304d1f0894aeecca55fe4fc0e6f17f2d3b67a8ee809448836e346c50015c893b

Analysis

max time kernel
137s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35e08bfe1b1a555bc16a3bc234a0f590_NeikiAnalytics.exe
Size

357KB
MD5

35e08bfe1b1a555bc16a3bc234a0f590
SHA1

cd09ff7e2fd1d2e4ebbdb11a1603bda8f8d9ef88
SHA256

304d1f0894aeecca55fe4fc0e6f17f2d3b67a8ee809448836e346c50015c893b
SHA512

1a36d8b5d59d8299bd5060149b28c784ea26beed5fff4fbeb986f11928ba74ba02b55effbe72dc1bb2cec2c55474b0ab5792b2b4e56d137acebfe78e80747411
SSDEEP

6144:UBtA8wbg02bmj31n6xJmPMwZoXpKtCe8AUReheFlfSZR0SvsuFrGoyeg3kl+fiXt:qtADbg02KZoXpKtCe1eehil6ZR5ZrQe7

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ibmmhdhm.exeIpckgh32.exeIbagcc32.exeNcgkcl32.exeMdiklqhm.exeMaaepd32.exeNceonl32.exeNqiogp32.exeGfcgge32.exeJfkoeppq.exeLgkhlnbn.exeMgekbljc.exeKkbkamnl.exeMdfofakp.exeNgedij32.exeKgmlkp32.exeLcdegnep.exeMnapdf32.exeKbfiep32.exeLpfijcfl.exeNjljefql.exeHjfihc32.exeHpgkkioa.exeHaidklda.exeJpaghf32.exeLmqgnhmp.exeMgnnhk32.exeNklfoi32.exeNbkhfc32.exeGmkbnp32.exeJdemhe32.exeKagichjo.exeLgikfn32.exeMaohkd32.exeHaggelfd.exeMajopeii.exeGmaioo32.exeLnhmng32.exeHjjbcbqj.exeNnmopdep.exe35e08bfe1b1a555bc16a3bc234a0f590_NeikiAnalytics.exeIjdeiaio.exeMnlfigcc.exeMglack32.exeKdaldd32.exeKgdbkohf.exeLpappc32.exeLknjmkdo.exeGjclbc32.exeHcqjfh32.exeLijdhiaa.exeMdkhapfj.exeMgidml32.exeGoiojk32.exeIidipnal.exeImihfl32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	35e08bfe1b1a555bc16a3bc234a0f590_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe

Malware Dropper & Backdoor - Berbew 36 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Gmkbnp32.exe	family_berbew
C:\Windows\SysWOW64\Goiojk32.exe	family_berbew
C:\Windows\SysWOW64\Gfcgge32.exe	family_berbew
C:\Windows\SysWOW64\Giacca32.exe	family_berbew
C:\Windows\SysWOW64\Gpklpkio.exe	family_berbew
C:\Windows\SysWOW64\Gjclbc32.exe	family_berbew
C:\Windows\SysWOW64\Gmaioo32.exe	family_berbew
C:\Windows\SysWOW64\Hjfihc32.exe	family_berbew
C:\Windows\SysWOW64\Hcnnaikp.exe	family_berbew
C:\Windows\SysWOW64\Hjhfnccl.exe	family_berbew
C:\Windows\SysWOW64\Hcqjfh32.exe	family_berbew
C:\Windows\SysWOW64\Hjjbcbqj.exe	family_berbew
C:\Windows\SysWOW64\Hpgkkioa.exe	family_berbew
C:\Windows\SysWOW64\Haggelfd.exe	family_berbew
C:\Windows\SysWOW64\Hbhdmd32.exe	family_berbew
C:\Windows\SysWOW64\Haidklda.exe	family_berbew
C:\Windows\SysWOW64\Iidipnal.exe	family_berbew
C:\Windows\SysWOW64\Ibmmhdhm.exe	family_berbew
C:\Windows\SysWOW64\Ijdeiaio.exe	family_berbew
C:\Windows\SysWOW64\Imbaemhc.exe	family_berbew
C:\Windows\SysWOW64\Ipckgh32.exe	family_berbew
C:\Windows\SysWOW64\Ibagcc32.exe	family_berbew
C:\Windows\SysWOW64\Idacmfkj.exe	family_berbew
C:\Windows\SysWOW64\Imihfl32.exe	family_berbew
C:\Windows\SysWOW64\Jbfpobpb.exe	family_berbew
C:\Windows\SysWOW64\Jdemhe32.exe	family_berbew
C:\Windows\SysWOW64\Jpaghf32.exe	family_berbew
C:\Windows\SysWOW64\Jfkoeppq.exe	family_berbew
C:\Windows\SysWOW64\Kgmlkp32.exe	family_berbew
C:\Windows\SysWOW64\Kdaldd32.exe	family_berbew
C:\Windows\SysWOW64\Kaemnhla.exe	family_berbew
C:\Windows\SysWOW64\Kbfiep32.exe	family_berbew
C:\Windows\SysWOW64\Lcbiao32.exe	family_berbew
C:\Windows\SysWOW64\Ljnnch32.exe	family_berbew
C:\Windows\SysWOW64\Mgidml32.exe	family_berbew
C:\Windows\SysWOW64\Maohkd32.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Gmkbnp32.exeGoiojk32.exeGfcgge32.exeGiacca32.exeGpklpkio.exeGjclbc32.exeGmaioo32.exeHjfihc32.exeHcnnaikp.exeHjhfnccl.exeHcqjfh32.exeHjjbcbqj.exeHpgkkioa.exeHaggelfd.exeHbhdmd32.exeHaidklda.exeIidipnal.exeIbmmhdhm.exeIjdeiaio.exeImbaemhc.exeIpckgh32.exeIbagcc32.exeIdacmfkj.exeImihfl32.exeJbfpobpb.exeJdemhe32.exeJpaghf32.exeJfkoeppq.exeKgmlkp32.exeKdaldd32.exeKaemnhla.exeKbfiep32.exeKagichjo.exeKdffocib.exeKgdbkohf.exeKmnjhioc.exeKpmfddnf.exeKkbkamnl.exeLmqgnhmp.exeLpocjdld.exeLgikfn32.exeLkdggmlj.exeLpappc32.exeLgkhlnbn.exeLijdhiaa.exeLpcmec32.exeLcbiao32.exeLnhmng32.exeLpfijcfl.exeLcdegnep.exeLjnnch32.exeLcgblncm.exeLknjmkdo.exeMnlfigcc.exeMdfofakp.exeMgekbljc.exeMjcgohig.exeMajopeii.exeMdiklqhm.exeMkbchk32.exeMnapdf32.exeMdkhapfj.exeMgidml32.exeMaohkd32.exe

