25a147449ecd3b443cf0051a52c2640f3a3d88da222603ed75018cc4b95b5c11

Analysis

max time kernel
92s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3556541534397b5dfa20aaf0d3cfe320_NeikiAnalytics.exe
Size

208KB
MD5

3556541534397b5dfa20aaf0d3cfe320
SHA1

b39d1b8e56dd7f14e3066bad6c51bde810b91551
SHA256

25a147449ecd3b443cf0051a52c2640f3a3d88da222603ed75018cc4b95b5c11
SHA512

c8a5307aec6b90b5a0248131db6a1530c89d19aa6dd1cd269dfdfc42b063fd248ef8719b810f8c45a19e2de9848ed58a9706c4696ad6efd12fa8c103418c54fd
SSDEEP

6144:TOL6EDX4EYtCwGtMtkiXOoloMr1JeSldqP7+x55KmC:TChtMtkM71r1MSXqPix55Kx

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Eqalmafo.exeEoapbo32.exeIjkljp32.exeJdemhe32.exeLnjjdgee.exeIpckgh32.exeJbfpobpb.exeKilhgk32.exeNkqpjidj.exeKckbqpnj.exeMnapdf32.exeFqohnp32.exeGmhfhp32.exeHjmoibog.exeIcjmmg32.exeIpqnahgf.exeNjcpee32.exe3556541534397b5dfa20aaf0d3cfe320_NeikiAnalytics.exeGfqjafdq.exeKgbefoji.exeFjcclf32.exeGfcgge32.exeGiofnacd.exeKipabjil.exeKcifkp32.exeLmccchkn.exeHfljmdjc.exeFodeolof.exeGmmocpjk.exeMaaepd32.exeMcnhmm32.exeHcedaheh.exeHjolnb32.exeJfaloa32.exeJagqlj32.exeLdaeka32.exeHccglh32.exeIbagcc32.exeLnepih32.exeLcgblncm.exeMgghhlhq.exeFjnjqfij.exeLdohebqh.exeImihfl32.exeKaemnhla.exeNjacpf32.exeJkdnpo32.exeNceonl32.exeGpklpkio.exeIidipnal.exeJjpeepnb.exeJmpngk32.exeMcpebmkb.exeNjogjfoj.exeGidphq32.exeHikfip32.exeJmnaakne.exeJbmfoa32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3556541534397b5dfa20aaf0d3cfe320_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	3556541534397b5dfa20aaf0d3cfe320_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe

Malware Dropper & Backdoor - Berbew 42 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Eoapbo32.exe	family_berbew
C:\Windows\SysWOW64\Ebploj32.exe	family_berbew
C:\Windows\SysWOW64\Eqalmafo.exe	family_berbew
C:\Windows\SysWOW64\Ecphimfb.exe	family_berbew
C:\Windows\SysWOW64\Elhmablc.exe	family_berbew
C:\Windows\SysWOW64\Eqciba32.exe	family_berbew
C:\Windows\SysWOW64\Ebeejijj.exe	family_berbew
C:\Windows\SysWOW64\Ehonfc32.exe	family_berbew
C:\Windows\SysWOW64\Eoifcnid.exe	family_berbew
C:\Windows\SysWOW64\Fjnjqfij.exe	family_berbew
C:\Windows\SysWOW64\Fokbim32.exe	family_berbew
C:\Windows\SysWOW64\Fbioei32.exe	family_berbew
C:\Windows\SysWOW64\Ficgacna.exe	family_berbew
C:\Windows\SysWOW64\Fomonm32.exe	family_berbew
C:\Windows\SysWOW64\Fjcclf32.exe	family_berbew
C:\Windows\SysWOW64\Fqmlhpla.exe	family_berbew
C:\Windows\SysWOW64\Fckhdk32.exe	family_berbew
C:\Windows\SysWOW64\Fjepaecb.exe	family_berbew
C:\Windows\SysWOW64\Fqohnp32.exe	family_berbew
C:\Windows\SysWOW64\Fijmbb32.exe	family_berbew
C:\Windows\SysWOW64\Fodeolof.exe	family_berbew
C:\Windows\SysWOW64\Gbcakg32.exe	family_berbew
C:\Windows\SysWOW64\Gmhfhp32.exe	family_berbew
C:\Windows\SysWOW64\Gfqjafdq.exe	family_berbew
C:\Windows\SysWOW64\Giofnacd.exe	family_berbew
C:\Windows\SysWOW64\Gcekkjcj.exe	family_berbew
C:\Windows\SysWOW64\Gfcgge32.exe	family_berbew
C:\Windows\SysWOW64\Gmmocpjk.exe	family_berbew
C:\Windows\SysWOW64\Gpklpkio.exe	family_berbew
C:\Windows\SysWOW64\Gidphq32.exe	family_berbew
C:\Windows\SysWOW64\Gqkhjn32.exe	family_berbew
C:\Windows\SysWOW64\Gbldaffp.exe	family_berbew
C:\Windows\SysWOW64\Hmmhjm32.exe	family_berbew
C:\Windows\SysWOW64\Iakaql32.exe	family_berbew
C:\Windows\SysWOW64\Imihfl32.exe	family_berbew
C:\Windows\SysWOW64\Kaqcbi32.exe	family_berbew
C:\Windows\SysWOW64\Kagichjo.exe	family_berbew
C:\Windows\SysWOW64\Lnepih32.exe	family_berbew
C:\Windows\SysWOW64\Lcgblncm.exe	family_berbew
C:\Windows\SysWOW64\Mpmokb32.exe	family_berbew
C:\Windows\SysWOW64\Mcpebmkb.exe	family_berbew
C:\Windows\SysWOW64\Mdpalp32.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Eoapbo32.exeEbploj32.exeEqalmafo.exeEcphimfb.exeElhmablc.exeEqciba32.exeEbeejijj.exeEhonfc32.exeEoifcnid.exeFjnjqfij.exeFokbim32.exeFbioei32.exeFicgacna.exeFomonm32.exeFjcclf32.exeFqmlhpla.exeFckhdk32.exeFjepaecb.exeFqohnp32.exeFijmbb32.exeFodeolof.exeGbcakg32.exeGmhfhp32.exeGfqjafdq.exeGiofnacd.exeGcekkjcj.exeGfcgge32.exeGmmocpjk.exeGpklpkio.exeGidphq32.exeGqkhjn32.exeGbldaffp.exeGifmnpnl.exeGameonno.exeHclakimb.exeHjfihc32.exeHmdedo32.exeHfljmdjc.exeHikfip32.exeHabnjm32.exeHcqjfh32.exeHfofbd32.exeHimcoo32.exeHadkpm32.exeHccglh32.exeHjmoibog.exeHaggelfd.exeHcedaheh.exeHjolnb32.exeHmmhjm32.exeIcgqggce.exeIffmccbi.exeIidipnal.exeIakaql32.exeIcjmmg32.exeIjdeiaio.exeImbaemhc.exeIpqnahgf.exeIfjfnb32.exeIiibkn32.exeIpckgh32.exeIbagcc32.exeIjhodq32.exeIabgaklg.exe

