5a707d7479868b07998e3072afb95c20f366ef59c83f6ce5f062d1e564fc4469

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exe
Size

50KB
MD5

4e13c0cb056e9a89619287c3bfbdd9d0
SHA1

552b2ff458f95b3028e635e1ad45788a172de1aa
SHA256

5a707d7479868b07998e3072afb95c20f366ef59c83f6ce5f062d1e564fc4469
SHA512

9b46daff860bd353a4e5e0176b5235d2e5012aebd5ae8b2f2abe7b4e8576a9b5f5c74e77aa3351fed6a752f9ab10d231b3dacc407c24c53a0e116198533166a3
SSDEEP

768:y0AY46qWWDSTUSQBO+Y0ppmlBl3zDyKKvHRnTOVKnJ1XHxQa/1H5eA:y0//qW4SYfYqpmlBxnzOnK0XXRt5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Emhlfmgj.exeFckjalhj.exeGejcjbah.exeGmgdddmq.exeHlakpp32.exeEfppoc32.exeEajaoq32.exeFehjeo32.exeFnpnndgp.exeGlaoalkh.exeHnagjbdf.exeIeqeidnl.exeFnbkddem.exeFjlhneio.exeFmjejphb.exeHacmcfge.exeEjbfhfaj.exeFilldb32.exeHgilchkf.exeHodpgjha.exeHenidd32.exeEiomkn32.exeFfkcbgek.exeGgpimica.exeHmlnoc32.exeInljnfkg.exeFddmgjpo.exeHknach32.exeIhoafpmp.exeIcbimi32.exeEpfhbign.exeGpknlk32.exeHpapln32.exe4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exeFacdeo32.exeIdceea32.exeHogmmjfo.exeGelppaof.exeGdopkn32.exeHggomh32.exeHhjhkq32.exeEgdilkbf.exeGaemjbcg.exeEihfjo32.exeFeeiob32.exeGopkmhjk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckjalhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnpnndgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiomkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epfhbign.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Facdeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egdilkbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggpimica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eihfjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glaoalkh.exe

Executes dropped EXE 64 IoCs

Processes:

Eihfjo32.exeEbpkce32.exeEpdkli32.exeEbbgid32.exeEmhlfmgj.exeEpfhbign.exeEfppoc32.exeEiomkn32.exeEnkece32.exeEajaoq32.exeEgdilkbf.exeEjbfhfaj.exeFehjeo32.exeFckjalhj.exeFnpnndgp.exeFejgko32.exeFfkcbgek.exeFnbkddem.exeFmekoalh.exeFaagpp32.exeFfnphf32.exeFilldb32.exeFacdeo32.exeFpfdalii.exeFjlhneio.exeFmjejphb.exeFddmgjpo.exeFeeiob32.exeGpknlk32.exeGbijhg32.exeGlaoalkh.exeGopkmhjk.exeGejcjbah.exeGhhofmql.exeGelppaof.exeGdopkn32.exeGmgdddmq.exeGgpimica.exeGaemjbcg.exeGphmeo32.exeHknach32.exeHmlnoc32.exeHahjpbad.exeHnojdcfi.exeHlakpp32.exeHckcmjep.exeHggomh32.exeHnagjbdf.exeHgilchkf.exeHjhhocjj.exeHhjhkq32.exeHpapln32.exeHodpgjha.exeHacmcfge.exeHenidd32.exeHjjddchg.exeHhmepp32.exeHogmmjfo.exeIcbimi32.exeIeqeidnl.exeIdceea32.exeIhoafpmp.exeIknnbklc.exeInljnfkg.exe

pid	process
2488	Eihfjo32.exe
2748	Ebpkce32.exe
2228	Epdkli32.exe
2900	Ebbgid32.exe
2684	Emhlfmgj.exe
2584	Epfhbign.exe
3036	Efppoc32.exe
2876	Eiomkn32.exe
2560	Enkece32.exe
1136	Eajaoq32.exe
1304	Egdilkbf.exe
2276	Ejbfhfaj.exe
332	Fehjeo32.exe
2308	Fckjalhj.exe
1088	Fnpnndgp.exe
2192	Fejgko32.exe
2232	Ffkcbgek.exe
1504	Fnbkddem.exe
2304	Fmekoalh.exe
444	Faagpp32.exe
1724	Ffnphf32.exe
1652	Filldb32.exe
1988	Facdeo32.exe
1272	Fpfdalii.exe
1036	Fjlhneio.exe
1996	Fmjejphb.exe
2400	Fddmgjpo.exe
2648	Feeiob32.exe
1948	Gpknlk32.exe
2784	Gbijhg32.exe
2548	Glaoalkh.exe
2552	Gopkmhjk.exe
1296	Gejcjbah.exe
2856	Ghhofmql.exe
2984	Gelppaof.exe
1976	Gdopkn32.exe
2180	Gmgdddmq.exe
1676	Ggpimica.exe
320	Gaemjbcg.exe
1000	Gphmeo32.exe
636	Hknach32.exe
2108	Hmlnoc32.exe
2620	Hahjpbad.exe
2044	Hnojdcfi.exe
1112	Hlakpp32.exe
712	Hckcmjep.exe
1792	Hggomh32.exe
2924	Hnagjbdf.exe
1052	Hgilchkf.exe
2356	Hjhhocjj.exe
1276	Hhjhkq32.exe
2768	Hpapln32.exe
2812	Hodpgjha.exe
2776	Hacmcfge.exe
2428	Henidd32.exe
2124	Hjjddchg.exe
2988	Hhmepp32.exe
1032	Hogmmjfo.exe
2208	Icbimi32.exe
2580	Ieqeidnl.exe
1108	Idceea32.exe
1548	Ihoafpmp.exe
2252	Iknnbklc.exe
2820	Inljnfkg.exe

Loads dropped DLL 64 IoCs

Processes:

4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exeEihfjo32.exeEbpkce32.exeEpdkli32.exeEbbgid32.exeEmhlfmgj.exeEpfhbign.exeEfppoc32.exeEiomkn32.exeEnkece32.exeEajaoq32.exeEgdilkbf.exeEjbfhfaj.exeFehjeo32.exeFckjalhj.exeFnpnndgp.exeFejgko32.exeFfkcbgek.exeFnbkddem.exeFmekoalh.exeFaagpp32.exeFfnphf32.exeFilldb32.exeFacdeo32.exeFpfdalii.exeFjlhneio.exeFmjejphb.exeFddmgjpo.exeFeeiob32.exeGpknlk32.exeGbijhg32.exeGlaoalkh.exe

pid	process
2156	4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exe
2156	4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exe
2488	Eihfjo32.exe
2488	Eihfjo32.exe
2748	Ebpkce32.exe
2748	Ebpkce32.exe
2228	Epdkli32.exe
2228	Epdkli32.exe
2900	Ebbgid32.exe
2900	Ebbgid32.exe
2684	Emhlfmgj.exe
2684	Emhlfmgj.exe
2584	Epfhbign.exe
2584	Epfhbign.exe
3036	Efppoc32.exe
3036	Efppoc32.exe
2876	Eiomkn32.exe
2876	Eiomkn32.exe
2560	Enkece32.exe
2560	Enkece32.exe
1136	Eajaoq32.exe
1136	Eajaoq32.exe
1304	Egdilkbf.exe
1304	Egdilkbf.exe
2276	Ejbfhfaj.exe
2276	Ejbfhfaj.exe
332	Fehjeo32.exe
332	Fehjeo32.exe
2308	Fckjalhj.exe
2308	Fckjalhj.exe
1088	Fnpnndgp.exe
1088	Fnpnndgp.exe
2192	Fejgko32.exe
2192	Fejgko32.exe
2232	Ffkcbgek.exe
2232	Ffkcbgek.exe
1504	Fnbkddem.exe
1504	Fnbkddem.exe
2304	Fmekoalh.exe
2304	Fmekoalh.exe
444	Faagpp32.exe
444	Faagpp32.exe
1724	Ffnphf32.exe
1724	Ffnphf32.exe
1652	Filldb32.exe
1652	Filldb32.exe
1988	Facdeo32.exe
1988	Facdeo32.exe
1272	Fpfdalii.exe
1272	Fpfdalii.exe
1036	Fjlhneio.exe
1036	Fjlhneio.exe
1996	Fmjejphb.exe
1996	Fmjejphb.exe
2400	Fddmgjpo.exe
2400	Fddmgjpo.exe
2648	Feeiob32.exe
2648	Feeiob32.exe
1948	Gpknlk32.exe
1948	Gpknlk32.exe
2784	Gbijhg32.exe
2784	Gbijhg32.exe
2548	Glaoalkh.exe
2548	Glaoalkh.exe