pid	process
2092	Gmkbnp32.exe
2540	Goiojk32.exe
4308	Gfcgge32.exe
2408	Giacca32.exe
1788	Gpklpkio.exe
3188	Gjclbc32.exe
2800	Gmaioo32.exe
3796	Hjfihc32.exe
4672	Hcnnaikp.exe
1040	Hjhfnccl.exe
2344	Hcqjfh32.exe
3000	Hjjbcbqj.exe
1392	Hpgkkioa.exe
3204	Haggelfd.exe
1252	Hbhdmd32.exe
3764	Haidklda.exe
4584	Iidipnal.exe
1556	Ibmmhdhm.exe
2196	Ijdeiaio.exe
884	Imbaemhc.exe
4688	Ipckgh32.exe
1160	Ibagcc32.exe
1272	Idacmfkj.exe
3792	Imihfl32.exe
3436	Jbfpobpb.exe
1780	Jdemhe32.exe
1224	Jpaghf32.exe
4324	Jfkoeppq.exe
3972	Kgmlkp32.exe
2564	Kdaldd32.exe
3708	Kaemnhla.exe
4568	Kbfiep32.exe
4980	Kagichjo.exe
2260	Kdffocib.exe
2688	Kgdbkohf.exe
1704	Kmnjhioc.exe
1424	Kpmfddnf.exe
4364	Kkbkamnl.exe
2020	Lmqgnhmp.exe
2292	Lpocjdld.exe
4460	Lgikfn32.exe
912	Lkdggmlj.exe
4684	Lpappc32.exe
4680	Lgkhlnbn.exe
1796	Lijdhiaa.exe
4284	Lpcmec32.exe
1936	Lcbiao32.exe
532	Lnhmng32.exe
3872	Lpfijcfl.exe
4500	Lcdegnep.exe
1544	Ljnnch32.exe
3372	Lcgblncm.exe
1984	Lknjmkdo.exe
1600	Mnlfigcc.exe
5092	Mdfofakp.exe
4724	Mgekbljc.exe
4372	Mjcgohig.exe
624	Majopeii.exe
1152	Mdiklqhm.exe
1772	Mkbchk32.exe
5104	Mnapdf32.exe
3604	Mdkhapfj.exe
3488	Mgidml32.exe
3884	Maohkd32.exe

Drops file in System32 directory 64 IoCs

Processes:

