gozi | 23e660244272a1428b7591bed1c32c7abc634b8bdb8257a0de60a9f9aa03f6d7

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe
Size

163KB
MD5

37531f1427fd1ca04ba0fdb019b7c060
SHA1

c8c15f79996d9f591ab79695f0bb93db1057c593
SHA256

23e660244272a1428b7591bed1c32c7abc634b8bdb8257a0de60a9f9aa03f6d7
SHA512

a12cba7ca80390b7042af8facc696c920e0c1477b5299291f9fddb069f2a5ce675a09694cd23825aea776b8d436b4fd4f97b789ceb2f4bf04495a02088fea518
SSDEEP

1536:PqetPtynIP/iDpkfa5riS9F9Iq25dYPzwlProNVU4qNVUrk/9QbfBr+7GwKrPAsf:HdtyI3iDpkfqrimIkMltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ncnofeof.exeKofkbk32.exeMfnoqc32.exeAagkhd32.exeNgndaccj.exeOjfcdnjc.exeQpeahb32.exe37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exeKegpifod.exeLlodgnja.exeApmhiq32.exeBdmmeo32.exeJniood32.exePhfcipoo.exeBhkfkmmg.exeOjomcopk.exePhcgcqab.exeAdcjop32.exeKjgeedch.exeLfbped32.exeDhphmj32.exeBphgeo32.exeCgifbhid.exeLggejg32.exeMqkiok32.exeQfkqjmdg.exeOabhfg32.exeAgimkk32.exeCpmapodj.exeCaageq32.exePpjbmc32.exeMgphpe32.exeOmpfej32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofkbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfnoqc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngndaccj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngndaccj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kegpifod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llodgnja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jniood32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llodgnja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojomcopk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhkfkmmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjgeedch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqkiok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbped32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjgeedch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kofkbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oabhfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agimkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kegpifod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lggejg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqkiok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnoqc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgphpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agimkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphgeo32.exe

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 33 IoCs

Processes:

Jniood32.exeKegpifod.exeKjgeedch.exeKofkbk32.exeLfbped32.exeLlodgnja.exeLggejg32.exeMfnoqc32.exeMgphpe32.exeMqkiok32.exeNcnofeof.exeNgndaccj.exeOjomcopk.exeOmpfej32.exeOjfcdnjc.exeOabhfg32.exePpjbmc32.exePhcgcqab.exePhfcipoo.exeQfkqjmdg.exeQpeahb32.exeAdcjop32.exeAagkhd32.exeApmhiq32.exeAgimkk32.exeBdmmeo32.exeBhkfkmmg.exeBphgeo32.exeCpmapodj.exeCgifbhid.exeCaageq32.exeDhphmj32.exeDkqaoe32.exe

pid	process
4944	Jniood32.exe
4016	Kegpifod.exe
404	Kjgeedch.exe
2724	Kofkbk32.exe
32	Lfbped32.exe
880	Llodgnja.exe
2904	Lggejg32.exe
1016	Mfnoqc32.exe
1432	Mgphpe32.exe
2884	Mqkiok32.exe
3088	Ncnofeof.exe
4304	Ngndaccj.exe
1708	Ojomcopk.exe
2124	Ompfej32.exe
5100	Ojfcdnjc.exe
2356	Oabhfg32.exe
2728	Ppjbmc32.exe
4604	Phcgcqab.exe
2348	Phfcipoo.exe
4040	Qfkqjmdg.exe
4496	Qpeahb32.exe
5056	Adcjop32.exe
1784	Aagkhd32.exe
2916	Apmhiq32.exe
4348	Agimkk32.exe
2400	Bdmmeo32.exe
2416	Bhkfkmmg.exe
3220	Bphgeo32.exe
2448	Cpmapodj.exe
4020	Cgifbhid.exe
2132	Caageq32.exe
4640	Dhphmj32.exe
2168	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

Processes:

Ncnofeof.exeBhkfkmmg.exeCgifbhid.exeDhphmj32.exeJniood32.exeKegpifod.exeAgimkk32.exeLlodgnja.exeAagkhd32.exeKofkbk32.exeKjgeedch.exeLggejg32.exeMqkiok32.exeBphgeo32.exePhfcipoo.exeAdcjop32.exeLfbped32.exeMfnoqc32.exe37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exeCpmapodj.exeOjomcopk.exeOabhfg32.exeApmhiq32.exeOjfcdnjc.exePhcgcqab.exeQfkqjmdg.exeCaageq32.exeQpeahb32.exeBdmmeo32.exePpjbmc32.exeOmpfej32.exeMgphpe32.exeNgndaccj.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ngndaccj.exe	Ncnofeof.exe
File opened for modification	C:\Windows\SysWOW64\Bphgeo32.exe	Bhkfkmmg.exe
File opened for modification	C:\Windows\SysWOW64\Caageq32.exe	Cgifbhid.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Fmggcl32.dll	Jniood32.exe
File created	C:\Windows\SysWOW64\Aablof32.dll	Kegpifod.exe
File opened for modification	C:\Windows\SysWOW64\Bdmmeo32.exe	Agimkk32.exe
File opened for modification	C:\Windows\SysWOW64\Lggejg32.exe	Llodgnja.exe
File opened for modification	C:\Windows\SysWOW64\Apmhiq32.exe	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Ipgijcij.dll	Kofkbk32.exe
File created	C:\Windows\SysWOW64\Kofkbk32.exe	Kjgeedch.exe
File created	C:\Windows\SysWOW64\Mfnoqc32.exe	Lggejg32.exe
File created	C:\Windows\SysWOW64\Ncnofeof.exe	Mqkiok32.exe
File opened for modification	C:\Windows\SysWOW64\Lfbped32.exe	Kofkbk32.exe
File created	C:\Windows\SysWOW64\Ebcmfjll.dll	Lggejg32.exe
File created	C:\Windows\SysWOW64\Eehnaq32.dll	Bphgeo32.exe
File created	C:\Windows\SysWOW64\Hhblffgn.dll	Phfcipoo.exe
File opened for modification	C:\Windows\SysWOW64\Aagkhd32.exe	Adcjop32.exe
File created	C:\Windows\SysWOW64\Llodgnja.exe	Lfbped32.exe
File created	C:\Windows\SysWOW64\Lggejg32.exe	Llodgnja.exe
File created	C:\Windows\SysWOW64\Difebl32.dll	Mfnoqc32.exe
File opened for modification	C:\Windows\SysWOW64\Jniood32.exe	37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Cgifbhid.exe	Cpmapodj.exe
File opened for modification	C:\Windows\SysWOW64\Ompfej32.exe	Ojomcopk.exe
File created	C:\Windows\SysWOW64\Apmhiq32.exe	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Jponoqjl.dll	Oabhfg32.exe
File created	C:\Windows\SysWOW64\Agimkk32.exe	Apmhiq32.exe
File created	C:\Windows\SysWOW64\Oabhfg32.exe	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Phfcipoo.exe	Phcgcqab.exe
File created	C:\Windows\SysWOW64\Bphgeo32.exe	Bhkfkmmg.exe
File created	C:\Windows\SysWOW64\Liabph32.dll	Lfbped32.exe
File created	C:\Windows\SysWOW64\Ppjbmc32.exe	Oabhfg32.exe
File created	C:\Windows\SysWOW64\Qpeahb32.exe	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Mgphpe32.exe	Mfnoqc32.exe
File created	C:\Windows\SysWOW64\Dhphmj32.exe	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Mfnoqc32.exe	Lggejg32.exe
File opened for modification	C:\Windows\SysWOW64\Oabhfg32.exe	Ojfcdnjc.exe
File opened for modification	C:\Windows\SysWOW64\Qfkqjmdg.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Hehhjm32.dll	Phcgcqab.exe
File opened for modification	C:\Windows\SysWOW64\Adcjop32.exe	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Kegpifod.exe	Jniood32.exe
File created	C:\Windows\SysWOW64\Adfnba32.dll	Ncnofeof.exe
File created	C:\Windows\SysWOW64\Cnffoibg.dll	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Bdmmeo32.exe	Agimkk32.exe
File opened for modification	C:\Windows\SysWOW64\Bhkfkmmg.exe	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Okhbek32.dll	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Ekppjn32.dll	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Phfcipoo.exe	Phcgcqab.exe
File created	C:\Windows\SysWOW64\Mfgomdnj.dll	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Gjecbd32.dll	Bhkfkmmg.exe
File created	C:\Windows\SysWOW64\Kbmimp32.dll	Llodgnja.exe
File opened for modification	C:\Windows\SysWOW64\Phcgcqab.exe	Ppjbmc32.exe
File created	C:\Windows\SysWOW64\Pmpockdl.dll	Adcjop32.exe
File created	C:\Windows\SysWOW64\Cgifbhid.exe	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Lbpflbpa.dll	Ojomcopk.exe
File created	C:\Windows\SysWOW64\Nphihiif.dll	Ompfej32.exe
File created	C:\Windows\SysWOW64\Qfkqjmdg.exe	Phfcipoo.exe
File opened for modification	C:\Windows\SysWOW64\Dhphmj32.exe	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Kofkbk32.exe	Kjgeedch.exe
File created	C:\Windows\SysWOW64\Cfiedd32.dll	Kjgeedch.exe
File opened for modification	C:\Windows\SysWOW64\Agimkk32.exe	Apmhiq32.exe
File created	C:\Windows\SysWOW64\Mqkiok32.exe	Mgphpe32.exe
File opened for modification	C:\Windows\SysWOW64\Ojomcopk.exe	Ngndaccj.exe
File created	C:\Windows\SysWOW64\Ompfej32.exe	Ojomcopk.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4056 2168 WerFault.exe Dkqaoe32.exe

pid	pid_target	process	target process
4056	2168	WerFault.exe	Dkqaoe32.exe

Modifies registry class 64 IoCs

Processes:

