33a1779ff915f02eb08e6e3b01e19f94471bdca6e67ddde7fb13daea7d5541ff

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33a1779ff915f02eb08e6e3b01e19f94471bdca6e67ddde7fb13daea7d5541ff_NeikiAnalytics.exe
Size

145KB
MD5

cae867a6a367b6d681141949107407d0
SHA1

b9fe182872bae50ce29b1c93a7aee20d4607c954
SHA256

33a1779ff915f02eb08e6e3b01e19f94471bdca6e67ddde7fb13daea7d5541ff
SHA512

895d416f0869b59acef568b31461d96c89ed153fa1329b1ff5a08a8e398fbb653ebc4dde3508210e66aa9965ba34e8b624829c89bf96d4880683fd104ece97f2
SSDEEP

3072:M+i+kCsX/d4Gl2MUkLoXooFU6UK7q4+5DbGTO6GQd3JSZO5f7P:TifCs14GsMUk3oe6UK+42GTQMJSZO5fb

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Jfdida32.exeJpojcf32.exeKdffocib.exeMpkbebbf.exeMcklgm32.exeNcihikcg.exeNbkhfc32.exeJfhbppbc.exeJkdnpo32.exeKbapjafe.exeKkihknfg.exeLdkojb32.exeLddbqa32.exeMgekbljc.exeNdbnboqb.exeNqmhbpba.exeKaemnhla.exeLiekmj32.exeLpcmec32.exeMcbahlip.exeNnmopdep.exeJibeql32.exeLiggbi32.exeNkqpjidj.exeKdaldd32.exeJjbako32.exeJmpngk32.exeLgbnmm32.exeNjcpee32.exeLdmlpbbj.exeMdkhapfj.exeJbocea32.exeMnapdf32.exeKkpnlm32.exeLnepih32.exeNjogjfoj.exeLknjmkdo.exeMgidml32.exeIikopmkd.exeKmlnbi32.exeLkgdml32.exeKgfoan32.exeLaopdgcg.exeLdaeka32.exeMamleegg.exeJkfkfohj.exeKinemkko.exeMaaepd32.exeKmnjhioc.exeJaimbj32.exeMdiklqhm.exe33a1779ff915f02eb08e6e3b01e19f94471bdca6e67ddde7fb13daea7d5541ff_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	33a1779ff915f02eb08e6e3b01e19f94471bdca6e67ddde7fb13daea7d5541ff_NeikiAnalytics.exe

Executes dropped EXE 64 IoCs

Processes:

Iikopmkd.exeIabgaklg.exeIdacmfkj.exeIfopiajn.exeIinlemia.exeJaedgjjd.exeJbfpobpb.exeJjmhppqd.exeJmkdlkph.exeJdemhe32.exeJfdida32.exeJibeql32.exeJaimbj32.exeJdhine32.exeJfffjqdf.exeJjbako32.exeJmpngk32.exeJpojcf32.exeJfhbppbc.exeJkdnpo32.exeJangmibi.exeJbocea32.exeJkfkfohj.exeKaqcbi32.exeKbapjafe.exeKkihknfg.exeKacphh32.exeKdaldd32.exeKgphpo32.exeKinemkko.exeKaemnhla.exeKdcijcke.exeKmlnbi32.exeKagichjo.exeKdffocib.exeKgdbkohf.exeKkpnlm32.exeKmnjhioc.exeKpmfddnf.exeKdhbec32.exeKgfoan32.exeKkbkamnl.exeLiekmj32.exeLalcng32.exeLdkojb32.exeLgikfn32.exeLiggbi32.exeLmccchkn.exeLaopdgcg.exeLdmlpbbj.exeLgkhlnbn.exeLkgdml32.exeLnepih32.exeLpcmec32.exeLdohebqh.exeLgneampk.exeLilanioo.exeLaciofpa.exeLdaeka32.exeLcdegnep.exeLklnhlfb.exeLnjjdgee.exeLphfpbdi.exeLddbqa32.exe

pid	process
944	Iikopmkd.exe
2656	Iabgaklg.exe
1340	Idacmfkj.exe
696	Ifopiajn.exe
4140	Iinlemia.exe
1240	Jaedgjjd.exe
3008	Jbfpobpb.exe
972	Jjmhppqd.exe
1612	Jmkdlkph.exe
4104	Jdemhe32.exe
3004	Jfdida32.exe
2988	Jibeql32.exe
3208	Jaimbj32.exe
4108	Jdhine32.exe
1376	Jfffjqdf.exe
4184	Jjbako32.exe
4796	Jmpngk32.exe
2368	Jpojcf32.exe
3700	Jfhbppbc.exe
516	Jkdnpo32.exe
2104	Jangmibi.exe
3932	Jbocea32.exe
4448	Jkfkfohj.exe
2736	Kaqcbi32.exe
1276	Kbapjafe.exe
3656	Kkihknfg.exe
1836	Kacphh32.exe
2044	Kdaldd32.exe
4464	Kgphpo32.exe
1440	Kinemkko.exe
4732	Kaemnhla.exe
1764	Kdcijcke.exe
4160	Kmlnbi32.exe
3620	Kagichjo.exe
4832	Kdffocib.exe
1180	Kgdbkohf.exe
5048	Kkpnlm32.exe
2064	Kmnjhioc.exe
4396	Kpmfddnf.exe
1076	Kdhbec32.exe
5056	Kgfoan32.exe
2352	Kkbkamnl.exe
1268	Liekmj32.exe
1596	Lalcng32.exe
4520	Ldkojb32.exe
3476	Lgikfn32.exe
2436	Liggbi32.exe
4716	Lmccchkn.exe
1176	Laopdgcg.exe
4052	Ldmlpbbj.exe
548	Lgkhlnbn.exe
3396	Lkgdml32.exe
2872	Lnepih32.exe
3880	Lpcmec32.exe
3440	Ldohebqh.exe
4968	Lgneampk.exe
4656	Lilanioo.exe
1072	Laciofpa.exe
4972	Ldaeka32.exe
1700	Lcdegnep.exe
3356	Lklnhlfb.exe
1992	Lnjjdgee.exe
4488	Lphfpbdi.exe
4120	Lddbqa32.exe

Drops file in System32 directory 64 IoCs

Processes:

Liggbi32.exeLklnhlfb.exeJibeql32.exeKdhbec32.exeLgikfn32.exeKagichjo.exeLknjmkdo.exeMamleegg.exeNnhfee32.exeNjcpee32.exeIikopmkd.exeMjqjih32.exeMgidml32.exeNjljefql.exeNjogjfoj.exeJfffjqdf.exeJmpngk32.exeKaemnhla.exeLddbqa32.exeIabgaklg.exeKmlnbi32.exeMcklgm32.exeJaedgjjd.exeJjmhppqd.exeKgdbkohf.exeLdaeka32.exeLcdegnep.exeLnjjdgee.exeLphfpbdi.exeJdemhe32.exeLaciofpa.exeLpcmec32.exeMahbje32.exeLaopdgcg.exeLnepih32.exeMpkbebbf.exeJangmibi.exeKdaldd32.exeMcbahlip.exeNafokcol.exe33a1779ff915f02eb08e6e3b01e19f94471bdca6e67ddde7fb13daea7d5541ff_NeikiAnalytics.exeMjcgohig.exeMpaifalo.exeLdkojb32.exeKaqcbi32.exeIdacmfkj.exeLgkhlnbn.exeKdcijcke.exeKkbkamnl.exeMajopeii.exeMaaepd32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lihoogdd.dll	33a1779ff915f02eb08e6e3b01e19f94471bdca6e67ddde7fb13daea7d5541ff_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jfffjqdf.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3748 4088 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
3748	4088	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Jdemhe32.exeJibeql32.exeJfhbppbc.exeJkdnpo32.exeKaqcbi32.exeLaciofpa.exeMajopeii.exeNddkgonp.exeIdacmfkj.exeJbfpobpb.exeJmpngk32.exeJbocea32.exeKmnjhioc.exeLdaeka32.exeMamleegg.exeNdbnboqb.exeKinemkko.exeLgikfn32.exeMahbje32.exeMgekbljc.exeNbkhfc32.exeJjmhppqd.exeKpmfddnf.exeLmccchkn.exe33a1779ff915f02eb08e6e3b01e19f94471bdca6e67ddde7fb13daea7d5541ff_NeikiAnalytics.exeIinlemia.exeKacphh32.exeKagichjo.exeKdffocib.exeMjcgohig.exeNcihikcg.exeLiekmj32.exeNgcgcjnc.exeIikopmkd.exeNkncdifl.exeLaopdgcg.exeLgneampk.exeLddbqa32.exeMjqjih32.exeMglack32.exeMcbahlip.exeNqklmpdd.exeJdhine32.exeKbapjafe.exeKgphpo32.exeLalcng32.exeLdkojb32.exeLknjmkdo.exeKaemnhla.exeLiggbi32.exeMdkhapfj.exeMaaepd32.exeKdcijcke.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	33a1779ff915f02eb08e6e3b01e19f94471bdca6e67ddde7fb13daea7d5541ff_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdcijcke.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

33a1779ff915f02eb08e6e3b01e19f94471bdca6e67ddde7fb13daea7d5541ff_NeikiAnalytics.exeIikopmkd.exeIabgaklg.exeIdacmfkj.exeIfopiajn.exeIinlemia.exeJaedgjjd.exeJbfpobpb.exeJjmhppqd.exeJmkdlkph.exeJdemhe32.exeJfdida32.exeJibeql32.exeJaimbj32.exeJdhine32.exeJfffjqdf.exeJjbako32.exeJmpngk32.exeJpojcf32.exeJfhbppbc.exeJkdnpo32.exeJangmibi.exe