Drops file in System32 directory 64 IoCs

Processes:

Hlakpp32.exeIcbimi32.exeFckjalhj.exeGphmeo32.exeFacdeo32.exeHhjhkq32.exeHhmepp32.exeFfkcbgek.exeIdceea32.exeHjjddchg.exeFnbkddem.exeFmekoalh.exeHnagjbdf.exeEpfhbign.exeFddmgjpo.exeHckcmjep.exeEajaoq32.exeGgpimica.exeHacmcfge.exeIhoafpmp.exeHnojdcfi.exeHpapln32.exeHodpgjha.exeHenidd32.exeInljnfkg.exe4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exeGhhofmql.exeEbbgid32.exeFpfdalii.exeFilldb32.exeHknach32.exeHjhhocjj.exeGpknlk32.exeGopkmhjk.exeFnpnndgp.exeHogmmjfo.exeIeqeidnl.exeFaagpp32.exeGejcjbah.exeEiomkn32.exeGbijhg32.exeHggomh32.exeFeeiob32.exeFfnphf32.exeEjbfhfaj.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Icbimi32.exe
File created	C:\Windows\SysWOW64\Fnpnndgp.exe	Fckjalhj.exe
File opened for modification	C:\Windows\SysWOW64\Hknach32.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Ohbepi32.dll	Facdeo32.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Fnbkddem.exe	Ffkcbgek.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hjjddchg.exe
File opened for modification	C:\Windows\SysWOW64\Fmekoalh.exe	Fnbkddem.exe
File opened for modification	C:\Windows\SysWOW64\Faagpp32.exe	Fmekoalh.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Hgilchkf.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Efppoc32.exe	Epfhbign.exe
File opened for modification	C:\Windows\SysWOW64\Feeiob32.exe	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Midahn32.dll	Eajaoq32.exe
File created	C:\Windows\SysWOW64\Jmloladn.dll	Fckjalhj.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Kifjcn32.dll	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Hlakpp32.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Inljnfkg.exe
File created	C:\Windows\SysWOW64\Eihfjo32.exe	4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Gelppaof.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Gcaciakh.dll	Ggpimica.exe
File created	C:\Windows\SysWOW64\Emhlfmgj.exe	Ebbgid32.exe
File created	C:\Windows\SysWOW64\Fjlhneio.exe	Fpfdalii.exe
File created	C:\Windows\SysWOW64\Fclomp32.dll	4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Facdeo32.exe	Filldb32.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Lnnhje32.dll	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Gejcjbah.exe	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Fejgko32.exe	Fnpnndgp.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Ffnphf32.exe	Faagpp32.exe
File created	C:\Windows\SysWOW64\Ghhofmql.exe	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Hknach32.exe
File created	C:\Windows\SysWOW64\Qdcbfq32.dll	Fnpnndgp.exe
File created	C:\Windows\SysWOW64\Pabakh32.dll	Ghhofmql.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Lbidmekh.dll	Eiomkn32.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Addnil32.dll	Gbijhg32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Hogmmjfo.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Kgcampld.dll	Ebbgid32.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Dhggeddb.dll	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Aloeodfi.dll	Fpfdalii.exe
File created	C:\Windows\SysWOW64\Fehjeo32.exe	Ejbfhfaj.exe
File created	C:\Windows\SysWOW64\Ongbcmlc.dll	Fnbkddem.exe
File opened for modification	C:\Windows\SysWOW64\Enkece32.exe	Eiomkn32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2028 2140 WerFault.exe Iagfoe32.exe

pid	pid_target	process	target process
2028	2140	WerFault.exe	Iagfoe32.exe

Modifies registry class 64 IoCs

Processes:

Ffkcbgek.exeEihfjo32.exeEajaoq32.exeGpknlk32.exeGgpimica.exeEbpkce32.exeFaagpp32.exeFpfdalii.exeHmlnoc32.exeHlakpp32.exeGhhofmql.exeHknach32.exeHogmmjfo.exeIeqeidnl.exe4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exeFnpnndgp.exeIhoafpmp.exeEpfhbign.exeFejgko32.exeFeeiob32.exeHenidd32.exeFjlhneio.exeIcbimi32.exeGejcjbah.exeHjhhocjj.exeHhmepp32.exeEfppoc32.exeEnkece32.exeHahjpbad.exeIknnbklc.exeGbijhg32.exeEpdkli32.exeFmekoalh.exeGopkmhjk.exeGaemjbcg.exeFnbkddem.exeHnojdcfi.exeHckcmjep.exeFfnphf32.exeHhjhkq32.exeEjbfhfaj.exeHpapln32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll"	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdoik32.dll"	Eihfjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midahn32.dll"	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggpimica.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebpkce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffkcbgek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll"	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll"	Ebpkce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll"	Fnpnndgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbolehjh.dll"	Epfhbign.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fejgko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegiig32.dll"	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakqnc32.dll"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efppoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enkece32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebpkce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epdkli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll"	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll"	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll"	Ejbfhfaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpfdalii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enkece32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll"	Fejgko32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2156 wrote to memory of 2488	2156	4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exe	Eihfjo32.exe
PID 2156 wrote to memory of 2488	2156	4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exe	Eihfjo32.exe
PID 2156 wrote to memory of 2488	2156	4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exe	Eihfjo32.exe
PID 2156 wrote to memory of 2488	2156	4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exe	Eihfjo32.exe
PID 2488 wrote to memory of 2748	2488	Eihfjo32.exe	Ebpkce32.exe
PID 2488 wrote to memory of 2748	2488	Eihfjo32.exe	Ebpkce32.exe
PID 2488 wrote to memory of 2748	2488	Eihfjo32.exe	Ebpkce32.exe
PID 2488 wrote to memory of 2748	2488	Eihfjo32.exe	Ebpkce32.exe
PID 2748 wrote to memory of 2228	2748	Ebpkce32.exe	Epdkli32.exe
PID 2748 wrote to memory of 2228	2748	Ebpkce32.exe	Epdkli32.exe
PID 2748 wrote to memory of 2228	2748	Ebpkce32.exe	Epdkli32.exe
PID 2748 wrote to memory of 2228	2748	Ebpkce32.exe	Epdkli32.exe
PID 2228 wrote to memory of 2900	2228	Epdkli32.exe	Ebbgid32.exe
PID 2228 wrote to memory of 2900	2228	Epdkli32.exe	Ebbgid32.exe
PID 2228 wrote to memory of 2900	2228	Epdkli32.exe	Ebbgid32.exe
PID 2228 wrote to memory of 2900	2228	Epdkli32.exe	Ebbgid32.exe
PID 2900 wrote to memory of 2684	2900	Ebbgid32.exe	Emhlfmgj.exe
PID 2900 wrote to memory of 2684	2900	Ebbgid32.exe	Emhlfmgj.exe
PID 2900 wrote to memory of 2684	2900	Ebbgid32.exe	Emhlfmgj.exe
PID 2900 wrote to memory of 2684	2900	Ebbgid32.exe	Emhlfmgj.exe
PID 2684 wrote to memory of 2584	2684	Emhlfmgj.exe	Epfhbign.exe
PID 2684 wrote to memory of 2584	2684	Emhlfmgj.exe	Epfhbign.exe
PID 2684 wrote to memory of 2584	2684	Emhlfmgj.exe	Epfhbign.exe
PID 2684 wrote to memory of 2584	2684	Emhlfmgj.exe	Epfhbign.exe
PID 2584 wrote to memory of 3036	2584	Epfhbign.exe	Efppoc32.exe
PID 2584 wrote to memory of 3036	2584	Epfhbign.exe	Efppoc32.exe
PID 2584 wrote to memory of 3036	2584	Epfhbign.exe	Efppoc32.exe
PID 2584 wrote to memory of 3036	2584	Epfhbign.exe	Efppoc32.exe
PID 3036 wrote to memory of 2876	3036	Efppoc32.exe	Eiomkn32.exe
PID 3036 wrote to memory of 2876	3036	Efppoc32.exe	Eiomkn32.exe
PID 3036 wrote to memory of 2876	3036	Efppoc32.exe	Eiomkn32.exe
PID 3036 wrote to memory of 2876	3036	Efppoc32.exe	Eiomkn32.exe
PID 2876 wrote to memory of 2560	2876	Eiomkn32.exe	Enkece32.exe
PID 2876 wrote to memory of 2560	2876	Eiomkn32.exe	Enkece32.exe
PID 2876 wrote to memory of 2560	2876	Eiomkn32.exe	Enkece32.exe
PID 2876 wrote to memory of 2560	2876	Eiomkn32.exe	Enkece32.exe
PID 2560 wrote to memory of 1136	2560	Enkece32.exe	Eajaoq32.exe
PID 2560 wrote to memory of 1136	2560	Enkece32.exe	Eajaoq32.exe
PID 2560 wrote to memory of 1136	2560	Enkece32.exe	Eajaoq32.exe
PID 2560 wrote to memory of 1136	2560	Enkece32.exe	Eajaoq32.exe
PID 1136 wrote to memory of 1304	1136	Eajaoq32.exe	Egdilkbf.exe
PID 1136 wrote to memory of 1304	1136	Eajaoq32.exe	Egdilkbf.exe
PID 1136 wrote to memory of 1304	1136	Eajaoq32.exe	Egdilkbf.exe
PID 1136 wrote to memory of 1304	1136	Eajaoq32.exe	Egdilkbf.exe
PID 1304 wrote to memory of 2276	1304	Egdilkbf.exe	Ejbfhfaj.exe
PID 1304 wrote to memory of 2276	1304	Egdilkbf.exe	Ejbfhfaj.exe
PID 1304 wrote to memory of 2276	1304	Egdilkbf.exe	Ejbfhfaj.exe
PID 1304 wrote to memory of 2276	1304	Egdilkbf.exe	Ejbfhfaj.exe
PID 2276 wrote to memory of 332	2276	Ejbfhfaj.exe	Fehjeo32.exe
PID 2276 wrote to memory of 332	2276	Ejbfhfaj.exe	Fehjeo32.exe
PID 2276 wrote to memory of 332	2276	Ejbfhfaj.exe	Fehjeo32.exe
PID 2276 wrote to memory of 332	2276	Ejbfhfaj.exe	Fehjeo32.exe
PID 332 wrote to memory of 2308	332	Fehjeo32.exe	Fckjalhj.exe
PID 332 wrote to memory of 2308	332	Fehjeo32.exe	Fckjalhj.exe
PID 332 wrote to memory of 2308	332	Fehjeo32.exe	Fckjalhj.exe
PID 332 wrote to memory of 2308	332	Fehjeo32.exe	Fckjalhj.exe
PID 2308 wrote to memory of 1088	2308	Fckjalhj.exe	Fnpnndgp.exe
PID 2308 wrote to memory of 1088	2308	Fckjalhj.exe	Fnpnndgp.exe
PID 2308 wrote to memory of 1088	2308	Fckjalhj.exe	Fnpnndgp.exe
PID 2308 wrote to memory of 1088	2308	Fckjalhj.exe	Fnpnndgp.exe
PID 1088 wrote to memory of 2192	1088	Fnpnndgp.exe	Fejgko32.exe
PID 1088 wrote to memory of 2192	1088	Fnpnndgp.exe	Fejgko32.exe
PID 1088 wrote to memory of 2192	1088	Fnpnndgp.exe	Fejgko32.exe
PID 1088 wrote to memory of 2192	1088	Fnpnndgp.exe	Fejgko32.exe

