gozi | 8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe
Size

163KB
MD5

ef5a78af5fd0d9a9de04f49d0c2be860
SHA1

006c9437035975dcca19e3e7834e1e33266d0ace
SHA256

8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539
SHA512

8fa5392aac55f349d22d04b4a49f36f6322d9ec64010dd8cc3d8e085e7dee2c8f8189fb06ffde2f7488627e5ea3a817976fbd4990a137a165f7caad5fb8daa8f
SSDEEP

1536:PyO1ZPwwSV1WyTCKA6rWerLYx02QJjTam97lProNVU4qNVUrk/9QbfBr+7GwKrPb:vjwwelCnwoGae7ltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Jaedgjjd.exeFokbim32.exeFqmlhpla.exeFqaeco32.exeIcjmmg32.exeMjhqjg32.exeNcihikcg.exeGjocgdkg.exeIjdeiaio.exeKgmlkp32.exeMkpgck32.exeHabnjm32.exeJfkoeppq.exeMcnhmm32.exeImihfl32.exeJbmfoa32.exeNnjbke32.exeNdghmo32.exeEoifcnid.exeHfofbd32.exeImgkql32.exeNceonl32.exeGcekkjcj.exeJdmcidam.exeKpjjod32.exeLaalifad.exeMpolqa32.exeEfpajh32.exeLklnhlfb.exeMgidml32.exeGifmnpnl.exeHaidklda.exeJaljgidl.exeMajopeii.exeFmapha32.exeIapjlk32.exeKdopod32.exeLkdggmlj.exeIdacmfkj.exeJjbako32.exeKbdmpqcb.exeMjeddggd.exeGbcakg32.exeJiphkm32.exeHcnnaikp.exeLcbiao32.exeNgcgcjnc.exeGfqjafdq.exeGiofnacd.exeGidphq32.exeHmdedo32.exeLkgdml32.exeNjljefql.exeFbllkh32.exeLmccchkn.exeLgkhlnbn.exeMdiklqhm.exeKpepcedo.exeMciobn32.exeEbeejijj.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebeejijj.exe

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 64 IoCs

Processes:

Ejjqeg32.exeEqciba32.exeEbeejijj.exeEfpajh32.exeEmjjgbjp.exeEoifcnid.exeFfbnph32.exeFhajlc32.exeFokbim32.exeFbioei32.exeFjqgff32.exeFmocba32.exeFqkocpod.exeFbllkh32.exeFmapha32.exeFqmlhpla.exeFjepaecb.exeFqohnp32.exeFobiilai.exeFjhmgeao.exeFqaeco32.exeGbcakg32.exeGjjjle32.exeGqdbiofi.exeGfqjafdq.exeGiofnacd.exeGcekkjcj.exeGbgkfg32.exeGjocgdkg.exeGmmocpjk.exeGcggpj32.exeGidphq32.exeGcidfi32.exeGfhqbe32.exeGifmnpnl.exeGppekj32.exeHfjmgdlf.exeHmdedo32.exeHpbaqj32.exeHcnnaikp.exeHfljmdjc.exeHjhfnccl.exeHabnjm32.exeHcqjfh32.exeHfofbd32.exeHmioonpn.exeHccglh32.exeHfachc32.exeHippdo32.exeHpihai32.exeHcedaheh.exeHjolnb32.exeHaidklda.exeIcgqggce.exeIffmccbi.exeIjaida32.exeImpepm32.exeIcjmmg32.exeIjdeiaio.exeIannfk32.exeIcljbg32.exeIfjfnb32.exeIiibkn32.exeIapjlk32.exe

pid	process
5112	Ejjqeg32.exe
3100	Eqciba32.exe
2960	Ebeejijj.exe
4696	Efpajh32.exe
2492	Emjjgbjp.exe
3060	Eoifcnid.exe
4860	Ffbnph32.exe
1768	Fhajlc32.exe
636	Fokbim32.exe
1628	Fbioei32.exe
1476	Fjqgff32.exe
2220	Fmocba32.exe
3536	Fqkocpod.exe
1192	Fbllkh32.exe
4532	Fmapha32.exe
2784	Fqmlhpla.exe
2040	Fjepaecb.exe
1124	Fqohnp32.exe
5096	Fobiilai.exe
3032	Fjhmgeao.exe
3720	Fqaeco32.exe
4924	Gbcakg32.exe
1532	Gjjjle32.exe
456	Gqdbiofi.exe
1680	Gfqjafdq.exe
3528	Giofnacd.exe
1396	Gcekkjcj.exe
3500	Gbgkfg32.exe
3584	Gjocgdkg.exe
4440	Gmmocpjk.exe
3028	Gcggpj32.exe
4464	Gidphq32.exe
1668	Gcidfi32.exe
1720	Gfhqbe32.exe
3168	Gifmnpnl.exe
4956	Gppekj32.exe
1196	Hfjmgdlf.exe
5000	Hmdedo32.exe
2956	Hpbaqj32.exe
3564	Hcnnaikp.exe
3948	Hfljmdjc.exe
3740	Hjhfnccl.exe
4192	Habnjm32.exe
3204	Hcqjfh32.exe
3704	Hfofbd32.exe
4776	Hmioonpn.exe
2864	Hccglh32.exe
4660	Hfachc32.exe
2200	Hippdo32.exe
4820	Hpihai32.exe
3732	Hcedaheh.exe
3744	Hjolnb32.exe
4940	Haidklda.exe
1520	Icgqggce.exe
4952	Iffmccbi.exe
4488	Ijaida32.exe
2808	Impepm32.exe
3580	Icjmmg32.exe
1956	Ijdeiaio.exe
3992	Iannfk32.exe
3972	Icljbg32.exe
3572	Ifjfnb32.exe
3916	Iiibkn32.exe
4748	Iapjlk32.exe

Drops file in System32 directory 64 IoCs

Processes:

Fokbim32.exeHcqjfh32.exeIjaida32.exeMnfipekh.exeMpdelajl.exeLkiqbl32.exeLjnnch32.exeNjcpee32.exeNcihikcg.exeEmjjgbjp.exeFfbnph32.exeFmocba32.exeKdopod32.exeKpjjod32.exeLdmlpbbj.exeEfpajh32.exeFmapha32.exeGcidfi32.exeIjhodq32.exeGifmnpnl.exeJfaloa32.exeLkdggmlj.exeIcljbg32.exeLaalifad.exeNceonl32.exeFjqgff32.exeJfhbppbc.exeGmmocpjk.exeHfjmgdlf.exeHmioonpn.exeImihfl32.exeMgghhlhq.exeNkncdifl.exeHfofbd32.exeJidbflcj.exeLaefdf32.exeMamleegg.exeFjepaecb.exeFqaeco32.exeGjjjle32.exeIjdeiaio.exeJaljgidl.exeMahbje32.exeHfachc32.exeKpepcedo.exeLpappc32.exeFobiilai.exeJiphkm32.exeJjbako32.exeHmdedo32.exeJiikak32.exeLmccchkn.exeFbioei32.exeKknafn32.exeMcnhmm32.exeNjljefql.exeKdcijcke.exeLgpagm32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Fbioei32.exe	Fokbim32.exe
File created	C:\Windows\SysWOW64\Dnplgc32.dll	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Eoifcnid.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Bofjdo32.dll	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Fqkocpod.exe	Fmocba32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Emjjgbjp.exe	Efpajh32.exe
File opened for modification	C:\Windows\SysWOW64\Fqmlhpla.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Mngoghpn.dll	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Fmocba32.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Gcggpj32.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hfjmgdlf.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Fqohnp32.exe	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Gbcakg32.exe	Fqaeco32.exe
File opened for modification	C:\Windows\SysWOW64\Gqdbiofi.exe	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Emjjgbjp.exe	Efpajh32.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Fjqgff32.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

7140 7048 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
7140	7048	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Efpajh32.exeNklfoi32.exeIjhodq32.exeJbmfoa32.exeLaefdf32.exeNjcpee32.exeGjjjle32.exeGfqjafdq.exeGcidfi32.exeHjhfnccl.exeJiikak32.exeKcifkp32.exeMdiklqhm.exeEmjjgbjp.exeHmdedo32.exeHccglh32.exeImgkql32.exeGifmnpnl.exeImpepm32.exeJiphkm32.exeMpolqa32.exeLdmlpbbj.exeNnmopdep.exe8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exeJfaloa32.exeKilhgk32.exeLiekmj32.exeFmocba32.exeHfachc32.exeLkdggmlj.exeMciobn32.exeHfjmgdlf.exeLknjmkdo.exeMjqjih32.exeJaimbj32.exeKbfiep32.exeKkpnlm32.exeNjljefql.exeHjolnb32.exeMpdelajl.exeLnhmng32.exeEqciba32.exeFhajlc32.exeMajopeii.exeNceonl32.exeNgcgcjnc.exeFjepaecb.exeGjocgdkg.exeLkgdml32.exeFmapha32.exeIjdeiaio.exeKgmlkp32.exeGqdbiofi.exeLdkojb32.exeMjhqjg32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmihaj32.dll"	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inomojol.dll"	Eqciba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odhibo32.dll"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peeafpaf.dll"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exeEjjqeg32.exeEqciba32.exeEbeejijj.exeEfpajh32.exeEmjjgbjp.exeEoifcnid.exeFfbnph32.exeFhajlc32.exeFokbim32.exeFbioei32.exeFjqgff32.exeFmocba32.exeFqkocpod.exeFbllkh32.exeFmapha32.exeFqmlhpla.exeFjepaecb.exeFqohnp32.exeFobiilai.exeFjhmgeao.exeFqaeco32.exe

description	pid	process	target process
PID 3780 wrote to memory of 5112	3780	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe	Ejjqeg32.exe
PID 3780 wrote to memory of 5112	3780	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe	Ejjqeg32.exe
PID 3780 wrote to memory of 5112	3780	8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe	Ejjqeg32.exe
PID 5112 wrote to memory of 3100	5112	Ejjqeg32.exe	Eqciba32.exe
PID 5112 wrote to memory of 3100	5112	Ejjqeg32.exe	Eqciba32.exe
PID 5112 wrote to memory of 3100	5112	Ejjqeg32.exe	Eqciba32.exe
PID 3100 wrote to memory of 2960	3100	Eqciba32.exe	Ebeejijj.exe
PID 3100 wrote to memory of 2960	3100	Eqciba32.exe	Ebeejijj.exe
PID 3100 wrote to memory of 2960	3100	Eqciba32.exe	Ebeejijj.exe
PID 2960 wrote to memory of 4696	2960	Ebeejijj.exe	Efpajh32.exe
PID 2960 wrote to memory of 4696	2960	Ebeejijj.exe	Efpajh32.exe
PID 2960 wrote to memory of 4696	2960	Ebeejijj.exe	Efpajh32.exe
PID 4696 wrote to memory of 2492	4696	Efpajh32.exe	Emjjgbjp.exe
PID 4696 wrote to memory of 2492	4696	Efpajh32.exe	Emjjgbjp.exe
PID 4696 wrote to memory of 2492	4696	Efpajh32.exe	Emjjgbjp.exe
PID 2492 wrote to memory of 3060	2492	Emjjgbjp.exe	Eoifcnid.exe
PID 2492 wrote to memory of 3060	2492	Emjjgbjp.exe	Eoifcnid.exe
PID 2492 wrote to memory of 3060	2492	Emjjgbjp.exe	Eoifcnid.exe
PID 3060 wrote to memory of 4860	3060	Eoifcnid.exe	Ffbnph32.exe
PID 3060 wrote to memory of 4860	3060	Eoifcnid.exe	Ffbnph32.exe
PID 3060 wrote to memory of 4860	3060	Eoifcnid.exe	Ffbnph32.exe
PID 4860 wrote to memory of 1768	4860	Ffbnph32.exe	Fhajlc32.exe
PID 4860 wrote to memory of 1768	4860	Ffbnph32.exe	Fhajlc32.exe
PID 4860 wrote to memory of 1768	4860	Ffbnph32.exe	Fhajlc32.exe
PID 1768 wrote to memory of 636	1768	Fhajlc32.exe	Fokbim32.exe
PID 1768 wrote to memory of 636	1768	Fhajlc32.exe	Fokbim32.exe
PID 1768 wrote to memory of 636	1768	Fhajlc32.exe	Fokbim32.exe
PID 636 wrote to memory of 1628	636	Fokbim32.exe	Fbioei32.exe
PID 636 wrote to memory of 1628	636	Fokbim32.exe	Fbioei32.exe
PID 636 wrote to memory of 1628	636	Fokbim32.exe	Fbioei32.exe
PID 1628 wrote to memory of 1476	1628	Fbioei32.exe	Fjqgff32.exe
PID 1628 wrote to memory of 1476	1628	Fbioei32.exe	Fjqgff32.exe
PID 1628 wrote to memory of 1476	1628	Fbioei32.exe	Fjqgff32.exe
PID 1476 wrote to memory of 2220	1476	Fjqgff32.exe	Fmocba32.exe
PID 1476 wrote to memory of 2220	1476	Fjqgff32.exe	Fmocba32.exe
PID 1476 wrote to memory of 2220	1476	Fjqgff32.exe	Fmocba32.exe
PID 2220 wrote to memory of 3536	2220	Fmocba32.exe	Fqkocpod.exe
PID 2220 wrote to memory of 3536	2220	Fmocba32.exe	Fqkocpod.exe
PID 2220 wrote to memory of 3536	2220	Fmocba32.exe	Fqkocpod.exe
PID 3536 wrote to memory of 1192	3536	Fqkocpod.exe	Fbllkh32.exe
PID 3536 wrote to memory of 1192	3536	Fqkocpod.exe	Fbllkh32.exe
PID 3536 wrote to memory of 1192	3536	Fqkocpod.exe	Fbllkh32.exe
PID 1192 wrote to memory of 4532	1192	Fbllkh32.exe	Fmapha32.exe
PID 1192 wrote to memory of 4532	1192	Fbllkh32.exe	Fmapha32.exe
PID 1192 wrote to memory of 4532	1192	Fbllkh32.exe	Fmapha32.exe
PID 4532 wrote to memory of 2784	4532	Fmapha32.exe	Fqmlhpla.exe
PID 4532 wrote to memory of 2784	4532	Fmapha32.exe	Fqmlhpla.exe
PID 4532 wrote to memory of 2784	4532	Fmapha32.exe	Fqmlhpla.exe
PID 2784 wrote to memory of 2040	2784	Fqmlhpla.exe	Fjepaecb.exe
PID 2784 wrote to memory of 2040	2784	Fqmlhpla.exe	Fjepaecb.exe
PID 2784 wrote to memory of 2040	2784	Fqmlhpla.exe	Fjepaecb.exe
PID 2040 wrote to memory of 1124	2040	Fjepaecb.exe	Fqohnp32.exe
PID 2040 wrote to memory of 1124	2040	Fjepaecb.exe	Fqohnp32.exe
PID 2040 wrote to memory of 1124	2040	Fjepaecb.exe	Fqohnp32.exe
PID 1124 wrote to memory of 5096	1124	Fqohnp32.exe	Fobiilai.exe
PID 1124 wrote to memory of 5096	1124	Fqohnp32.exe	Fobiilai.exe
PID 1124 wrote to memory of 5096	1124	Fqohnp32.exe	Fobiilai.exe
PID 5096 wrote to memory of 3032	5096	Fobiilai.exe	Fjhmgeao.exe
PID 5096 wrote to memory of 3032	5096	Fobiilai.exe	Fjhmgeao.exe
PID 5096 wrote to memory of 3032	5096	Fobiilai.exe	Fjhmgeao.exe
PID 3032 wrote to memory of 3720	3032	Fjhmgeao.exe	Fqaeco32.exe
PID 3032 wrote to memory of 3720	3032	Fjhmgeao.exe	Fqaeco32.exe
PID 3032 wrote to memory of 3720	3032	Fjhmgeao.exe	Fqaeco32.exe
PID 3720 wrote to memory of 4924	3720	Fqaeco32.exe	Gbcakg32.exe

