gozi | 20444cfc1039b896e062e9b1397a882f4acd9e9d8c0887f335a5c4c4862ec595

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e0e88d608cf4603349500ecdd59420_NeikiAnalytics.exe
Size

163KB
MD5

18e0e88d608cf4603349500ecdd59420
SHA1

fe775897b7f136a8d48309b1b55b3e6dc19adfc5
SHA256

20444cfc1039b896e062e9b1397a882f4acd9e9d8c0887f335a5c4c4862ec595
SHA512

3a645cefb778bb9c4d95f39d2bba34337f94621f7fdd405f24a3bccdc7418e32f820110789f565d8e198c31f9b45118feed4dda7a787f046f1d02b03d1b740bd
SSDEEP

1536:PTnPVh24RSdMIMtlv1IhmkuYuviv3KSzVx5YBPnQwvYrclProNVU4qNVUrk/9QbH:bn8dkV+Fpv3hofQeYQltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Mahbje32.exeMdfofakp.exeMkpgck32.exeNjljefql.exe18e0e88d608cf4603349500ecdd59420_NeikiAnalytics.exeMnapdf32.exeNcihikcg.exeMjhqjg32.exeNceonl32.exeLphfpbdi.exeMdiklqhm.exeNklfoi32.exeLknjmkdo.exeMpolqa32.exeNqmhbpba.exeLnhmng32.exeLjnnch32.exeMjjmog32.exeNgcgcjnc.exeNnmopdep.exeMnocof32.exeMgghhlhq.exeMgidml32.exeMglack32.exeLaciofpa.exeNqfbaq32.exeLilanioo.exeMdmegp32.exeNqiogp32.exeLcbiao32.exeLddbqa32.exeMcbahlip.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	18e0e88d608cf4603349500ecdd59420_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	18e0e88d608cf4603349500ecdd59420_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 32 IoCs

Processes:

Lcbiao32.exeLilanioo.exeLnhmng32.exeLaciofpa.exeLjnnch32.exeLphfpbdi.exeLddbqa32.exeLknjmkdo.exeMahbje32.exeMdfofakp.exeMkpgck32.exeMnocof32.exeMdiklqhm.exeMgghhlhq.exeMnapdf32.exeMpolqa32.exeMgidml32.exeMjhqjg32.exeMdmegp32.exeMglack32.exeMjjmog32.exeMcbahlip.exeNjljefql.exeNqfbaq32.exeNceonl32.exeNklfoi32.exeNqiogp32.exeNgcgcjnc.exeNnmopdep.exeNcihikcg.exeNqmhbpba.exeNkcmohbg.exe