C:\Users\Admin\AppData\Local\Temp\4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4e13c0cb056e9a89619287c3bfbdd9d0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\Eihfjo32.exe
C:\Windows\system32\Eihfjo32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\Ebpkce32.exe
C:\Windows\system32\Ebpkce32.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\Epdkli32.exe
C:\Windows\system32\Epdkli32.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\Ebbgid32.exe
C:\Windows\system32\Ebbgid32.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\SysWOW64\Emhlfmgj.exe
C:\Windows\system32\Emhlfmgj.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\Epfhbign.exe
C:\Windows\system32\Epfhbign.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\Efppoc32.exe
C:\Windows\system32\Efppoc32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\Eiomkn32.exe
C:\Windows\system32\Eiomkn32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\Enkece32.exe
C:\Windows\system32\Enkece32.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\Eajaoq32.exe
C:\Windows\system32\Eajaoq32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\Egdilkbf.exe
C:\Windows\system32\Egdilkbf.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\Ejbfhfaj.exe
C:\Windows\system32\Ejbfhfaj.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\Fehjeo32.exe
C:\Windows\system32\Fehjeo32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\Fckjalhj.exe
C:\Windows\system32\Fckjalhj.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\SysWOW64\Fnpnndgp.exe
C:\Windows\system32\Fnpnndgp.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\Fejgko32.exe
C:\Windows\system32\Fejgko32.exe
17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2192

C:\Windows\SysWOW64\Ffkcbgek.exe
C:\Windows\system32\Ffkcbgek.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2232

C:\Windows\SysWOW64\Fnbkddem.exe
C:\Windows\system32\Fnbkddem.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1504

C:\Windows\SysWOW64\Fmekoalh.exe
C:\Windows\system32\Fmekoalh.exe
20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2304

C:\Windows\SysWOW64\Faagpp32.exe
C:\Windows\system32\Faagpp32.exe
21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:444

C:\Windows\SysWOW64\Ffnphf32.exe
C:\Windows\system32\Ffnphf32.exe
22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1724

C:\Windows\SysWOW64\Filldb32.exe
C:\Windows\system32\Filldb32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1652

C:\Windows\SysWOW64\Facdeo32.exe
C:\Windows\system32\Facdeo32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1988

C:\Windows\SysWOW64\Fpfdalii.exe
C:\Windows\system32\Fpfdalii.exe
25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1272

C:\Windows\SysWOW64\Fjlhneio.exe
C:\Windows\system32\Fjlhneio.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1036

C:\Windows\SysWOW64\Fmjejphb.exe
C:\Windows\system32\Fmjejphb.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1996

C:\Windows\SysWOW64\Fddmgjpo.exe
C:\Windows\system32\Fddmgjpo.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2400

C:\Windows\SysWOW64\Feeiob32.exe
C:\Windows\system32\Feeiob32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2648

C:\Windows\SysWOW64\Gpknlk32.exe
C:\Windows\system32\Gpknlk32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1948

C:\Windows\SysWOW64\Gbijhg32.exe
C:\Windows\system32\Gbijhg32.exe
31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2784

C:\Windows\SysWOW64\Glaoalkh.exe
C:\Windows\system32\Glaoalkh.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2548

C:\Windows\SysWOW64\Gopkmhjk.exe
C:\Windows\system32\Gopkmhjk.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2552

C:\Windows\SysWOW64\Gejcjbah.exe
C:\Windows\system32\Gejcjbah.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1296

C:\Windows\SysWOW64\Ghhofmql.exe
C:\Windows\system32\Ghhofmql.exe
35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2856

C:\Windows\SysWOW64\Gelppaof.exe
C:\Windows\system32\Gelppaof.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2984

C:\Windows\SysWOW64\Gdopkn32.exe
C:\Windows\system32\Gdopkn32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1976

C:\Windows\SysWOW64\Gmgdddmq.exe
C:\Windows\system32\Gmgdddmq.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2180

C:\Windows\SysWOW64\Ggpimica.exe
C:\Windows\system32\Ggpimica.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1676

C:\Windows\SysWOW64\Gaemjbcg.exe
C:\Windows\system32\Gaemjbcg.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:320

C:\Windows\SysWOW64\Gphmeo32.exe
C:\Windows\system32\Gphmeo32.exe
41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1000

C:\Windows\SysWOW64\Hknach32.exe
C:\Windows\system32\Hknach32.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:636

C:\Windows\SysWOW64\Hmlnoc32.exe
C:\Windows\system32\Hmlnoc32.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2108

