gozi | a397c4879d40acfbf70dec516d57860c2d12608ad64427996fa7a16bb6c41534

Analysis

max time kernel
92s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be6daa9bc47555213dc261b364118e90_NEIKI.exe
Size

163KB
MD5

be6daa9bc47555213dc261b364118e90
SHA1

171f8d19b703d07121f830153a5b95b0040bb6a1
SHA256

a397c4879d40acfbf70dec516d57860c2d12608ad64427996fa7a16bb6c41534
SHA512

f4e64e936dc2aa3ac72e655d95ea35803b275daa623a9480fd3ff65e7fdb06b14dda7e7e91e260d258c8c6b629161974e1b893f3d6e829b877bdee84af812d03
SSDEEP

1536:Pg3MwGGu3Y/rCHUR2/ObWlU8m9dlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:pwGfY/rQUR1bWSl9dltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Kacphh32.exeLgbnmm32.exeMjeddggd.exeLaalifad.exeNdidbn32.exeMjcgohig.exebe6daa9bc47555213dc261b364118e90_NEIKI.exeKgbefoji.exeKmlnbi32.exeKpmfddnf.exeLmqgnhmp.exeLpfijcfl.exeNjogjfoj.exeKgfoan32.exeMjjmog32.exeMdpalp32.exeNjacpf32.exeNqklmpdd.exeNnolfdcn.exeKipabjil.exeKcifkp32.exeMdkhapfj.exeKmjqmi32.exeLiggbi32.exeNdbnboqb.exeLcmofolg.exeLgkhlnbn.exeMpmokb32.exeLnjjdgee.exeMjhqjg32.exeNcihikcg.exeKkkdan32.exeMpdelajl.exeNcgkcl32.exeMglack32.exeLgneampk.exeLklnhlfb.exeMpkbebbf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	be6daa9bc47555213dc261b364118e90_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	be6daa9bc47555213dc261b364118e90_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 39 IoCs

Processes:

Kacphh32.exeKkkdan32.exeKmjqmi32.exeKgbefoji.exeKipabjil.exeKmlnbi32.exeKcifkp32.exeKpmfddnf.exeKgfoan32.exeLmqgnhmp.exeLcmofolg.exeLiggbi32.exeLgkhlnbn.exeLaalifad.exeLgneampk.exeLpfijcfl.exeLklnhlfb.exeLnjjdgee.exeLgbnmm32.exeMpkbebbf.exeMjcgohig.exeMpmokb32.exeMjeddggd.exeMdkhapfj.exeMjhqjg32.exeMdmegp32.exeMglack32.exeMjjmog32.exeMpdelajl.exeMdpalp32.exeNdbnboqb.exeNjogjfoj.exeNcgkcl32.exeNjacpf32.exeNqklmpdd.exeNcihikcg.exeNnolfdcn.exeNdidbn32.exeNkcmohbg.exe