Imihfl32.exeIdacmfkj.exeMaaepd32.exeNdghmo32.exeJbfpobpb.exeLpfijcfl.exeMdiklqhm.exeGfcgge32.exeKgdbkohf.exeNnjbke32.exeNnmopdep.exeNjcpee32.exeGmaioo32.exeIidipnal.exeKagichjo.exeHjjbcbqj.exeKpmfddnf.exeLpappc32.exeGmkbnp32.exeLpcmec32.exeIbmmhdhm.exeMaohkd32.exeNqiogp32.exeImbaemhc.exeLcbiao32.exeLcdegnep.exeLcgblncm.exeKmnjhioc.exeNklfoi32.exeNbkhfc32.exeMjcgohig.exeKkbkamnl.exeLkdggmlj.exeLjnnch32.exeMajopeii.exeNceonl32.exeNcgkcl32.exeNgedij32.exeGiacca32.exeKgmlkp32.exeHpgkkioa.exeIbagcc32.exeLgikfn32.exeGpklpkio.exeHjhfnccl.exeKaemnhla.exeNqfbaq32.exeHcqjfh32.exeLgkhlnbn.exeMnlfigcc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gfcgge32.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Qngfmkdl.dll	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Goiojk32.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Hjfihc32.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Gpklpkio.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Qbplof32.dll	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Pkbjnl32.dll	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5348 5220 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
5348	5220	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Ibagcc32.exeLnhmng32.exeLknjmkdo.exeHcqjfh32.exeNdghmo32.exeNjcpee32.exeNkncdifl.exe35e08bfe1b1a555bc16a3bc234a0f590_NeikiAnalytics.exeMkbchk32.exeJbfpobpb.exeLpocjdld.exeNqfbaq32.exeHjhfnccl.exeIdacmfkj.exeMaaepd32.exeMdpalp32.exeGpklpkio.exeMglack32.exeLcbiao32.exeLpfijcfl.exeMjcgohig.exeGmkbnp32.exeJfkoeppq.exeLkdggmlj.exeNnmopdep.exeHjjbcbqj.exeIidipnal.exeMaohkd32.exeNbkhfc32.exeNcgkcl32.exeNgedij32.exeGjclbc32.exeLijdhiaa.exeLcgblncm.exeIpckgh32.exeNjljefql.exeNklfoi32.exeKgdbkohf.exeMnlfigcc.exeGmaioo32.exeIjdeiaio.exeMgekbljc.exeMnapdf32.exeMdkhapfj.exeHbhdmd32.exeKagichjo.exeLpappc32.exeNceonl32.exeGoiojk32.exeJdemhe32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfmmb32.dll"	35e08bfe1b1a555bc16a3bc234a0f590_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	35e08bfe1b1a555bc16a3bc234a0f590_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdemhe32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

35e08bfe1b1a555bc16a3bc234a0f590_NeikiAnalytics.exeGmkbnp32.exeGoiojk32.exeGfcgge32.exeGiacca32.exeGpklpkio.exeGjclbc32.exeGmaioo32.exeHjfihc32.exeHcnnaikp.exeHjhfnccl.exeHcqjfh32.exeHjjbcbqj.exeHpgkkioa.exeHaggelfd.exeHbhdmd32.exeHaidklda.exeIidipnal.exeIbmmhdhm.exeIjdeiaio.exeImbaemhc.exeIpckgh32.exe