description	pid	process	target process
PID 4368 wrote to memory of 944	4368	33a1779ff915f02eb08e6e3b01e19f94471bdca6e67ddde7fb13daea7d5541ff_NeikiAnalytics.exe	Iikopmkd.exe
PID 4368 wrote to memory of 944	4368	33a1779ff915f02eb08e6e3b01e19f94471bdca6e67ddde7fb13daea7d5541ff_NeikiAnalytics.exe	Iikopmkd.exe
PID 4368 wrote to memory of 944	4368	33a1779ff915f02eb08e6e3b01e19f94471bdca6e67ddde7fb13daea7d5541ff_NeikiAnalytics.exe	Iikopmkd.exe
PID 944 wrote to memory of 2656	944	Iikopmkd.exe	Iabgaklg.exe
PID 944 wrote to memory of 2656	944	Iikopmkd.exe	Iabgaklg.exe
PID 944 wrote to memory of 2656	944	Iikopmkd.exe	Iabgaklg.exe
PID 2656 wrote to memory of 1340	2656	Iabgaklg.exe	Idacmfkj.exe
PID 2656 wrote to memory of 1340	2656	Iabgaklg.exe	Idacmfkj.exe
PID 2656 wrote to memory of 1340	2656	Iabgaklg.exe	Idacmfkj.exe
PID 1340 wrote to memory of 696	1340	Idacmfkj.exe	Ifopiajn.exe
PID 1340 wrote to memory of 696	1340	Idacmfkj.exe	Ifopiajn.exe
PID 1340 wrote to memory of 696	1340	Idacmfkj.exe	Ifopiajn.exe
PID 696 wrote to memory of 4140	696	Ifopiajn.exe	Iinlemia.exe
PID 696 wrote to memory of 4140	696	Ifopiajn.exe	Iinlemia.exe
PID 696 wrote to memory of 4140	696	Ifopiajn.exe	Iinlemia.exe
PID 4140 wrote to memory of 1240	4140	Iinlemia.exe	Jaedgjjd.exe
PID 4140 wrote to memory of 1240	4140	Iinlemia.exe	Jaedgjjd.exe
PID 4140 wrote to memory of 1240	4140	Iinlemia.exe	Jaedgjjd.exe
PID 1240 wrote to memory of 3008	1240	Jaedgjjd.exe	Jbfpobpb.exe
PID 1240 wrote to memory of 3008	1240	Jaedgjjd.exe	Jbfpobpb.exe
PID 1240 wrote to memory of 3008	1240	Jaedgjjd.exe	Jbfpobpb.exe
PID 3008 wrote to memory of 972	3008	Jbfpobpb.exe	Jjmhppqd.exe
PID 3008 wrote to memory of 972	3008	Jbfpobpb.exe	Jjmhppqd.exe
PID 3008 wrote to memory of 972	3008	Jbfpobpb.exe	Jjmhppqd.exe
PID 972 wrote to memory of 1612	972	Jjmhppqd.exe	Jmkdlkph.exe
PID 972 wrote to memory of 1612	972	Jjmhppqd.exe	Jmkdlkph.exe
PID 972 wrote to memory of 1612	972	Jjmhppqd.exe	Jmkdlkph.exe
PID 1612 wrote to memory of 4104	1612	Jmkdlkph.exe	Jdemhe32.exe
PID 1612 wrote to memory of 4104	1612	Jmkdlkph.exe	Jdemhe32.exe
PID 1612 wrote to memory of 4104	1612	Jmkdlkph.exe	Jdemhe32.exe
PID 4104 wrote to memory of 3004	4104	Jdemhe32.exe	Jfdida32.exe
PID 4104 wrote to memory of 3004	4104	Jdemhe32.exe	Jfdida32.exe
PID 4104 wrote to memory of 3004	4104	Jdemhe32.exe	Jfdida32.exe
PID 3004 wrote to memory of 2988	3004	Jfdida32.exe	Jibeql32.exe
PID 3004 wrote to memory of 2988	3004	Jfdida32.exe	Jibeql32.exe
PID 3004 wrote to memory of 2988	3004	Jfdida32.exe	Jibeql32.exe
PID 2988 wrote to memory of 3208	2988	Jibeql32.exe	Jaimbj32.exe
PID 2988 wrote to memory of 3208	2988	Jibeql32.exe	Jaimbj32.exe
PID 2988 wrote to memory of 3208	2988	Jibeql32.exe	Jaimbj32.exe
PID 3208 wrote to memory of 4108	3208	Jaimbj32.exe	Jdhine32.exe
PID 3208 wrote to memory of 4108	3208	Jaimbj32.exe	Jdhine32.exe
PID 3208 wrote to memory of 4108	3208	Jaimbj32.exe	Jdhine32.exe
PID 4108 wrote to memory of 1376	4108	Jdhine32.exe	Jfffjqdf.exe
PID 4108 wrote to memory of 1376	4108	Jdhine32.exe	Jfffjqdf.exe
PID 4108 wrote to memory of 1376	4108	Jdhine32.exe	Jfffjqdf.exe
PID 1376 wrote to memory of 4184	1376	Jfffjqdf.exe	Jjbako32.exe
PID 1376 wrote to memory of 4184	1376	Jfffjqdf.exe	Jjbako32.exe
PID 1376 wrote to memory of 4184	1376	Jfffjqdf.exe	Jjbako32.exe
PID 4184 wrote to memory of 4796	4184	Jjbako32.exe	Jmpngk32.exe
PID 4184 wrote to memory of 4796	4184	Jjbako32.exe	Jmpngk32.exe
PID 4184 wrote to memory of 4796	4184	Jjbako32.exe	Jmpngk32.exe
PID 4796 wrote to memory of 2368	4796	Jmpngk32.exe	Jpojcf32.exe
PID 4796 wrote to memory of 2368	4796	Jmpngk32.exe	Jpojcf32.exe
PID 4796 wrote to memory of 2368	4796	Jmpngk32.exe	Jpojcf32.exe
PID 2368 wrote to memory of 3700	2368	Jpojcf32.exe	Jfhbppbc.exe
PID 2368 wrote to memory of 3700	2368	Jpojcf32.exe	Jfhbppbc.exe
PID 2368 wrote to memory of 3700	2368	Jpojcf32.exe	Jfhbppbc.exe
PID 3700 wrote to memory of 516	3700	Jfhbppbc.exe	Jkdnpo32.exe
PID 3700 wrote to memory of 516	3700	Jfhbppbc.exe	Jkdnpo32.exe
PID 3700 wrote to memory of 516	3700	Jfhbppbc.exe	Jkdnpo32.exe
PID 516 wrote to memory of 2104	516	Jkdnpo32.exe	Jangmibi.exe
PID 516 wrote to memory of 2104	516	Jkdnpo32.exe	Jangmibi.exe
PID 516 wrote to memory of 2104	516	Jkdnpo32.exe	Jangmibi.exe
PID 2104 wrote to memory of 3932	2104	Jangmibi.exe	Jbocea32.exe

C:\Users\Admin\AppData\Local\Temp\33a1779ff915f02eb08e6e3b01e19f94471bdca6e67ddde7fb13daea7d5541ff_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\33a1779ff915f02eb08e6e3b01e19f94471bdca6e67ddde7fb13daea7d5541ff_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\Iikopmkd.exe
C:\Windows\system32\Iikopmkd.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\Iabgaklg.exe
C:\Windows\system32\Iabgaklg.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\Idacmfkj.exe
C:\Windows\system32\Idacmfkj.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\Ifopiajn.exe
C:\Windows\system32\Ifopiajn.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SysWOW64\Iinlemia.exe
C:\Windows\system32\Iinlemia.exe
6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\SysWOW64\Jaedgjjd.exe
C:\Windows\system32\Jaedgjjd.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\Jbfpobpb.exe
C:\Windows\system32\Jbfpobpb.exe
8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\Jjmhppqd.exe
C:\Windows\system32\Jjmhppqd.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\Jmkdlkph.exe
C:\Windows\system32\Jmkdlkph.exe
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\Jdemhe32.exe
C:\Windows\system32\Jdemhe32.exe
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\SysWOW64\Jfdida32.exe
C:\Windows\system32\Jfdida32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\Jibeql32.exe
C:\Windows\system32\Jibeql32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\SysWOW64\Jdhine32.exe
C:\Windows\system32\Jdhine32.exe
15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\SysWOW64\Jfffjqdf.exe
C:\Windows\system32\Jfffjqdf.exe
16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\Jjbako32.exe
C:\Windows\system32\Jjbako32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\Jmpngk32.exe
C:\Windows\system32\Jmpngk32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\SysWOW64\Jpojcf32.exe
C:\Windows\system32\Jpojcf32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\Jfhbppbc.exe
C:\Windows\system32\Jfhbppbc.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\Jkdnpo32.exe
C:\Windows\system32\Jkdnpo32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\Jbocea32.exe
C:\Windows\system32\Jbocea32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3932

C:\Windows\SysWOW64\Jkfkfohj.exe
C:\Windows\system32\Jkfkfohj.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4448

C:\Windows\SysWOW64\Kaqcbi32.exe
C:\Windows\system32\Kaqcbi32.exe
25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2736

C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1276

C:\Windows\SysWOW64\Kkihknfg.exe
C:\Windows\system32\Kkihknfg.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3656

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
28⤵
- Executes dropped EXE
- Modifies registry class
PID:1836