pid	process
2724	Kacphh32.exe
2120	Kkkdan32.exe
956	Kmjqmi32.exe
4436	Kgbefoji.exe
4612	Kipabjil.exe
3668	Kmlnbi32.exe
2264	Kcifkp32.exe
4428	Kpmfddnf.exe
1500	Kgfoan32.exe
4072	Lmqgnhmp.exe
2648	Lcmofolg.exe
5012	Liggbi32.exe
2852	Lgkhlnbn.exe
3652	Laalifad.exe
436	Lgneampk.exe
3664	Lpfijcfl.exe
4716	Lklnhlfb.exe
2476	Lnjjdgee.exe
4268	Lgbnmm32.exe
4772	Mpkbebbf.exe
4620	Mjcgohig.exe
3276	Mpmokb32.exe
2880	Mjeddggd.exe
1800	Mdkhapfj.exe
3444	Mjhqjg32.exe
3456	Mdmegp32.exe
3976	Mglack32.exe
1248	Mjjmog32.exe
1748	Mpdelajl.exe
5036	Mdpalp32.exe
3948	Ndbnboqb.exe
4420	Njogjfoj.exe
3080	Ncgkcl32.exe
2872	Njacpf32.exe
2400	Nqklmpdd.exe
2672	Ncihikcg.exe
3500	Nnolfdcn.exe
1852	Ndidbn32.exe
5028	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Kcifkp32.exeLnjjdgee.exeMpkbebbf.exeNjacpf32.exeKacphh32.exeLaalifad.exeLklnhlfb.exeLgbnmm32.exeLpfijcfl.exeMjeddggd.exeMdmegp32.exeNcgkcl32.exeLmqgnhmp.exeMjjmog32.exeNnolfdcn.exeNdidbn32.exeLcmofolg.exeMdpalp32.exeNjogjfoj.exeNqklmpdd.exeLiggbi32.exeMpdelajl.exeKmjqmi32.exeMpmokb32.exeMglack32.exeKipabjil.exeKmlnbi32.exeKpmfddnf.exeMjcgohig.exeLgkhlnbn.exebe6daa9bc47555213dc261b364118e90_NEIKI.exeKgfoan32.exeNdbnboqb.exeKgbefoji.exeMdkhapfj.exeLgneampk.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	be6daa9bc47555213dc261b364118e90_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	be6daa9bc47555213dc261b364118e90_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lgneampk.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3996 5028 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
3996	5028	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Mjcgohig.exeMpmokb32.exeMjeddggd.exeMjhqjg32.exeMdmegp32.exeNdbnboqb.exeLklnhlfb.exeLnjjdgee.exeMdkhapfj.exeNjogjfoj.exeKgbefoji.exeMpkbebbf.exeNcihikcg.exeLaalifad.exeNqklmpdd.exeNnolfdcn.exeKkkdan32.exeLgneampk.exeMdpalp32.exeKpmfddnf.exeLmqgnhmp.exeNcgkcl32.exeKmlnbi32.exeLgkhlnbn.exeKcifkp32.exeMpdelajl.exeLcmofolg.exeKgfoan32.exeNdidbn32.exeKacphh32.exeMjjmog32.exebe6daa9bc47555213dc261b364118e90_NEIKI.exeLgbnmm32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	be6daa9bc47555213dc261b364118e90_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	be6daa9bc47555213dc261b364118e90_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

be6daa9bc47555213dc261b364118e90_NEIKI.exeKacphh32.exeKkkdan32.exeKmjqmi32.exeKgbefoji.exeKipabjil.exeKmlnbi32.exeKcifkp32.exeKpmfddnf.exeKgfoan32.exeLmqgnhmp.exeLcmofolg.exeLiggbi32.exeLgkhlnbn.exeLaalifad.exeLgneampk.exeLpfijcfl.exeLklnhlfb.exeLnjjdgee.exeLgbnmm32.exeMpkbebbf.exeMjcgohig.exe