pid	process
4164	Eoapbo32.exe
3984	Ebploj32.exe
2624	Eqalmafo.exe
1236	Ecphimfb.exe
2440	Elhmablc.exe
4300	Eqciba32.exe
664	Ebeejijj.exe
4056	Ehonfc32.exe
228	Eoifcnid.exe
860	Fjnjqfij.exe
4516	Fokbim32.exe
1784	Fbioei32.exe
2744	Ficgacna.exe
3104	Fomonm32.exe
3012	Fjcclf32.exe
5012	Fqmlhpla.exe
532	Fckhdk32.exe
1960	Fjepaecb.exe
2412	Fqohnp32.exe
4184	Fijmbb32.exe
4616	Fodeolof.exe
4432	Gbcakg32.exe
4404	Gmhfhp32.exe
4824	Gfqjafdq.exe
436	Giofnacd.exe
4372	Gcekkjcj.exe
920	Gfcgge32.exe
4524	Gmmocpjk.exe
224	Gpklpkio.exe
4468	Gidphq32.exe
5060	Gqkhjn32.exe
4272	Gbldaffp.exe
2800	Gifmnpnl.exe
2540	Gameonno.exe
3584	Hclakimb.exe
3508	Hjfihc32.exe
1700	Hmdedo32.exe
3524	Hfljmdjc.exe
1688	Hikfip32.exe
2652	Habnjm32.exe
2456	Hcqjfh32.exe
4668	Hfofbd32.exe
4028	Himcoo32.exe
1016	Hadkpm32.exe
4752	Hccglh32.exe
2900	Hjmoibog.exe
8	Haggelfd.exe
1684	Hcedaheh.exe
2072	Hjolnb32.exe
1644	Hmmhjm32.exe
4828	Icgqggce.exe
1648	Iffmccbi.exe
2144	Iidipnal.exe
2968	Iakaql32.exe
4052	Icjmmg32.exe
948	Ijdeiaio.exe
4680	Imbaemhc.exe
3256	Ipqnahgf.exe
4008	Ifjfnb32.exe
1268	Iiibkn32.exe
5048	Ipckgh32.exe
1920	Ibagcc32.exe
884	Ijhodq32.exe
1596	Iabgaklg.exe

Drops file in System32 directory 64 IoCs

Processes:

Fjnjqfij.exeHjmoibog.exeNjogjfoj.exeLiekmj32.exeHcedaheh.exeKaqcbi32.exeKaemnhla.exeNdghmo32.exeFijmbb32.exeGbldaffp.exeLcmofolg.exeGpklpkio.exeHabnjm32.exeImihfl32.exeJbmfoa32.exeKgbefoji.exeEbeejijj.exeFicgacna.exeGmmocpjk.exeMpaifalo.exeIcgqggce.exeIbagcc32.exeJjbako32.exeIcjmmg32.exeLkiqbl32.exeEcphimfb.exeIidipnal.exeLkdggmlj.exeJangmibi.exeHmmhjm32.exeIiibkn32.exeEqciba32.exeJdemhe32.exeKipabjil.exeKckbqpnj.exeIabgaklg.exeLgkhlnbn.exeGmhfhp32.exeLcgblncm.exeMgghhlhq.exeGidphq32.exeKinemkko.exeNcldnkae.exeMnlfigcc.exeLaciofpa.exeIakaql32.exeJbocea32.exeGfqjafdq.exeKagichjo.exeMcnhmm32.exeKpepcedo.exeLdohebqh.exeLphfpbdi.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Neahbi32.dll	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Fodeolof.exe	Fijmbb32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Ehonfc32.exe	Ebeejijj.exe
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Ficgacna.exe
File created	C:\Windows\SysWOW64\Gpklpkio.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Ijdeiaio.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Elhmablc.exe	Ecphimfb.exe
File created	C:\Windows\SysWOW64\Lcnodhch.dll	Iidipnal.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Inomojol.dll	Eqciba32.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Gbajhpfb.dll	Gidphq32.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Hndnbj32.dll	Ficgacna.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Fokbim32.exe	Fjnjqfij.exe
File opened for modification	C:\Windows\SysWOW64\Giofnacd.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Ebeejijj.exe	Eqciba32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5252 5992 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
5252	5992	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Gcekkjcj.exeGqkhjn32.exeIjhodq32.exeJigollag.exeKipabjil.exeLknjmkdo.exeEqalmafo.exeEcphimfb.exeKpepcedo.exeGidphq32.exeJbocea32.exeLpocjdld.exeLkiqbl32.exe3556541534397b5dfa20aaf0d3cfe320_NeikiAnalytics.exeJmnaakne.exeNjcpee32.exeHcqjfh32.exeIakaql32.exeImbaemhc.exeJiphkm32.exeGiofnacd.exeHmdedo32.exeNqfbaq32.exeFjnjqfij.exeHjfihc32.exeMpaifalo.exeFjcclf32.exeIbagcc32.exeLphfpbdi.exeMaaepd32.exeFqmlhpla.exeFodeolof.exeGpklpkio.exeJkfkfohj.exeIbccic32.exeMpmokb32.exeMnapdf32.exeGameonno.exeHjolnb32.exeKcifkp32.exeKajfig32.exeEbploj32.exeGifmnpnl.exeHadkpm32.exeNcldnkae.exeHcedaheh.exeMgghhlhq.exeEbeejijj.exeFjepaecb.exeHccglh32.exeJmpngk32.exeNqmhbpba.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeahce32.dll"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihpfl32.dll"	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmaid32.dll"	Ecphimfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	3556541534397b5dfa20aaf0d3cfe320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhlfk32.dll"	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gameonno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iedonm32.dll"	3556541534397b5dfa20aaf0d3cfe320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejnmepn.dll"	Ebploj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqmhbpba.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3556541534397b5dfa20aaf0d3cfe320_NeikiAnalytics.exeEoapbo32.exeEbploj32.exeEqalmafo.exeEcphimfb.exeElhmablc.exeEqciba32.exeEbeejijj.exeEhonfc32.exeEoifcnid.exeFjnjqfij.exeFokbim32.exeFbioei32.exeFicgacna.exeFomonm32.exeFjcclf32.exeFqmlhpla.exeFckhdk32.exeFjepaecb.exeFqohnp32.exeFijmbb32.exeFodeolof.exe