pid	process
1192	Lcbiao32.exe
4528	Lilanioo.exe
4036	Lnhmng32.exe
4216	Laciofpa.exe
4472	Ljnnch32.exe
2980	Lphfpbdi.exe
5060	Lddbqa32.exe
2868	Lknjmkdo.exe
2716	Mahbje32.exe
3772	Mdfofakp.exe
4000	Mkpgck32.exe
3232	Mnocof32.exe
3844	Mdiklqhm.exe
1672	Mgghhlhq.exe
1184	Mnapdf32.exe
4428	Mpolqa32.exe
1976	Mgidml32.exe
3008	Mjhqjg32.exe
3244	Mdmegp32.exe
4292	Mglack32.exe
756	Mjjmog32.exe
2652	Mcbahlip.exe
912	Njljefql.exe
2936	Nqfbaq32.exe
3536	Nceonl32.exe
1436	Nklfoi32.exe
2500	Nqiogp32.exe
4540	Ngcgcjnc.exe
4984	Nnmopdep.exe
4368	Ncihikcg.exe
4552	Nqmhbpba.exe
1428	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Mkpgck32.exeMjhqjg32.exeMdmegp32.exeLcbiao32.exeLddbqa32.exeMdfofakp.exeMcbahlip.exeNqiogp32.exeNgcgcjnc.exeLilanioo.exeMnapdf32.exeMgidml32.exeNqfbaq32.exeMdiklqhm.exeLknjmkdo.exeMgghhlhq.exeNqmhbpba.exeLnhmng32.exeLphfpbdi.exeNnmopdep.exeMpolqa32.exeNjljefql.exeNceonl32.exeMahbje32.exeMnocof32.exeLjnnch32.exeNcihikcg.exeNklfoi32.exeLaciofpa.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1180 1428 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
1180	1428	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Lilanioo.exeMgidml32.exeMglack32.exe18e0e88d608cf4603349500ecdd59420_NeikiAnalytics.exeMcbahlip.exeLknjmkdo.exeMgghhlhq.exeMjjmog32.exeNklfoi32.exeMjhqjg32.exeNqiogp32.exeLddbqa32.exeNqfbaq32.exeNcihikcg.exeMahbje32.exeLphfpbdi.exeMnocof32.exeMnapdf32.exeLjnnch32.exeMkpgck32.exeNjljefql.exeNqmhbpba.exeLnhmng32.exeMdmegp32.exeNceonl32.exeNgcgcjnc.exeLaciofpa.exeNnmopdep.exeMpolqa32.exeLcbiao32.exeMdiklqhm.exeMdfofakp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	18e0e88d608cf4603349500ecdd59420_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	18e0e88d608cf4603349500ecdd59420_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	18e0e88d608cf4603349500ecdd59420_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	18e0e88d608cf4603349500ecdd59420_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

18e0e88d608cf4603349500ecdd59420_NeikiAnalytics.exeLcbiao32.exeLilanioo.exeLnhmng32.exeLaciofpa.exeLjnnch32.exeLphfpbdi.exeLddbqa32.exeLknjmkdo.exeMahbje32.exeMdfofakp.exeMkpgck32.exeMnocof32.exeMdiklqhm.exeMgghhlhq.exeMnapdf32.exeMpolqa32.exeMgidml32.exeMjhqjg32.exeMdmegp32.exeMglack32.exeMjjmog32.exe