description	pid	process	target process
PID 5000 wrote to memory of 2092	5000	35e08bfe1b1a555bc16a3bc234a0f590_NeikiAnalytics.exe	Gmkbnp32.exe
PID 5000 wrote to memory of 2092	5000	35e08bfe1b1a555bc16a3bc234a0f590_NeikiAnalytics.exe	Gmkbnp32.exe
PID 5000 wrote to memory of 2092	5000	35e08bfe1b1a555bc16a3bc234a0f590_NeikiAnalytics.exe	Gmkbnp32.exe
PID 2092 wrote to memory of 2540	2092	Gmkbnp32.exe	Goiojk32.exe
PID 2092 wrote to memory of 2540	2092	Gmkbnp32.exe	Goiojk32.exe
PID 2092 wrote to memory of 2540	2092	Gmkbnp32.exe	Goiojk32.exe
PID 2540 wrote to memory of 4308	2540	Goiojk32.exe	Gfcgge32.exe
PID 2540 wrote to memory of 4308	2540	Goiojk32.exe	Gfcgge32.exe
PID 2540 wrote to memory of 4308	2540	Goiojk32.exe	Gfcgge32.exe
PID 4308 wrote to memory of 2408	4308	Gfcgge32.exe	Giacca32.exe
PID 4308 wrote to memory of 2408	4308	Gfcgge32.exe	Giacca32.exe
PID 4308 wrote to memory of 2408	4308	Gfcgge32.exe	Giacca32.exe
PID 2408 wrote to memory of 1788	2408	Giacca32.exe	Gpklpkio.exe
PID 2408 wrote to memory of 1788	2408	Giacca32.exe	Gpklpkio.exe
PID 2408 wrote to memory of 1788	2408	Giacca32.exe	Gpklpkio.exe
PID 1788 wrote to memory of 3188	1788	Gpklpkio.exe	Gjclbc32.exe
PID 1788 wrote to memory of 3188	1788	Gpklpkio.exe	Gjclbc32.exe
PID 1788 wrote to memory of 3188	1788	Gpklpkio.exe	Gjclbc32.exe
PID 3188 wrote to memory of 2800	3188	Gjclbc32.exe	Gmaioo32.exe
PID 3188 wrote to memory of 2800	3188	Gjclbc32.exe	Gmaioo32.exe
PID 3188 wrote to memory of 2800	3188	Gjclbc32.exe	Gmaioo32.exe
PID 2800 wrote to memory of 3796	2800	Gmaioo32.exe	Hjfihc32.exe
PID 2800 wrote to memory of 3796	2800	Gmaioo32.exe	Hjfihc32.exe
PID 2800 wrote to memory of 3796	2800	Gmaioo32.exe	Hjfihc32.exe
PID 3796 wrote to memory of 4672	3796	Hjfihc32.exe	Hcnnaikp.exe
PID 3796 wrote to memory of 4672	3796	Hjfihc32.exe	Hcnnaikp.exe
PID 3796 wrote to memory of 4672	3796	Hjfihc32.exe	Hcnnaikp.exe
PID 4672 wrote to memory of 1040	4672	Hcnnaikp.exe	Hjhfnccl.exe
PID 4672 wrote to memory of 1040	4672	Hcnnaikp.exe	Hjhfnccl.exe
PID 4672 wrote to memory of 1040	4672	Hcnnaikp.exe	Hjhfnccl.exe
PID 1040 wrote to memory of 2344	1040	Hjhfnccl.exe	Hcqjfh32.exe
PID 1040 wrote to memory of 2344	1040	Hjhfnccl.exe	Hcqjfh32.exe
PID 1040 wrote to memory of 2344	1040	Hjhfnccl.exe	Hcqjfh32.exe
PID 2344 wrote to memory of 3000	2344	Hcqjfh32.exe	Hjjbcbqj.exe
PID 2344 wrote to memory of 3000	2344	Hcqjfh32.exe	Hjjbcbqj.exe
PID 2344 wrote to memory of 3000	2344	Hcqjfh32.exe	Hjjbcbqj.exe
PID 3000 wrote to memory of 1392	3000	Hjjbcbqj.exe	Hpgkkioa.exe
PID 3000 wrote to memory of 1392	3000	Hjjbcbqj.exe	Hpgkkioa.exe
PID 3000 wrote to memory of 1392	3000	Hjjbcbqj.exe	Hpgkkioa.exe
PID 1392 wrote to memory of 3204	1392	Hpgkkioa.exe	Haggelfd.exe
PID 1392 wrote to memory of 3204	1392	Hpgkkioa.exe	Haggelfd.exe
PID 1392 wrote to memory of 3204	1392	Hpgkkioa.exe	Haggelfd.exe
PID 3204 wrote to memory of 1252	3204	Haggelfd.exe	Hbhdmd32.exe
PID 3204 wrote to memory of 1252	3204	Haggelfd.exe	Hbhdmd32.exe
PID 3204 wrote to memory of 1252	3204	Haggelfd.exe	Hbhdmd32.exe
PID 1252 wrote to memory of 3764	1252	Hbhdmd32.exe	Haidklda.exe
PID 1252 wrote to memory of 3764	1252	Hbhdmd32.exe	Haidklda.exe
PID 1252 wrote to memory of 3764	1252	Hbhdmd32.exe	Haidklda.exe
PID 3764 wrote to memory of 4584	3764	Haidklda.exe	Iidipnal.exe
PID 3764 wrote to memory of 4584	3764	Haidklda.exe	Iidipnal.exe
PID 3764 wrote to memory of 4584	3764	Haidklda.exe	Iidipnal.exe
PID 4584 wrote to memory of 1556	4584	Iidipnal.exe	Ibmmhdhm.exe
PID 4584 wrote to memory of 1556	4584	Iidipnal.exe	Ibmmhdhm.exe
PID 4584 wrote to memory of 1556	4584	Iidipnal.exe	Ibmmhdhm.exe
PID 1556 wrote to memory of 2196	1556	Ibmmhdhm.exe	Ijdeiaio.exe
PID 1556 wrote to memory of 2196	1556	Ibmmhdhm.exe	Ijdeiaio.exe
PID 1556 wrote to memory of 2196	1556	Ibmmhdhm.exe	Ijdeiaio.exe
PID 2196 wrote to memory of 884	2196	Ijdeiaio.exe	Imbaemhc.exe
PID 2196 wrote to memory of 884	2196	Ijdeiaio.exe	Imbaemhc.exe
PID 2196 wrote to memory of 884	2196	Ijdeiaio.exe	Imbaemhc.exe
PID 884 wrote to memory of 4688	884	Imbaemhc.exe	Ipckgh32.exe
PID 884 wrote to memory of 4688	884	Imbaemhc.exe	Ipckgh32.exe
PID 884 wrote to memory of 4688	884	Imbaemhc.exe	Ipckgh32.exe
PID 4688 wrote to memory of 1160	4688	Ipckgh32.exe	Ibagcc32.exe

C:\Users\Admin\AppData\Local\Temp\35e08bfe1b1a555bc16a3bc234a0f590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35e08bfe1b1a555bc16a3bc234a0f590_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\SysWOW64\Gmkbnp32.exe
  C:\Windows\system32\Gmkbnp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\Goiojk32.exe
    C:\Windows\system32\Goiojk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\Gfcgge32.exe
      C:\Windows\system32\Gfcgge32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4308
    - - C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3708
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        35⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1424
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        68⤵
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1896
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        74⤵
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        77⤵
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        83⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        84⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 416
        85⤵
        Program crash
        
        PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5220 -ip 5220
1⤵
PID:5296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
357KB

MD5
0df3a51f475e60d837d385ed2f015606

SHA1
f1285945c51c9ff19b373f48ffe0694d1e0cc365

SHA256
53b59f2c3c7bebe55ba5d127b1506d2f8220ba3f895692eafe4b01520c72c2d3

SHA512
cd565817992f53db83b64a96cf66d3dc678b807e6ccc4634b5989f70d6a3db964448a4fd3108f8a38d75a4a554ebc264e74e1979548659dd0ad964770342fbbb

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
357KB

MD5
cd65f7207565f9e8811863c06f5daa7b

SHA1
b6a830bc5a9fe582c40e28a8a2039a6aabfbc8d2

SHA256
33447d9082128cb7782914f62eeceff9555a92543a1d4829eb7459857e67421b

SHA512
eb9d50f567bfc73ceda9bcd8b2d4f5518af3157f4c6d4bcbf7d46fbf13e44961a164906786fe390b47e9ac4edbc18250d708448762d5d25628eb2820802079ce

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
357KB

MD5
65d3f9a6afe900016bc55054d71c33c1

SHA1
8063baf5f94323602fe6f3cfad2d04e35933019d

SHA256
d440205f0439b4e75b03e94f53b2d1a76be20738eaabcda2e6634e00712c8261

SHA512
ea8f84ee29c0821659dd414ef1a6767da4442b65d69b64735ec740df2cb58ef0a5c066a1922f9505b1b28be085e2c78bacb3c2f71932aa70794bec899e218f12

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
357KB

MD5
5d216647e6051ea7c5bdff746bf1d6b3

SHA1
a22fc87a372ede3f2b78a69e9f65ee0e2f7a2075

SHA256
be5eafdf282b3e0fbe90eb26faf8650d3e09b4d0669816e839109bbb33c402c6

SHA512
55ea156f3919a778c75b9d8e78d9b60b99ef1b0219d9315630ff43bc135cb827f17a9448fa696632b5523a2d85d8b760f83dd146542fa7af3ceeb3d0879afade

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
357KB

MD5
e2a97b4d4b16a7f4dc017a1b3024172d

SHA1
b68f67e679cc8a26e1dc6aab7da1fc7ed449be1a

SHA256
9a8badd40fe0adfc498636a26f6ddb07eb3ef32f7bb707e2d81a344703dbe49d

SHA512
5c83e41ec3383acae1ee8cdcb7cde2abb7eb19290fecf0b95cae45221c51cae4469cc135b395f289f40130ea1f5c073746f03923719009e5dc4639d78569ab6d

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
357KB

MD5
0c34bb7dcaf9b83e851fec83efba4633

SHA1
78e5fbdc233e3299dd4523569b098d45efaf2c2c

SHA256
9864058be15e4d47ab5e47680c271d540564dd8740b1a326465079872e37b899

SHA512
25f5233aaeb0f88568577ebc3eeb0920e197a6baa5a241dd22a0e3234237e9a8133e4fbe8cfb8846465eb0e893e82c2ec317c0670c1d83e3afb3522fc1acb816

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
357KB

MD5
27e69b841a2d4397c1071c15b4bbe3f5

SHA1
9556503fb1a0c554b17a46ab43b43c6ae577abb5

SHA256
6c35deb0fc636283773a40699e67e50417fcf0687fa7fdd5e75134b6dec89e1d

SHA512
a27a2accb84cfae4bf932324951e3a9c97b8f6a812a999659caecd1dc6c2d7de94e01797ae18200ca4c8c7ff1128dc0c97a964343f009fae4fe311ee93245ceb

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
357KB

MD5
69dea8d9e58904afc2bf30c319bb574a

SHA1
d9b6bad9b582d03b0fc00d10e6f49030b6a6995b

SHA256
0823571895149297dfade45d7b936ddcb4a324ea360abbdafe265aa300f96f0a

SHA512
30d888e5f46c80e8172cb286fb61e15f3ae836a0d525a712d1e7d3f1fbf9ef04d74eecfc670360c9b7133bb66235616ed60195698bbac489f9451642167e5212

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
357KB

MD5
db98cfc0d2a4c1fc605c0ea1524c31ad

SHA1
f50b7dc068411f63d9ff3b0a8a2de93eea4787ee

SHA256
b80477ee72ccef8bfc005ed3d5e462746fd2915e350a8a238c0a40711c8c066e

SHA512
9a3d25a4d8f5b0ab1757640ede555c9f88988ef58aa8abd150cea7459a8d1195daf5430f4c399c1a653944a71e455da033cfdde9092cd8097fbfb698e4194693