Qpeahb32.exeMgphpe32.exeCpmapodj.exeAgimkk32.exeBphgeo32.exePhcgcqab.exePhfcipoo.exeAagkhd32.exe37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exeApmhiq32.exeCgifbhid.exeKofkbk32.exeMfnoqc32.exeOabhfg32.exeDhphmj32.exeQfkqjmdg.exeJniood32.exeNcnofeof.exePpjbmc32.exeLlodgnja.exeOjfcdnjc.exeOjomcopk.exeKegpifod.exeKjgeedch.exeLfbped32.exeNgndaccj.exeLggejg32.exeCaageq32.exeOmpfej32.exeMqkiok32.exeBdmmeo32.exeBhkfkmmg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kofkbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfnoqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemnff32.dll"	37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oabhfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgijcij.dll"	Kofkbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jniood32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfnba32.dll"	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmephjke.dll"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llodgnja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnffoibg.dll"	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbek32.dll"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aablof32.dll"	Kegpifod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfiedd32.dll"	Kjgeedch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfbped32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgm32.dll"	Ngndaccj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kegpifod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kegpifod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jponoqjl.dll"	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjgeedch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll"	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caageq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll"	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll"	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llodgnja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocbnhog.dll"	Mgphpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqkiok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmmeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfnoqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekppjn32.dll"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll"	Bphgeo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exeJniood32.exeKegpifod.exeKjgeedch.exeKofkbk32.exeLfbped32.exeLlodgnja.exeLggejg32.exeMfnoqc32.exeMgphpe32.exeMqkiok32.exeNcnofeof.exeNgndaccj.exeOjomcopk.exeOmpfej32.exeOjfcdnjc.exeOabhfg32.exePpjbmc32.exePhcgcqab.exePhfcipoo.exeQfkqjmdg.exeQpeahb32.exe

description	pid	process	target process
PID 3176 wrote to memory of 4944	3176	37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe	Jniood32.exe
PID 3176 wrote to memory of 4944	3176	37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe	Jniood32.exe
PID 3176 wrote to memory of 4944	3176	37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe	Jniood32.exe
PID 4944 wrote to memory of 4016	4944	Jniood32.exe	Kegpifod.exe
PID 4944 wrote to memory of 4016	4944	Jniood32.exe	Kegpifod.exe
PID 4944 wrote to memory of 4016	4944	Jniood32.exe	Kegpifod.exe
PID 4016 wrote to memory of 404	4016	Kegpifod.exe	Kjgeedch.exe
PID 4016 wrote to memory of 404	4016	Kegpifod.exe	Kjgeedch.exe
PID 4016 wrote to memory of 404	4016	Kegpifod.exe	Kjgeedch.exe
PID 404 wrote to memory of 2724	404	Kjgeedch.exe	Kofkbk32.exe
PID 404 wrote to memory of 2724	404	Kjgeedch.exe	Kofkbk32.exe
PID 404 wrote to memory of 2724	404	Kjgeedch.exe	Kofkbk32.exe
PID 2724 wrote to memory of 32	2724	Kofkbk32.exe	Lfbped32.exe
PID 2724 wrote to memory of 32	2724	Kofkbk32.exe	Lfbped32.exe
PID 2724 wrote to memory of 32	2724	Kofkbk32.exe	Lfbped32.exe
PID 32 wrote to memory of 880	32	Lfbped32.exe	Llodgnja.exe
PID 32 wrote to memory of 880	32	Lfbped32.exe	Llodgnja.exe
PID 32 wrote to memory of 880	32	Lfbped32.exe	Llodgnja.exe
PID 880 wrote to memory of 2904	880	Llodgnja.exe	Lggejg32.exe
PID 880 wrote to memory of 2904	880	Llodgnja.exe	Lggejg32.exe
PID 880 wrote to memory of 2904	880	Llodgnja.exe	Lggejg32.exe
PID 2904 wrote to memory of 1016	2904	Lggejg32.exe	Mfnoqc32.exe
PID 2904 wrote to memory of 1016	2904	Lggejg32.exe	Mfnoqc32.exe
PID 2904 wrote to memory of 1016	2904	Lggejg32.exe	Mfnoqc32.exe
PID 1016 wrote to memory of 1432	1016	Mfnoqc32.exe	Mgphpe32.exe
PID 1016 wrote to memory of 1432	1016	Mfnoqc32.exe	Mgphpe32.exe
PID 1016 wrote to memory of 1432	1016	Mfnoqc32.exe	Mgphpe32.exe
PID 1432 wrote to memory of 2884	1432	Mgphpe32.exe	Mqkiok32.exe
PID 1432 wrote to memory of 2884	1432	Mgphpe32.exe	Mqkiok32.exe
PID 1432 wrote to memory of 2884	1432	Mgphpe32.exe	Mqkiok32.exe
PID 2884 wrote to memory of 3088	2884	Mqkiok32.exe	Ncnofeof.exe
PID 2884 wrote to memory of 3088	2884	Mqkiok32.exe	Ncnofeof.exe
PID 2884 wrote to memory of 3088	2884	Mqkiok32.exe	Ncnofeof.exe
PID 3088 wrote to memory of 4304	3088	Ncnofeof.exe	Ngndaccj.exe
PID 3088 wrote to memory of 4304	3088	Ncnofeof.exe	Ngndaccj.exe
PID 3088 wrote to memory of 4304	3088	Ncnofeof.exe	Ngndaccj.exe
PID 4304 wrote to memory of 1708	4304	Ngndaccj.exe	Ojomcopk.exe
PID 4304 wrote to memory of 1708	4304	Ngndaccj.exe	Ojomcopk.exe
PID 4304 wrote to memory of 1708	4304	Ngndaccj.exe	Ojomcopk.exe
PID 1708 wrote to memory of 2124	1708	Ojomcopk.exe	Ompfej32.exe
PID 1708 wrote to memory of 2124	1708	Ojomcopk.exe	Ompfej32.exe
PID 1708 wrote to memory of 2124	1708	Ojomcopk.exe	Ompfej32.exe
PID 2124 wrote to memory of 5100	2124	Ompfej32.exe	Ojfcdnjc.exe
PID 2124 wrote to memory of 5100	2124	Ompfej32.exe	Ojfcdnjc.exe
PID 2124 wrote to memory of 5100	2124	Ompfej32.exe	Ojfcdnjc.exe
PID 5100 wrote to memory of 2356	5100	Ojfcdnjc.exe	Oabhfg32.exe
PID 5100 wrote to memory of 2356	5100	Ojfcdnjc.exe	Oabhfg32.exe
PID 5100 wrote to memory of 2356	5100	Ojfcdnjc.exe	Oabhfg32.exe
PID 2356 wrote to memory of 2728	2356	Oabhfg32.exe	Ppjbmc32.exe
PID 2356 wrote to memory of 2728	2356	Oabhfg32.exe	Ppjbmc32.exe
PID 2356 wrote to memory of 2728	2356	Oabhfg32.exe	Ppjbmc32.exe
PID 2728 wrote to memory of 4604	2728	Ppjbmc32.exe	Phcgcqab.exe
PID 2728 wrote to memory of 4604	2728	Ppjbmc32.exe	Phcgcqab.exe
PID 2728 wrote to memory of 4604	2728	Ppjbmc32.exe	Phcgcqab.exe
PID 4604 wrote to memory of 2348	4604	Phcgcqab.exe	Phfcipoo.exe
PID 4604 wrote to memory of 2348	4604	Phcgcqab.exe	Phfcipoo.exe
PID 4604 wrote to memory of 2348	4604	Phcgcqab.exe	Phfcipoo.exe
PID 2348 wrote to memory of 4040	2348	Phfcipoo.exe	Qfkqjmdg.exe
PID 2348 wrote to memory of 4040	2348	Phfcipoo.exe	Qfkqjmdg.exe
PID 2348 wrote to memory of 4040	2348	Phfcipoo.exe	Qfkqjmdg.exe
PID 4040 wrote to memory of 4496	4040	Qfkqjmdg.exe	Qpeahb32.exe
PID 4040 wrote to memory of 4496	4040	Qfkqjmdg.exe	Qpeahb32.exe
PID 4040 wrote to memory of 4496	4040	Qfkqjmdg.exe	Qpeahb32.exe
PID 4496 wrote to memory of 5056	4496	Qpeahb32.exe	Adcjop32.exe