description	pid	process	target process
PID 4472 wrote to memory of 2724	4472	be6daa9bc47555213dc261b364118e90_NEIKI.exe	Kacphh32.exe
PID 4472 wrote to memory of 2724	4472	be6daa9bc47555213dc261b364118e90_NEIKI.exe	Kacphh32.exe
PID 4472 wrote to memory of 2724	4472	be6daa9bc47555213dc261b364118e90_NEIKI.exe	Kacphh32.exe
PID 2724 wrote to memory of 2120	2724	Kacphh32.exe	Kkkdan32.exe
PID 2724 wrote to memory of 2120	2724	Kacphh32.exe	Kkkdan32.exe
PID 2724 wrote to memory of 2120	2724	Kacphh32.exe	Kkkdan32.exe
PID 2120 wrote to memory of 956	2120	Kkkdan32.exe	Kmjqmi32.exe
PID 2120 wrote to memory of 956	2120	Kkkdan32.exe	Kmjqmi32.exe
PID 2120 wrote to memory of 956	2120	Kkkdan32.exe	Kmjqmi32.exe
PID 956 wrote to memory of 4436	956	Kmjqmi32.exe	Kgbefoji.exe
PID 956 wrote to memory of 4436	956	Kmjqmi32.exe	Kgbefoji.exe
PID 956 wrote to memory of 4436	956	Kmjqmi32.exe	Kgbefoji.exe
PID 4436 wrote to memory of 4612	4436	Kgbefoji.exe	Kipabjil.exe
PID 4436 wrote to memory of 4612	4436	Kgbefoji.exe	Kipabjil.exe
PID 4436 wrote to memory of 4612	4436	Kgbefoji.exe	Kipabjil.exe
PID 4612 wrote to memory of 3668	4612	Kipabjil.exe	Kmlnbi32.exe
PID 4612 wrote to memory of 3668	4612	Kipabjil.exe	Kmlnbi32.exe
PID 4612 wrote to memory of 3668	4612	Kipabjil.exe	Kmlnbi32.exe
PID 3668 wrote to memory of 2264	3668	Kmlnbi32.exe	Kcifkp32.exe
PID 3668 wrote to memory of 2264	3668	Kmlnbi32.exe	Kcifkp32.exe
PID 3668 wrote to memory of 2264	3668	Kmlnbi32.exe	Kcifkp32.exe
PID 2264 wrote to memory of 4428	2264	Kcifkp32.exe	Kpmfddnf.exe
PID 2264 wrote to memory of 4428	2264	Kcifkp32.exe	Kpmfddnf.exe
PID 2264 wrote to memory of 4428	2264	Kcifkp32.exe	Kpmfddnf.exe
PID 4428 wrote to memory of 1500	4428	Kpmfddnf.exe	Kgfoan32.exe
PID 4428 wrote to memory of 1500	4428	Kpmfddnf.exe	Kgfoan32.exe
PID 4428 wrote to memory of 1500	4428	Kpmfddnf.exe	Kgfoan32.exe
PID 1500 wrote to memory of 4072	1500	Kgfoan32.exe	Lmqgnhmp.exe
PID 1500 wrote to memory of 4072	1500	Kgfoan32.exe	Lmqgnhmp.exe
PID 1500 wrote to memory of 4072	1500	Kgfoan32.exe	Lmqgnhmp.exe
PID 4072 wrote to memory of 2648	4072	Lmqgnhmp.exe	Lcmofolg.exe
PID 4072 wrote to memory of 2648	4072	Lmqgnhmp.exe	Lcmofolg.exe
PID 4072 wrote to memory of 2648	4072	Lmqgnhmp.exe	Lcmofolg.exe
PID 2648 wrote to memory of 5012	2648	Lcmofolg.exe	Liggbi32.exe
PID 2648 wrote to memory of 5012	2648	Lcmofolg.exe	Liggbi32.exe
PID 2648 wrote to memory of 5012	2648	Lcmofolg.exe	Liggbi32.exe
PID 5012 wrote to memory of 2852	5012	Liggbi32.exe	Lgkhlnbn.exe
PID 5012 wrote to memory of 2852	5012	Liggbi32.exe	Lgkhlnbn.exe
PID 5012 wrote to memory of 2852	5012	Liggbi32.exe	Lgkhlnbn.exe
PID 2852 wrote to memory of 3652	2852	Lgkhlnbn.exe	Laalifad.exe
PID 2852 wrote to memory of 3652	2852	Lgkhlnbn.exe	Laalifad.exe
PID 2852 wrote to memory of 3652	2852	Lgkhlnbn.exe	Laalifad.exe
PID 3652 wrote to memory of 436	3652	Laalifad.exe	Lgneampk.exe
PID 3652 wrote to memory of 436	3652	Laalifad.exe	Lgneampk.exe
PID 3652 wrote to memory of 436	3652	Laalifad.exe	Lgneampk.exe
PID 436 wrote to memory of 3664	436	Lgneampk.exe	Lpfijcfl.exe
PID 436 wrote to memory of 3664	436	Lgneampk.exe	Lpfijcfl.exe
PID 436 wrote to memory of 3664	436	Lgneampk.exe	Lpfijcfl.exe
PID 3664 wrote to memory of 4716	3664	Lpfijcfl.exe	Lklnhlfb.exe
PID 3664 wrote to memory of 4716	3664	Lpfijcfl.exe	Lklnhlfb.exe
PID 3664 wrote to memory of 4716	3664	Lpfijcfl.exe	Lklnhlfb.exe
PID 4716 wrote to memory of 2476	4716	Lklnhlfb.exe	Lnjjdgee.exe
PID 4716 wrote to memory of 2476	4716	Lklnhlfb.exe	Lnjjdgee.exe
PID 4716 wrote to memory of 2476	4716	Lklnhlfb.exe	Lnjjdgee.exe
PID 2476 wrote to memory of 4268	2476	Lnjjdgee.exe	Lgbnmm32.exe
PID 2476 wrote to memory of 4268	2476	Lnjjdgee.exe	Lgbnmm32.exe
PID 2476 wrote to memory of 4268	2476	Lnjjdgee.exe	Lgbnmm32.exe
PID 4268 wrote to memory of 4772	4268	Lgbnmm32.exe	Mpkbebbf.exe
PID 4268 wrote to memory of 4772	4268	Lgbnmm32.exe	Mpkbebbf.exe
PID 4268 wrote to memory of 4772	4268	Lgbnmm32.exe	Mpkbebbf.exe
PID 4772 wrote to memory of 4620	4772	Mpkbebbf.exe	Mjcgohig.exe
PID 4772 wrote to memory of 4620	4772	Mpkbebbf.exe	Mjcgohig.exe
PID 4772 wrote to memory of 4620	4772	Mpkbebbf.exe	Mjcgohig.exe
PID 4620 wrote to memory of 3276	4620	Mjcgohig.exe	Mpmokb32.exe