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
357KB

MD5
a8e26e4e2ab81105ab235501e377ec08

SHA1
5b22e5974c63fe03d864fceaf78e0d84444b9a9a

SHA256
63a417711e13ebba543c7c8f3668babdbdc68038a0001471f73b2259806a3566

SHA512
eefb0f79ef0d368444d8b1e893dbc68359a5777cccebe3686f663ecd21d77887c0db42edb0a6919cc6f54cf67925338c22a58d84814df84430ade3f7a30cc61f

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
357KB

MD5
563f59ec5e4b0b0c7849c4decd9fa24b

SHA1
f63a1a0608f6544e89636aa1d125b7b686721367

SHA256
b2dbf3b5da021166880ed22cabeaa0c134d2b4179876cf3831d0711bf48735d6

SHA512
06b5cbf63bc9e97c8a490a1211e7d757635efcd479e9b9e6b62233125e3471e9bce304589cd3f396be59469b94f19a8b748a0fed76eff7af6922d49e7689cdd3

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
357KB

MD5
caab7ba14f61c6d77f6566f1cfab3628

SHA1
cb5d61368543c3a322ad4912a77dd028bdd2c81c

SHA256
864c1397e1d34d30ac036c909c6f165e66640f9405a63ef1726915e304e09dcf

SHA512
caf7e6f0fa05e75348876c7869e35ad60e40ff794a8fe402c862146d3478e8e2e24768c9ae26d050d1bbc428f1a8a0bff28aff5237af65f2648c63617018ee36

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
357KB

MD5
e06148be24264a92303f84282e9783ca

SHA1
897337c341599ad99594014ac5bfa621c7532d7f

SHA256
7dc6d5b45a1715de902638bf67205756e6a7348426e0541703de654f68d72e80

SHA512
d7cec373a8038a9637c76a0cba581d251659be3d100010dcd826bd26fecd163ad240063218139b47798e03dcd84307c4516f310715365d551d8ff35bcf8a2b60

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
357KB

MD5
939ae2c8c7269578a4edfa875192b2af

SHA1
4b6ad92e98386a429412f007e124e28bc5de42a7

SHA256
f1c3ef57ba2a897bf504dfce992f3bfa9b80a617fafe0dc6be958aaeb29c7dff

SHA512
d65671a466ab32c6a8717b36973168f3fd4eda7e5737bc6ad266f0b724b919186ac739baf05f9d5e6dd59b27b5e01e1984cf0246a6f149c00326b73a7d3ead61

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
357KB

MD5
be3ad987cf6d1df9ab14b71c23092e06

SHA1
2a28801788128d1e947ccde493457ae1838c6af2

SHA256
b127d9d845553273a78a98be2b9d05961779b74d3e65e1dcda5bc0ff29dddcc8

SHA512
cf2f4ef1f80d9fb3aad706b34d83f7442eff7109ea69a2f7aea464bc68867f65b14b40b42e7e803e6598a9a604e59f2de845f351fd20ddd82b288e7ea3ded550

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
357KB

MD5
ebbe337c173c695d0d497b5fd24d0327

SHA1
65b1095c13dbb98580b31d782b476a48b3509157

SHA256
19f97470738cf0b47ef6fa86d4a318b9a4f44e0fcc240aadbcb5758f356a1447

SHA512
d9fd1ab8bf317d216dbd4303a17280d2dee164ab141b0f32cf00fb85f5f2308d652cd4ea65e19e9a2cb8aeff73f84b07e1f90b3b4ac7bf19b553dc4cac9aacc7

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
357KB

MD5
b0f570b711d931126ea9f1f367d06f9d

SHA1
6344382ec2819a87ffcdfa82f0aec554efa184a9

SHA256
d595e7f3b52e2967661a6730d36ad1bd2f54e78cb469cbb560997adde48f7b4d

SHA512
c91be64b9db3a51f7de27da03471da97135b53a93f52ca42009b930e4860a73395eee7aa72a317aa0dfd65db6b10b78ef7436618465812252b426fb9a792a542

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
357KB

MD5
f7293a13ef02c5bd04af64ec6ad4974f

SHA1
13cbf6c4c202a6fbbab34cbb98b8e6a313c11974

SHA256
3ad63201e4a0cf20f2d1ec98e68c2714113eb6ad211dbd323f831276b8ccc88c

SHA512
f2a733307556e85e0ee1fd141de820495a4dedd1b5b8f8fcac0415f1bacbddf053f9fc626c09a3c4a3d9e54df4f612f6698385b3e4121927c968c390bbc6e4f4

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
357KB

MD5
76745a152e0a9c8056bf4aac5dd55351

SHA1
7184254310ae76e69fb39b1bd078a321aec3db0c

SHA256
32a7c3f3882b22400b322dccc5353be09057149d422ebcad11c3331e4af13abb

SHA512
6e6a0fda79ea660fa9e25d74fa55a219d5729131c0d144cbc4e745599037edd18b884936354f8e3e0162be9d099f8dbdaf080808902d54cc5d579b9c49018401