C:\Users\Admin\AppData\Local\Temp\8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8d23e953e69c20634abab6afcf1d5ec8062d2ed8ece58166b5e690f19332c539_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\Ejjqeg32.exe
C:\Windows\system32\Ejjqeg32.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\Eqciba32.exe
C:\Windows\system32\Eqciba32.exe
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\Ebeejijj.exe
C:\Windows\system32\Ebeejijj.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\Efpajh32.exe
C:\Windows\system32\Efpajh32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\Emjjgbjp.exe
C:\Windows\system32\Emjjgbjp.exe
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\Eoifcnid.exe
C:\Windows\system32\Eoifcnid.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\Ffbnph32.exe
C:\Windows\system32\Ffbnph32.exe
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\Fhajlc32.exe
C:\Windows\system32\Fhajlc32.exe
9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\Fokbim32.exe
C:\Windows\system32\Fokbim32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\Fbioei32.exe
C:\Windows\system32\Fbioei32.exe
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\Fjqgff32.exe
C:\Windows\system32\Fjqgff32.exe
12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\Fmocba32.exe
C:\Windows\system32\Fmocba32.exe
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\Fqkocpod.exe
C:\Windows\system32\Fqkocpod.exe
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SysWOW64\Fbllkh32.exe
C:\Windows\system32\Fbllkh32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\Fmapha32.exe
C:\Windows\system32\Fmapha32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\SysWOW64\Fqmlhpla.exe
C:\Windows\system32\Fqmlhpla.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\Fjepaecb.exe
C:\Windows\system32\Fjepaecb.exe
18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\Fqohnp32.exe
C:\Windows\system32\Fqohnp32.exe
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\Fobiilai.exe
C:\Windows\system32\Fobiilai.exe
20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\Fjhmgeao.exe
C:\Windows\system32\Fjhmgeao.exe
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\Fqaeco32.exe
C:\Windows\system32\Fqaeco32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\Gbcakg32.exe
C:\Windows\system32\Gbcakg32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4924

C:\Windows\SysWOW64\Gjjjle32.exe
C:\Windows\system32\Gjjjle32.exe
24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1532

C:\Windows\SysWOW64\Gqdbiofi.exe
C:\Windows\system32\Gqdbiofi.exe
25⤵
- Executes dropped EXE
- Modifies registry class
PID:456

C:\Windows\SysWOW64\Gfqjafdq.exe
C:\Windows\system32\Gfqjafdq.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1680

C:\Windows\SysWOW64\Giofnacd.exe
C:\Windows\system32\Giofnacd.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3528

C:\Windows\SysWOW64\Gcekkjcj.exe
C:\Windows\system32\Gcekkjcj.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1396

C:\Windows\SysWOW64\Gbgkfg32.exe
C:\Windows\system32\Gbgkfg32.exe
29⤵
- Executes dropped EXE
PID:3500

C:\Windows\SysWOW64\Gjocgdkg.exe
C:\Windows\system32\Gjocgdkg.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3584

C:\Windows\SysWOW64\Gmmocpjk.exe
C:\Windows\system32\Gmmocpjk.exe
31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4440

C:\Windows\SysWOW64\Gcggpj32.exe
C:\Windows\system32\Gcggpj32.exe
32⤵
- Executes dropped EXE
PID:3028

C:\Windows\SysWOW64\Gidphq32.exe
C:\Windows\system32\Gidphq32.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4464

C:\Windows\SysWOW64\Gcidfi32.exe
C:\Windows\system32\Gcidfi32.exe
34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1668