C:\Users\Admin\AppData\Local\Temp\be6daa9bc47555213dc261b364118e90_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\be6daa9bc47555213dc261b364118e90_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3276

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2880

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1800

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3444

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3456

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3976

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1248

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1748

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5036

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3948

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4420

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3080

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2872

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2400

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2672

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3500

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1852

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
40⤵
- Executes dropped EXE
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 228
41⤵
- Program crash
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5028 -ip 5028
1⤵
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kacphh32.exe

Filesize
163KB

MD5
b4fe3e2f868cbc3b49a4642da63aa1fb

SHA1
351f1c1a7bcd1f31ef14d88f4bb689b016310bb5

SHA256
360a7fb034578134484df232d45e5a3eb81710cb28ec6cfcd01a2ef3a4af4593

SHA512
ee84a81c17182ba347a9c5b5233eaf93333fad5c32a576336e1a430b4ea7405b4d7b0ae267f91efd09f27e61d9a59c21b72b1cd27d452edd8f85b3bc1b9209a6

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
163KB

MD5
105be363310c5e71b496a0af660d545a

SHA1
f69e4dbb209556fe77ce6ed660b1d25aaa97bbbb

SHA256
547f7a98cab4f77ed81230bea0557e84f66db8c76be5035e74f500c9cc759a84

SHA512
ca464c2f0c4f7fdbb2b44bfd4ad1263f2448e72c58351e4e153438d8a689b9bd182029e070af79b33cd2e7b77def48c414fea460bce0092bd12ba592a854b614

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
163KB

MD5
b77112c0b76295a5318be98a7cf8de0a

SHA1
128b2dc70e0b5e29c3c9d3371bbf497b6908711a

SHA256
319be828f249f0fac13fdf8a2e39b79b9e790a2bd31599a22c14251d357119df

SHA512
e87a106db6751718f4582b05ebfa05db4b5edb89367938a98527923b7e0f9535d92aef9f5fb6dd6336bcb8547db0fe64ef9ad1d76c1088f8705d3006e9a89ea8

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
163KB

MD5
751f026f30ffb0f64ad764b8e62c0064

SHA1
6cdaa23713c96c409111057e73f2a3fe1cade12a

SHA256
2b244949e30d30872f91808bee30c9c4abd65df0d4aa2277121b21bf05f00f04

SHA512
6436149934ffc9255ed781d6a2baefc902e9e5031927201ffc5f62919b0fb688f06754ea4be0d06963e045621e86cf1daaa53b0981d32d9a53760105a7397000

