e8f130671e9a239fb301ff2a90d4775598b8e1dfd4

SHA512
c4c430284e41800c73c8f8833dc73e22b932c20b4de9afa542239d58d1a60dd705fec2f1ee29562e0adeb8e44fb4e9213d687a530bad3207a8eafd131b7c24c7

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe
Filesize
163KB

MD5
8769bd6258293f72e4f11f3ecabc1bd2

SHA1
9648acfa406dade42ec9ed5910a4b24f95a3d7cd

SHA256
768b24077abec18dfbd72d8962ed5ac8189b3a63c1c079437751a1b42078599e

SHA512
9d8ffe38be1598fd091e25ecf6d79a35739baf3365a317937ea7041c598b7e45f02dce96f0a27777d429dad62b51bc368965d38932d3eca04e88eee3e8dde93a

Download Submit
C:\Windows\SysWOW64\Loemnnhe.exe
Filesize
163KB

MD5
00e01a3a7585c40de4401d064a451b66

SHA1
17f4972ca3a93ad3eb61f85d3c5239653ed47ca2

SHA256
ce9b66648e8ba35b41ce2d7ca7362f8b442b5a0b6a68af782cd1c071da98a3d2

SHA512
7a10a1cde83adcea4fd453b99d25504bbf144ade24f0648c99e36bb9e35fcf6afab6f7db958c53692ae43163787299fad6799d41b131cbf0b45d0f731a0c0f82

Download Submit
C:\Windows\SysWOW64\Lolcnman.exe
Filesize
163KB

MD5
4490e3f5afd945b21a7a03319ba30946

SHA1
3955a2c6abcbd539da0aff21927a379ffae312fe

SHA256
ba9713cc2ec4274d07771d066391b492ebacfa3d61a27139f54213a72fc3e032

SHA512
e416fa5b2cfc0180d3952e4de25ef8416b178a1def118c9c86c0d148df4498cff3dde74cce11e3977820fbc07098308f978646a0115fd7c0a4a677b2aa02db51

Download Submit
C:\Windows\SysWOW64\Maoifh32.exe
Filesize
163KB

MD5
1b7b7c847f6b1b6d02f5e7db7f64b6bf

SHA1
dd547b9c9cacce5536e2c763a5e20e95426e9f52

SHA256
2f1387998609779424aff342bf84a1e37e217ddba7a5ea275c808303490ae665

SHA512
6317cda5efddf9e457ad9bd1a7aed9e5d2a1e8e89e35a388550a4c122d98802f7256bca506e0242eea5a1ed205ff6cc0efc74a311f3c1d28542e7c7db4d40ac8

Download Submit
C:\Windows\SysWOW64\Maoifh32.exe
Filesize
163KB

MD5
2376336b8b37be95152341e3a2c76197

SHA1
ebb218439b0fb9e44caf7d254be23ffc7e1fcdea

SHA256
3cababdb72bb8290ed97f10099a968b7bd26d826cb264fb572ba22f3cd99b1a9

SHA512
5947e79881538b909e1d705a062c67180c6d0d68e85e4ee52b714477f7c9839b3ff03a35436003b1593494000a26e243ee2c8dab7c7b2aec30d534e6752e69cf

Download Submit
C:\Windows\SysWOW64\Namegfql.exe
Filesize
163KB

MD5
d7f4c3e17da4aac1b0ff191a156df43a

SHA1
b5412670ad976a5169e50ce8fa95561704db634b

SHA256
99d4539266849df05620c2d5e92e1d6950364d919e95d3cf0e377bcc6af2b529

SHA512
7e68a66fe9c7568acb9837e7d13dc9efbdb49c1f77ad0f25a976e9c4759d265ee21945b1b618aaca93d5ad24eaffc74d31c94d72063b90aa4858658d2518509e

Download Submit
C:\Windows\SysWOW64\Nlgbon32.exe
Filesize
163KB

MD5
fb38fb8394072287ea4fd2c5206ad1d4

SHA1
2d364854c31f935fad4280b6a4e50edc60d1315a

SHA256
646b3df26ea0dc241fe28eff7bc401fee0a5d9c5b79ad51ab914d7de7419b9b9

SHA512
c052566cb56d70dbb1bb38e00673befa58445920e5dcf400f7abb8e7bfd7b00192de4b89afb4da032dc46a19f181972aec6e7d14dbc1eea290474d140f86a8cc

Download Submit
C:\Windows\SysWOW64\Nocbfjmc.exe
Filesize
163KB

MD5
b171656afe7e2198a4083914a9f14019

SHA1
755ffee3dab9540f44aabfe16c05a961eae834c6

SHA256
b8d75034e71f3b7a2e17b9868dda3fe4679b6d31fda43b06a338dfbf0f80fedd

SHA512
9b1f05228732377f6b766263094f8364bf6579bb790508844ce959d21a88200fde808b88e631e44e176afa34eaa139fa12d8f19f2b159d32764b81d6b7c939ef

Download Submit
C:\Windows\SysWOW64\Odljjo32.exe
Filesize
163KB

MD5
9b79db5084e0a835a37907ed692bb062

SHA1
a05f9f3f7c47615b41e3bb1470ea746bf7e5d577

SHA256
586c1e33af7ecf68c0a03123a149e19a0c6e8624cf47f1fa4f262f9bdfefb557

SHA512
bbbcb119528ea7b6f0d151b978887d14439d228238d049e5fc315d63f8695d9a6e65e717f9887e7eef57e3d9443069ad2a2621d592bda6b7b33b006a056a4f74