C:\Windows\SysWOW64\Gfhqbe32.exe
C:\Windows\system32\Gfhqbe32.exe
35⤵
- Executes dropped EXE
PID:1720

C:\Windows\SysWOW64\Gifmnpnl.exe
C:\Windows\system32\Gifmnpnl.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3168

C:\Windows\SysWOW64\Gppekj32.exe
C:\Windows\system32\Gppekj32.exe
37⤵
- Executes dropped EXE
PID:4956

C:\Windows\SysWOW64\Hfjmgdlf.exe
C:\Windows\system32\Hfjmgdlf.exe
38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1196

C:\Windows\SysWOW64\Hmdedo32.exe
C:\Windows\system32\Hmdedo32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5000

C:\Windows\SysWOW64\Hpbaqj32.exe
C:\Windows\system32\Hpbaqj32.exe
40⤵
- Executes dropped EXE
PID:2956

C:\Windows\SysWOW64\Hcnnaikp.exe
C:\Windows\system32\Hcnnaikp.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3564

C:\Windows\SysWOW64\Hfljmdjc.exe
C:\Windows\system32\Hfljmdjc.exe
42⤵
- Executes dropped EXE
PID:3948

C:\Windows\SysWOW64\Hjhfnccl.exe
C:\Windows\system32\Hjhfnccl.exe
43⤵
- Executes dropped EXE
- Modifies registry class
PID:3740

C:\Windows\SysWOW64\Habnjm32.exe
C:\Windows\system32\Habnjm32.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4192

C:\Windows\SysWOW64\Hcqjfh32.exe
C:\Windows\system32\Hcqjfh32.exe
45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3204

C:\Windows\SysWOW64\Hfofbd32.exe
C:\Windows\system32\Hfofbd32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3704

C:\Windows\SysWOW64\Hmioonpn.exe
C:\Windows\system32\Hmioonpn.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4776

C:\Windows\SysWOW64\Hccglh32.exe
C:\Windows\system32\Hccglh32.exe
48⤵
- Executes dropped EXE
- Modifies registry class
PID:2864

C:\Windows\SysWOW64\Hfachc32.exe
C:\Windows\system32\Hfachc32.exe
49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4660

C:\Windows\SysWOW64\Hippdo32.exe
C:\Windows\system32\Hippdo32.exe
50⤵
- Executes dropped EXE
PID:2200

C:\Windows\SysWOW64\Hpihai32.exe
C:\Windows\system32\Hpihai32.exe
51⤵
- Executes dropped EXE
PID:4820

C:\Windows\SysWOW64\Hcedaheh.exe
C:\Windows\system32\Hcedaheh.exe
52⤵
- Executes dropped EXE
PID:3732

C:\Windows\SysWOW64\Hjolnb32.exe
C:\Windows\system32\Hjolnb32.exe
53⤵
- Executes dropped EXE
- Modifies registry class
PID:3744

C:\Windows\SysWOW64\Haidklda.exe
C:\Windows\system32\Haidklda.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4940

C:\Windows\SysWOW64\Icgqggce.exe
C:\Windows\system32\Icgqggce.exe
55⤵
- Executes dropped EXE
PID:1520

C:\Windows\SysWOW64\Iffmccbi.exe
C:\Windows\system32\Iffmccbi.exe
56⤵
- Executes dropped EXE
PID:4952

C:\Windows\SysWOW64\Ijaida32.exe
C:\Windows\system32\Ijaida32.exe
57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4488

C:\Windows\SysWOW64\Impepm32.exe
C:\Windows\system32\Impepm32.exe
58⤵
- Executes dropped EXE
- Modifies registry class
PID:2808

C:\Windows\SysWOW64\Icjmmg32.exe
C:\Windows\system32\Icjmmg32.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3580

C:\Windows\SysWOW64\Ijdeiaio.exe
C:\Windows\system32\Ijdeiaio.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1956

C:\Windows\SysWOW64\Iannfk32.exe
C:\Windows\system32\Iannfk32.exe
61⤵
- Executes dropped EXE
PID:3992

C:\Windows\SysWOW64\Icljbg32.exe
C:\Windows\system32\Icljbg32.exe
62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3972

C:\Windows\SysWOW64\Ifjfnb32.exe
C:\Windows\system32\Ifjfnb32.exe
63⤵
- Executes dropped EXE
PID:3572

C:\Windows\SysWOW64\Iiibkn32.exe
C:\Windows\system32\Iiibkn32.exe
64⤵
- Executes dropped EXE
PID:3916

C:\Windows\SysWOW64\Iapjlk32.exe
C:\Windows\system32\Iapjlk32.exe
65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4748

C:\Windows\SysWOW64\Ijhodq32.exe
C:\Windows\system32\Ijhodq32.exe
66⤵
- Drops file in System32 directory
- Modifies registry class
PID:2300

C:\Windows\SysWOW64\Imgkql32.exe
C:\Windows\system32\Imgkql32.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:528

C:\Windows\SysWOW64\Iabgaklg.exe
C:\Windows\system32\Iabgaklg.exe
68⤵
PID:3024

C:\Windows\SysWOW64\Idacmfkj.exe
C:\Windows\system32\Idacmfkj.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3288

C:\Windows\SysWOW64\Ifopiajn.exe
C:\Windows\system32\Ifopiajn.exe
70⤵
PID:1872

C:\Windows\SysWOW64\Imihfl32.exe
C:\Windows\system32\Imihfl32.exe
71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2480

C:\Windows\SysWOW64\Jaedgjjd.exe
C:\Windows\system32\Jaedgjjd.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4132

C:\Windows\SysWOW64\Jfaloa32.exe
C:\Windows\system32\Jfaloa32.exe
73⤵
- Drops file in System32 directory
- Modifies registry class
PID:2892

C:\Windows\SysWOW64\Jiphkm32.exe
C:\Windows\system32\Jiphkm32.exe
74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2428

C:\Windows\SysWOW64\Jfdida32.exe
C:\Windows\system32\Jfdida32.exe
75⤵
PID:1684

C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
76⤵
- Modifies registry class
PID:740

C:\Windows\SysWOW64\Jbkjjblm.exe
C:\Windows\system32\Jbkjjblm.exe
77⤵
PID:412

C:\Windows\SysWOW64\Jjbako32.exe
C:\Windows\system32\Jjbako32.exe
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4112

C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
79⤵
- Drops file in System32 directory
PID:1336

C:\Windows\SysWOW64\Jaljgidl.exe
C:\Windows\system32\Jaljgidl.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2568