description	pid	process	target process
PID 3276 wrote to memory of 4164	3276	3556541534397b5dfa20aaf0d3cfe320_NeikiAnalytics.exe	Eoapbo32.exe
PID 3276 wrote to memory of 4164	3276	3556541534397b5dfa20aaf0d3cfe320_NeikiAnalytics.exe	Eoapbo32.exe
PID 3276 wrote to memory of 4164	3276	3556541534397b5dfa20aaf0d3cfe320_NeikiAnalytics.exe	Eoapbo32.exe
PID 4164 wrote to memory of 3984	4164	Eoapbo32.exe	Ebploj32.exe
PID 4164 wrote to memory of 3984	4164	Eoapbo32.exe	Ebploj32.exe
PID 4164 wrote to memory of 3984	4164	Eoapbo32.exe	Ebploj32.exe
PID 3984 wrote to memory of 2624	3984	Ebploj32.exe	Eqalmafo.exe
PID 3984 wrote to memory of 2624	3984	Ebploj32.exe	Eqalmafo.exe
PID 3984 wrote to memory of 2624	3984	Ebploj32.exe	Eqalmafo.exe
PID 2624 wrote to memory of 1236	2624	Eqalmafo.exe	Ecphimfb.exe
PID 2624 wrote to memory of 1236	2624	Eqalmafo.exe	Ecphimfb.exe
PID 2624 wrote to memory of 1236	2624	Eqalmafo.exe	Ecphimfb.exe
PID 1236 wrote to memory of 2440	1236	Ecphimfb.exe	Elhmablc.exe
PID 1236 wrote to memory of 2440	1236	Ecphimfb.exe	Elhmablc.exe
PID 1236 wrote to memory of 2440	1236	Ecphimfb.exe	Elhmablc.exe
PID 2440 wrote to memory of 4300	2440	Elhmablc.exe	Eqciba32.exe
PID 2440 wrote to memory of 4300	2440	Elhmablc.exe	Eqciba32.exe
PID 2440 wrote to memory of 4300	2440	Elhmablc.exe	Eqciba32.exe
PID 4300 wrote to memory of 664	4300	Eqciba32.exe	Ebeejijj.exe
PID 4300 wrote to memory of 664	4300	Eqciba32.exe	Ebeejijj.exe
PID 4300 wrote to memory of 664	4300	Eqciba32.exe	Ebeejijj.exe
PID 664 wrote to memory of 4056	664	Ebeejijj.exe	Ehonfc32.exe
PID 664 wrote to memory of 4056	664	Ebeejijj.exe	Ehonfc32.exe
PID 664 wrote to memory of 4056	664	Ebeejijj.exe	Ehonfc32.exe
PID 4056 wrote to memory of 228	4056	Ehonfc32.exe	Eoifcnid.exe
PID 4056 wrote to memory of 228	4056	Ehonfc32.exe	Eoifcnid.exe
PID 4056 wrote to memory of 228	4056	Ehonfc32.exe	Eoifcnid.exe
PID 228 wrote to memory of 860	228	Eoifcnid.exe	Fjnjqfij.exe
PID 228 wrote to memory of 860	228	Eoifcnid.exe	Fjnjqfij.exe
PID 228 wrote to memory of 860	228	Eoifcnid.exe	Fjnjqfij.exe
PID 860 wrote to memory of 4516	860	Fjnjqfij.exe	Fokbim32.exe
PID 860 wrote to memory of 4516	860	Fjnjqfij.exe	Fokbim32.exe
PID 860 wrote to memory of 4516	860	Fjnjqfij.exe	Fokbim32.exe
PID 4516 wrote to memory of 1784	4516	Fokbim32.exe	Fbioei32.exe
PID 4516 wrote to memory of 1784	4516	Fokbim32.exe	Fbioei32.exe
PID 4516 wrote to memory of 1784	4516	Fokbim32.exe	Fbioei32.exe
PID 1784 wrote to memory of 2744	1784	Fbioei32.exe	Ficgacna.exe
PID 1784 wrote to memory of 2744	1784	Fbioei32.exe	Ficgacna.exe
PID 1784 wrote to memory of 2744	1784	Fbioei32.exe	Ficgacna.exe
PID 2744 wrote to memory of 3104	2744	Ficgacna.exe	Fomonm32.exe
PID 2744 wrote to memory of 3104	2744	Ficgacna.exe	Fomonm32.exe
PID 2744 wrote to memory of 3104	2744	Ficgacna.exe	Fomonm32.exe
PID 3104 wrote to memory of 3012	3104	Fomonm32.exe	Fjcclf32.exe
PID 3104 wrote to memory of 3012	3104	Fomonm32.exe	Fjcclf32.exe
PID 3104 wrote to memory of 3012	3104	Fomonm32.exe	Fjcclf32.exe
PID 3012 wrote to memory of 5012	3012	Fjcclf32.exe	Fqmlhpla.exe
PID 3012 wrote to memory of 5012	3012	Fjcclf32.exe	Fqmlhpla.exe
PID 3012 wrote to memory of 5012	3012	Fjcclf32.exe	Fqmlhpla.exe
PID 5012 wrote to memory of 532	5012	Fqmlhpla.exe	Fckhdk32.exe
PID 5012 wrote to memory of 532	5012	Fqmlhpla.exe	Fckhdk32.exe
PID 5012 wrote to memory of 532	5012	Fqmlhpla.exe	Fckhdk32.exe
PID 532 wrote to memory of 1960	532	Fckhdk32.exe	Fjepaecb.exe
PID 532 wrote to memory of 1960	532	Fckhdk32.exe	Fjepaecb.exe
PID 532 wrote to memory of 1960	532	Fckhdk32.exe	Fjepaecb.exe
PID 1960 wrote to memory of 2412	1960	Fjepaecb.exe	Fqohnp32.exe
PID 1960 wrote to memory of 2412	1960	Fjepaecb.exe	Fqohnp32.exe
PID 1960 wrote to memory of 2412	1960	Fjepaecb.exe	Fqohnp32.exe
PID 2412 wrote to memory of 4184	2412	Fqohnp32.exe	Fijmbb32.exe
PID 2412 wrote to memory of 4184	2412	Fqohnp32.exe	Fijmbb32.exe
PID 2412 wrote to memory of 4184	2412	Fqohnp32.exe	Fijmbb32.exe
PID 4184 wrote to memory of 4616	4184	Fijmbb32.exe	Fodeolof.exe
PID 4184 wrote to memory of 4616	4184	Fijmbb32.exe	Fodeolof.exe
PID 4184 wrote to memory of 4616	4184	Fijmbb32.exe	Fodeolof.exe
PID 4616 wrote to memory of 4432	4616	Fodeolof.exe	Gbcakg32.exe

C:\Users\Admin\AppData\Local\Temp\3556541534397b5dfa20aaf0d3cfe320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3556541534397b5dfa20aaf0d3cfe320_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\SysWOW64\Eoapbo32.exe
C:\Windows\system32\Eoapbo32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\Ebploj32.exe
C:\Windows\system32\Ebploj32.exe
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\Eqalmafo.exe
C:\Windows\system32\Eqalmafo.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\Ecphimfb.exe
C:\Windows\system32\Ecphimfb.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\Elhmablc.exe
C:\Windows\system32\Elhmablc.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\Eqciba32.exe
C:\Windows\system32\Eqciba32.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SysWOW64\Ebeejijj.exe
C:\Windows\system32\Ebeejijj.exe
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\Ehonfc32.exe
C:\Windows\system32\Ehonfc32.exe
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\Eoifcnid.exe
C:\Windows\system32\Eoifcnid.exe
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\SysWOW64\Fjnjqfij.exe
C:\Windows\system32\Fjnjqfij.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\Fokbim32.exe
C:\Windows\system32\Fokbim32.exe
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\SysWOW64\Fbioei32.exe
C:\Windows\system32\Fbioei32.exe
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\Ficgacna.exe
C:\Windows\system32\Ficgacna.exe
14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\Fomonm32.exe
C:\Windows\system32\Fomonm32.exe
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\Fjcclf32.exe
C:\Windows\system32\Fjcclf32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\Fqmlhpla.exe
C:\Windows\system32\Fqmlhpla.exe
17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\Fckhdk32.exe
C:\Windows\system32\Fckhdk32.exe
18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\Fjepaecb.exe
C:\Windows\system32\Fjepaecb.exe
19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\Fqohnp32.exe
C:\Windows\system32\Fqohnp32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\Fijmbb32.exe
C:\Windows\system32\Fijmbb32.exe
21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\Fodeolof.exe
C:\Windows\system32\Fodeolof.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\SysWOW64\Gbcakg32.exe
C:\Windows\system32\Gbcakg32.exe
23⤵
- Executes dropped EXE
PID:4432