C:\Windows\SysWOW64\Hahjpbad.exe
C:\Windows\system32\Hahjpbad.exe
44⤵
- Executes dropped EXE
- Modifies registry class
PID:2620

C:\Windows\SysWOW64\Hnojdcfi.exe
C:\Windows\system32\Hnojdcfi.exe
45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2044

C:\Windows\SysWOW64\Hlakpp32.exe
C:\Windows\system32\Hlakpp32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1112

C:\Windows\SysWOW64\Hckcmjep.exe
C:\Windows\system32\Hckcmjep.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:712

C:\Windows\SysWOW64\Hggomh32.exe
C:\Windows\system32\Hggomh32.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1792

C:\Windows\SysWOW64\Hnagjbdf.exe
C:\Windows\system32\Hnagjbdf.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2924

C:\Windows\SysWOW64\Hgilchkf.exe
C:\Windows\system32\Hgilchkf.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1052

C:\Windows\SysWOW64\Hjhhocjj.exe
C:\Windows\system32\Hjhhocjj.exe
51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2356

C:\Windows\SysWOW64\Hhjhkq32.exe
C:\Windows\system32\Hhjhkq32.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1276

C:\Windows\SysWOW64\Hpapln32.exe
C:\Windows\system32\Hpapln32.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2768

C:\Windows\SysWOW64\Hodpgjha.exe
C:\Windows\system32\Hodpgjha.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2812

C:\Windows\SysWOW64\Hacmcfge.exe
C:\Windows\system32\Hacmcfge.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2776

C:\Windows\SysWOW64\Henidd32.exe
C:\Windows\system32\Henidd32.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2428

C:\Windows\SysWOW64\Hjjddchg.exe
C:\Windows\system32\Hjjddchg.exe
57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2124

C:\Windows\SysWOW64\Hhmepp32.exe
C:\Windows\system32\Hhmepp32.exe
58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2988

C:\Windows\SysWOW64\Hogmmjfo.exe
C:\Windows\system32\Hogmmjfo.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1032

C:\Windows\SysWOW64\Icbimi32.exe
C:\Windows\system32\Icbimi32.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2208

C:\Windows\SysWOW64\Ieqeidnl.exe
C:\Windows\system32\Ieqeidnl.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2580

C:\Windows\SysWOW64\Idceea32.exe
C:\Windows\system32\Idceea32.exe
62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1108

C:\Windows\SysWOW64\Ihoafpmp.exe
C:\Windows\system32\Ihoafpmp.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1548

C:\Windows\SysWOW64\Iknnbklc.exe
C:\Windows\system32\Iknnbklc.exe
64⤵
- Executes dropped EXE
- Modifies registry class
PID:2252

C:\Windows\SysWOW64\Inljnfkg.exe
C:\Windows\system32\Inljnfkg.exe
65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2820

C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
66⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 140
67⤵
- Program crash
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebpkce32.exe

Filesize
50KB

MD5
a42e53a01df7e50454514570ff951888

SHA1
36f83cb43bed9df9bd56b07be3d48fb94d2fd237

SHA256
7f03d592b9a7ec8029aed0c5a8b82939f1d2f932fd2e8d7797d574d28b02dbdd

SHA512
5b11c49d4c9a8930262770e2b7de955b32025d6eb274f55389ed35c4b45b9b4910a73c23ce555d93fe1fac1148b131f1532bc54f56c2349a2e931a3b6268362f

Download Submit
C:\Windows\SysWOW64\Eiomkn32.exe

Filesize
50KB

MD5
c4dcb4f49260b76c6cf18eda1581776c

SHA1
765e3f9d669c16bc4f89e571a7da6216a489dced

SHA256
2772194730a47b172c1803f14c97cab0c3900e600970b7fc4b0c0e11a76bcc93

SHA512
03eaeca47b89b2ec03f5186558254a87ab273a2e325ec35212dc42e1333bccaf1dd879b6aa4e4a0f366c100c7f8a123e90d27573a90348ec2e6dd22a5e5e282a

Download Submit
C:\Windows\SysWOW64\Ejbfhfaj.exe

Filesize
50KB

MD5
d1487f9b0bb9f89a26af2e97ece12f5a

SHA1
758e7fd25d62d2ca2a4a7e1c5083f39a5a2be0c8

SHA256
149288b235c060300eedd7ea62bd4a109ff71f855f466d5fa70d4f109422a531

SHA512
2fb933a1a0a3494de5b003b1565416553ce8433a5f260428f697c951d4ec4ba85ceed501fa23248d8e7f69d7b17e959c20935bf7a043454ab4b602f1f9d811c1

Download Submit
C:\Windows\SysWOW64\Epfhbign.exe

Filesize
50KB

MD5
eec134d66ff876f0032df3d37758a3d8

SHA1
ae0958c4512365b318b08b964fb650d1b6314912

SHA256
b14d95affa8120ad95f57b98115835d8fa2ccbfda2c2718ec15cc629c3314764

SHA512
59c4ad56e80184cb1c051a56ae3c99a6b6de427f6c577136aab095044e264531e05ed8b3c904f5cb66995f4c11bf21019a35f6ae7df2d52099ca2d5c32ff3deb

Download Submit
C:\Windows\SysWOW64\Faagpp32.exe

Filesize
50KB

MD5
f09128e804cf1da9a0a6a32ee7e01745

SHA1
767b7c4700cc9c2f38f93c7c61ea94486e386927

SHA256
e0dbcdc3e8d57a5540b8956568648964cc873c624a9b3ff91409758f0815b92d

SHA512
5ff9106b8e4e2e0580a0697f95cb4b0e2243b1e97b00f86590d6c1fbda53792826fde37124f54d214bbdb2c75ae19416fddd33cf9bf30b5b258b210efb9996a1

Download Submit
C:\Windows\SysWOW64\Facdeo32.exe

Filesize
50KB

MD5
b42a1f8f9b6c4260b4e4f2ac1acf340a

SHA1
c50aa49a9a8a02004abe079babc0d6fc4b14e814

SHA256
6242bf37782b4f2482466eec2c4b73a87d5cfa535a1b99a6f895d328f84d453f

SHA512
752f6f55dc0da3f5c909785f78736037736fd4c29fc926a1ff4cda869ad4abca5f8f79b4d1a505b47a659f12521915905165459603a1c10716a8b3ad91219699

Download Submit
C:\Windows\SysWOW64\Fddmgjpo.exe

Filesize
50KB

MD5
48a15466cf0c53d69d2391566ff5569c

SHA1
bffd93a3b344218d68b15e1536cfd380237f703f

SHA256
7a3f2e8548f3a0720ea86f9f36694e3606d4a18115ad2f2cebd0137d7f5f6080

SHA512
40df1c0d5a76072225acadf83ceb970763cc76bac5f654b5df639d990662cbf9358b42d56bd9faf1639889f2a2d74c2f837ffb67113634f0684f867e526ab40b

Download Submit
C:\Windows\SysWOW64\Feeiob32.exe

Filesize
50KB

MD5
ae1b808edb88e8d92d27c3032c930fce

SHA1
4933d8f22d25c6d33258ddaecf9d4e7c4b379763

SHA256
60f027a9234465e26cf3979d1c40c568f94c9351c76f0843326af8ae5a7f7d43

SHA512
91089eeed6d4f038fcbbdf7ef3ed14223fd2fcdec6869de39c542ebc8fb54e8b2e381fc18869cd9b2949d18ab823c698fd20aa05a929bc23a34fe590068bfd5e

Download Submit
C:\Windows\SysWOW64\Ffkcbgek.exe

Filesize
50KB

MD5
3c4ed397c4e6f4a9b152a9d097302403

SHA1
ee180164bfbcbc28a9965f5e7b48d41941ee517d

SHA256
a3e5fff8abc5a2a21a0e900cf53b2855b2977d228d1382f88764cadc23ea034a

SHA512
55afbbee41025ddd8d47a702b4274c15dcd81d15e72f42b63b87585ec96e73ea6957ca007984f5dfc6aae24811c1b6eae39e1575512e973f470afa9ff2e17806