C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2992

C:\Windows\SysWOW64\Jfhbppbc.exe
C:\Windows\system32\Jfhbppbc.exe
82⤵
- Drops file in System32 directory
PID:3052

C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
83⤵
PID:2760

C:\Windows\SysWOW64\Jdmcidam.exe
C:\Windows\system32\Jdmcidam.exe
84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4124

C:\Windows\SysWOW64\Jfkoeppq.exe
C:\Windows\system32\Jfkoeppq.exe
85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:664

C:\Windows\SysWOW64\Jiikak32.exe
C:\Windows\system32\Jiikak32.exe
86⤵
- Drops file in System32 directory
- Modifies registry class
PID:3316

C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2968

C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe
88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5044

C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
89⤵
- Modifies registry class
PID:1772

C:\Windows\SysWOW64\Kpepcedo.exe
C:\Windows\system32\Kpepcedo.exe
90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4332

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5148

C:\Windows\SysWOW64\Kinemkko.exe
C:\Windows\system32\Kinemkko.exe
92⤵
PID:5188

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
93⤵
- Drops file in System32 directory
PID:5232

C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
94⤵
- Modifies registry class
PID:5272

C:\Windows\SysWOW64\Kknafn32.exe
C:\Windows\system32\Kknafn32.exe
95⤵
- Drops file in System32 directory
PID:5312

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5356

C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
97⤵
- Modifies registry class
PID:5400

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
98⤵
- Modifies registry class
PID:5444

C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
99⤵
- Modifies registry class
PID:5488

C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
100⤵
PID:5528

C:\Windows\SysWOW64\Ldkojb32.exe
C:\Windows\system32\Ldkojb32.exe
101⤵
- Modifies registry class
PID:5568

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
102⤵
PID:5612

C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5648

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5696

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
105⤵
- Drops file in System32 directory
PID:5736

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
106⤵
- Drops file in System32 directory
- Modifies registry class
PID:5772

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5836

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5876

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5924

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
110⤵
PID:5988

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6036

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
112⤵
- Drops file in System32 directory
PID:6088

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
113⤵
- Modifies registry class
PID:6140

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
114⤵
PID:5180

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
115⤵
PID:5280

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
116⤵
- Drops file in System32 directory
PID:5352

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452

C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
118⤵
- Drops file in System32 directory
PID:5564

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
119⤵
- Drops file in System32 directory
- Modifies registry class
PID:5620

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
120⤵
PID:5680

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
121⤵
PID:5780

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
122⤵
- Modifies registry class
PID:5872

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
123⤵
- Modifies registry class
PID:5932

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
124⤵
- Drops file in System32 directory
PID:6024

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
125⤵
PID:6124

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
126⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5268

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
127⤵
PID:5428

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5520

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
129⤵
PID:5672

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
130⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:640

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
131⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5940

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
132⤵
PID:6104

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
133⤵
- Drops file in System32 directory
PID:5240

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5524

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
135⤵
- Drops file in System32 directory
PID:5732

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
136⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5900

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
137⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5156

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
138⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5472

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
139⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5916

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
140⤵
PID:5328

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
141⤵
PID:5860

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
142⤵
- Drops file in System32 directory
PID:5768

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
143⤵
- Drops file in System32 directory
- Modifies registry class
PID:6076

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
144⤵
PID:6188

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
145⤵
PID:6228

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6288

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
147⤵
PID:6336

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
148⤵
PID:6376

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
149⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6412

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
150⤵
- Modifies registry class
PID:6456

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
151⤵
PID:6504

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
152⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6548

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
153⤵
PID:6588

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
154⤵
PID:6632

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
155⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6676

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
156⤵
- Drops file in System32 directory
PID:6712

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
157⤵
- Modifies registry class
PID:6756

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
158⤵
PID:6808

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
159⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6860

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
160⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6900

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
161⤵
- Drops file in System32 directory
- Modifies registry class
PID:6936

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
162⤵
PID:6972

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
163⤵
PID:7012

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
164⤵
PID:7048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 400
165⤵
- Program crash
PID:7140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7048 -ip 7048
1⤵
PID:7112

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebeejijj.exe
Filesize
163KB

MD5
c43fad25983d3e2fb37e4d24c4d7e913

SHA1
e95bda69b746b4337fd68b2840a4c8d3455554d3

SHA256
c03715679a4e658b04aedae0ff43cebb9e301748575f53c1102593d577a58609

SHA512
ca9c824dc54f25bf73da23367820fbb81620b0d512c519ffbab3aff51a1ceddd9c4edb660bf97d0a6f34e209729bb35b091d1901f9a4f213acb0882080bf7759

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe
Filesize
163KB

MD5
5c148617d3aad6de430ebb9fb68f083e

SHA1
14f8efbfbf5383aebcd5c7391e4c65efd9fd110e

SHA256
af9914db379eaa6243282b66ecbc4ffc3c85626d80cba54b5f6fb059a4eb0d44

SHA512
c24a284344135b943379e39f34cc39493ed925739510340d6e286e463da980ca88a54f8b49afc932e5e54e022a7945c5d2818bb68cd6d2879228965eded35017

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe
Filesize
163KB

MD5
6a61e028ce7a2b7fd3b83a5e9267025d

SHA1
af659f8a71228a5b00118cda58e0dac3d3f733b7

SHA256
1b60aad1426e8dad4906c878a683662b7e90445a05981b8944b3ffa266499eb9

SHA512
b9ce3dc6bf7d1daf20e8f4bb0a8cecef1f459c0d08c3f79ca9a3a7492d263c2b1cca56ced01a52c9c684d38bb3cec1104b1cede39abcd7c4d259e37e099bf1c0

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe
Filesize
163KB

MD5
13f5c0e3c298484c14c02c10f2127159

SHA1
b6dcc3ada8218d350ccd777d4114d94085f974d6

SHA256
2560be26adb89244a69e6585c9600908c16e540ff9fc988df9b6308bfabf04d1

SHA512
89cd20cad9b1a19acc19cdacdf9fe8ca7ceb040249f237891d087bc080ce0e541664eef721e840fbb8976e3f362b29ded2f5b21c31527975aa4414d9a14d9202

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe
Filesize
163KB

MD5
8e2c15af6816881f97c566037f238886

SHA1
8eee98a437db365984448ffd7a450c42ea37d3f8

SHA256
05beac7cba8daab7853c48a56539e8680cb4d5cf8c3f9048b2595b2f725a528c

SHA512
947fd9833ab8f445a99ca2087eb5128a09ab0253b3b5d6a627d65af8251128ac84fe3cb1636e0a27cf9340874eb995616e2e6486277d8346bc795d9c5ca506e5