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
163KB

MD5
eac5c17d3488ba5e63261a693a9a8b90

SHA1
fa5d9d8e979bd22aada808d4e363e7ee6a024d33

SHA256
afaa9c1165f8595f1ce1cdab63e5031fcba8c271be58c8e89d1f93dde4e0ce48

SHA512
a98565b17db81c91c5155d42a4a9c6c7468925955f9de46bd70a6988277b24e46ae6f7c7cb05bf334e24e8ca7b718ad144eed16ee04c50a629d6d3074168a0c7

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
163KB

MD5
3cae9ef5e91846a317ddbd0f97d38a09

SHA1
add4a1618d0c4a030a9e6310370ee1c3ccfcae56

SHA256
97fcc599fa86c5338b0a53a3cc37535e6938dde2d9dbf6da8b36ac08ef25e886

SHA512
2b7f6f1328ab31c7e76c405b028dcd3241a23dc6e086835b5a1325f978fcb0027eb2d2022222fba792dc7dcb211ea2fad250c7a505844f72ea1f80f150ed3b7d

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
163KB

MD5
c932a6c20606e4254003b896cda1e8a4

SHA1
5bd2f6a661e9b23221efcf49361a0615632bba1f

SHA256
1cb4223873371a48bd66a541f8b2de8bebc1e0ebcd9a43bda6c36d4e8f5c7b54

SHA512
b7e5466ab355cd99182daf3b12da726c46022e90af33819d12a23c0603e3a38b97368df54d70bedc55be66585884ed9e27d5f58dac52e0a1e16a0ced28929954

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
163KB

MD5
03269cfb44a2e5a686cd85242ff4074f

SHA1
b2ae60ba049cf78ff6736751f16e809bdd4b0048

SHA256
e27bed24eb1ab179bf0a5abd067c48189cdfdfd9eeed8e24e7cae543549de633

SHA512
25e97cb187546e38ad43b3fe6359b2b93a899227c17cafe77578862b41c4167189e97c3f603e453738597133e751fcd1b271e9866b50b8c5b73137f13f93cd6e

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
163KB

MD5
a62750baa4d6680760a21cea45ded25e

SHA1
c19de44e7dee244661d13ac0734ef45e7a797ee8

SHA256
91adc2d68ab9a1e7601763669159e92008dbc3b7a70d0bedc9cd910c5a7bc1bf

SHA512
a70b98175fe76493ebdfce87e0f92dd0dc5d3a1a4ea7db2d803440ed43e22173bfb79b955206501c697af71b3e82f0d3f568d32a859a52ee44084039a07428c5

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
163KB

MD5
62cbeafab03de423889509b4d0546546

SHA1
1edbc74dc8db3b424caa14bf4637944ca36e1cec

SHA256
87a66d4fc9922e6f07be643db5417b5b37750659b8087ab1569859bab3908024

SHA512
2ee5c625018741a4e56a98b20e9054e5c2fff99cac5986c923a57896a7e4bb14d4c6cf8bdf16379c28a1f52b5ea4eeaef7aa98ac1ac0ffb76ca653122180fc79

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
163KB

MD5
f2c892d1fc7ebbe3b677bceda1f49747

SHA1
55f8369a3934a3a434bb8d471e4ec99aeaee8dd1

SHA256
09ac21de008f514eb2f06ae482f9e0e66605e12167f15ba6293542e7a354a523

SHA512
0d83f47ec32a2b19741c21e6e330444fe8798bda995de8cd3e1d396483a7e57cc8daad739bde55054a707d932cd30ba158ba5a0c638a51d1b9b8e60bb7305726