Download Submit
C:\Windows\SysWOW64\Ffnphf32.exe

Filesize
50KB

MD5
e9c2fcbf66a1cab9144640a1d0fc1648

SHA1
23927a6f28117e8f8dfc5d8ee56494033b21dc4e

SHA256
e289049f0dc7bdf40a2b04d4b6fc4f350f70cb288ce021be8fa2f6ddd2705fe5

SHA512
7f0c6b5e87e57229f9db215e57891bd917b6ddf46c9a7905028edb2f83b6803e9b38d783aa0d2e82ffc8b9ba7ab5afb90b5bbba61d0775d9a72fbcc4d40c6e52

Download Submit
C:\Windows\SysWOW64\Filldb32.exe

Filesize
50KB

MD5
77bab2356c300aba281bfc9ba498717d

SHA1
0d9a471191f84166eec63ff1a13596bb3d8c3b90

SHA256
5aaddfad2db673554d5d0f57407a86b3343e289734d52db8b1cccae8f8a3fc84

SHA512
5f474d0c3cae53b31462ea8df8d202e9092ffdd32dabfeb0db804dbfe37e3d31d5f3a0ef09240e7d0c5aa59bfe6d48e9c2090dfea5394449ca9c44dc3b4479ab

Download Submit
C:\Windows\SysWOW64\Fjlhneio.exe

Filesize
50KB

MD5
c8bba2fe80549a1cac07b95f4673e960

SHA1
085050cb7fe4fc426758822ba59dca50c9c7e5c4

SHA256
7b9a9829b3bb830290f432edadb6d67460f4d692513411a1ec22aaa6aacff2bd

SHA512
5cba5c9e38422e72e25daa8293a1b1e329b47f25aad69075efaea3f21d01ced38107eb7c57b388eb40021be318034e5d7fe90552dcb7d23405f9d8f44a383d0e

Download Submit
C:\Windows\SysWOW64\Fmekoalh.exe

Filesize
50KB

MD5
390f274570e6e9fa68cdc796c0384cbc

SHA1
610498e0bb3bdd450c5f1c6ab7b77a5396ea4e89

SHA256
75f29c4f731fadf89a5555304fde484873e56cf58d7e66326a5bfdb1cade5675

SHA512
44cd3168da3ade00d57c45148b680643fb508d93a3cd512646ed9e3c4b9df0e8ac419e2a34848b542b054add3775b79201110de5e4df3f7ea209bf760c9c4909

Download Submit
C:\Windows\SysWOW64\Fmjejphb.exe

Filesize
50KB

MD5
b924178f2ecadf043bf6dadc0e558989

SHA1
0c356645b44f6717928e11ae6b56527b26538e45

SHA256
6b538bc91deb9ea13800e8946064284ca0e294b41693d4f6468588f0944b1b92

SHA512
b102e12b22e1f98a2fae3df7c2d16242056d577c9e63cee100811e774292daf67e3550f4991b369484ce3dbd61ab2c24846bb5b0a8e0fce2be8c8e199d007199

Download Submit
C:\Windows\SysWOW64\Fnbkddem.exe

Filesize
50KB

MD5
bfebb0bb53d2f8c35ebbcda9e486194b

SHA1
75dcb892c5f2c7b6ea33b55823f6e437d537d393

SHA256
8d7c71a77c8f774f40f8588e21723589dd240f917daf0c50ffec0d01c192a854

SHA512
90dbe54412f535d656ef1f3520fba6eb0d759fd9e87bd20fc4ca4f94ae05d676c7f4b9c96b347b099125eb0255b053bcb8790046af2885ebd06cb05c491c18c1

Download Submit
C:\Windows\SysWOW64\Fpfdalii.exe

Filesize
50KB

MD5
011e603849506ab88636d9dc692f5067

SHA1
d2aa34c169150db58228fd98d83522455538739a

SHA256
780d6594cd4d6070fd1c6c0d028f46ef427396e498618b7aeba3feadd140a72e

SHA512
6ddb8fceea4ca1696e99b180251d51171fb7205a8b7a889038d7b99f3535228b3023aa0813d1d72a8b7456c0d4ab5b3b13fe4d721845f4a663fa3f4367c530eb

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
50KB

MD5
eafc50f7e4fb1905b855e2924d6e9292

SHA1
dd98c42aff94d7ad4b8dd016145a0b6623282e90

SHA256
af84187365b16bb8fcf9a9dcca6b96d709b17f715d86455ff50a2a6be9ed238d

SHA512
ea5371516759e47ef860274a1ae87f1b650a3b9fe10397afc85c89ddc796ab0bf3ae8927dcc25c0403bd30d6718f3c75eae0681a9b5257fb3fe6bdc2752efa89

Download Submit
C:\Windows\SysWOW64\Gbijhg32.exe

Filesize
50KB

MD5
b423b93b0bafc3026dc08d3c741451d8

SHA1
2dd869db0984f39747c90e3a9221e22c816b118b

SHA256
a588c8a19f77b9ee15229ba9436fad50451e4d81881a75144b177fe1e0f5f17a

SHA512
d13e3f8b59712e3227ea7f4ff3f4b3930be453b2e1c3efad53021dd429978d4ba17f68c40f4f5cff0c5ea56a25ed3ac644734c7044a77bf303d734e42f227b80

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe

Filesize
50KB

MD5
5a5f013b5b232b79ab0bf665625aef1e

SHA1
0c0c4724c5bb80721b5c9c0aac0ba36b7d54eeb3

SHA256
ab68dbdc68f6a3b40657685cc8aa04b0532bd44be9a78b27246be693dd4c1fd6

SHA512
d914ee6a68be886b66064a73878e1259a39e7a99c21899de8ba3f1f17ffe55c76d0685d818114bf67c4d3b41cc5402b7c758d89812f1e690fbd1df59a9c4f062

Download Submit
C:\Windows\SysWOW64\Gejcjbah.exe

Filesize
50KB

MD5
67308b269a3fa6765d1b2c42037e9362

SHA1
e41b30ecd88628be272d3318bcbd752941cec678

SHA256
e6bc4aa279fca9acfc5456d939c93a6109eb6548694efa841d0114ea9021a98f

SHA512
5bd353b53808c5464091495b6a8d741d41100e0b66158e12b3708f9b0d5ecd390f4ce3b912e9fb42b6ab09cf68efc59e4201af161f91b1d91abcc555fb9c697a

Download Submit
C:\Windows\SysWOW64\Gelppaof.exe

Filesize
50KB

MD5
9e1dc9c38c3d890aa900c5294bc7fbb1

SHA1
dabe4fa4a4f9d19aea72fda8a244f0753fcb5eb5

SHA256
2722da8c9583d2c501c1c7932eaaf760fdc77fe60ac833976efb24186f8d539c

SHA512
2e7cd51e1a380f075c729f24f96286e0764e3d68e3e2490997e43ed81db7b865aba4e8ff1073f5481bafda7dbb4b7d195d765a84bb74cd4e66d5f7cb4e507467

Download Submit
C:\Windows\SysWOW64\Ggpimica.exe

Filesize
50KB

MD5
30f54d27d004762a027dd71c600fceec

SHA1
013055abb76759bb8c3c963d95fedfdc4b809a17

SHA256
2fe392cfea1d74520e01a5c4e542daa9bcf400c69c0e8a23ac12427d78383c01

SHA512
9fd10bacdc646985d54ad4bb77aa417ccc9e90e832ce6be1e31618ef9512d9a1995fce89b326393faea1c4bf54f71382c593031cd54680e80bfa7af241266f0a

Download Submit
C:\Windows\SysWOW64\Ghhofmql.exe

Filesize
50KB

MD5
8b367ed65244e66b9371df70009070ba

SHA1
70de98295765ecbe00e0d5c30097605aadec663f

SHA256
5456b4a079de47bbc20ca7403b71f7c3ec7b7dc266cf24d10310e90695ea2d8d

SHA512
8392e8b521bef8e9b1d43b37adfddc9d296fcf68cd7871209a9e5bf0ad0a14eb08751b3f08be14554886cb81ccde571972b3085cda02ced794656407425eda9e

Download Submit
C:\Windows\SysWOW64\Glaoalkh.exe

Filesize
50KB

MD5
8f1d373571c531f90d52132abc614694

SHA1
4f695be4709b8657131dfa97c4e424825fae19c0

SHA256
5060d4227e0581d1fb1430ee1b0c09aff9eae1d0408d98113e4b06750dc844e3

SHA512
21110fcabebd9c3f3865f4e36269a86ab2f1038859ec25a2e5dcb1bac033d6783cd1cab6eafcd36e0108ec351ebc3d79ef1dc1ec00a01d14a1e7c8ce2fe28413