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
357KB

MD5
4e558bf5412ac8dcb52204f71390bd2e

SHA1
99c4a8c4148b4348338b669be02b38ff339bdcf7

SHA256
a2e0759487ea8b6114cb0ead92a02f7fe2d15efb99013ea26b926c49e1aca9f3

SHA512
99b5029901c98acb730787b9724f2c725f2e8153014d873f9a96c98a74eeb71acf11957c73ad70a2b111d803322bdfacd2e9c62f3c25bd3aaee38bcdbda04b1b

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
357KB

MD5
bcc178cda704b54d0feb427f020a5fbd

SHA1
6ece6f65ff866265194ae384a2954ee0b8e5253f

SHA256
e0e3ea40feca1902fabf2ade590b6315f4b475335e513f5113d3e5a07a344f01

SHA512
410ef965129770d30e632e20d781394ae09af79d6408d27ac2ccc1f8d454cec49172c92de630dfc45a0e32be3eca726e51b6617e957ab3cb638c254d336584f5

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
357KB

MD5
7645781c733a775e960ee612873cc705

SHA1
5a9d27865aa4780055d0c43a9ef325b48b78dd74

SHA256
f56cb6ca90dc2e4ec62cd85f5d188bbba7be72e92561bde52a406f5a0a2b27ea

SHA512
90972fae82fe9e4ed846c27f8d293cf966402f0ed4602762997f527832a2bf42228e3db12c175709fe153c5a0a79c8ec3553042f09b9bc8afd5524f4e9b9519f

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
357KB

MD5
c3bebdd7847affa493139c1c1dd0d821

SHA1
55bd8268e69a13f72000f8f250baa6ee4687e7a6

SHA256
7f02e9de0f48c2ad2a66591c5760c280651552de420aa9d285568301a9958ec2

SHA512
10f58fd89137fba35a399134c9550bc599ee4a944c2f00fc2a7b1c22b5b42cad4e9cf256a99de7894d33de8eb81ee4e627dcf7fabc875f791d319a9995bc751a

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
357KB

MD5
4beb9d83a442e10c84bb40e8bbfef8e5

SHA1
8997751f7d38772f088c23dca3394051c90db0b6

SHA256
8e1a986759a7f4d4296e89631d6d42dbe5bdd3ddb8c363ed0953b116e19674d5

SHA512
fb5f228dd30020bfe5606f8cdf10ee665bb14ad16ce909afdd23ddb783018ae6491c453215b01f9714fe0634669161dc81dfa6d474da593ce7766e58ba27cce8

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
357KB

MD5
4649700efa1ddea284605b91de412159

SHA1
7e8fa3c9123cc43a97ec4853034dbcd7d0a3ff74

SHA256
b63d71c6e32f8575253b20ca0c646b30d1656b6c7aaacefe96092715a478b0b3

SHA512
b80679e60c9e927586ac372787fbb2b7637775c56b86a649548f1759d8bb75cf02d753473c6d2874890c1748915aa439d48ec56f2c81d3999e549849c22379d7

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
357KB

MD5
0a770e7c8fecf8e27122e74bbe162bb7

SHA1
ff6ab280e49f729b9f6bfa43a5d0baa1193e43b3

SHA256
ee90174ed9e95b99bae5d69dc4c75dbedee5fcae411c2f7bd86245e9e9e06f29

SHA512
e25d88829834a54b85062aef91c26f30a0690ef6fc9822ac885c0a0d01885ddd2477eba7183edbd39db8f782061a17ecbf339d558139849f8da4ea1099af31af

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
357KB

MD5
7bc65b779e8efb9b83b931f0f63614d0

SHA1
a289302d60d86446d9eda016ca459f7c9426466f

SHA256
051e88a5e846c687483856a9779b1ba7c66382d957402da9179e796b34f6fba3

SHA512
5d8c96a3f30fd95d0c0fc02e7c1af46ce9c64efeef8f302d2d36f7b3b2643fe2f9288d98dfccdeb3c4fc3081c045785cf5d64023134c0dca7a6fc98b12d05e55

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
357KB

MD5
941b2c19835198e71193225df0dceb8d

SHA1
d3a54e6a1bec28ece0d0665603e957af0f16ec80

SHA256
59eb0c286923ae409876ed719c717c600203eba026998920c41932ebe0d077ab

SHA512
2925c46cdc123e258e6165653824741bda1c569f73497a1e20e1e3d2a8a3c81cdd953a455c1a1c28c7bc0fa83383ab450e21e8090363913ecb9dfa78b8bc63ae

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
357KB

MD5
3708902f3cb663933d133f300f2d2e75

SHA1
9accc9df835417810aebdb7acac220ee20931677

SHA256
7c07f7948efd203c2ba0f880636c373ed42dca3183a38165e5199cc25bf73d0b

SHA512
75dbff54f4dfbbc95152aa33b450c326cf5b35314555b82d66eaced706da74b17020181cbd53b36650f884e8571b1bdebd65b7648dc68377f2e9db9ea4f2d515