C:\Windows\SysWOW64\Gmhfhp32.exe
C:\Windows\system32\Gmhfhp32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4404

C:\Windows\SysWOW64\Gfqjafdq.exe
C:\Windows\system32\Gfqjafdq.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4824

C:\Windows\SysWOW64\Giofnacd.exe
C:\Windows\system32\Giofnacd.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:436

C:\Windows\SysWOW64\Gcekkjcj.exe
C:\Windows\system32\Gcekkjcj.exe
27⤵
- Executes dropped EXE
- Modifies registry class
PID:4372

C:\Windows\SysWOW64\Gfcgge32.exe
C:\Windows\system32\Gfcgge32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:920

C:\Windows\SysWOW64\Gmmocpjk.exe
C:\Windows\system32\Gmmocpjk.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4524

C:\Windows\SysWOW64\Gpklpkio.exe
C:\Windows\system32\Gpklpkio.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:224

C:\Windows\SysWOW64\Gidphq32.exe
C:\Windows\system32\Gidphq32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4468

C:\Windows\SysWOW64\Gqkhjn32.exe
C:\Windows\system32\Gqkhjn32.exe
32⤵
- Executes dropped EXE
- Modifies registry class
PID:5060

C:\Windows\SysWOW64\Gbldaffp.exe
C:\Windows\system32\Gbldaffp.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4272

C:\Windows\SysWOW64\Gifmnpnl.exe
C:\Windows\system32\Gifmnpnl.exe
34⤵
- Executes dropped EXE
- Modifies registry class
PID:2800

C:\Windows\SysWOW64\Gameonno.exe
C:\Windows\system32\Gameonno.exe
35⤵
- Executes dropped EXE
- Modifies registry class
PID:2540

C:\Windows\SysWOW64\Hclakimb.exe
C:\Windows\system32\Hclakimb.exe
36⤵
- Executes dropped EXE
PID:3584

C:\Windows\SysWOW64\Hjfihc32.exe
C:\Windows\system32\Hjfihc32.exe
37⤵
- Executes dropped EXE
- Modifies registry class
PID:3508

C:\Windows\SysWOW64\Hmdedo32.exe
C:\Windows\system32\Hmdedo32.exe
38⤵
- Executes dropped EXE
- Modifies registry class
PID:1700

C:\Windows\SysWOW64\Hfljmdjc.exe
C:\Windows\system32\Hfljmdjc.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3524

C:\Windows\SysWOW64\Hikfip32.exe
C:\Windows\system32\Hikfip32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1688

C:\Windows\SysWOW64\Habnjm32.exe
C:\Windows\system32\Habnjm32.exe
41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2652

C:\Windows\SysWOW64\Hcqjfh32.exe
C:\Windows\system32\Hcqjfh32.exe
42⤵
- Executes dropped EXE
- Modifies registry class
PID:2456

C:\Windows\SysWOW64\Hfofbd32.exe
C:\Windows\system32\Hfofbd32.exe
43⤵
- Executes dropped EXE
PID:4668

C:\Windows\SysWOW64\Himcoo32.exe
C:\Windows\system32\Himcoo32.exe
44⤵
- Executes dropped EXE
PID:4028

C:\Windows\SysWOW64\Hadkpm32.exe
C:\Windows\system32\Hadkpm32.exe
45⤵
- Executes dropped EXE
- Modifies registry class
PID:1016

C:\Windows\SysWOW64\Hccglh32.exe
C:\Windows\system32\Hccglh32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4752

C:\Windows\SysWOW64\Hjmoibog.exe
C:\Windows\system32\Hjmoibog.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2900

C:\Windows\SysWOW64\Haggelfd.exe
C:\Windows\system32\Haggelfd.exe
48⤵
- Executes dropped EXE
PID:8

C:\Windows\SysWOW64\Hcedaheh.exe
C:\Windows\system32\Hcedaheh.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1684

C:\Windows\SysWOW64\Hjolnb32.exe
C:\Windows\system32\Hjolnb32.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2072

C:\Windows\SysWOW64\Hmmhjm32.exe
C:\Windows\system32\Hmmhjm32.exe
51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644

C:\Windows\SysWOW64\Icgqggce.exe
C:\Windows\system32\Icgqggce.exe
52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4828

C:\Windows\SysWOW64\Iffmccbi.exe
C:\Windows\system32\Iffmccbi.exe
53⤵
- Executes dropped EXE
PID:1648

C:\Windows\SysWOW64\Iidipnal.exe
C:\Windows\system32\Iidipnal.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2144

C:\Windows\SysWOW64\Iakaql32.exe
C:\Windows\system32\Iakaql32.exe
55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2968

C:\Windows\SysWOW64\Icjmmg32.exe
C:\Windows\system32\Icjmmg32.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4052

C:\Windows\SysWOW64\Ijdeiaio.exe
C:\Windows\system32\Ijdeiaio.exe
57⤵
- Executes dropped EXE
PID:948

C:\Windows\SysWOW64\Imbaemhc.exe
C:\Windows\system32\Imbaemhc.exe
58⤵
- Executes dropped EXE
- Modifies registry class
PID:4680

C:\Windows\SysWOW64\Ipqnahgf.exe
C:\Windows\system32\Ipqnahgf.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3256

C:\Windows\SysWOW64\Ifjfnb32.exe
C:\Windows\system32\Ifjfnb32.exe
60⤵
- Executes dropped EXE
PID:4008

C:\Windows\SysWOW64\Iiibkn32.exe
C:\Windows\system32\Iiibkn32.exe
61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1268

C:\Windows\SysWOW64\Ipckgh32.exe
C:\Windows\system32\Ipckgh32.exe
62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5048

C:\Windows\SysWOW64\Ibagcc32.exe
C:\Windows\system32\Ibagcc32.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1920

C:\Windows\SysWOW64\Ijhodq32.exe
C:\Windows\system32\Ijhodq32.exe
64⤵
- Executes dropped EXE
- Modifies registry class
PID:884

C:\Windows\SysWOW64\Iabgaklg.exe
C:\Windows\system32\Iabgaklg.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1596

C:\Windows\SysWOW64\Ibccic32.exe
C:\Windows\system32\Ibccic32.exe
66⤵
- Modifies registry class
PID:2888

C:\Windows\SysWOW64\Ijkljp32.exe
C:\Windows\system32\Ijkljp32.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4376