C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2044

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
30⤵
- Executes dropped EXE
- Modifies registry class
PID:4464

C:\Windows\SysWOW64\Kinemkko.exe
C:\Windows\system32\Kinemkko.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1440

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4732

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1764

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4160

C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe
35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3620

C:\Windows\SysWOW64\Kdffocib.exe
C:\Windows\system32\Kdffocib.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4832

C:\Windows\SysWOW64\Kgdbkohf.exe
C:\Windows\system32\Kgdbkohf.exe
37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1180

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5048

C:\Windows\SysWOW64\Kmnjhioc.exe
C:\Windows\system32\Kmnjhioc.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2064

C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
40⤵
- Executes dropped EXE
- Modifies registry class
PID:4396

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1076

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5056

C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2352

C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1268

C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
45⤵
- Executes dropped EXE
- Modifies registry class
PID:1596

C:\Windows\SysWOW64\Ldkojb32.exe
C:\Windows\system32\Ldkojb32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4520

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3476

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2436

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
49⤵
- Executes dropped EXE
- Modifies registry class
PID:4716

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1176

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4052

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:548

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3396

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2872

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3880

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
56⤵
- Executes dropped EXE
PID:3440

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
57⤵
- Executes dropped EXE
- Modifies registry class
PID:4968

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
58⤵
- Executes dropped EXE
PID:4656

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1072

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4972

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1700

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3356

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1992

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4488

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4120

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2404

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4504

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
68⤵
- Drops file in System32 directory
- Modifies registry class
PID:5068

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
69⤵
- Drops file in System32 directory
- Modifies registry class
PID:1524

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2740

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
71⤵
PID:1136

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3804

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
73⤵
- Drops file in System32 directory
- Modifies registry class
PID:4056

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
74⤵
- Drops file in System32 directory
- Modifies registry class
PID:1388

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1044

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3060

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
77⤵
PID:2260

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4136

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1284

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3336

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1536

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
82⤵
- Drops file in System32 directory
PID:3160

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
83⤵
- Modifies registry class
PID:2052

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
84⤵
PID:3584

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4032

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1216

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
87⤵
- Drops file in System32 directory
PID:5032

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
88⤵
- Drops file in System32 directory
PID:1672

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:556

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
90⤵
PID:2152

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4084

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
92⤵
PID:5060

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
93⤵
- Drops file in System32 directory
PID:3840

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
94⤵
- Modifies registry class
PID:4100

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
95⤵
- Modifies registry class
PID:768

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
96⤵
- Modifies registry class
PID:3876

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2968

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
98⤵
- Modifies registry class
PID:3192

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4688

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4348

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1236

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5016

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
104⤵
PID:4616

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
105⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 424
106⤵
- Program crash
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4088 -ip 4088
1⤵
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iabgaklg.exe
Filesize
145KB

MD5
198e86426f7394d4033a5cfb8ce708a2

SHA1
19d771d26b8a6c1db592c51878d1f22415d232e6

SHA256
bf7297ae3044290414eae70240d1e6cc599f6bb39bf89d69bed05e43d6eb0a92

SHA512
99627c1cec22e55063a7386e65f9077e08304b7efeeeec263163666822382204e677cd0fc216c59ab01465e1ef12fa7c1145efd5abff613bb012c0867d264851

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe
Filesize
145KB

MD5
9fda596bb95093fec31992b013edfdab

SHA1
2c8b9478f80a39bc0d62103591bce4a7a468ca95

SHA256
d85301c3d81d29211e59a0050b5ec1628d7ce08af34d691b190a5845f055b8db

SHA512
65aa954abfd148868d1db190dd25570c81e9f47b43013a483cbd0d110c3cb73125b2f1749ae778f3eb4251a581aa2e0a0f9473ebf98bec32398a658316484ac4

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe
Filesize
145KB

MD5
f455aac813cb0b8f36ced4771c107e83

SHA1
78aaac2e2e5ddd77df67938e9ec5377ef936076b

SHA256
f58ed4e7c6144eca5a84a2bcfd34d5abf7311497465398f262a7d85ebde2c6a7

SHA512
d896effc07a32632905e40d899bbc5d7177494fa62c5b10f968db7f11bb64c3ab846ddc4d954ef0a2eb8f657eee76c9dc2098255fe42203116f2a0d905390a91

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe
Filesize
145KB

MD5
d73bb025113d16f2dd3e44f5419bcde4

SHA1
b6fb176f0353dea0c39ca49be966cf565c111cfd

SHA256
9cae513b5fa2d25c35bc497d607e309426822acb54cd2e93933571e9d025f4ae

SHA512
99870258ff02f010ea29832a5bfae5292f12a4e3654a4cafaa0ae60f1c3fbd0aebcec7684123b1cffeb8bbcb5a6b97118b7af9f09bd2707367558a2c58c419e1

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe
Filesize
145KB

MD5
3a83b3d1412fe0dadba35951e3a1e39f

SHA1
6528314022705dfbaf462ffa4178a41529a13a21

SHA256
51334a13772ed35694b7ee79bf97767c3a56d9fceaf732c45bdfce8e2b1b4ecd

SHA512
1329902ec5ab4379fc6d9a5c375a85f52e0cf4249fbc973e288002f3a18cefeac57ad672351150bf09e4a84861bb6e8c33f7e36a0b3f87ff6ba310355a844ab0

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe
Filesize
145KB

MD5
e2b463107651b76152bcbd088c6aea9b

SHA1
7aee76773788f3d625676abf83186cb687dd1eda

SHA256
bb0dc35b4f772d99e58cc3608d5dc018f9e1debf25846f299166d52224b1f3e4

SHA512
8c3ac33ad8caec401f0414f42c7be6cbe567f32cb8c02ff6d8da3781c4cb5da8f353288679b6ca80c9c7051735b344161964368847a301eb32f44704519984ac

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe
Filesize
145KB

MD5
2652cb75922935a14a163b4d4e50a5e7

SHA1
5c5e678d83162331f6af788b78a8317336286356

SHA256
6c5bcba600484dfb1f4a17793b14afb25eb0a2db9f84ea05b76d8cc3effa2a3a

SHA512
d77de05434f5270fa0f725043741f349578a61589a3b77062536f87eb51e98b37108c9f9b1fc3f378b8c41f9104926905b2722442f3b1b83991f5e839122102f