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
357KB

MD5
584e7eab405719bbf44eba672c6126ce

SHA1
6de38e653e470aaf42eeea4aca543e2f8a1e578f

SHA256
d3dc271290a8f920912614d0c0ae222917663ab5b85d8075a67cda1fbb3ef2e9

SHA512
1853747df106f95c9fc7e34900a63882bc033370e652e32f55758a6f240e7b5aca98444be72a1326b25288ffc44012e800ced7c3e7fce8e8795f0808c5f67c74

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
357KB

MD5
e5c6b77b1cfad8ee792c970dca8a3aeb

SHA1
c862c1d6554ade7d8acf1b8f72247cf89bdded1f

SHA256
19760bcf91a074d58be292869a676ef4b67f597eab1b5190e3f8ce624dad3d87

SHA512
6ca39594dff04e2c9bce6016709f77aee0fd2dd231b9ee1387bf7fbaa50dd8f615bd54cfc6e9120f1ec767102e9f988969c96f68f12294eabb1a802eaf346047

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
357KB

MD5
85f127b71fdf68199c20e6e652379763

SHA1
fb6a9b5303fb31814ccf6a8b6afad5a363dec6e3

SHA256
a7dd742f0b6d8225dd0ee97444958402fa987b13389af240da39e2ea99a9d398

SHA512
13998809f43443a99019d02c2bdf160dfd1087006bb4844ec14d9cd55f57ec18dcec1419f46ccb1c49a86a0bded47725769cdef98066a806421f77b9414062ea

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
357KB

MD5
6152672dfd61eb2639f1ccfc74433307

SHA1
572ee79b0d14de3acddfe992d1a528a93a27b3f6

SHA256
d40edeb68a8f0153bc7c42991b46dad4bcc25c52ddc9712979191e627eadab3a

SHA512
72dd1cc07546a63b651e417f12a54cde6c2e65bf1da7526ee9ca7e1be7545a7b4a223a98daac871623a6a2904b6e2a33090f14a3c4acedb159020d252df4b505

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
357KB

MD5
4ba8c4deb6ecaf3e430a722fcdbe0aee

SHA1
8569ea78e9c0626ef8f25fff1438279c897ccb04

SHA256
6dbdae116afb426d3e19898c1e86fada3760dfcc5237374834e1a60b3fd7f971

SHA512
91ea2217b202b18665dcb97e631abebeed2ad1dad7397bfda9bdebf6899f4202478701fa747d6ad87a8960d7a1d8f5eb48fe84f22f0917b4c435d60f5157f6bf

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
357KB

MD5
f3fdfb73ddf2c215ac6143dc11268d06

SHA1
9dec30be7b4d4716a79b313cf41c367e9ed45b02

SHA256
75095c24992675fe221c4ff9adfad4f20b064f0bebe58019f688f11388c4c6e2

SHA512
653160b8e07172b467a812970b913d6abee8406940839e62be3aa1130f2f0a82322955dfdc3d9eb770fe562e44614072d8b2bc3009a3845e7aa1fa43ef971d76

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
357KB

MD5
2b5e33c625ffd358c3eae226f4f4c98d

SHA1
b43d38414881a89360191c1f25c3ce0f476da854

SHA256
37752c8679796fa85631c72c1e3d0e6d3c588acd52e21062cf4dc1f0aed1c481

SHA512
ceb54e59e2acdfc056715567617fd1993e047a05ee0091ec9685c30523becad15413e9be919b0cf03cc19991cd97f5aae196c68987e55c0833f506a1eb8d5780

Download Submit
C:\Windows\SysWOW64\Ocdehlgh.dll

Filesize
7KB

MD5
d113526e36ce797fa2a16cd867f4272c

SHA1
4165d0212168ea16ac457a393be717f7774ef4bc

SHA256
04402268a1717885999a4b15d35a7a8dc6b3f35d9cd5304ff58532516e6596dd

SHA512
41187c72c0b9d98320577ac77389104e8d0e7bb7be944fa02bbbb5c447fc2a9049405b5af49e070f1fefa0443d307f2a3718b0e2933705fc328d0640fa0c075b

Download Submit
memory/232-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/232-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/532-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/624-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/884-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/912-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/948-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/948-574-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1040-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1152-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1160-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1224-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1252-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1272-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1392-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1424-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1460-489-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1544-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1556-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1600-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1704-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1772-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1788-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1796-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1896-476-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1936-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1984-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2020-302-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2196-156-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2260-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2292-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2344-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2408-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2496-570-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2496-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2540-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2540-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2564-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2800-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-511-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3000-100-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3004-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3036-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3132-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3188-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3204-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3372-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3436-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3488-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3708-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3764-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3780-542-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3792-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3796-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3872-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3884-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3972-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3992-550-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4284-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4308-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4308-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4324-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4364-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4372-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4460-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4500-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4516-571-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4516-530-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4540-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4672-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4680-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4684-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4688-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4712-494-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4724-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4924-524-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4980-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-548-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5092-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5104-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5112-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5128-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5128-568-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5176-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5176-569-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5220-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5220-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download