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe
Filesize
163KB

MD5
2ee9965b9d713fbee87a2a71df594fa7

SHA1
e2a593cce314241a68ec4651804fb2effd5f1b88

SHA256
d42c9de44fe851668271a92d7f4b72892de32fdc280fefe8cf7defecde79a6c5

SHA512
54e012ca696f7c2386977007781d97d7ec8d812bc5d2a9e905de352e9ec03c9035918628be7a22a62b61931cc7859c320a8bb22594bbe16e1a623f9dbf6986f3

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe
Filesize
163KB

MD5
7d4cffc511e90a42eba8b69da6a99d6f

SHA1
ad1286089efb6398a8f37c5bf1e4634c95140e8a

SHA256
22e631bb21850ea41819fa489ff54b473537d70a6bacf6d78bdeb154bae430e9

SHA512
84c24c1fd5b53618d5d520dd9ce4d6fc70462f24f8562badd0401b311197c12bef25772d816c60e9f38381d3966688b3f317d266908ec1b0ecdf1a07f4f96eae

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe
Filesize
163KB

MD5
0e8aa84679f85993d14f42eef847c57a

SHA1
5462009e8df7c31b0e15a94e58de4cebef5acfa3

SHA256
68e5b7064ab3f72c6433c2ee5b00f069fd2726f3939bb5d5108e2370f426b89d

SHA512
618b42729747ccc202251cb2b4fd91beb7e010d150d5e956e37a500d74b27288d933d9ddd0908ffd99989f2824a091d6a2d1d5dee3ed60a7a0fdff9394513453

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe
Filesize
163KB

MD5
1295f9d6e5bd274c7d68c0545e558a8b

SHA1
966b6242fb32040e2688c1e0d9b3d4d52e858dde

SHA256
57f5042c7d6b67e54b42cbf0b85f1c459c757d56f19ed6ed3abdbc3a6a41c027

SHA512
28caf6dedeca7f9bdb50ed7a22db5a8065961be3f141d505867d76dfdc4ed9aa8bc96a5be65c2309e080fb6bd14ea57d4234de240e186dac62187da7a6a15970

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe
Filesize
163KB

MD5
ecdf70d1dcb75432bb61d761545ae9cc

SHA1
07df6284afefbe7c5ef9d1b3c7d09abe20d76b24

SHA256
92cbccffa9215e721fee6c517b07dfef4090d7854512b4089d8047941136aea8

SHA512
c06a0ee137b24886ca89739556d7e2d03b4cc97e34cd160357dbd0f0664369f81fdf22f6a867135b3c2e1459cc132c07e8fca3eedf53423fda28865d3fe1dcab

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe
Filesize
163KB

MD5
58ed757530819147e801a75beceadf0e

SHA1
e3932d77fd495daac2da5139203c2a2b6efc6686

SHA256
666225ad7363d5570b019d043b070bc51839477f79bccc15209ac89f76b4fdd6

SHA512
3b866a8587e16b10671780f4f4f51540183f0d9f526ce7f1ad0c712ca85278abd08eacc40f352755a7def885ed0552d821fc01250efb7d6eaa2638bb5f005410

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe
Filesize
163KB

MD5
4ef56230ac9bf7116caab03ea26c9375

SHA1
8d84102d57877be97f2eba0cc7414ec5647e5c91

SHA256
af92efb006f33dedd536e24959f0e0c9f6491e97942137b81b2314e95043137e

SHA512
2c461e1c033dbe657bd0e136a72390dfd32a176d357c4ef9a64e54199064937d2cc1873e412bacde31263a7df1c94f34b63626aab6f599fb9c1bdbfa58d12e17

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe
Filesize
163KB

MD5
c017d2ee50376d0c48d4caddf18db033

SHA1
d613412c3e388b2a21c3072e78e2b1c9832f574b

SHA256
054d6fa3dc8ac4a9e62cc6e5e2b5bac269008cc41a0ea936183690ff04df7243

SHA512
86073c21b56c156731d19ed590020165d74f541f74db2d8938b834650a0f18aa36869d3cb6619dda8935917a97a7d821dd96591aafc5b7234e81fd6b99aa81a3

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe
Filesize
163KB

MD5
9e066d563108009a8a0c28e4e69838e1

SHA1
0c2a18252dc82be40e88198619026f17f817d01e

SHA256
31e06de15dde83f20d3d0433a757efdddc6b01cac750176ec59b5bbc8f0d9dd5

SHA512
2666a61ff75691d1f0ae40b40b7c030061eef195a6bca31d99fda229896c1f3f1236e85ce6b3dcd9024071b092e52db720e6f02d9f4807a271e8368ad9c9b1f8

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe
Filesize
163KB

MD5
4cb92ba7f84fa54ab972ad6faffa2224

SHA1
efa9bc7773ce5afcb996e0f706c62e831214b00a

SHA256
bcdf721aa42bcfa1758b0ba7658e93b14f63732cd5cf7aa1f3894ef26a2cf5b3

SHA512
88b5ab553539d91bc0644d89a578da8c024de08cb4fa1032234d322809957a5bc324fe7b1bf07aee1a3ef35e82bd4c2ab1cd5569626f977fb3e87b8a9779494d

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe
Filesize
163KB

MD5
bbafcd271da00c38933d4c1440fa5b06

SHA1
bf6cc9fdde7007448a5a7ddc3b1d4593a5c5ef0d

SHA256
eab01cf0691891242c1ba92591287ce6215b8074ee1dd1a72ca7866906485356

SHA512
14159e666095bed9c9aed1f32e2a58a43a13544a444e9b4d020e64aae23f37efb192062147218b15aaef9cdb280e125358738c0feb3b995fa738efba459f4637

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe
Filesize
163KB

MD5
dd505a07993253ca514d7da3cd9d7070

SHA1
aa2de1b333821d448d9bc6549a1e71a8b0284794

SHA256
4f13f6622e0337bc0595b025e085ffa78146414e7e5e7cdcf622c29c93ea43ac

SHA512
fb7bc466712acc39a76a3446d68aba38edafce606d8e00b5a3340f2b85f12caf604729e091e9a0c5cb209e67fe9bd3e332abb3229aa6aa78c2824b192da44636

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe
Filesize
163KB

MD5
f78af16d6e0a779b19e9781f5fbe2b28

SHA1
c950dadf4726279bd4e21f8f5af4ff685c7c0c11

SHA256
42967a73e3b185af50dd0db2f0f1a3d6a9b2daf4a042ccdeddf62d264a246fbc

SHA512
f74b7fb2f8763641ee44374809d686ad0995a1afb72fa78b2b5a5f4393222bd5d3adc9acb787e16e433f3f5cd0d005df62a387f832921f1cf21464d1aaa986a7