C:\Windows\SysWOW64\Imihfl32.exe
C:\Windows\system32\Imihfl32.exe
68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4748

C:\Windows\SysWOW64\Jbfpobpb.exe
C:\Windows\system32\Jbfpobpb.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4908

C:\Windows\SysWOW64\Jfaloa32.exe
C:\Windows\system32\Jfaloa32.exe
70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1108

C:\Windows\SysWOW64\Jiphkm32.exe
C:\Windows\system32\Jiphkm32.exe
71⤵
- Modifies registry class
PID:2832

C:\Windows\SysWOW64\Jagqlj32.exe
C:\Windows\system32\Jagqlj32.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2848

C:\Windows\SysWOW64\Jdemhe32.exe
C:\Windows\system32\Jdemhe32.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4172

C:\Windows\SysWOW64\Jjpeepnb.exe
C:\Windows\system32\Jjpeepnb.exe
74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3172

C:\Windows\SysWOW64\Jmnaakne.exe
C:\Windows\system32\Jmnaakne.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4016

C:\Windows\SysWOW64\Jjbako32.exe
C:\Windows\system32\Jjbako32.exe
76⤵
- Drops file in System32 directory
PID:1912

C:\Windows\SysWOW64\Jmpngk32.exe
C:\Windows\system32\Jmpngk32.exe
77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3756

C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4944

C:\Windows\SysWOW64\Jkdnpo32.exe
C:\Windows\system32\Jkdnpo32.exe
79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444

C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
80⤵
- Modifies registry class
PID:4648

C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
81⤵
- Drops file in System32 directory
PID:4604

C:\Windows\SysWOW64\Jbocea32.exe
C:\Windows\system32\Jbocea32.exe
82⤵
- Drops file in System32 directory
- Modifies registry class
PID:4380

C:\Windows\SysWOW64\Jkfkfohj.exe
C:\Windows\system32\Jkfkfohj.exe
83⤵
- Modifies registry class
PID:2160

C:\Windows\SysWOW64\Kaqcbi32.exe
C:\Windows\system32\Kaqcbi32.exe
84⤵
- Drops file in System32 directory
PID:2364

C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
85⤵
PID:4628

C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4960

C:\Windows\SysWOW64\Kpepcedo.exe
C:\Windows\system32\Kpepcedo.exe
87⤵
- Drops file in System32 directory
- Modifies registry class
PID:4108

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
88⤵
PID:2632

C:\Windows\SysWOW64\Kinemkko.exe
C:\Windows\system32\Kinemkko.exe
89⤵
- Drops file in System32 directory
PID:4900

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3504

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
91⤵
PID:3980

C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4688

C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1368

C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe
94⤵
- Drops file in System32 directory
PID:3168

C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2168

C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
96⤵
PID:1664

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
97⤵
- Modifies registry class
PID:1732

C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4704

C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
99⤵
- Drops file in System32 directory
PID:4388

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
100⤵
- Modifies registry class
PID:3812

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
101⤵
- Drops file in System32 directory
PID:1560

C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
102⤵
- Drops file in System32 directory
PID:5088

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:312

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
104⤵
PID:5136

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
105⤵
- Drops file in System32 directory
PID:5180

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5224

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5268

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
108⤵
- Drops file in System32 directory
- Modifies registry class
PID:5312

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
109⤵
- Drops file in System32 directory
PID:5348

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5392

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
111⤵
PID:5436

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5480

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
113⤵
- Drops file in System32 directory
- Modifies registry class
PID:5524

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5572

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
115⤵
- Modifies registry class
PID:5616

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
116⤵
- Drops file in System32 directory
PID:5660

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
117⤵
PID:5704

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
118⤵
PID:5748

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
119⤵
- Modifies registry class
PID:5792

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5836

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5876

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5920

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
123⤵
PID:5960

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
124⤵
- Drops file in System32 directory
- Modifies registry class
PID:6004

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6044

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
126⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6088

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
127⤵
PID:6128

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
128⤵
PID:5164

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
129⤵
- Modifies registry class
PID:5244

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
130⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5300

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
131⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5384

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
132⤵
PID:5432

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
133⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5512

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
134⤵
PID:5592

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
135⤵
- Drops file in System32 directory
PID:5648

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
136⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5724

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
137⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5784

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
138⤵
- Modifies registry class
PID:5864

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
139⤵
- Drops file in System32 directory
- Modifies registry class
PID:5936

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
140⤵
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 420
141⤵
- Program crash
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5992 -ip 5992
1⤵
PID:6116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebeejijj.exe
Filesize
208KB

MD5
6a0ad6c12167278a7f6925d2e7d46d6c

SHA1
6e270d27d6f7cdd1f6c8788f29558ccc98c00d25

SHA256
a37cda1a111edaef8ec5582b7f76d4625b743c8d102961d3e2ab9d5c08433685

SHA512
9c21174cdd5cc25ebfa481e997ee7407e0f45848fa1eb5fe41c68319595d14e58cad84817416afd2ae77ecb5ced821272c37ccdc286368c8802d5f7e47dfb0ef

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe
Filesize
208KB

MD5
71218f333562f88cf5d5a489c27f4d22

SHA1
383d4425bcca3df6184256c90a91310fc6d84f4b

SHA256
116448e15df4a095bcac02460b13242d67db130b3f49e2edbdc532d7ff937708

SHA512
1f7f6423df99d083027f132cc97c0f428c7e99e1551d6e6bf41b0dc7dea9a0d3e67f91a9afa310bf4622848705553765e87572b89dd7fd9e4418590999af0391

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe
Filesize
208KB

MD5
a36be6df2bc520b9ae2272db1fa7e119

SHA1
21b4058234b0d17ce7e04840f721883a3126de69

SHA256
91df33b6f2a4c0fe5e37c372c8460ff88f630a39511c613c7c469ad6a7735202

SHA512
a959d08a85f77cc24288681371f0e5bd12e8c2030c24053fd8fa04189c9b475568abe2cf5d072b976d7a2d73db503eba8cb0f9deeacfa8ee8f9da993f67b72e0

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe
Filesize
208KB

MD5
83be63305bb881e412c9abe02334b6af

SHA1
9de288f7606b73fbd5a35dcbebdb4d4c8a6fdda3

SHA256
c7d5cdcc1bb3ec500c0e2006d200dc2bd081c72a64b91d7736db3d6d5dacaa5d

SHA512
e870ae0a89e028779ae7735d8c7e6f38eb5ccbba4203b3fb2980046a50fa0003e4763e59a526ea8a9f278679057668dc5cc3454d0920b1f4b55e44046f7951b9

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe
Filesize
208KB

MD5
944d3c0817e0f32ee94e6f499645a618

SHA1
2a7af094378f8a624165fb7681221b7b13b07f9b

SHA256
56e360d4674c9256fb71f974db9a83a558817a56f7919e669ccb91c531e958a0

SHA512
09cf55d0b749c30892dc22846fa8e2c0050ea80e6f0792d0c53e353f072183c51c065dc6c690df6559b693b525e2665ee98c7b4e24a9b029db0355aa9b179339