C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\37531f1427fd1ca04ba0fdb019b7c060_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\Jniood32.exe
C:\Windows\system32\Jniood32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\Kegpifod.exe
C:\Windows\system32\Kegpifod.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\Kjgeedch.exe
C:\Windows\system32\Kjgeedch.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\Kofkbk32.exe
C:\Windows\system32\Kofkbk32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\Lfbped32.exe
C:\Windows\system32\Lfbped32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\SysWOW64\Llodgnja.exe
C:\Windows\system32\Llodgnja.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\Lggejg32.exe
C:\Windows\system32\Lggejg32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\SysWOW64\Mfnoqc32.exe
C:\Windows\system32\Mfnoqc32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\Mgphpe32.exe
C:\Windows\system32\Mgphpe32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\Mqkiok32.exe
C:\Windows\system32\Mqkiok32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\Ncnofeof.exe
C:\Windows\system32\Ncnofeof.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SysWOW64\Ngndaccj.exe
C:\Windows\system32\Ngndaccj.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\SysWOW64\Ojomcopk.exe
C:\Windows\system32\Ojomcopk.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\Ompfej32.exe
C:\Windows\system32\Ompfej32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\Ojfcdnjc.exe
C:\Windows\system32\Ojfcdnjc.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\Oabhfg32.exe
C:\Windows\system32\Oabhfg32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\Ppjbmc32.exe
C:\Windows\system32\Ppjbmc32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\Phcgcqab.exe
C:\Windows\system32\Phcgcqab.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\Phfcipoo.exe
C:\Windows\system32\Phfcipoo.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\Qfkqjmdg.exe
C:\Windows\system32\Qfkqjmdg.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\Qpeahb32.exe
C:\Windows\system32\Qpeahb32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\Adcjop32.exe
C:\Windows\system32\Adcjop32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5056

C:\Windows\SysWOW64\Aagkhd32.exe
C:\Windows\system32\Aagkhd32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1784

C:\Windows\SysWOW64\Apmhiq32.exe
C:\Windows\system32\Apmhiq32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2916

C:\Windows\SysWOW64\Agimkk32.exe
C:\Windows\system32\Agimkk32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4348