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe
Filesize
163KB

MD5
a0e9172c602555715d51b637036b5fd7

SHA1
ae7440d71723fa83f63d57cea095da09d7575315

SHA256
1121b07a826160262cbadc4d403f0842235e858d497e42bb0a78e1cb25c7d335

SHA512
46f27d49da313383188a6f772c8410f71d47b07f70a4779172b115a87aa8438c52ae45b3e48769b4c23035448562894b1c2006c459892396c929e87f26eef5fb

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe
Filesize
163KB

MD5
24df1fa880cf0047c3ce9ac7307b1087

SHA1
22e79f738de10e5ac0fce95a69317d3e66c73e96

SHA256
7dbbd2ce99b40207f50e90604ab5e9c395c5e351446525cf2c6c9d55b44e01db

SHA512
0a164ebbcddb9c0ef87f9737615165e7784e06648669fe99f526c8481fcb1a0e10ebb5c332ace06923e19d8e7f7dc895ddf276501f70ceb4b83276e0126e6720

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe
Filesize
163KB

MD5
622d2642c7e7b87eb96863b4372f119e

SHA1
262137d6d357d2b29265430dd3b769b07fdb807e

SHA256
7709cc226feecf8bf98f12a0acb09c2965a620b561084e8cb54f3292d1a2abf2

SHA512
e5dc5d2c579404489b59f7538e928a38ab5542a4142465fbe548529e6305b6a0cc8318f386ec0afcc2e2b74b3cdc409d69e1057a077d43f720209004e02eb0ef

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe
Filesize
163KB

MD5
3262529c88930502219e2db718a8d9ed

SHA1
e7053c7a1a12d1c5d81d94fd1a1ccc3df28efe80

SHA256
dab295ce68bdf876578900d8a1ad1b94ebbdbaaa74da6a79b02842d17c5660f8

SHA512
5a32a1493636888ba184bcc9a6e1abfdb25df2b7e0f6c9c967c1e7825ee1c605e19a3ab4b6caf8f6df70d2c748a7977c7a081d95d58ab0c118e73e74cc57e1cf

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe
Filesize
163KB

MD5
6f48589942a7f1b5867c9c54061cf80f

SHA1
a250ff7630964c70d07b8c493cd32dd9a60a0a1d

SHA256
04a41ca1bd63ad1d7e64b7d0ffe55cb40b2f77a50611abdc21c05546f5b51d45

SHA512
ec2028a382c54155dc1265adb5b773bf6a783561d4f490f8462cab5e1024009f02e9e2ea48c52e721baa8906195a3f300190294480ba43efa67f515604b1839a

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe
Filesize
163KB

MD5
d4bc7b7594b6bad6e534907fc21cd6fb

SHA1
78f9e07f24acac21687fcce8a18159d5006f26ae

SHA256
dcfd01d4ffbdd075452abbf202c5e2a89f62588dd3776d4b9a281a410bf8d827

SHA512
89e98caf5eb7399543ef6a1dca78029fc51ec7d554908fd630502faf6cc544f26839a82801b67b7137355f991d8e178d1af35c8b8b305109b1d1afa7380883db

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe
Filesize
163KB

MD5
2f79a3c366975c883828c9f051f493ec

SHA1
9fa6573f8a92952929f07c08ab058f3be04154c2

SHA256
57a8ec503ea71b1069b52614f1d4b984bd2b8ef3407ac0b6847bdd4fdbaa74b2

SHA512
856d0830a419516d0e52f72b783e06c24b8c320c5b06f9a0405cb066bde85341339070294edeebc0e1337b21f1671fefd133cc2730ca6535c222ff231a84aad9

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe
Filesize
163KB

MD5
01cf88b7a07f82239ba372b0f7642003

SHA1
c753d3e76d42ebb541aa283553907cdc0b86c5ba

SHA256
b178b05f05612d3863e77351a6160182b9b502b95b600b39acd465853a6c1c83

SHA512
6c8116d5dd1df4c9af7c73db96c4959ce9ea94df6d008b536f1b6f44e6278835c05b5f34fe8574abf5e87bf6abf06e06cb1823d7f05f4488d46850ac66646cd4

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe
Filesize
163KB

MD5
747e5178a86c9f84e27d382c7cec62ae

SHA1
44490ad96025a8d451a11d017ab940378e15bb22

SHA256
390b1199d9a481c9ca725201b04166606485ce9b53b89befd52b8b25248113b2

SHA512
a89dd5a6d8363b9635aafd5e5ce5632f79c8b391ecf22177f910139b3f94e5b162824f38f23a995daac754f1a99c26d1b98de8811a43e9b0dccf5cc331b33ab1

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe
Filesize
163KB

MD5
09210affc8001e33cbc56a7ec5429063

SHA1
7525e7925b1ea8ec74a629389089b72f5144a4dd

SHA256
ad88a5d3ea7149238032fe33b0de1a76a81a17e8bb0ffedbcdfb13548177ca50

SHA512
65ac6868c0787641e0fe4e3b349099a5aa16756747126e53fe67375c260032d9069248a01caba36c1ff80329f2d43a322f746bb640b7ff5675838b72ab6cd134

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe
Filesize
163KB

MD5
7d63386c506c0a42102f330d42cd48d2

SHA1
09871630826d73c8824678c49b9318cc8a53fc0f

SHA256
7ca687a0fa0fb84f57800e66a54faa2d1a15ae588f767c3bc4d84cb24e389670

SHA512
51fbd1c004497481be318c4390d9d651588a85430d5ac82e6842cabb751fce3807188adf46340b9aee8450168401da5b33785d9cd0375eefd0baec051e0a1c02

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe
Filesize
163KB

MD5
3880c0a059b1de13e39b0469f796543a

SHA1
4945e8d6e96a41958c391dc50843e9f2f4e8bf14

SHA256
53886624def4d524320bebc4074057ed9f5b4656c4c1650d457bf0018770a511

SHA512
db65e544bc7fa0e18df86f9324b3ded79f9aa9ee21450a57bef805ee3a178d29ba3741f5784ace5d6cd3cb6050dd367b647c58c68c3d1c7e3a4b9798a315e5f5