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe
Filesize
145KB

MD5
4cb577ee3adb17edf261130c4a302524

SHA1
40624afcea6e0f940710b134831c43de7af10b2c

SHA256
96793a129cad4f7ff8e5ca485e876c4c54e0307ca79ff5c5ac544ea9e9602874

SHA512
716c7b8d2b7fd818277b2ba345dc037fff7d8119195cf540cc5816ab52dcc085a0e75fda1eca28f51672c1e467eb87a998f1161353d7b0e178c7bed0e918a496

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe
Filesize
145KB

MD5
fabe8021a1929fe9c390468f95d2e1a8

SHA1
b9995f00c0dcefb7e924539312446a4e42046b07

SHA256
eb1b10d375a4a4a9073c066d5fb8095ef064301c7d2d001d740e0fc95b0457b1

SHA512
4a46db5ec525225f0215119735d22883a18839ac8f0e7d9819598470621470beea0fce5eeca0daef9c05f04252027646366b84343e45f79ce41f65c800ba5980

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe
Filesize
145KB

MD5
3ecdf92f633e9a65b854c7d6f9361e23

SHA1
7548d5aa824f155678957023ba5563bb8cb9d150

SHA256
c93bbe1894e438b44e3ba6e51a96259118ad4eed44cbdfe23e8e3c1fbc947287

SHA512
88ef7064da79fa941c9e0d7df15c3797071d4547ad2a6de9f79d795cce03c69e39fa9e5f84e2c7ded905be5bc69e46b17a7cdf909f8b9e19f1197a91ad564271

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe
Filesize
145KB

MD5
c97c996ae64f258394f83dadf2f3cd3a

SHA1
28aa76b3de3dacd0d33b0cba4ca43628b9f92fc6

SHA256
2bafcd832da0a0bcd2f90d70f339f65fdab68d1d09ad1aa6bbecdd3f7632b063

SHA512
e9d733bb3954ee0a0a74c83bad0aed4d59c0ceec400ef0e54a44eed5795a9cf5398ea6e49d008bc2c559d22019b0a0d18d7764eae4f73b5677fb1be1af86f517

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe
Filesize
145KB

MD5
0f2272609ff833f4b56e63d7781dcfbf

SHA1
8bd4b4dd90fe95bed346de47803169df703c0262

SHA256
b8bbec1f2ed4c539f1338455018cc60465584a86760857cb13aced1fbc9c780d

SHA512
80a7e8e82d4868201338467c98349c05a0c8679ca8b5dbfe26875106e8fefc29736e0a02a72a0bf4fb52ef87de3bde7c5dca8606bf2cf82d30d977b219f9d4e0

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe
Filesize
145KB

MD5
5d44e70d2aed2f2c92720c6a466be3b4

SHA1
49ec4a31f262b5303487092b138224a8356ea328

SHA256
6a47a0bda6af350cc3f8a9a5f6e953a82ecec0556d9f9e0b82f0a7a347484087

SHA512
48841b88abfa7b8a2e24034e0e686108061632c760912b23212e5ad419a37d90c8af4714f121dbb0f489031a6f3b70c8d782b71616d6ade6f622b9c5200db196

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe
Filesize
145KB

MD5
56d5012ac515de3f571c4d635f392c9c

SHA1
ee88c0c93c26cc1cd799247d06a398fc5a9c7584

SHA256
038e855a0eda67ee8a13d272498db7434583e09f45db63e42f673380aa02a1b1

SHA512
5d128e5c1ac53dc327a8657096a87717466017c9c134b0c55655d49e1776ff5b6caae058a6948d8090f0eaf53075d1a2ca3e4118c4377024c5308a3aa06b3f73

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe
Filesize
145KB

MD5
cf99de0b12b61d11b58ff125098cfa3f

SHA1
9f58ea9bd79c9ef2a4a59dd1b3736753a3d64a5c

SHA256
b292393df4a101febb858a5339fe0bfc82f33eecccf8a080b1ef342fee1860e1

SHA512
58da02897f09a6b06a2d0bbe285e83d88c8d211aef537cce9ce743b957ca6f7dbe81eeb392e66d6c361cbf03e96980ec14024835c97155172cd0c6ee61d36845

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe
Filesize
145KB

MD5
cc04b785dce6c63493ab058375535849

SHA1
4a917627488d80935f2bb3f901ef733260ad0e2e

SHA256
b26380854779cef7f2fd3cb121f7d9c9ac7d7ff2d1371c8a49616bef19dced8a

SHA512
bdd38924da22dec79df5850d293e9471b49d6d0e3db24dc7c41a8e25a156933ba3227f758289bae238e46eee0832b822eaf25438b5fc4e43db34427aaee5ecff

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe
Filesize
145KB

MD5
7159274d81d74caeb73d734fa9d5529e

SHA1
0fb41816003bcd0a1d3d1b0698205b21d1f56ca2

SHA256
ac28f4f6efa75398ce059036135d9a0f5b2e0bdc7f9fd4c38380d4aacb181c01

SHA512
2e263f7b3cff8e53c0a24aba64d46137c83284d87be14f80500126b8456a305f18f67793d729cfff8250679d992eb72ccb7642b83081778cf6cc3cf723794ae0

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe
Filesize
145KB

MD5
016d9ec82d4b22e59a9b3ee9029d13cb

SHA1
12e54827441b4713f82e1f0d9435f11e7b897667

SHA256
1b30c172e6d8c432fbd7b0e1d30a5963ea954dc125675700165f5ea165786629

SHA512
6f079e79a06ce9e2e8c2317c2dfa1fc1690fd69f5010515e839aa74830969c47929e334455082d5d1decf16f859aeaec3b9e9b60d0461329ef2b651ea5372116

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe
Filesize
145KB

MD5
f161c963bbe2b1c54a00fa36046fcb12

SHA1
d66ff48348ff76025c4e10570cf64d3c002705a4

SHA256
62ba2f57e24d551bb272eec901bdef8d8b6d932209ef49244ee744c0f475542e

SHA512
1b868dd9418ed522fda9ae13ef2a747d7018ebb916df7836f2ca3a61d55f4a44b7942485461bb85e2613a73ba63893b5e71b4311632c1bfae22a3d6b0d53a473