C:\Windows\SysWOW64\Bdmmeo32.exe
C:\Windows\system32\Bdmmeo32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2400

C:\Windows\SysWOW64\Bhkfkmmg.exe
C:\Windows\system32\Bhkfkmmg.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2416

C:\Windows\SysWOW64\Bphgeo32.exe
C:\Windows\system32\Bphgeo32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3220

C:\Windows\SysWOW64\Cpmapodj.exe
C:\Windows\system32\Cpmapodj.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2448

C:\Windows\SysWOW64\Cgifbhid.exe
C:\Windows\system32\Cgifbhid.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4020

C:\Windows\SysWOW64\Caageq32.exe
C:\Windows\system32\Caageq32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2132

C:\Windows\SysWOW64\Dhphmj32.exe
C:\Windows\system32\Dhphmj32.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4640

C:\Windows\SysWOW64\Dkqaoe32.exe
C:\Windows\system32\Dkqaoe32.exe
34⤵
- Executes dropped EXE
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 400
35⤵
- Program crash
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 124 -p 2168 -ip 2168
1⤵
PID:1252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:3004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aagkhd32.exe
Filesize
163KB

MD5
1e9ce22b33473cc4b8856889f3354dc8

SHA1
8e0269e4be719a08847add5504d6fb978a85ca6b

SHA256
32c70271a8b5e7f604d31c29719010dc3fd4192824bacb7dfe269505a023ceac

SHA512
c45f3b29a75281f05ff436740537d60570e524c46645962cf4883751b85cb79a18292aaced255f7c228e0ea23db336781d0cecb05edbdad40d6e65008e8f502e

Download Submit
C:\Windows\SysWOW64\Adcjop32.exe
Filesize
163KB

MD5
29724dd2e1b03076aeffd95226dc1ead

SHA1
33477a9d60ba21622c33baab45d48af259d97bbd

SHA256
281795cdf7bec73056165a45d35a8d2ad1ce4e982e0857bc695ac60062f024df

SHA512
6bc9c37035c03858b6f6cac1a614524fe79fab2d353cece4740e19436da9ffc20c0a05f909bbe2283eebbacee373265d4f031f637e93c75b347c578e8baeaca4

Download Submit
C:\Windows\SysWOW64\Agimkk32.exe
Filesize
163KB

MD5
0175fabddf42227b235129281360389f

SHA1
32a7a9719c43fd1669a689c41e8304933861141b

SHA256
8ead895f2f4f113ba4014108b434de7c96434c52c279bef0c631441d432c3868

SHA512
510a60148e194ac3314dc346e6b4931fd82953f6835371aad0ccf76dcb009c48b9d645ecdb9b8a3459a13e093813f4bf20f5cea2e7d7d3be4019ae1d9cdd8757

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe
Filesize
163KB

MD5
aeb468513c31939f3e46b1f8cc77c404

SHA1
5cb3370db66e7cc3d203c8781e41a0c83a0da829

SHA256
c4b58f1cf645a80a5ebfa6a4eee2a2351a58da111d074e9432941070e24e7a49

SHA512
1c3f61b9280454500589c730db8d93d48414d7912572978538878af907e1a547098fc0b9bd3f83867c487e3a62b6832abd394fb2f450cfce280cad527fd19ddf

Download Submit
C:\Windows\SysWOW64\Bdmmeo32.exe
Filesize
163KB

MD5
ce889e86769a824a05effc58dbe17123

SHA1
8977bda2418d2aeb2cdda4826dfd8b687cf91fa0

SHA256
e25fa9cc23de5b83583997dd655cd96ef5378547b3b9f06e2a968c467fdc30a5

SHA512
2abf358e23a1bf6858333b9dba3abe4e4e81daf31c2dbac969fbb5c32794030bb4e8ef60eb27ab88353c6b782cb98be3438f1c8cb4b1f4a04eaacfda14ce0bd2

Download Submit
C:\Windows\SysWOW64\Bhkfkmmg.exe
Filesize
163KB

MD5
4e157e3bee84a3261e64db0c8d1dd2a7

SHA1
04db357d99f987040c80a7c71fd49dfdfc3d935c

SHA256
a46d6f6f4da648c31afb108ef48ecd577c32561811d6f83907b0ac80984b1033

SHA512
484e4897a4833d98f95b6488135d107f69b46b1432c50981272bf04d961d9b6aa971839e9b5ff2b8f00f80bf4f40aeda147da65c122671b2276784dbcd1e2b22

Download Submit
C:\Windows\SysWOW64\Bphgeo32.exe
Filesize
163KB

MD5
6bf452212e09d98ef0d8594976b6912c

SHA1
eb94cf9d8b988e5710be2264f13e15036bbd4c1b

SHA256
abe1b4e0212b1a37883408ebe574deb2bca055dc65709144a2f5e3665f16b952

SHA512
45d4e5572a634e720baea477512ed72c641a73ae7a237653646c799fe87185c49126622d510cee9679e5e7b939d934806e15174ff1953e7892516379e8924faf