Download Submit
C:\Windows\SysWOW64\Gmgdddmq.exe

Filesize
50KB

MD5
c3f77d1e8de1e8982e080b6cad9c924a

SHA1
29692a0dd024b9c2756a65a453535ee0309acdc9

SHA256
b2f3d00bd50680a91f14b0037a9c1998665645c70869cef8f280b5631f0a94d6

SHA512
d3f226a1344ee1bf06d7cb2229c513d877c453aabb5bccecf084ecdfacc5c570f189a3596feea60737fef303b1d32c813582304cf14247ec0aabe40a29e2dcd4

Download Submit
C:\Windows\SysWOW64\Gopkmhjk.exe

Filesize
50KB

MD5
366968723b320ff2449a83bc5d7888ba

SHA1
1060441dc912fe36723fa33c6b875260b3733c57

SHA256
9fc26dbcb23b373ec671d8d5214f3dbcfcd03da495b035d1afa45facd5047a2a

SHA512
c0f25623c9b6c15dc3a1f5a0d4e1c5f30e6f9afa5f129ebca288fa6774a8b9066a76ffce6ac46120a25088855a83ac663ea7b563724862e797acd5a06818a6f2

Download Submit
C:\Windows\SysWOW64\Gphmeo32.exe

Filesize
50KB

MD5
12706da071a827923d8d63f259027031

SHA1
6c3b1b9114a555eb07254689c22e6a56d1c62c05

SHA256
4b9245f5c6312cc6ea2bc7f1f22d575153a8f1fb9b1a37f7974ef9047b169e66

SHA512
f8fc2d0a3732d2f95dad336c31cacfd5911e2249d667d257fc2a7d3843c45a212f00bae4764b73a852289b8398a54846c7bf0d73aef7844f624bce4f18edfcd7

Download Submit
C:\Windows\SysWOW64\Gpknlk32.exe

Filesize
50KB

MD5
d0dcd42b00ff4066457500c326263472

SHA1
1bdeff7b8974c1520a5b467f9f17aa08679dd951

SHA256
d5c4e23a22aa1982d08dc95929ee78bba32e8e681fad7ad51e36f2612c8300f7

SHA512
123dd5eedfded8189880a4a83d4fef3dec06e04dfc50f80e47bbcde5971f99de1041246034cdab3808ab3835baa289987da45311a0d949c1916f8d8f6205ef4e

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
50KB

MD5
5c48c116dd5d9774eb15798bf37490b1

SHA1
99f6e64a86216d89aa436b675f88a4697e711383

SHA256
059bd874a46bdc36c5576f0c5dda0d4c03a641c1c5b2eb2be18dd3148bca9e65

SHA512
b5e36ef2f43d52a23e95bea2f66ab60d1a1aaf36bdb20a88519165600d0a02abe6fd9fc6fde49627217366b8ba2955c522bb7629fe143d9543d35d3aee1b27d7

Download Submit
C:\Windows\SysWOW64\Hahjpbad.exe

Filesize
50KB

MD5
b332108d9e9aeffe04c37734a6b1bb09

SHA1
7e988e6f73b20f738f330fab018ca687be93c766

SHA256
92d9f7c5af2d88580f232106f5feddd634df8ed0ae3929f69ba005ee5f0ed6ac

SHA512
762f88370ed2975d298c1a68045712d1efb9bce6c795b0bd3bc6987ebe09d8f9fbfeb162e80c9573552d6b227e9cf5115f1cda056a3ce6dbf6cd5719f56b3e17

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
50KB

MD5
5cecbcf588b7992bd769282d1e32d8aa

SHA1
da3eb68f81a52b9be01927067e1ad1fbc9d44e77

SHA256
e75ea89a8848356de379bcece2da515a9b7698e82a18a4c9f19447db3d7e3a0e

SHA512
6ce6400a5381551361c70c50806a14e39dbaa2231321c2b25b9826ae3f2b8885faf73b7042a4f49c3fc52099c7eb3a5c0bbf3762cf88a2b55ed14f01d486b918

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
50KB

MD5
8a4df5ac55d35fc7afaf15d3b973c13d

SHA1
c988c830e48e3b5b5567b22a8c37de13fc8aca54

SHA256
46cc8409cdd55894a0aa34e366d609a2bc20607ebd53b8a1584c0ea65778036b

SHA512
08c6472da7e0f239c8c0ba4a9e15d04b3b4fccc8fc287c0d83dcc84fdc90ffb08f42153b2bdce334ae14fea8b2e240deeaba92dab914a3cc79fd5d11130c8371

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
50KB

MD5
4e5e8829043ff05332da7e3bcde02b93

SHA1
07f9fa173a3d7faa1b780f169e1c9bc8a7dc3f76

SHA256
dfb85186e983fe67888eef9b4eeb33d21c24ffbf4ea2e3157cdf6da11c47a55d

SHA512
14b37aaf0d1fbe4d6fdceb66b01cc4167d7771f6fdbad37e4a11e086e70725628b31d13bbc1812aaf084ce1fe67289daca1863220bda96e1dd595dae5d645da6

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
50KB

MD5
5ff658fc8a59a23c73e6b6fec410ca37

SHA1
0219da84e395644d2524ef6a1c85f1e7a51c7f36

SHA256
1e6c247ffd4cde448899f58c77f1e8b18378574fc97bcb5d3521c2bf49807270

SHA512
047d85a5b01b2b1bcd39eebd075628a023dc34da91eb9dc1f637bf1209ba9400e7552da17b6b0d0304a5b0303d8a54738ad72de301d0ad8cea8059a101b2fcdd

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
50KB

MD5
8fc8851ce5d398e4be22741ca88416b9

SHA1
bbfd52f95a8a8e6b89dedb6b1faa1b79393751fb

SHA256
4ca4f65fedc4e506bc9c635a6172d026c0fa1455270c769c92363dc65766de57

SHA512
6007ce095dc1667d44c18b81493477fa789a430320567f843745b0c2daa761d44bd55737f6a93fd20dcee2b80ec5b4d22beed69992470a3f5c70634f7579ced0

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
50KB

MD5
530013858b1cc475b2c15fde76546f20

SHA1
fddc36f40827b0c82e7fbf0b479aa8c99f5c93f6

SHA256
d1550efd11d13592ef1126d7aec6006b58729ec5bf632830743b8b1ae76a18cc

SHA512
c9155d95f948de8e18a6145715fc2b67ca0138d917c0b4c60c7fc48f23cd891ce52c605c97fd50f0281359c670fec698dd8ec86248ac14ca42200ff626f3946f

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
50KB

MD5
33d9e9766ef50879bd280a4d0c16b522

SHA1
39c808bbf6947b678c2b28a17066a7fca4741cad

SHA256
9cc1a693ba06db2ee0d5b3a77bba7730297f1831dc0510b1910b389dedaded8d

SHA512
fc42b3b0957a7a152a7718a5eb1024392854f3e25d9a3bd38a3b44213f757fa723b925b38e0f37221dc8e4f5be8a32e2cbf5994cbeb958be020654209fc002db

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
50KB

MD5
56484d3469a2f287bb246c14d418a178

SHA1
e0fc7dd61463f596f4f352c9d9d7e90711ca18d2

SHA256
09a0d440d52fafa77d40e60c82e6d514730e5981329d003df5b7822f5d6af107

SHA512
a6c98ccbbca675d1a2b4377230a299e23d5c30b4b80e142e35be3eb2669cd8e68d28ad8b4b66eb4a292c0f70a4f27663b06ca6c7544d7b85d6afbf9ea22a825c

Download Submit
C:\Windows\SysWOW64\Hknach32.exe

Filesize
50KB

MD5
78093d1d49726906186174a67f131d64

SHA1
579034486850f6119e9f273f7a7cf59975d2db80

SHA256
4d58ddeee0ff3dd17bee9394dfa69f54ed5a1f2acf9a2d189e0c08922023f815

SHA512
9177f9f03973b94ca011ef81ddecf12ba3c2f3efb8901358a7b59371ade436d4d4d9dfb1a496a47ea37a430cf3a40d88cfdb5d3c9255dc07b9e8ddeb7fa780f4