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe
Filesize
208KB

MD5
0c3eefd7dfb398f6a0e50c11aa57ce4f

SHA1
76710972228367161e4a9c54a36b5d5023d04652

SHA256
9514e20e3f45a79775026f63ba3ab5686c2f6782bfcc92c000956117eb7c88d5

SHA512
d3e58fea94f3060f0020d91aedce4397d491ddce6475f54d37c6af375edd69a4b5fa04d1faa6eba47b03f8b7d7d674a9c15bf0c3a44ce4548650fabbf8b38f8e

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe
Filesize
208KB

MD5
ee6e17eacd3994d1096bc38b265ef502

SHA1
48c7fdb1937856e654e93849b77cfc644bc1c3c8

SHA256
80cee1f0768da2f32f3e1ab6a5ba1daeb7e5e549d8c350a80790ea5481817ad6

SHA512
d273af2dd35c64940431b2bfbb1d47f43098b73416bf7d3a4bd355f9332f59e2730e9d32622f9ca5199438aa343022257733cfac2d7fb55711a48e19fbf85d0a

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe
Filesize
208KB

MD5
efbe40650f1b08ac50447cf90fef22bf

SHA1
0eb50bd40301f2b8211c04af67fd424ae43dae24

SHA256
691ddbd1548e487d6326dc1185353c913c425ee74cda3af9f8240ce6bab27e36

SHA512
79f31c6432ac2ce2cfdec0620b27375569248081f886a35c5655af059a1dc27953e3100f36188ffef943453dc1ce997e7d0de29e33170f44d01a6c5ba0cfe399

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe
Filesize
208KB

MD5
f9f217eb2ceb63ad3fbb20ce5bd5b951

SHA1
47bde78f5a69072091798d3ef1063e039e57033f

SHA256
c519010f071c68a0273def8419b64282769b0edd447a7d3073a0ac8750ef22e9

SHA512
d3a7b39b0cdddab97b2af224290d5a66068bb5e7ec4dbb75e049cb8bc54abf5d50b0ea82832a0453ccbd6eec975f7adf3b75d17bcb355fc67a4b53ae6f2b080c

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe
Filesize
208KB

MD5
6b280f1a13f4485616e89252e6dd6b81

SHA1
41d25396a2a694637df684670ff599542f91ef6a

SHA256
b02f08a6439521bf9a3e9ba162369600ef4e32cd5647cd84ae265836975e87b0

SHA512
516f143eb78782ed96fb6a766dd25d2bcd26b7720f60e0c7bacfb381bf0f970d361213516dff9354c09e42ca1136531d818d90fb6760fb2a82c5173b19460cc4

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe
Filesize
208KB

MD5
3afd6f75fd75efa72ec8df9d179be2f7

SHA1
6e8527e4e2489f8cfd39fabc3612a0286dc4ccec

SHA256
ba356f371b29260afd09da353c34b8378aa9beb642ca7e5e544b296047082ac7

SHA512
a7a844f569b16147e01edb01a8c5cf40bc59ecca21931ae0fc55b27c21895802515b968c766bc1f628d1618e6e807c7601d23b0625b2bd6677f126294eb8e195

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe
Filesize
208KB

MD5
30337c7f351fb3ff315ba1c412ecc3ca

SHA1
592f98b274a9e10a3229c38c2547ebd247b7de6e

SHA256
e5ef23be59097ee3051a2aa82e888bbecc827b5254c1716f15c5c93f6a80fb25

SHA512
501721be82bacd98b97e3721f9a580e094d90edd0d761c921202db60eaf512549e6dc39d188dcb98e003e7075159a36a7632b3f1c60031843726925e62ed292b

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe
Filesize
208KB

MD5
d42e410e3ed621c5d0b8b1391e3e85d5

SHA1
c2a49f2d926f24fe097cf4a36ab7ab9a7072b909

SHA256
f066d9c6a116c3f563dbc2ad52ef0bdb5fcb0d34403945034ecfce897b8777b7

SHA512
5df6bb8aba78420c8bae2c84ffe935a3838e0f691dae601118c02164e9f1e1560cf58d314bc65acdc22759531a20c5f9604bb0796c050e227a4e20de9c7a318a

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe
Filesize
208KB

MD5
58b6567898eb04b213e6c0b6af616a87

SHA1
b75a45866e19bc1f42f1f7ce0513e3ab63f9d35a

SHA256
10d3e838867f3a2d12366d5a354cb3011c546095af010e05f148e3e2a28db217

SHA512
6816e6481adbedb89bec4563d4ff56400ce1c89d5b0c6752f78cc106a9d0d27d418a52636bf9881495b32a5b7c1330a5fba22db7888bdbeb8ffe2fdb8e3bc209

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe
Filesize
208KB

MD5
e003c4e21889dd5804926b7f1622dd99

SHA1
af8065b79fe35ac2ce1e908900da8991818835fb

SHA256
58c96debd4cef49b8569601cfa4208ecc0419a419e35e1f5974ffab09702b8ee

SHA512
7bca7b647e875325f7b170ae759768b0a76236acb748f868959ac08e2366048be365e15cb7341ad0b00a2c21e21409ce5d75ee6d7cf4f240c60b49d5da695d0c

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe
Filesize
208KB

MD5
3d22f7c15fe58d26cd142bb9713085dd

SHA1
f05413499236413451505c11c58a28bbc903ee22

SHA256
70a4de808e30ac03ceece1617de5bd773c0a455d7f730a86ea00be48a767174a

SHA512
13931f2152666235372dde4eab30b108f6ee8ae04aa11c2c1df51445d216c266da497897bca4186bff2afd138ecc4b8b0f8e534d61e08e36c2a9288a736b15df

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe
Filesize
208KB

MD5
e154aaea9bb61370f68ceda0f9924666

SHA1
bb900a672cacf557294ab3ace53b04648dbff67b

SHA256
8bb516d5d66ce6f71b8cded74bad8ec0eea18cfa90b2a37369339373673a202a

SHA512
f99d7246117dba4ea392f9b8a44324475dd2f60b2cc911c678ba7bcba8011440f0c926f198aa991e4b555bbaaad535328f46e25d79991111aa6d86af7e76e35e

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe
Filesize
208KB

MD5
1fcc4d8696bb59bbd31effc7667dc56b

SHA1
22c7411459e63cad091095d00532ac9e1afd1267

SHA256
0e59dc2299e89b98eb367086073f5a74d7f937d8cb7b1f407cb4a8c19c5c3b52

SHA512
44d9e21d866aa71f71343b1d507d8d7e749a19f4dee1ade2cbd086c5b26bd614c46e47c515aaca7551573b6e597d516d34cd20cf62f8af8a600bca055f39ceaf

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe
Filesize
208KB

MD5
ccbcd65fea93845cf16c35eda2d580ac

SHA1
c218b826ee13d2a070938c52822ddb37d6cdaf9d

SHA256
08db0b57489d82e91758c929527f77edfe8da1e169eb09e34b9a89a333c969f7

SHA512
27d16079b762f4bd746d83d61e1fb4e886c2c65af6842d574f68e68489e90475fac6cd3c669f727133da0c0c535e629bb68c056d3d7af83b7b15c2b0142d936f