Download Submit
C:\Windows\SysWOW64\Caageq32.exe
Filesize
163KB

MD5
8ba2a4f7548554bc4b1a889a03c1f390

SHA1
54671d58a567e247d43256bc657893f96d48209c

SHA256
88441ac4f92ebc761404eecb61591dcfb7904eb89976409c7befd7791308c8f9

SHA512
8898be261f914f2d995cccd84afeeb9850d91e47602a7919b1217df462cd441542d342b016d54c940e70bbc9ead8b5e7a2a4f8cfea9748535c4752c75a80cad9

Download Submit
C:\Windows\SysWOW64\Cgifbhid.exe
Filesize
163KB

MD5
6cccf81dd4eec17aefe79dc89831fce6

SHA1
d6c37c1f60b4e83cc456c79c00a4e588c6a232b2

SHA256
b54e5879b6c0d18fd4a3a79476c5ebbfb32f388d93bf52d73bb752750bdcc831

SHA512
9a7c128d8d7a494e7caa0d8611ec5e8f421ff2eeab37338cc4c02498f09c790f7178eee9058c8a6fb71da0a3ac3b29dd54efb8d2700fbf6c2a5a1eb9bea758c6

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe
Filesize
163KB

MD5
471e6f8614a4bc93611d9b0fab194660

SHA1
3b0ec92d46945697993d96257aad9079a4bdb5ea

SHA256
7a47fffd0eb8dceb0077592c450434c698fcd7d3de88e81b440e68c988148e85

SHA512
739f7ad2bb110f58421d96767175e8802ab5c377f1fbd69fb8adaeae16ef186c41313dc0d412f38246d5155e25a65f5c7c3889921772069f3123607137d63cd5

Download Submit
C:\Windows\SysWOW64\Dhphmj32.exe
Filesize
163KB

MD5
c2bf37555da2cccd78b9e8f970531ac4

SHA1
d8a7dfb0a846e6882158b59d752ebafcf4038cfc

SHA256
948a7dc386d4f267f616d22bc650b4eb37322c871a7e9074c9bfe74728d45025

SHA512
d7a0f139550864bc82bc1bbb00aaa597cf4fc01d640deba1d7b4382438cd1a9c1032951d3e1c3701f7f0d40e05ffc60c68a450872b61bb009b5fc448c1185309

Download Submit
C:\Windows\SysWOW64\Jniood32.exe
Filesize
163KB

MD5
2e0efb17ea84d274acc5581b5568aa7a

SHA1
459388c0c51ce5ab39e7dc2a72dab8f157780608

SHA256
6b89682610d8e6bb0b3714f7fd9db7828c2d05e1ab595193f9a0b54c5fa56332

SHA512
a21e28a6bb1b38f578c38c336c6190cdc3e8a46741bc3fc584bc8df4303fa7004074a7e7ecc5086c2015ad73fb0e96ae49da03879cf35cf0037fc8731c86b1d7

Download Submit
C:\Windows\SysWOW64\Kegpifod.exe
Filesize
163KB

MD5
c9b64111593ff5eaf059e7358bb0ccbb

SHA1
b830c309f4a09dc6066bed18334690d780b5c0db

SHA256
18bb5d0d97ccf08d6b341bb0449015bf3eec37a0074dc5085c1f237ad8d2ac06

SHA512
2b3c475a2e45a5a93cbf8dc5ec258f383ffab5af246232d5273614e4add5a0238efe6c9e3cf5cc2291fbc65926222bbd50bc189cc53a96758d001c6858a35ae8

Download Submit
C:\Windows\SysWOW64\Kjgeedch.exe
Filesize
64KB

MD5
d9ac596b3634aa8b16ad2824bcb270fc

SHA1
a19005579a62826815d1d1ed4d1bc7f9c8c10c7e

SHA256
e43a7c5c2092bc0d6521f82084c8433cf7b8fea964b785e1015e6de53b3805a3

SHA512
81558907da848174f5ab03976321baeb97dd917c02b4165723bcb435d2518d75c915fd0215ee70863a010068595241be77215d42309647f5aec06fc6dfbd6af7

Download Submit
C:\Windows\SysWOW64\Kjgeedch.exe
Filesize
163KB

MD5
572757ec7576a9e112a5c3ffb0fde2ef

SHA1
7691e309771995319421808c0884195c95ead2f7

SHA256
9db554b48d881943cda1dc97ab5ba8096240168a7d6bfc933059271967003076

SHA512
0416c08b5df1e2c61ae9a86ae539f6fd9d68c2b034512a211fc7fc5f9ab8762968b5b75abc05eecb569d6d015eba4062c2b1222ae4bd3e34506b265800675b81

Download Submit
C:\Windows\SysWOW64\Kofkbk32.exe
Filesize
163KB

MD5
31c77b84682d651ac9c9ab964e65602b

SHA1
ce9409b2b65789f06d39d93a7235f6204eb060e7

SHA256
7b817982dc2b36919937cd60f1e8b407b3d983a152a376cc8d80a4d27fd7f07a

SHA512
f8e2c3459633f600679e41e6d2f3ff48c37b3afd2fb097c8ba9d7185da0efe7369cde759e677762dbd0fac24630bc43d3243ec8212ef5146ff35995442995f71