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe

Filesize
50KB

MD5
a32611c25bff2d008be05152eb776373

SHA1
056d630201b9fb6d41424b9b5d1e6847d2fb531e

SHA256
75de8ba35bc462eb36e93a17a45d0a8f83febdd3c9a40e2d8c29fe6fa98d462c

SHA512
789f3f2b62d4ce5ef179f5c6b8f468e66a93bd1229d11a1f574db9de368d5d5580ed03c820529c08ebe368ad993cbea453295ad7da642da658bc30117e8e9d68

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
50KB

MD5
f0edd54b3901ce0529880b6a45be3abd

SHA1
87b12e090009ccd3b4eb8e7738ad123c57af9201

SHA256
8fbc98ebb20a5c7f8ace449de5972d9ad0341737d47402027971e9b8f687eb2c

SHA512
8b0b8ea414f34383da9df6ad5cccd1c70e8dfe3597b5eed368d5767a07875cdb6c2a94936deccc99f574ff5d547e5ed780e27d594341bac92a1476fcc681e1a1

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
50KB

MD5
b2f15eab2fa921aa5f987a9031676542

SHA1
bba6b805ce55c5e75a423798b2e58c85ecb1047d

SHA256
de6c471773534910cadfc9db8b58351895c9b395a9acecbaf453c57006874de0

SHA512
a12b93acaabb17b2ac467bab05ad5986eba21f6f916bab992a7e61dcb8d30460e0e0110164510d3beecf5370c07f43def019228fc677d730796f4a48ed7c1c48

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
50KB

MD5
7600e79a3ad03873bd6e5c6e54cf41b6

SHA1
fc140b2bcab2c66c5ca657011de22aabac6f3f61

SHA256
b6c51a2211b5f475f97df5c29cc83f4b66bbd20249a5038229a0a3110c347094

SHA512
462e63f5eb4620771be1f62c8ea5a929f8ffac4355eeda88e692cbec9d0e1def3925f6c5319fc72f02e94e84885ad6e55dbaee43cd32c5aa6552a0a2455a6d9b

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
50KB

MD5
57fca530530fe8769009fb015f41151c

SHA1
2ed0f4d1440497c83ca03f21a7f8f8989d429a97

SHA256
6ee4003d2ec91a774bf7f5d5a54ad3de53c36dd76f4e4a684f622618b9de63d8

SHA512
028e81430c0c014967b57a24c35944349b0948810e5fd39a705df9909c902d1343a826fe5af67558337dd48767080434384e4ad0f6a60101a40d9c33085def47

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
50KB

MD5
b3d6532b85c0b1a6a800a3079cbdd5ff

SHA1
456e40a8e5ac5f0ce2f10a89a5e73fdf0357677b

SHA256
de3ed69b47ae84fbb444ade1106e72714d82cbcd99d5921cc927aa00b23cf5eb

SHA512
a2b444aa4d4756ff2a844950c0953e1a157d0fe0fc08cbf2b4d66fe0cc8b006956e20372e04f60ed585c2a07fa5968ae5e4661c6e5fc3aafcf828e632b606590

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
50KB

MD5
780388e5a0887f2357a0ba4520647880

SHA1
c55fa0177cc41278470ded4b8c97afc5e3950372

SHA256
75ad6ec0c477d68a293e004435a5adb0e25679d212c289759eda4bf4a1f05082

SHA512
11903f54d92a83b8956a09330c765645e5207095dad792154142be44863b10d4ed4ef2f05ef91819b8456e11add19f7e67d4870081a5f65d3d17a87f10056b08

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
50KB

MD5
306e126391e23af888d45571efaf646a

SHA1
d8c8392700a7ac76be59ec17ef06f93d3c314393

SHA256
e0a3e713d683ce5b73d839e152d489150602bdb6892d5aeab2fa01fd61e0ad64

SHA512
fce5182ca2be346b316c5bdc33906af03bcd7ed7126517862d3cc4090afc21abcd06f75d71ba273d64fe473d1a7453f694210b659782119f6ad7c013f5be0a44

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
50KB

MD5
abbdfb457df2872317b5927f342f823f

SHA1
d5534890f79f18ee9d28a91daddcd5e2a9fa4d2f

SHA256
0cebbcdc9f086c34b0dee3b08e213dd190011f34661a5ce62bbd457d8633fda0

SHA512
3dce56f7fa92c646f47858549e883e08bb9d83fac08fbb3b5fe48c96d01c57f8a0ec045e49bddcd15c9a323cca7509277c2e202dcca43fbd97fc422330c266cf

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
50KB

MD5
379beb6a735c08a5725c90a78e3f7dbe

SHA1
cc7f30c87742adedd814c90af2aece0bbd1b5dcc

SHA256
7f7cbad3656cfce9130f2c420cfb8b31aedd75f16b3d654d9d1a177d191e4c89

SHA512
0ae0a0defc7e5974c24aec4d5136e511ecd115909f3f027197c7744e5e1cb83a134fe96a463b7a5dc60215394458c957fdc1a07593a19e82a1c779799e963381

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
50KB

MD5
9b5cd054f5dab7e2520ac326a6b2cf61

SHA1
fa155b242bc139119009569a01de1a27f7208844

SHA256
47d02d426376629c294d7568b6a88becd44a845052a7a7d7cbe9a860823add1b

SHA512
0ce153bd23d67ad40f03190f22b0f78b5f7fa81e1a3c5bd16ecf85f99fc2669d5da4bf732a00305d2a5228aeaed69d5a3921e46ff85b7e6e18e717676456e6e4

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
50KB

MD5
277a08e0e3acf8d3a48f099bc10e3877

SHA1
ed367aa8ef8b1814941af213e07fd666985d927a

SHA256
a7c3faa09c5f30081c90898ac25b8052ec5282aab13b261b54d62e44b039b5a1

SHA512
c565f11f07f24d60d6d24ac8412f22b57e56acb52267c10a1050cb04d04410df885eab6e59377260ad5bfb29c10ce16fe18258c91209cb7fce7f4749dd5920d4

Download Submit
C:\Windows\SysWOW64\Inljnfkg.exe

Filesize
50KB

MD5
a83270de54d79481ed1e91c3019335ff

SHA1
360c80ad4fcd5b4c1883cfb1351744e783655812

SHA256
03a0d5637313e65a5b780ff48a52163823f3e8388e1c1d1238476b16e8a01d9f

SHA512
de15d17164c0af789724b6b746d06bfee902655a15d1c20cc1b3ddb89c09cb351d3ef99b6a719ad020224084f4459e3b4cb3b24fe00285298c59cf12890571e3

Download Submit
\Windows\SysWOW64\Eajaoq32.exe

Filesize
50KB

MD5
8625404c3afa399b392f2dbcfb1839fb

SHA1
8795d26587a7e5ce158e18a1880330adfa68328e

SHA256
2300f01c84000068afbb10cce4e96cb6fea484a4c8860d6345bc827c5b92479e

SHA512
a2ad754347aa7c78100da68a0b139218c77ead8b22001e9a8be33ed810a010651b698e9ccf71b8ec2247a91f7768915847e6db60f6c0875b7cbacf74c236d047

Download Submit
\Windows\SysWOW64\Ebbgid32.exe

Filesize
50KB

MD5
b0edfc71f42d4453ee581dd07bbe85b9

SHA1
bc68f30e725bc360d568e3c90c1b88bab6ac75c9

SHA256
b7bb2361be7bed3e5c42494faed7207889d571a62003f08321112c5254d33a5d

SHA512
9a3b60cc79cfc3ca07c3b32570df60acd0d9ded934c77438890e7a8a21adbdc1b6d33785e326ed5c4c8b27d64dee3d89cbebad05ee262e040d7ceb11309bc46f

Download Submit
\Windows\SysWOW64\Efppoc32.exe

Filesize
50KB

MD5
63744b505772296b7f6734cd15bc4beb

SHA1
514d3d8608be1ded014377079d6d586abe507cf1

SHA256
afe156284506c4eaf19cdd47370653e42a8199f9a74d1c5a82bf4fe5db3e9d91

SHA512
c51462da2f43ddd30f716b6802d42da4719a001d4236fd7583a2a216fd88db22d4110f15b5cab2795e46f04a9b44ecd7de046ed8ee81d6c7e56dc3674c6fa138