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe
Filesize
208KB

MD5
f1fdb1f2ec8a5d108f5a4d17acb22b03

SHA1
df3ad8e10d914a64d80a9a68efa98e1326939e95

SHA256
a5b56394c43286141cdc51d698617887f41da6a4661afaeee173bd7fea2febfd

SHA512
54c89cfe0946f07c6c3fe19993e8b016719766ea0c5c587ba7a0cc6d83857e34f1de2a07f581d01e10667c2e1bc2b13fafe3358cabbc79f069688f4a0641a6eb

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe
Filesize
208KB

MD5
62435533a286897de759e83f26842813

SHA1
d61a5e0216a253234dbd2f5854248bb8d599d243

SHA256
be0ffbb57643004faca2fd835b77f0e8537af40f24df8204683b4e011ce4920e

SHA512
87f0dce7420a1ae8019e74fcfe165ec3167a4e2d7e6879067859e7ff5d3c66aafa51114b09c591fbb465f1935a31f0ba16d56debebe38c381bf9bebc68c65d34

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe
Filesize
208KB

MD5
e8e75f02b151811716608b70e8eca86a

SHA1
f09cff1b22c94d24eaf6d233b036608e925055a9

SHA256
e9a2cf0fdc345ffafe51c51edccb6a294339cb5e88acbefb912ac5c6a4fa4099

SHA512
76e894fd9aa031aacd54481b23da7599047950475e970923a6c8d9b7225cb9acff632d19c4f4ab50c8aa569953f9735df18632a68aba8644ae51f5158da4ea68

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe
Filesize
208KB

MD5
1e84e0de92a7d8c73bd30d47c43f9891

SHA1
b3567bf187c86018c4e403e50fc2b294190253b9

SHA256
aeb7d50e08f468d1c4692e45402636850d389b06fbe52ef391bfb917b91e0b23

SHA512
1e6a1ff2adcad649562980bf2621edcb9782cd805ad8af9b6055a3aba2bef076e9c9ad1d238eb2eba5ddfb57d5a2eb27a0a4a87c14e19660e23ed8c3b42f8450

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe
Filesize
208KB

MD5
96d50750a944bd442da4d76709731e66

SHA1
45aa2f9c864d71152dbefd610269721c2610e221

SHA256
df99ea267d32a9f776675c12448f450bf10ecfb72840e5d19bccd47214bc89f9

SHA512
ceffd810500d3d16c4edb35ce907e570cd040b3beed6e411b1762d642df42d93c5fd7fee5838225c4cb4b0b0f31685cc7f28dc8162ea7df18a3b0515c1984180

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe
Filesize
208KB

MD5
e3936d4f70fe680489d12033f9c293d1

SHA1
0e93024edf416be8597f9590103304100486d55c

SHA256
540e0fd05f20541459ce0d651a04b19893459bb296240afbb0a7b4c6407e049b

SHA512
f44f3c410e23decc8dc28818af7dd05ae675d091deeed4eb5e2ec80de1254ec5ff6e3cbcc8c0f9b4f2e4f3af00cd89c2fc1caa97a7006cc6fe71823728eecb3a

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe
Filesize
208KB

MD5
d7ef327041ffee1aaad59892b425f9c8

SHA1
d584e54f13ab6ba2faff36a8c5c9bed8e70d014f

SHA256
86ff0470bdb09f9acf57aa60701e16d82ea630eb24e3f1522c5a0e235d8454dc

SHA512
763363cd51bddf79451a25b087e54a59691c7c69eecb180aa5fbc0e99bb79503e385848545844140ac58f9643d0b53f6095fdddfa9aaa9cfdd42a7d05388bc59

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe
Filesize
208KB

MD5
debd83bad5192e5ebbdfe562d586632b

SHA1
452a8f2b4c32dd3f6ed25ed45b8665c78f84148c

SHA256
13b184cb473fddb1c172e7aa7c0c34b75fdd8a7cda871389fb24a7e5f014cdf5

SHA512
be35f97d16c203f81ef7f776069dc0cf80f0cccf749fc6749aa23be5d3479f6ec55c9f625a393e601398eec6fa99624db3f3621178010b58da13dfee5993fa01

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe
Filesize
208KB

MD5
8ba0bb7613bf64b880710f447aedcce2

SHA1
e7852278da06a6a3f8a8d0eac8abad448ba376e8

SHA256
b93349bf2792f82842912d21654c9bfc01394d5aa5e2336643e747aa8f55c8bf

SHA512
730e63161b8d51fc1d5707ce7a98bb0f7510c7e71cd0636dcda8fc4901cacfab02d3b49d82c467b0f7bb167e2995eccbec03decf74e63a3be66e3c9647fc366e

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe
Filesize
208KB

MD5
238e7fc97d2be14e3cc84fdde5ad3d76

SHA1
c11118bd0871156486de6dcdb3e0d080de72e566

SHA256
f15c522a8af2047c911ac3bc8156551ebeb80a604de91bd1fc3fa3b2b85a5570

SHA512
11b3bd5dedbe8f4bfc089af84fdbc8dc7e37db9c26df73f5c3651349d76aa9eefc9622b5f20b6f0a72cd05373414f5ed8984bbc77302cfd87224d153a95a47a9

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe
Filesize
208KB

MD5
4c4a7c87d6dab56889bdb75d3cdc2199

SHA1
7c047cb497823447555358f7662bfd09172aea3f

SHA256
d0a5ff30e4f94827d69dc90cda7a4baa8d73b60cbe78d601c8bab026306cd517

SHA512
fddf07bcfbc411ac77a8ddc626aee00de66de50053e2384e1779a2e25493ab1ec834fdadb8b0637dc6c3bac28adb6001887a18e2d300798cea16625bb6e731cd

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe
Filesize
208KB

MD5
b55fabe760edc2ebc1b84627bc4c2d62

SHA1
128b55b64624d1128e3cccea1b8c7d6c769fa416

SHA256
10c0865816be5c5cf56992ba90934d48cc6b9dd0f2fe886876318027fb33c918

SHA512
a7b0e9852bcfd21c4889c9585554089c253668c053bf346c432f81d4b72828c737a7352079dc88d6ccec277fc1822b125e7c7302b8dfb203707307243e25523c

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe
Filesize
208KB

MD5
f30cd707db9cc7c6b6452193d92f8dcf

SHA1
4fe4ba2a0d20911d594c794bf2101a8689095b22

SHA256
98d72d24c08846ab28cfd94f5bcc88191791fa48180c93ebf0915f6e8840808f

SHA512
18c55b2931e71167b04379f7018d33c45c786787a65d2d1121717a87a08ec95ec018531152f41220de542cb5f7df641662f584ba60d1e113513b278da88c50f0

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe
Filesize
64KB

MD5
e51d9ae7b7b75f89ab7abf815babb62e

SHA1
e47916ef49dd6eec044d74afe08cd668931e8ede

SHA256
e7ca1ff8ec96a66b367f54f30719b044717cd08d9a58b959594ff9d565a0d328

SHA512
4cdfe01d1757095c2f2a4ab421cd4b144ddc0ad60fd20354cd993dc3f83059f2bee2cabc70c873ef201686ba233a3410a3ec5a1dd225040def421bef42ad0061