Download Submit
C:\Windows\SysWOW64\Lfbped32.exe
Filesize
163KB

MD5
e3f1502ef372bc42ca7b7709d6d05e51

SHA1
ae370b859637a84eb1fd003f69f75a5997092b09

SHA256
e0cb2da5b924e99fafc309622c72f6f46867108ca59663b8758900f106e32acf

SHA512
b7001d3d58edabe95d361c1315706e826d057038d06a56f7535ddb75640ba67e9686af1d66d6c1a409b58a2ce7db80741333fca0ae3a42fece6339dca30e96b8

Download Submit
C:\Windows\SysWOW64\Lggejg32.exe
Filesize
163KB

MD5
98e8faab66b03f64d2fe3c759a285a5c

SHA1
6c0ce8258d0303bf8ab82257e135752efefdacc8

SHA256
b3ac1ca54c0dc636024cec4dc7f32b7a341d741b7a7adf4cb662d2463beb6a28

SHA512
1aea47e6684367b24d1ed145c1f73bdedb095927435ac0c123ed2a9854d39422cf67bcd1b5c4bfaf34f27d0b873ea3579690208abb7e3b8c699e84956f3a1822

Download Submit
C:\Windows\SysWOW64\Llodgnja.exe
Filesize
163KB

MD5
7bcb9c8b99ffad4d2632f0307b5934be

SHA1
4c2276913bc1ff9a4ebb657d4e2fa16b3f7dee64

SHA256
41f40a10b329a606082ab50b1d7bddbb0a0270d81c60d346c9d06830245bbfe8

SHA512
11b6cf2b38f3e30404d51b03d353bea34642817b22e76b561c4198e71130cea65fa261e0a8dcbc63b75466c584882320f08bf14dc759793fd5ba54920686b65c

Download Submit
C:\Windows\SysWOW64\Mfnoqc32.exe
Filesize
163KB

MD5
fafa988d54b9d9e6d7da644a1b25a824

SHA1
4ec326546a78352a2e765f4917ffbede881335ad

SHA256
099a9f76a6d539fd0335ac5dba460d217ad68d584a8eb624dfef17de3cbb0d28

SHA512
d0ec17daa238db01415838b4bcf77b3ab777364b3256f128153e1a3f46d8ef9b5ec0fc5b6839392f5f8f7fb1efa5c6f54e7bfcc79e9825e72f5fb13c95d3d603

Download Submit
C:\Windows\SysWOW64\Mgphpe32.exe
Filesize
163KB

MD5
b555a6a1846b8801f18ba15501454deb

SHA1
0a6669111421b8d171920ff9848300a91c8fab13

SHA256
9a3c8f49a17dbeee503f7fdcc8696d8ff8217b070610e1bce523e046e959f361

SHA512
6844aa4e1b1d58cac60a96f791edd45e228fc7ae067a4e3f591a649921e359a8320d91137dd902d34c023be3608a7e9d2df898c8f4f779f2b0af30c5acc7f2c6

Download Submit
C:\Windows\SysWOW64\Mqkiok32.exe
Filesize
163KB

MD5
6e07ba17d90198364606162a36f068d4

SHA1
42d2ea10b2dab5e26556a9bbf46eca4eeffafb5e

SHA256
1e80ec8dc6b530fb6235ce33715c52c3fb0fe5aaea306bb744d721ea8d76375f

SHA512
24605aa22f0d4c663ec846d63b515cd951d0d2b28a7972dfa5fe2d5f3d601d1124fde738230651e8babd1d53b42a7ad59d16843cc7f8d86ce266e6857847dec7

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe
Filesize
163KB

MD5
2cd3325b1c9ac4cb7549035b63786166

SHA1
503f50f8d7603beb6aede37b0a5f147a9ca99bec

SHA256
512f8778765844975c134702ad93671265d6c014d446da848d0a854a181304d5

SHA512
d54a0c529ef6b006bd0542c53471d11f1780cc802e97712e7ee9f6876aef2021a536b65239b1c9d907be473e55feafc574924ca848f10f4438b3736a050c1af6

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe
Filesize
163KB

MD5
31992000aac1dbd6c44bc7bc5289ac56

SHA1
a039f53c55624d48ff420ad339d02885cab373e6

SHA256
f2c8b6ac8f3ef34bb6a80cb863ae1b4aa472b7f000c88de3a5f19941e52d76e5

SHA512
b57fcf297c2a62f360208668f8a18a65f857400c1fb8a495613631264aab16a7cfb4fb2bacd51949be0a71870640e15b6f67859c6107805359b6f0d812aac3b1

Download Submit
C:\Windows\SysWOW64\Oabhfg32.exe
Filesize
163KB

MD5
79c093c46c2388278d5fd75db87b3de6

SHA1
e1320b025d2aaed0fc0fd182c951b25f55ed29e3

SHA256
9f1b9a72b90a9433f5d605eedafe48cd958a2fc37c2f8ad0c73ff6ccd9e7a2c3

SHA512
f3e16d936e989e8c8c8e6f11941d924fc24ce10ebae2a597ed5cd73008817ea212007e9d6f314040c7881352d3cab0db03b3b3f7b0658d29c37f8439cf5d5936