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe
Filesize
145KB

MD5
658a384a12a345e30c90049085583442

SHA1
3edb43d2b3cfa076eeb4fe510f0c3096e28b1081

SHA256
62bdfe65827a8e69cae6f091446af72118b3f1d1725318b6a3023acaf295c2c1

SHA512
174d71c24c8c18563de4a24aa60d93dd9a7e1f1d0fc8049df627ae74bbba0aa858f9e2a13794c27a5fa65c67a319940cefb745232d676faddaba79fcf61421d5

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe
Filesize
145KB

MD5
ca39ac99b49398142847686dd43ccb6a

SHA1
c5abb47ee9b26af48f3c8785895362cdaaa2f7e7

SHA256
424672b3d83990b908af1f8403872c37c7da791ab2aaae1071f3f75582f87032

SHA512
ec85e208541f3ca0cbeb23625aa57fd0bcd7008178769968c8bd714a15dc49815a0eda80104d0498c00cf8520cb3056fd444df6d5bf733f7a35884a648208f6a

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe
Filesize
145KB

MD5
99114159a3dd5ee1bab69a1aff03298b

SHA1
16e935f5291cec87d32bb5500480778fdf80e13b

SHA256
e60bcf2727e91f4d9c41008389fcbeb58ff8e04a7a9f8ce670ce744f55ab8b01

SHA512
344b16f0b49e2f81739f932c4de8d7f25b2aa256b12c05ecc376723b240d6aee60427c393526aade81eebc8a9c52e6e1a3bcfffcd59a84a2997daa055ce8de4c

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe
Filesize
145KB

MD5
f2031b11b1f87d2bf9909c2a68dccc27

SHA1
92ff966e7a8b6d6b4d43cbacd36d320797735c00

SHA256
3ad5513fd80d92ad14863daec7b3fb20d2012c26088999a151b6aa95cb101e8a

SHA512
b0c2a0380d6814e5cba1768090ba9a48d170fe2e6bb265045a854b1e0ace20363a18913072ff49f9b6f236e2bf27a46264e2af0a316919d2a3d1761cf40ab1fc

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe
Filesize
145KB

MD5
6827a83f6ca940e88d556f6fabe0c108

SHA1
5de3cea2233694ccd742605d28285fbf26d5de66

SHA256
8d4ecf57f164dc1295788cfa2667ef076ad9eace12627bf9e0116bcb729853c7

SHA512
2e59d38a62662247e5a69c1aad3e1a083efeb0ef7f6e5dc9478f9da83a1c2d729a6d3957c1817d0e49a8c84435c99db29256b8d3193c3295187c083796bcd418

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe
Filesize
145KB

MD5
1facadf52594419b797835076337ed4c

SHA1
b24f0cc7a3e3e5089d0380fb6dd32b50fb5e3316

SHA256
6e0a9b1f1fecb6a276e98c65a4cf263d935799de7bab48a1bd55211cad8eb6a6

SHA512
f912517392eddae3de89e428530a22bd0ea3283b63a1e8ebe518886dd74a997c73777f2671cc0927c1e853736fc04537dd6365ccdec77207fd2037e65bb0d421

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe
Filesize
145KB

MD5
545fd382562ec24294290a59b2b1d514

SHA1
a5f6190cd04aa3d661ed021a8d4002ce024f8324

SHA256
48fff15a8bcadca24e630f51682ea7f6035c55ccb6fae3803f5808224c827119

SHA512
2deaf86848cd61f0be1aedd4f1e6d3fd3aea5a302b30f5f1315d41ab7005ca596b1d0f480812d45e971b8889655cd20853eb668261ec237860eafad2fa70cc1f

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe
Filesize
145KB

MD5
3f21ed0449b847f2affd73913b519a2a

SHA1
91717aac745356df01f9e300331d5cbc940a825d

SHA256
6bfe07f2fa35650523619b159ea4ab069d25e178737fc5cde0703e459f15541e

SHA512
107e4f50206e04b1b25bbe8d436308f87e2fa9e778b0b3fd29824dc00e74460d39fe18f5c22c997b34932569e0c4fd2faf5be9fc1182e657c4dfe4cdb2779dd8

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe
Filesize
145KB

MD5
f374ebedc1fa3a5ade9cdf63bd95ef7e

SHA1
2fcd41ff29f169eac592d274f7a12725ce143ac3

SHA256
659b35be501d4ed6efd83b07c3d7c20b088d05b173fac9877600978288d9c162

SHA512
f6f848e41a41af8cfb9b87fd17ae3d07471f446c28788158213f4ac3b4dd9523902184d56ac857bfefdaa8283bb5f426d986bc571cfd0cc61aaf936589b4a0fe

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe
Filesize
145KB

MD5
786ff1d72535d390eb3cbaafd3da70be

SHA1
348a7a8fcda7b06431db62fdcd56a4e281d09e0e

SHA256
21144818a6c47f0356c4c832fee23663046b6d3b4fa3db9616458af33f175a49

SHA512
006fb8db0622e5bb8a6eb68f4b4382c2bf4d73d929b4c68e553dd682cceff9131e5fb959620582b4ed26f171b57bfd2a319f85e118510b2dabf33fec59c0454b

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe
Filesize
145KB

MD5
188231624037949e73b34211e8081cea

SHA1
5d3e40054b8fa84eb3ed604833c8989752748927

SHA256
694161df6714a3fcb17698383614bd340193b8b8f3418b3f1612b75747e2c865

SHA512
0311633768f25b6f4292cf9f6ce33417b56184df7730b20fec22ca89a1e0054e69fbe9fc904041148b131f6f2eae7a108709c607ecc518c5d3b699539466bc86

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe
Filesize
145KB

MD5
db3a92fa302fbd9dffaad2bef7968d9d

SHA1
45cb5650e08a9f2ae5f0a92e526ba02cd4a88b98

SHA256
6ea4aa670073b63a9772ec486fdc9e9d09a77340019e22c1c0f56c7e136482b0

SHA512
c786eb37910b94e03ccbc46b5189a481acc25f5b84f51200726542c4795bd72a006a26b1ec4f06d73c7a9c5c48ce5d02f7a3af443c4aaa57c4a4eec5d4005131

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe
Filesize
145KB

MD5
cbd344db0892c069fa2d9182d4c136f4

SHA1
23de4b43ad25909c42b6a9a40a9120a4ca37505d

SHA256
3d53a4e15f71523d625a03f28915131dca98f1bcc67add02ba93b76102e82941

SHA512
9023a00bad9eb1a44afd0d07f231c4a13c70c7f9bd6c0c9884cae7420b956b14d29b08e2c06409bed6bc389f2763248b101afea1aa77d0b02a9ac790338a660d