Download Submit
\Windows\SysWOW64\Egdilkbf.exe

Filesize
50KB

MD5
9aeb9fbf67d1a762659517a1a2d2def5

SHA1
97eb17f440c3e42461de80da823a9496dd896a1a

SHA256
87a46e6c3cb567f12cca69a47d3e4c3d67fc09576b328b4bbf7904e1968a656a

SHA512
b42e25b1addfe66e426faeec24cf7cf9e6e9b15731e4b731186c7d65d67afc63e489d1ef080b646d255a0c8a0dc3493ed58ad99a7dd8948932824ad03e9efe07

Download Submit
\Windows\SysWOW64\Eihfjo32.exe

Filesize
50KB

MD5
879565dcf899f8e98bc292599c805152

SHA1
8689bbfb8e940ce41a38265165b2ad5b85f4c55c

SHA256
b9b195aba34e8adc163c391f9ba7c6d9394543270c413febc0673d92e03ac89d

SHA512
4652c7a36b4405348f18d90724a83f6508076d4855feb5e46aacb30d16a217015150765fc1b554dfd7cbd6d41bb8e23b7d14079fa8734051291aac8e74b0aca1

Download Submit
\Windows\SysWOW64\Emhlfmgj.exe

Filesize
50KB

MD5
65742dfc066dbfee221e6d6df6a8ca5f

SHA1
939132d988c323bb040aa8a3c5dba81af80781be

SHA256
029e254294d15165828790d72bbd78a99c1cef93bd4c4cdb688e990b3ba96774

SHA512
82c80f8e5136561d6e8591119d20606fbfe407a37be67bcffa0063ace710c44db8f78240577050f442f6659568c6dcdeaa2e30bfb13bae7be24f32cd40438946

Download Submit
\Windows\SysWOW64\Enkece32.exe

Filesize
50KB

MD5
13478415cb9560ef4bfb5bc2505e9725

SHA1
465b59fb97f0780636850991986d2bbcedb8a15c

SHA256
ebe05e7700201fee93c68b80a64132648c37da162b2100bd8c99f79040ebb010

SHA512
a2efa79e7f8afbf98631fd773fb34a7f9ff446eaf887a41b8c10aaacdcf9e2d88bd468154080a88cdfc82310f3a6a7a0e565b30e267a7c90c4b84c3f3c2e4928

Download Submit
\Windows\SysWOW64\Epdkli32.exe

Filesize
50KB

MD5
e7b97d116a4444a9445c1a77f8082899

SHA1
b64cdbe069db8cebae786f164f0a4e176b39d6c3

SHA256
c402bd2c92addc72e887c9ce4c969de4b5fa1e4078a5a6972fb866b75684611e

SHA512
fe8e626f08db1075864493b33c9f9ef0864ca38fbf74e903441e7c928abc2ab91e4e6afc605cb8e9fb219500d39a47cc48e72c13ecc026d5bd1ef461afe19118

Download Submit
\Windows\SysWOW64\Fckjalhj.exe

Filesize
50KB

MD5
42b7e36f91698606560d7edcb4951404

SHA1
be26e21d579a81b4e91ced2300b74067ad128cb3

SHA256
4506b1b9361db71c01a9cc23cee54c6d9cdaa16843a6463669fe26b668ec5d28

SHA512
b23c3e48da0d437d5e2297abad465ad9100b8239e4edb43adeaa3d779fb768ed86a8333fb147c37536c0e2d58efd252522f7d99af2f7a1d36b82c9fcddcc3eb0

Download Submit
\Windows\SysWOW64\Fehjeo32.exe

Filesize
50KB

MD5
6d9fa3b0f3d3220a4bf7f2adb12f7294

SHA1
1bd0a43b337a397f29b30cfc7a51cf05e1383b9e

SHA256
00fde456ccc2624bb161fa73c4260aeb9ddb7f24ada01fbbb16a1eb8126adcad

SHA512
b98b5692a0f76be24f48fb57b725a45b12363a27d01b0795e1beb575fa36b0cd38456f43b53d45d721ee6338ce35655077c40d6201996a10f9127e1a590b005d

Download Submit
\Windows\SysWOW64\Fejgko32.exe

Filesize
50KB

MD5
838be2c17091437577b6566439fce20f

SHA1
b7366c673ee1819d0545124bc86eda8b7aed5c00

SHA256
d829265a4333f1b62b12027e510941f28a13039184b3b058ee10c5852dc770ad

SHA512
fe34e9e4d009f22c2119fbb9d53b08be35c6be373ac77dcfe378954393a39cade9de1124103a74805aac7f2bead8ffd4e74f8cea35b141882a80f9f663eac4d8

Download Submit
\Windows\SysWOW64\Fnpnndgp.exe

Filesize
50KB

MD5
22066935495a6cada247478ab271c71e

SHA1
c03f28a1a3fbb3d884a12eb22962f05d8adea3cd

SHA256
670d1c1e8436254755bf2293020ec4f27831ee80ddd9bc306c9db7baba05d05b

SHA512
f58b0e2827f0a7e61630b7b8b2cdf0d36477bfabe9b8567da89ccd9187e258bcab8168477fcf05f837425a9c7300a3b1d4a86f62f030261a8a6d1c98704b0d47

Download Submit
memory/320-448-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/320-458-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/320-457-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/332-176-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/444-248-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/636-480-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/636-479-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/636-478-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/712-538-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/712-524-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/712-539-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/1000-459-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1000-468-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/1000-469-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/1036-303-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/1036-298-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1036-304-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/1088-198-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1112-519-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1112-523-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/1136-132-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1136-140-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/1272-297-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/1272-284-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1296-381-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1296-392-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/1296-388-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/1304-151-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1504-230-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1652-266-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1676-437-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1676-446-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/1676-447-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/1724-265-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1792-540-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1948-348-0x00000000002E0000-0x0000000000311000-memory.dmp

Filesize
196KB

Download
memory/1948-342-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1948-347-0x00000000002E0000-0x0000000000311000-memory.dmp

Filesize
196KB

Download
memory/1976-425-0x00000000002E0000-0x0000000000311000-memory.dmp

Filesize
196KB

Download
memory/1976-424-0x00000000002E0000-0x0000000000311000-memory.dmp

Filesize
196KB

Download
memory/1976-415-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1988-278-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1996-314-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/1996-315-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/1996-305-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2044-518-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/2044-517-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/2044-506-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2108-490-0x0000000001F30000-0x0000000001F61000-memory.dmp

Filesize
196KB

Download
memory/2108-481-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2108-491-0x0000000001F30000-0x0000000001F61000-memory.dmp

Filesize
196KB

Download
memory/2156-6-0x0000000000310000-0x0000000000341000-memory.dmp

Filesize
196KB

Download
memory/2156-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2180-435-0x00000000002F0000-0x0000000000321000-memory.dmp

Filesize
196KB

Download
memory/2180-436-0x00000000002F0000-0x0000000000321000-memory.dmp

Filesize
196KB

Download
memory/2180-426-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2192-211-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2228-41-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2232-221-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2276-159-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2304-243-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2308-185-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2400-325-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2400-316-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2400-766-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2400-326-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2488-28-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/2488-26-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/2488-18-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2548-770-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2548-370-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/2548-369-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/2548-360-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2552-371-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2552-380-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/2552-382-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/2584-80-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2620-492-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2620-501-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/2620-502-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/2648-767-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2648-327-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2648-333-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/2648-337-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/2684-67-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2748-27-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2784-358-0x00000000005D0000-0x0000000000601000-memory.dmp

Filesize
196KB

Download
memory/2784-359-0x00000000005D0000-0x0000000000601000-memory.dmp

Filesize
196KB

Download
memory/2784-769-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2784-349-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2856-393-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2856-402-0x00000000005D0000-0x0000000000601000-memory.dmp

Filesize
196KB

Download
memory/2856-403-0x00000000005D0000-0x0000000000601000-memory.dmp

Filesize
196KB

Download
memory/2876-118-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/2900-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2984-407-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2984-414-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/2984-413-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/3036-98-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3036-101-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download