Download Submit
C:\Windows\SysWOW64\Ojfcdnjc.exe
Filesize
163KB

MD5
b2fc5f1c46f2d5dd903f21ff83ebb7a0

SHA1
352893cb7167f8e6b6daa43d3fe46d115b619dc1

SHA256
6b04ee75421e734189dc43efcbbf1e721c9a710aefc4f46b89bd570d3f2932f2

SHA512
85f3f45b336d09b4de175207371c12a00a997acb5ceb1f2daa80f274f7643071f9ffcb60940abec85d1eb25a50cd77e80566fa4e3a15b61009193ae6040aec74

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe
Filesize
163KB

MD5
41d3542b18d662841bd083af7cbf056f

SHA1
7989b7ceb9bf9281069585c978d3528249758cc6

SHA256
4a1c2cf4434625570b84c7194e27e4daf72320a9b76f655bd15137220a8d69bd

SHA512
b174f82702ce4a78a7b2bcae4c37af9fdb2f50c91152771a0c2fa153005dc683e4aa59e5a566acd22b5c5cd7bd73a52457d7c47c5c8865bcc61157d74faa9030

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe
Filesize
163KB

MD5
3d1ee23f412c47fea2e7563355110f54

SHA1
fbae44c9c0489e6a657773856be6f8a93177b4a1

SHA256
421f0262cdaf60af62d5d657730846f7fd9c6191cdc6403506f85ea890e347ba

SHA512
573a562eadbada5c106731877dfe3bc7ec0fee767c39f3e92975fba15d69affbca14160896238ce6a116a965f00262be0842ab7adf57b0d064689693a817accd

Download Submit
C:\Windows\SysWOW64\Phcgcqab.exe
Filesize
163KB

MD5
6923dfd67434ccb4d6c70f9f80089a59

SHA1
217a77eb6f5402ab1d1f298fef4ad0e839755217

SHA256
e486d3a3a2e62d82032f374fe808832d0b9d6bfb9e04d0f20659e78fd62908b1

SHA512
4cece493317fcfc8b9f0ad14135907ea1019e5ec413448598852551729435fc4fd1bad4429bcec5cc28fffe439a3078c0363ed1ee139694a9fc310790fed6839

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe
Filesize
163KB

MD5
29defcba2de0e37d95b7690acca91081

SHA1
91bbb78619e3183f41c194aa18542fd958092746

SHA256
be20ed4569b424c48f5b5deffefe7a142003dea419f8a8265af8466c3f21024e

SHA512
ed18a646952964226d4a89d6048145f850b100c1181a8a189c896dae11214f2c0540c1d551a23293f0c86f019ea5e61375e701d0444c740905d42712607d9c18

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe
Filesize
163KB

MD5
a2a0ee18f2475e1adea5e39a3c73459e

SHA1
71244d2b07d5edb8df4eae7557f69908947efbb2

SHA256
8fb6529b17561d172dbcdff04c93dd3e3137b6078ca5d7477d1172a77a346b2a

SHA512
73ed26499101e83f1a30a672c90dd29ca2ea8424dccb1fa044ede2f54f782f7a5e34ae414735514692c86c373900b28800e2a686f00b651bca9bf1b2f2d5d5d5

Download Submit
C:\Windows\SysWOW64\Qfkqjmdg.exe
Filesize
163KB

MD5
1bfa5fc85f2632ddf8ee69b8170a0a9e

SHA1
4160d536c45e43928ead6b3e22945734ef43cf7c

SHA256
1fefbefa2930ebd96f76818fc42f98f59e0ebd81a5f42748879b6a234de12966

SHA512
3a8b869a9f604cf53dc34d4948958e3c7e91eedc442af7d9ef642b2db07ad9906699d16a036417549a64824763ff042429d0d259691c3c4334939805cc2f09d6

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe
Filesize
163KB

MD5
46e1119548f8dc0301107970bde1a7a5

SHA1
3613aac161256064dbe145b99dbcfac12747534f

SHA256
6b7b2506c50580c403a6a0e64b6a05b404c4944268150e071f768ee6f4ab6722

SHA512
77df3687ec2ca9aff15bf6825f5375bffb9a28517650249fae1c78ec77f3e42980b73b591074241b377169447f19ed1a4b9d1cf987ddaa5ac581398d2e0ed142

Download Submit
memory/32-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/32-327-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/404-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/404-331-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/880-325-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/880-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1016-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1016-321-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1432-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1432-319-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1708-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1708-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1784-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1784-291-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-309-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2132-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2132-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2168-271-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2168-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2348-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2348-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2356-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2356-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2400-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2400-286-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-216-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-283-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2448-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2448-282-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2724-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2724-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2728-303-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2728-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2884-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2884-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2904-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2904-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2916-289-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2916-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3088-315-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3088-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3176-337-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3176-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3176-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3220-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3220-280-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4016-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4016-333-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4020-277-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4020-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4040-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4040-297-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4304-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4304-313-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4348-201-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4348-288-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4496-295-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4496-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4604-301-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4604-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4640-273-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4640-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4944-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4944-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5056-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5056-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5100-307-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5100-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download