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe
Filesize
163KB

MD5
6de913fac27d7d3eaa54b30cf6110ea7

SHA1
7a55347cbacf2201fc13d63141f56a4642dc19f7

SHA256
6072a49ff05cf2c76c769d3f5848c7d57629804dfd6df5aad2a6916efdb78878

SHA512
a5205ea3b4f763fb8893366d063a05148497192f6aa50be67ecad654d95030b2e6ec927570b30db4d9fdd6a8b1a420ef16c4c37849b953b881c06d937c201996

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe
Filesize
163KB

MD5
84d59526a1a90f3c86bc64ca67b486fc

SHA1
d5c80d395c6b2640293d37af55dbe26034ef2c59

SHA256
f5399fb0245bf95208d006ac60dafd4b6052a2796b721b07f0a29029292115cc

SHA512
a1cfe25f3a67318043b63a596d7f4771903183293529453497d2f9f24e1785fd4a437df312aea2eb033618778562c4a6ef3c7c0bc7410b71c9aac1f993a710cb

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe
Filesize
163KB

MD5
45cef52651a3979153dd5f45111ba12a

SHA1
0033c2512469efeda233da92a999c2781d24ab28

SHA256
6d5a8aa6166fea874ea90b861312e4322946b033599819ed849ff1d1a29cd086

SHA512
67eb0cf4e1c1bae0a4a1e5185d483f966667b1a6acfbb8b6ce045772fbdcc0b551a24b179454f185bc3f58d1f77825f5ddfe5d572e85fcbbb3a207df8447efbb

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe
Filesize
163KB

MD5
8585b9967b5d585d3e851a777569be41

SHA1
d4dd8ecc3ee56fb07a44728d8871c2f470b32cca

SHA256
52f4a8efe06f6d0be3e73d415807f1df744d073fc9f8d9db63303f75a9f44cfa

SHA512
eb2778f651630c4954b0ec2e5777ea049df445fec787f0abee7bddea60dc92b7fa6a71e69e994c6d946c2f90be2a8b73d2aa3a1464120343d38a8149ec921616

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe
Filesize
163KB

MD5
0dd2f674cce1cc19d5cf849b5e1526df

SHA1
c5e3fb0e340b08d76a989d243ab612f42fedefbf

SHA256
e17f54ada286581f6c57fbba24da6cf9c378fa65c8458f297bbe4fa96e31a967

SHA512
19b739bca94281ea51e7aec885f66365c94539a73a7cb573b275da941f3f05998a8ca54824c38c25449cde90d53c0ba5353570de293225f7537bf4abd4c1f5af

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe
Filesize
163KB

MD5
a6faca5d0158112d073af675dbeeda2a

SHA1
2d7af0c6253d8114173acc7b28cb63205b9d5b40

SHA256
158edee59dcfbc60d133f25f0289d0e1cd653c38500e97c534770961b32ac71b

SHA512
d04be2739ad243d1131fa7725a7befa6ebc7b95e7d4fd80a51376aaf68988bf144a44f7c3f87275695a8a855571f518d43304168703a9ad69c83b4378f27fd43

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe
Filesize
163KB

MD5
7137b9140ca4cbe6cbb31e9fe02cd66d

SHA1
a75557509c077312828185076cd1923f5cfcdeef

SHA256
abca11b499806002043d916ae08df5aead56fd2038869fd013331775c69d0b56

SHA512
e6e2b004eb75533095a5ec99cf98a8c31a41cbf56dd5b16892f72ef10d0df2eed66f0953b00c6582ff02ac31d6014bff604cd8085bb266e083ed05d50d1eb06e

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe
Filesize
64KB

MD5
89afcbc97a929217fdb2d9857abf18b4

SHA1
082af29fdcc3c2adb9e385bc07e8249a9e627fd2

SHA256
696745ed36da0432b8a06284efccac7ad0123fbbdfba1900d7d571fce569437e

SHA512
adfcea874786f99da592ac749f5ce2d56f147f84a0dfe846e220060ffe6e549d5f9632ab5bc3e79d60365e1786f1651611327cd2fae205bf1e397df0f12878ff

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe
Filesize
163KB

MD5
235fb5cdcbdfd9c28411cb864e54e0d4

SHA1
4407a116262cfbdbbb1451ea67d06365e79c3159

SHA256
45c54ad377eb09ef68bea775458ecb1f50914434d976be4e834854caaba62e37

SHA512
c45008beca70927af1804925c6e65b4607e6d2128312bf028e9608930724e1737f2e9757e95e6334d23c956ba2a8cda6100aa1c911d1f0b3482778167e5ec942

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe
Filesize
163KB

MD5
2a78585c07d7a0b502eb7200cc98dce3

SHA1
0a01a18724ac49f42b4ab61b8541682c8f693bb9

SHA256
f06e546d00fca7ceff2c395d62059f8595594b4303f3120cc3c510c27a228e5c

SHA512
f005efac268b615e1f2c690e6a953fd12e54aad1446c7080ebff8b7772d0544dd6d671140abcf1c4307b37ed0eab9c2b86567a63f09389b6c8804fac2669ddc9

Download Submit
memory/412-1234-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/412-516-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/456-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/456-1337-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/528-457-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/636-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/636-594-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/640-1127-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/664-563-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/740-1235-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1124-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1192-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1192-626-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1196-285-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1336-528-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1396-216-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1476-607-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1476-1363-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1532-188-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1628-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1628-601-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1680-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1684-501-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1720-272-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1768-587-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1768-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1772-588-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1872-471-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1956-413-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2040-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-354-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2220-614-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2220-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2300-448-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2428-495-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2480-481-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2492-568-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2492-1375-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2492-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2568-530-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2784-639-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2784-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2808-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2864-346-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2892-493-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2956-301-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2960-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2960-555-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2992-536-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3024-1252-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3028-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3032-159-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3052-543-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3060-578-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3060-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3100-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3100-549-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3168-273-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3288-465-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3316-1214-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3500-228-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3528-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3536-624-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3536-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3564-1305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3572-1263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3580-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3580-1269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3584-236-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3704-330-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3720-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3732-366-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3744-376-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3780-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3780-529-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3780-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3916-436-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3948-312-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3972-425-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3992-423-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4112-1232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4132-483-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4192-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4332-595-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4440-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4464-255-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4488-395-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4532-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4532-633-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4660-348-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4696-561-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4696-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4748-442-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4776-336-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4820-360-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4820-1286-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4860-580-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4860-61-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4924-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4940-378-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4952-394-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4952-1276-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4956-279-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5000-291-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5044-585-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5096-151-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5096-1348-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5112-542-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5112-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5156-1114-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5188-608-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5232-1202-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5312-627-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5452-1154-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5520-1131-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5732-1120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5924-1169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5988-1168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6088-1164-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6188-1100-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download