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe
Filesize
208KB

MD5
f8f53a1d5d02031d6789602a3cb4607f

SHA1
ca80b9c2c01abce50d63b5140d71483f8b8745a5

SHA256
f0aaf32224232c44d030aaee87ce4f1f3c3f210fa88043a2d8d0f57f2a921e09

SHA512
23f9bd8c87d6b599ed3d934be7f57d7f5f47151358683bcb0e32ff6df5663b610417ba1925eb3239b3aa9b100f8c2a5243183984ff16ed5eaa7ab2df4cc36ed1

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe
Filesize
208KB

MD5
fe3a3292fb3e5d64c435a0611b0db6a4

SHA1
bd39f39c337d89a9e600410c96375df1053f7c44

SHA256
e46f942da7b3197883f492b1e9dfd149ff1fa94e7cd1ad975ea73e0e10c66ac0

SHA512
56e4da6d1beaeb8ed2d4ea30648f8236841ba81ff47f59d39ffdb434748ebd3796e088e74d39493da83604b259c2d386b559fed7098e1a01e5793f02c72dba59

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe
Filesize
208KB

MD5
a158a31c890362ab96f864c3129928ac

SHA1
ab4efce191414d715ce96f10f81bb123a819e0d5

SHA256
d84784fe304eb5812f392c3624b5b17ee2c5ed66e08fe01f56f8a0edcc820608

SHA512
d5b0f7e68cb675564a1db35f61785eea336bfaa64d9467e0bb1e592c59fcd87f784087fc4a360653bfd531219473fae32bebebd932a1d6513f6c858774bcefce

Download Submit
C:\Windows\SysWOW64\Jdmaid32.dll
Filesize
7KB

MD5
51bf29c64d7418a4363e04547b663481

SHA1
33e7ee769859a2b2b186ffa1845af447c96f3f98

SHA256
c499c0b3d29f0c2b820058a8272242f2b522c1114b38e1eae79a6a5dd26ed9c4

SHA512
73162d69ef14ff75f574520851d45d657d65245658af19aea2dae4eccd451ba117e370bf1065fd379cd98d034abf5786e9088c214e78b1c5d4e49d321021e99b

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe
Filesize
208KB

MD5
111449afc289fac34f309d8daa1bb937

SHA1
b233d3a99b46516c1ead0505bcf8a5cfec8dafe3

SHA256
dd2876dd9cfb338c26906a7e61b9481e4f055d9551ea0ca1145d14208f8b7823

SHA512
f6600c711c18e55b6dfb1cd61a907c8a5da52e6d031dbe24bddfe3944c5d325f546e7da7034471b59a48fb66fe7e1e1a30a841726460b677699aefee4dbd7119

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe
Filesize
208KB

MD5
fffaed455e6dff02e6c69c9bcddc5e6d

SHA1
7aa97eefd6f074c8c603e2706bc10909d4991261

SHA256
0f162342185cb42db3b7aeadb2de23cc4ee3801f32e20ea90d0408e3459f2285

SHA512
c411674c3e0332dfd5c6e8f842d5c502720ec7539237ebedb60753051f1bf8e6995b42adc6a24cbfd6f5a87d1fb20a26baf9dccbbc0d2ac2928375de0ab9b661

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe
Filesize
208KB

MD5
a75b66f1dae2eff6937236f5cf1523cf

SHA1
6fbdc5812be5baea908bc200f2fe9c0778fbe21e

SHA256
6870d440c699d078953de7a601865e6135a3c6c929d389fa7b334e8358b3ba9a

SHA512
75a521c3a47978bf86ff8f14c76d9428b279441a5a7e00d2563bf92e06b5d85d7e931fe50e81598c37bb821d9983e0ab545eb80bd9c5a4759e94682e4e9e4a47

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe
Filesize
208KB

MD5
6d71727a867205e4aea48885f91f1761

SHA1
62176d2153fd988479994a35226516a945014d7a

SHA256
469a118f9b8ee8ace2b1268e0d938b7d00373b579455507b6913d7be4191dcdd

SHA512
b5885214d27dc5b5c6d3493e55f3e213fb7c77cd363e376bd0719d5343da44892694c076780c5617146b1211e323d50ec766e9aced31a03a9b567bc2f0070727

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe
Filesize
208KB

MD5
44b65b2c9b25f72c4cebaef1431b09cc

SHA1
a6aab65cf91cc158772ab8a9db44717dce37c7bb

SHA256
c9343d1359410ec3ed98369947cf4286255016c155afcc63712ccb3ee7f35316

SHA512
552af453d4f08157f2a4ad1ca82a92d812a46715b3b11261e3c3fc408c6e90535eb54e8e9366e2c5c75a724bf4b64e565fefaebe5931b1c7fb083ce9fabaeff8

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe
Filesize
208KB

MD5
ef08ee1b4ee9ede9de1c3190b3e27a22

SHA1
8d0af139b619aba18c128b2c07b417d8fe7c4aa0

SHA256
26fad0b43dc7fefd2865ab87529ee652e3eb6170722474ba12b5802b97a273a4

SHA512
824a0fafaf8020dfa634ae8d58ea948c947f7e226a3dc623e5035291261b717f67a4b12699bfde17904b886e453dc7f722de851bc407a8f224ffb82a2eba127f

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe
Filesize
208KB

MD5
ee937ba8cd5b798e1ee7e0e7c761067e

SHA1
1bf723f8cd7630e888a83d415ffe13ed51381851

SHA256
98192ec01c56bb7581b4e5b2554b02fc58d39f1edb48d2b1cb97a1b6d6e76a70

SHA512
bf96f0ea6a5cd111a8e5cc50d4895f567ae4f0e9810e26ce783cddb22c9e3066990676b9fd72784e23c23575516ac8aa3bb357d2a843871680a6f8aa71ebefc5

Download Submit
memory/8-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/224-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/228-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/436-200-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/532-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/664-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/664-602-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/860-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/884-442-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/920-221-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/948-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1016-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1108-478-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1236-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1236-578-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1268-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1444-532-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1596-448-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1644-364-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1648-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1684-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1688-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1700-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1784-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1912-514-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1920-441-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1960-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2072-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2144-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2160-559-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2364-565-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2412-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2440-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2456-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2540-272-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2624-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2624-571-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2632-592-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2652-308-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2744-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2800-266-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2832-484-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2848-494-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2888-458-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2900-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-392-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3104-112-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3172-502-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3256-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3276-550-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3276-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3508-281-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3524-296-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3584-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3756-520-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3984-564-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3984-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4008-423-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4016-513-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4028-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4052-398-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4056-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4108-585-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4164-557-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4164-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4172-496-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4184-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4272-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4300-591-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4300-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4372-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4376-460-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4380-555-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4404-184-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4432-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4468-240-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4516-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4524-224-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4604-544-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4616-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4628-575-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4648-543-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4668-320-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4680-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4748-466-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4752-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-191-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4828-375-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4900-604-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4908-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4944-531-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4960-579-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5012-128-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5048-434-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5060-248-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download