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
163KB

MD5
4db950df1ddaf373e582fc99e530460b

SHA1
f9897f02cb4a7765cb2c11b2b1b59b1914025a51

SHA256
fab89a4c4bda3ced3ecab34c93a42eab594eabefed4442d98cb4cb36ab2628d2

SHA512
57a99c37efe260347a14255e035c1b793a969f714e88cf8c7e488f50848f896d00afd5f220ad8fe1e011cf5e7fdf2e507998a90ef73380195df8afcd506adc2a

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
163KB

MD5
91e9598967c023630178f1f133372786

SHA1
d6ba0debf3b16d0a22bf4d01c3046d401326fbfc

SHA256
f71d027ea3b53fd107761e47d0349fd016bc04c8a90d01ee7d70fef8baf5c63f

SHA512
8cba29b1bb6592cd4f47fdaf8c1e341dfe2b5516a24aeed40597af8b9631c788dd9ec80bef04e048a8a26e142d03e7ef240ef6961f3bccf63aa8e0b3959b40db

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
163KB

MD5
cc005962593f0decb25916c7ffa21f90

SHA1
ad2b446755236a6fa47f34c37f3f870ee0d0099c

SHA256
fdc75a3ada2297ce2351aa58bcd29c4538821bdf1059dc74ab8d62d3f83ac87b

SHA512
756de4e61f2a08ed05734d852aef5b430c910ff22a3f5e22fbf08d8f58ea5734e57282c9b13b014cd2319620b803129be275d12555202c78df15cd7f8a5bc7a3

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
163KB

MD5
d71f5b635acced3453a8f47e01476d6e

SHA1
1cca9d310ff03f8ce13b2149c1e3d50cdb9a52a0

SHA256
7926d634f812b1ec5067b9876e2e50717cdaaeb6ab926dbd6b3d139464c652c9

SHA512
b834a61136ce068d7c53b5db653b6f17cad097a86ac0d11c7419380316efcdd7421118b2b1ef93501fa72dc251086116134b0a9961a35ff0aafdc92fc6935e78

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
163KB

MD5
5fc7753b9a71da11c0ce0abaa9708ed0

SHA1
f815cf40fb9f4e4f42e4721c66d58110b29e80d8

SHA256
99d8d9fd4f24ee434be1297da5bd2f871b6fab74712d0a7b7bdc795e7455a268

SHA512
00c91b2ef10f762f77ca636af112f66d5c525e1b0537b943f7721d6acc7345af7bbdefb161c54269bedfd9ba46b2f73f5a5ac14e215824ab1b5996014a8c6638

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
163KB

MD5
e28e1e1ec459c5b4f4d153f9eb39c29c

SHA1
cce2e3a9ce9b0783e3ad572f13c9b3358cc1b5ad

SHA256
da4f5887d0d28fd33594a621cc79fa8174f3df4036f0c4ff13982fe8c7162f81

SHA512
733241a372669a93ee0146e5efc88b154efd36ae1adb74f8969bc3ff3d366762f608b2b6a7f37d5094cc0c9554d49891ba695cc4a874e2527c4c71077f8e4abd

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
163KB

MD5
77e0a11e0791ab8f8c4d9dc23feaa753

SHA1
2c97687ffe471af55d14377bdbbab6ff2b131ea4

SHA256
2e388ba3af28a66e03eaa22849e6a514633636c8c4f9bd401d0988ae31099e05

SHA512
cca52ca1d0b426d412081984c97ef0fa14e109c5248eb59c620159cbc2fb2d8874f35c9143dd9708c4a51ffedf1e880e30c616d2a1215a4165cd2ccc8d2467f5

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
163KB

MD5
247f770217a502cf433ce58da43acf9d

SHA1
d439f161f5df232708408ccbfd19008a3ca270d5

SHA256
c43c0439f9301bc9a3a0ccb3e4d66160af0479ec52cfe0c60e5b9564d2b47cb6

SHA512
c685c24abc34dd951fbd261f9e739ad0c6ced2d246c03d560458f47ac2960be57052885927e2c21424be93be5e5d6b7c930694e4e4f6a09f046ece1773d13267