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe
Filesize
145KB

MD5
9c49693c2c09025e29589737f66eb310

SHA1
a1f1e894a82dce31d643aae9826c4ca9023d05d0

SHA256
74c861f5538e9c05f7b7ebc47efde17f1a593ed96c7e6c997439b2fb6c1af6a6

SHA512
73008a4e50cb92728979c4d4a3de6e0c43c3bac77aa42b7772ca7e31ba04e2c37f6e8b1e0094f95da5e7d4c0bfecd1a043e04e8c67be1d3bc78c369b448b1469

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe
Filesize
145KB

MD5
ed0b5fa028593a61156f18d1fe56b7a5

SHA1
bd0d59cdf6272cc35ed4d64284590d8365a40891

SHA256
7606723422c63732166e07b251de8693e26606cc38f3dff04b56456e387856fd

SHA512
f7f22f0537dbf37519d32ab4ad2927246218ee71a870c3a056dec29f42cdbfaa703f2f1e35a39c8e7ae67ebdd78a0c58290fc629c43ada2d0d82df76c2ff5180

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe
Filesize
145KB

MD5
b694014040095293e4def9fc40d94d1d

SHA1
5d35099fec1fcd910c7ad40268196427b03e5409

SHA256
8828807f415f90859e566234966e8bea207ce6820f6fa4e7748dab63cbf4b036

SHA512
991485f99b483c8a910ae445e42effca02c84705c5bfc4b9d2357004c1461f4b843f57ad5acdd5d8e0e6cbcf13ba6cf80cc74612361d57b1e7977de12d9420a5

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe
Filesize
145KB

MD5
c9fa634571b1ddd3c0d167d59d4048ad

SHA1
a0bb9b7670d83722820f2291662f7de119e6bc54

SHA256
cdfdc0f5f09621b7033c368b9f691661a1728f468d167aeea64a2fa6ac28aa63

SHA512
8249596460dbe5376198d1c3eae4af3f9d956e647094d7047fc1045911dac74190542abaff399c8fb886490a13395cc156dfa7a131a0e05ccbba862e1084b3fb

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe
Filesize
145KB

MD5
249482e2762bb4f7d16ca0e71d1ac9e7

SHA1
983d822dbac19282b122dd93e48e46798ac7262b

SHA256
6eea9a125b8c2146504b85ce22d039c61a9ea6a4ddf0fa3af3a4bbdbdef2a47f

SHA512
afcc05fbe0325f2af2ce929a9b5f0440ea4f02aa4a77157756a9aa5cd724492290159620c2c4b218e4cc3d4e995fed7a68c73ccd331a45c01e0153bd1b06115a

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe
Filesize
145KB

MD5
e5c23db6634931b0139444cfd76bf05b

SHA1
b69f1fd07d79c42509b27d537fee1f4916f3b2a5

SHA256
15df73a1b25b7d9335cd3ba41b06e323da46532c8a05e03b411242d9f9041b12

SHA512
b70ecbd7df61585a2403da68f8af1e135b176bc4dae95931674db723ece8b4946e6171c4f69fc17191c554df749f6fba3dc76f8293bace21d7f35fa62ebc8fc6

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe
Filesize
145KB

MD5
723120d4e89fcde8f21c1bde369a2a87

SHA1
a2fc40f26d573482052b871ee13025dab10b3f7f

SHA256
f2d786afde33d3baeaa26b0f9449a954bb3881ca8e50066246b8058f7f8ef7e6

SHA512
3ccda9b6babbbc3ae788f170711ec750164a8ecc69ee502cf7da85bf92d365863e154158deb94bb8df2a75c99fd7244054e64015f4abfcc1ac0d8275ca47b7aa

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe
Filesize
145KB

MD5
c937239d489e1578bb8d305c6a228547

SHA1
b67aedf0e012f77fb7e043d497690a4a8b0c8e80

SHA256
049ef607fcd4933f011ea1474381fd7b4078f687a08d697ccfb27c0c405f271f

SHA512
d68b1d6ea0f2ad3b199303f4ee75d4f257794d58abc9cebab8ddef82b019e000d8bbe9d2541fda92551519b42fe0fe1328d124bbfa8f1b69d1e108565e0bdc26

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe
Filesize
145KB

MD5
64c242773c8ff1aba4c116910a51c482

SHA1
327c1f7c714d37b711ad3930391eb6b7acc4e7ec

SHA256
8d8c254d8d154e136d7646a15fcdacea6ee45648e2a300399c7ade71c9d18781

SHA512
ceccf5f5b0a8e76d9d2d1636373b45bbe2fe800946326c3ff50028bc27beedc36fbc834dc32abd9ad14b109279aee8bef45631c0c57f0c5270fdeebf771359f0

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe
Filesize
145KB

MD5
9c9b158687929ee1ce8a87f170569bbd

SHA1
c7839eae4ec3e27282b7dcf294b928911dc1b766

SHA256
5033aa61a05e6c3c334ced40e32b3bb33725534e4e29af532830d6e7004ca8bf

SHA512
0bead5104edac176f64cd5b64413dbcc79a1fd1619840d361eb16ac3099d87d53a33e61fd9b28688abb26950261ea822e495447ef15d2ad686c25d08948ae391

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe
Filesize
145KB

MD5
39d74ec074a6ebb74a7a7883f7135dc0

SHA1
30417cf5cff7a113ba2cc3314c742c06048b8d76

SHA256
f8acd359e281a54b293356e3aeb1e83c92c5ab773f667ad575458a1c94f599ef

SHA512
f849fa908af1030c52686023880fa6f0c4cf35cb0a802a28ca652c219d7034d33aae13805e1d0e417bb8cddde28a8cebc12e6cd3715781561d275c1df8909592

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe
Filesize
145KB

MD5
01fbcdf272fa1c7aac3db871a8345361

SHA1
f23d440d10f383d042792fbe520fde4ca78a071e

SHA256
98d12f75a0a071ea27f74067b7eaaf530dd2e97c2f18042dee728b3978c50c57

SHA512
ed06333376229ec5061d8158c224b4840936d8eb4e4b38cdb920dd7ab50a810d98496381608e596b35af371057891255b850dbb60f2bd85cccbbc14c9f87f4bc