Download Submit
C:\Windows\SysWOW64\Ofgmib32.exe
Filesize
163KB

MD5
28f21aae5b0b80883cb8253471f52993

SHA1
769aed11dd89a4efcfabc552b7befef3b71a1478

SHA256
1d3e8c9a93e1a8501d90fa59c67feda1b4aac833258b4258f9455c2c9b2fb162

SHA512
7f876d01f286ee94dc518c6cd899c6e0547b85085437a526e9f205fc46adf1393a776108acdb6130be4eea1379d3a65a816e13caac2cef1e971f07e0be4b3f88

Download Submit
C:\Windows\SysWOW64\Ohcmpn32.exe
Filesize
163KB

MD5
a18251a36ea2bd116c35cd3c00a50939

SHA1
af61b5806bc52fa8d441063b6346a954f8851f75

SHA256
57a9c48312b3181e9772dfd956df715e9f4063bae636505d72ac3a5c785d1822

SHA512
48ad64f7beacdd5abf6be0959cea8f4f9d3037d78149bdff0c1f6a89d0836bcec879fad25ef322df5d0eebfce2362d8e75c3f555527cdf7b30cb11a1b57e1d9f

Download Submit
C:\Windows\SysWOW64\Ohqpjo32.exe
Filesize
163KB

MD5
39e333452ffbec6e0d38897d55be62b5

SHA1
cb8f23c198a509e2e3f3d052ca49d6de16c8eea4

SHA256
3e847ad7faa6a0a95d264e84d70ecba7fcf72ea53620f9d8e88ffe7f83e2ad92

SHA512
96b9951db2a92f2c903fc2c93bf52cdda2d1cd8225b41e4a340cbc450e421bf11b5e489ca830e68c9df2253b0698a356fcbd10282b66f43a0e18511adc34db1d

Download Submit
C:\Windows\SysWOW64\Pcbdcf32.exe
Filesize
163KB

MD5
c900880ae4b281df526c0f0b6f50ed4c

SHA1
7eb133e51616940023915c94823442120d24f7b7

SHA256
ff64f79731fe736164a7f1c45eebf85d7913f8d02d77c7407d3b3c08507f65ee

SHA512
a109f318e73994e815ad8ab0b1a5cb3b1fa67a83a7960470dc5bdb2d0239e48589f266538e84ef3430ca51238cc4a28ca63f69520d79b3e1bf473e503dee4c9a

Download Submit
C:\Windows\SysWOW64\Pfncia32.exe
Filesize
163KB

MD5
77afc28b76ea21fa7667788769f039df

SHA1
b3c5170ab0c61b99e82a47d9256bf8dcf68384bb

SHA256
4899ee4d802317df281d5f6e5e22a2d1cd8df20bc76285da642ee868077fabec

SHA512
31f3eee2fbe252cb5fda6bb2c693974dc077a3aff18026d69af3a2723e16df8cd78142228d556ef1c09229dc3d5136afb603b617acdd202b60a1647e764e18af

Download Submit
C:\Windows\SysWOW64\Piolkm32.exe
Filesize
163KB

MD5
6cabd319cd8e8fa3df0a2405d7002baf

SHA1
8350f7b368abaf3405ad6dc2d7c003268033db80

SHA256
4fa65883ebb7e3a1808f2a4dff2813f59c63ae43248ef38795c6475a370082d3

SHA512
ed71ae8a1c84cae1a8906d73768971c3268bde5c047d162c654ba2a786d362916846cbad67221a029fb98ab3cb09ad08b13319dd5971c483838f7e3cec246b9a

Download Submit
C:\Windows\SysWOW64\Pkabbgol.exe
Filesize
163KB

MD5
8113ee5c5b7200056d5bcffdd373be73

SHA1
a5d45ff2ce3646bd07c197d3aee890245b35f068

SHA256
79ead000582aa4fa1a352f4b00f6f0dd1ae50909a664bde243da1c965b6e45e2

SHA512
50378edb23ba1edb413db663faabe1e0d21528066acc529451c01f2d384b67cce833ff781452f7412015e6d0141464474d35d7a03d91dc52bcf2f5ef532be241

Download Submit
C:\Windows\SysWOW64\Podkmgop.exe
Filesize
163KB

MD5
f65a1757c0be56093aa16ad1d7420ee2

SHA1
21d3a34e7602d9ccc03aa07b23f6e58372ed1bb9

SHA256
8f8efa59f9f97a61bbbe21b18d9b038b0e75f782f64b96e2c04e19162c046292

SHA512
1a01fea12d62f9f829f61f119c84f8713157cbf2737ef6361637761d66e16ea8f84e6d8c1800cc7b895ba9de3c008eaaf52e7dd6b0ca725bd852476e174a718f

Download Submit
memory/224-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/224-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/436-454-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/436-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/456-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/456-442-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/512-294-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/684-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/684-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/932-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/932-417-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/932-416-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1052-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1052-423-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1384-440-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1384-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1388-257-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1388-448-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1476-431-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1476-432-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1476-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1568-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1568-437-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1568-438-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2116-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2116-434-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2116-433-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2128-366-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2128-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2132-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2132-458-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2160-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2160-430-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2188-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2188-452-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2348-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2348-397-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2448-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2448-456-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3192-374-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3192-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3200-409-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3200-408-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3200-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3648-411-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3648-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3744-450-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3744-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3992-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3992-413-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4024-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4024-419-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4112-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4112-372-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4164-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4164-399-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4188-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4188-406-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4188-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4432-446-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4432-249-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4520-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4520-421-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4596-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4596-415-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4600-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4600-436-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4640-403-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4640-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4720-364-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4720-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4744-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4744-362-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4756-368-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4756-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4844-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4844-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4844-360-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4860-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4860-376-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4884-405-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4884-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5096-444-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5096-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download