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
163KB

MD5
3d1865b25489bfc71ef751c3c0ce89b9

SHA1
9b5314f298179374c258025d02dcf9fecccaaf4d

SHA256
f000c640236ac0cc69b1ea6932d7788a7dc2b83738a6341daa0a39ed756845f4

SHA512
14b015924185e15cf60ba26e7ed9cb6bdd16f88ccde8c36aaa538c237147481d3427522c05b4ccf9acc5993015f64f4b349cfa6f5aee5c870939a28a07fce83e

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
163KB

MD5
536674d7f8bc5ff181e21eae6ad6d61e

SHA1
a8ef1266d92dc7c52e2ebfc95a79584afb68d092

SHA256
fa2991e0a98b60cc1b098e7d281b6a4efaad604591657d6ff9833eb5ccd389c1

SHA512
be5071653e35b530222ff729208c135146dc434865d1f9ad79afe8768ee160c74171a50b0914ed0e8fc0a9383f702819efbf03bd13755e2dcd8a086bd0387759

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
163KB

MD5
3dab2c4a01b84a44b68fd6c498eb3b81

SHA1
76400e586a4862f426db8f0734da48fe4ff8c912

SHA256
4ee22fa36aaff516d05d01e8aefb64aac3521e727603b174f1e450f1f40a3c11

SHA512
0f1513e1fdc31629d681908621b3b09cdcf2c59dc195f5073efb3e683fcc3af537d5ffaa9b7f67f65c817f7e9a0c4681dd2b67cadc30beb1210aaa468546643a

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
163KB

MD5
0d7b893776c8deee0c2b743a3b7d0542

SHA1
e5ce2d171fe16f9ae4f4b09701cbc4495b316993

SHA256
8fe4d417e82e756003ece70e815a5add8644a36fe98b18ea9cda0e4753c971ff

SHA512
850ebc2aaae91511df556c633e4268076f3a9148874824664944097c3505c2fd2f166ac3794162e10e189a1bf156aa8d1686148f5ef77bfb1566bd193229dfb9

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
163KB

MD5
5900d9091a0b5734aa9006d852b10bc1

SHA1
5411fd786537f111114948ac0e9f53d4c8b3115b

SHA256
b892235e814d20e91d441d27aff1376e72ed42dda36f2268227ceec05aa75a3a

SHA512
7e0d13d231da482c2274f1f873c446b3c14a1e2a523e23fb80d7da8c089850b8a0f24fe0e7bafc06b3b6e726703fd5f175e70f40003f83b04527641111c83695

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
163KB

MD5
afe1f6a9656262e276edbb10924e66fc

SHA1
ca869d0a04e52b40ff8625f0005f2640c0a6a1a1

SHA256
7f0873dca1adf4cb655b58156cfc32bfb6f49697f3d34307559d5780a808b69b

SHA512
a3b0aa1a2cdcd96ab840eeb23df45fff0e89cabfff4354a80e9ff2b38c8fbcac97f7edeb726e6163a0945cbbfe3f229cf4a0006bcf0e6e20cb5ea60636b16614

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
163KB

MD5
0a1a53d32243619b12218bf8d4d1eb62

SHA1
ddec0360e91717c0acea3f32cf80ed9091efec69

SHA256
597d7367da285c0a65af433f19df66863b4f351d8765971adc9fb21458ff68ea

SHA512
573fb1c0d8ed6690e7fe31abee3ede3c28062cc5b4cc875c1ee3908930eb9d3a4abebbc4ae25ed44ded3d43a41f956c35a29e95dbe28fb9d7ceecef7670a5261

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
163KB

MD5
6c3ef6dbe56c92506f3814ad83f59bf1

SHA1
cbf6daf3d62af70187f3958853243721d063490b

SHA256
76f285e1e548e43e6a87a85849c9770737b1b44488887e30e63a7cfcf25814b3

SHA512
ba759c50ce60b35cec72c173d6017d63ca7b2fb27344d164b0723f0163befb4e9ea03a47098ab28810af9a4d7546f98defccd6c734a68109b90f07e0a99f6f3d