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe
Filesize
145KB

MD5
2f1e7974ac787bdfaf703fc9e366c79b

SHA1
48fd0f3050151e88814ae261bbfc8aa86ed0084c

SHA256
abf6fd77657ee5e65b4b41b48e8a383187312ca691f38c305a2587a225f98337

SHA512
1d44ae483b87f54c434d221d8aa0ef99b14133439f145a8eef115b76d159f1fa1a4dda0b412a6673e871b29de0367c441920ce2bcb125a7fe29befbc212418e4

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe
Filesize
145KB

MD5
afb5793f268d008cb0151bc182bfd02c

SHA1
1c2eb5196dc02d3ab0b511c2416e3d754f23fb43

SHA256
e6715db51b64f2d29fda4fe1c38237542fe06cdb610be1acd1d12005d2dcf898

SHA512
e67e310e05dee59c7338324fd086c8f653350ffa9d2222426ee77b4959ac9da511027db998b111aebd824e22140e9709ffdbdee71d6e79786f1ae9a66c9c95e8

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe
Filesize
145KB

MD5
15598dbd450ad875b2f5adfb1ea03dd3

SHA1
b2deb199a06ae248adfc0ca6b9d016def1f8598f

SHA256
85eb78ace7da12f0ad07cb24287ed8b25f045fc4689cc60d2c576c1ab02e3376

SHA512
d1bc12589cbd6fb9dd59f6a9db3b7fa10d76f908b3e1f72aa89e7a784b6ad925468445af18ccf75768b63695952df6be2b1d024a10ac82138fc040b83915d81f

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe
Filesize
145KB

MD5
801d7297cb0d5760fdefd5ed4c3375ab

SHA1
ed860dac6f769b29e39f0817a64ad07fac964876

SHA256
06276c6c26c6d1b5380d9c433309cd676407fbdee578c0ab6e64331d7b134762

SHA512
5f81fda16ef6bd3bdb44df6d0fe6ddd6317134b6c73f05a78a0b5e9f15589bce4756edfece25988feeda6bac1ed3d7b8b2cfef557fd04f97816cc281c2422dcb

Download Submit
C:\Windows\SysWOW64\Ncldlbah.dll
Filesize
7KB

MD5
6a49c01e7dd6e7c09c70a134aa5a38bd

SHA1
cf7ea2f5f64fa45b42d80281123cb462701d4e2a

SHA256
ddb803c55399c6b4f2b9468a4c7bca4a5ed16a12ed11cfd980ec8f136c446945

SHA512
e628be58c410bfbeef981e1007cb1d20d09d329a4049e165b8e35eec32cb20e903e8e28b24811b20f168b6d564573c56a2def4797ea478e97debcfb61e7402f7

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe
Filesize
145KB

MD5
0d5920e4a71bd79b855c282bf7d238f3

SHA1
82be8dd27d63b854c2f5ad2ec8a60ebfedf720aa

SHA256
f29df4741e5ffe7e18675d1a987ffd900fba6da501dece3f765f6bc755755ca9

SHA512
b9ec201974ca6577db04d734e0d53b033f11c3579d853f78ab44113fedc1edf0b6b218ae5edf4759afaff42c66cd069d8c192d2d2fb527127d60302377c9bb37

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe
Filesize
145KB

MD5
104fcca3e5a7c4801d5b8e3d0fbcb521

SHA1
bb8265cc814ca7d6d2cd0853b9a301924269dcb2

SHA256
dbd6a53c36e2572e476ef23b4ab2b42682df79ccb8832e5c5491eb548f179aa3

SHA512
6c2d3b8c9c2ac9b21a4dd7aa0706ba44bf49bc3519eea17b9cbbb618f4f0674d20a15482886d317254c26f8e8e25d69e36ed6c4cd7309221ba509794ea5791fd

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe
Filesize
145KB

MD5
156f25e17de7a1eaae6807c23735d25d

SHA1
87e9915a71e7ee0ef5d6e7803226322dc8e19ea2

SHA256
28986e5ce7e98673d8a7bda616efc6bbf18d4774ed77a2aff62c726f22da4ab6

SHA512
5c7d0fb7fc344c9163159953e416627ee601285c1fa0a9bed3d3b4448101c09d8a21b3d114d7be715a0297e091b398fc65983f01a78e7e0453aa80e468aafce4

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe
Filesize
145KB

MD5
922d4fde529ad508350a175569d1955a

SHA1
65b42027cb2a48eda5cfe616aa14f610b0c3809f

SHA256
e279252b23e37e56ed255d3caf1f1aba3df8e93417af290f1ed349a7306e62ab

SHA512
2bdb56211c684b0065e2dfa81e9bbc5163c90462d0f15d6ef82c8b4802d6b0182b03cd73b90a1db33c40e62991d65ad4645d69e54c1d5230547b076c5455f42d

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe
Filesize
145KB

MD5
2993154df78d189231bad460bd03ca5b

SHA1
b1c2410bb4244bd03cc50db39836a9ddf4962b4b

SHA256
bd9fa1a58d6a9e1a4f6e79238010a6d0a5b81cb2d7d20315f6e7a116b1eca462

SHA512
a0f71703c72a0639bd5e3a03a05113fcd27ef11170984de61f7f2f0e861e9f7ec6a1359275d67e4131f4f4281460f856cae0884244799193b385a1eb1f20b927

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe
Filesize
145KB

MD5
8b013a3b41f34eb9a6143a7d4568333a

SHA1
68ff5033352e84ba3dfb3aef3dbb03a4b73e414b

SHA256
5aaac41c4ca81b648a0dffb71e83615edd49861a1fd5c1a55066e936ac861dbf

SHA512
355888f382c8666a0882d22156a01a164fe81a241c5ae19d9b5758b536555ad1035167f400be8c77c52373c7c2818404240ff5f7fc7a2a00d3112f437a8c00f0

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe
Filesize
145KB

MD5
e0685f484c0d794468080725f84d089a

SHA1
bc3a2babe5a3f73e489133b91b85ffc3d099bc57

SHA256
783e2ffbd8d45925b36995776d4aae211d3c085c4a2c3fb058ccd6afd387f399

SHA512
1f49b49490e55b03db04b865fd820aaabc7d4a0f6e965708bdc64e706d97cfd69db5219ecd7f5f6422589c3ecc7d53ac3512bbec41571a02e4f36d02674f63e9

Download Submit
memory/516-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/696-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/696-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/944-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/944-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1072-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1276-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-751-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-757-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-494-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-734-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4140-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4140-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4520-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download