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
163KB

MD5
f990f2048192f32425f0fa27ab2d87e6

SHA1
2a6e66f9078110fed0bd0d951c2088348446e84d

SHA256
9f5a91db506553c07860d722414092f7e48c0ddecdd699d0a6c411cf6f0e557f

SHA512
4244b5a5139cbaead3f89b7d3c5e9970dbe6c92e1b6dc878afc725c76033f54aa8b1447eecdd6b9b9c884a1ccb75f2dddd4ac648ebe716cee83bba287daeef93

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
163KB

MD5
70642112091025eab01e344635c69424

SHA1
4095bdc2cd5cdba402c84ab20e2ea468b9636ad9

SHA256
647d877a1779d480e6f113c71569af62880ce7d68fcf54426eef860dcf0d8fc2

SHA512
73d3f103e30b364b30734873a589a028ee28bad942a36069e145291903d9b2bead4e896fd0632681db34878819c43af5f064da61e70921a3dea445cf5a336b31

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
163KB

MD5
198e6c99f4fd582f40fd7d726685eb60

SHA1
3b46c8f4c81d05450cb565ec201f42c74617ca4f

SHA256
8f7943752b6b9863b8a79bb0e636ab3866b69b72e704e8bfac762e07fa8278c2

SHA512
579aa20cb41e465946d5af33faea1d9d44319ee60a1847e50080d40ea3553d9e66b0632ffb7fb57d6e3f219bc659d19fbcbd2c1ae70484c183959320d1f606da

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
163KB

MD5
14d8ec5fd622c89221f2e17338310539

SHA1
a574292451f0f0259d2fde626221fc4a1f3a2c75

SHA256
a0b8717fde9bee75a19fb937f4813dfa57572b0b9bf0a591b524e2bde10ab345

SHA512
6b780d03bf69419d592f5d9ebfbcf962f5c1b8dcb44d2c49875e8154ae991453e39e86ce47d2d44ee20659fea7b34227a1684c11c6861f70fdfc1284770202a6

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
163KB

MD5
cbb878feb95fc52f4a0d13b4f2a234a1

SHA1
b96750ee70601e583e83565452ad54cbf5f994a4

SHA256
68794863e85b5396524b11d84e10646a1c558374afa3d6b05a1199b8b75b25e4

SHA512
a9f48a778f4ccaf9cac57ad0e031108c20caa6e73a2fc47fe55c5958569d8a6c19ac5350e54bea708afeb616a4d87a49d44c403ba84a5042bdd2e73ef543db52

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
163KB

MD5
7b3b87b320c80df886abb8caea4f1fed

SHA1
b89e52cb68a5d2bd2297a1719b49be20de7d3909

SHA256
a51d7acc5d6cc1f60ee393a64011bf79104d413abfdff7e45b47045c534045fa

SHA512
4e161a747edf96c8ff05b1ec9a9e4f37bd41baaa5e9cf3c3bd0ec843f4c86d011c8ca4e17f2e80c49e521c5653c74f7dc9f71ccbd5b5c2174a4b413d8a806fbe

Download Submit
memory/436-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/436-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/956-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/956-29-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1248-236-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1248-321-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1500-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1500-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1748-237-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1748-319-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1800-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1800-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1852-301-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1852-292-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2120-22-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2120-373-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2264-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2264-363-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2400-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2400-309-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2476-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2476-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2648-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2648-355-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2672-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2672-306-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2724-375-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2724-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2852-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2852-351-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2872-310-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2872-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2880-331-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2880-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3080-378-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3080-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3276-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3276-333-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3444-327-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3444-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3456-325-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3456-213-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3500-304-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3652-349-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3652-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3664-345-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3664-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3668-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3668-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3948-249-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3948-314-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3976-222-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3976-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4072-357-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4072-86-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4268-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4268-339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4420-257-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4420-312-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4428-361-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4428-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4436-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4436-369-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4472-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4472-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4472-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4612-367-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4612-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4620-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4620-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4716-343-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4716-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4772-337-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4772-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5012-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5012-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-302-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-298-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5036-316-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5036-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download