description	pid	process	target process
PID 4372 wrote to memory of 1192	4372	18e0e88d608cf4603349500ecdd59420_NeikiAnalytics.exe	Lcbiao32.exe
PID 4372 wrote to memory of 1192	4372	18e0e88d608cf4603349500ecdd59420_NeikiAnalytics.exe	Lcbiao32.exe
PID 4372 wrote to memory of 1192	4372	18e0e88d608cf4603349500ecdd59420_NeikiAnalytics.exe	Lcbiao32.exe
PID 1192 wrote to memory of 4528	1192	Lcbiao32.exe	Lilanioo.exe
PID 1192 wrote to memory of 4528	1192	Lcbiao32.exe	Lilanioo.exe
PID 1192 wrote to memory of 4528	1192	Lcbiao32.exe	Lilanioo.exe
PID 4528 wrote to memory of 4036	4528	Lilanioo.exe	Lnhmng32.exe
PID 4528 wrote to memory of 4036	4528	Lilanioo.exe	Lnhmng32.exe
PID 4528 wrote to memory of 4036	4528	Lilanioo.exe	Lnhmng32.exe
PID 4036 wrote to memory of 4216	4036	Lnhmng32.exe	Laciofpa.exe
PID 4036 wrote to memory of 4216	4036	Lnhmng32.exe	Laciofpa.exe
PID 4036 wrote to memory of 4216	4036	Lnhmng32.exe	Laciofpa.exe
PID 4216 wrote to memory of 4472	4216	Laciofpa.exe	Ljnnch32.exe
PID 4216 wrote to memory of 4472	4216	Laciofpa.exe	Ljnnch32.exe
PID 4216 wrote to memory of 4472	4216	Laciofpa.exe	Ljnnch32.exe
PID 4472 wrote to memory of 2980	4472	Ljnnch32.exe	Lphfpbdi.exe
PID 4472 wrote to memory of 2980	4472	Ljnnch32.exe	Lphfpbdi.exe
PID 4472 wrote to memory of 2980	4472	Ljnnch32.exe	Lphfpbdi.exe
PID 2980 wrote to memory of 5060	2980	Lphfpbdi.exe	Lddbqa32.exe
PID 2980 wrote to memory of 5060	2980	Lphfpbdi.exe	Lddbqa32.exe
PID 2980 wrote to memory of 5060	2980	Lphfpbdi.exe	Lddbqa32.exe
PID 5060 wrote to memory of 2868	5060	Lddbqa32.exe	Lknjmkdo.exe
PID 5060 wrote to memory of 2868	5060	Lddbqa32.exe	Lknjmkdo.exe
PID 5060 wrote to memory of 2868	5060	Lddbqa32.exe	Lknjmkdo.exe
PID 2868 wrote to memory of 2716	2868	Lknjmkdo.exe	Mahbje32.exe
PID 2868 wrote to memory of 2716	2868	Lknjmkdo.exe	Mahbje32.exe
PID 2868 wrote to memory of 2716	2868	Lknjmkdo.exe	Mahbje32.exe
PID 2716 wrote to memory of 3772	2716	Mahbje32.exe	Mdfofakp.exe
PID 2716 wrote to memory of 3772	2716	Mahbje32.exe	Mdfofakp.exe
PID 2716 wrote to memory of 3772	2716	Mahbje32.exe	Mdfofakp.exe
PID 3772 wrote to memory of 4000	3772	Mdfofakp.exe	Mkpgck32.exe
PID 3772 wrote to memory of 4000	3772	Mdfofakp.exe	Mkpgck32.exe
PID 3772 wrote to memory of 4000	3772	Mdfofakp.exe	Mkpgck32.exe
PID 4000 wrote to memory of 3232	4000	Mkpgck32.exe	Mnocof32.exe
PID 4000 wrote to memory of 3232	4000	Mkpgck32.exe	Mnocof32.exe
PID 4000 wrote to memory of 3232	4000	Mkpgck32.exe	Mnocof32.exe
PID 3232 wrote to memory of 3844	3232	Mnocof32.exe	Mdiklqhm.exe
PID 3232 wrote to memory of 3844	3232	Mnocof32.exe	Mdiklqhm.exe
PID 3232 wrote to memory of 3844	3232	Mnocof32.exe	Mdiklqhm.exe
PID 3844 wrote to memory of 1672	3844	Mdiklqhm.exe	Mgghhlhq.exe
PID 3844 wrote to memory of 1672	3844	Mdiklqhm.exe	Mgghhlhq.exe
PID 3844 wrote to memory of 1672	3844	Mdiklqhm.exe	Mgghhlhq.exe
PID 1672 wrote to memory of 1184	1672	Mgghhlhq.exe	Mnapdf32.exe
PID 1672 wrote to memory of 1184	1672	Mgghhlhq.exe	Mnapdf32.exe
PID 1672 wrote to memory of 1184	1672	Mgghhlhq.exe	Mnapdf32.exe
PID 1184 wrote to memory of 4428	1184	Mnapdf32.exe	Mpolqa32.exe
PID 1184 wrote to memory of 4428	1184	Mnapdf32.exe	Mpolqa32.exe
PID 1184 wrote to memory of 4428	1184	Mnapdf32.exe	Mpolqa32.exe
PID 4428 wrote to memory of 1976	4428	Mpolqa32.exe	Mgidml32.exe
PID 4428 wrote to memory of 1976	4428	Mpolqa32.exe	Mgidml32.exe
PID 4428 wrote to memory of 1976	4428	Mpolqa32.exe	Mgidml32.exe
PID 1976 wrote to memory of 3008	1976	Mgidml32.exe	Mjhqjg32.exe
PID 1976 wrote to memory of 3008	1976	Mgidml32.exe	Mjhqjg32.exe
PID 1976 wrote to memory of 3008	1976	Mgidml32.exe	Mjhqjg32.exe
PID 3008 wrote to memory of 3244	3008	Mjhqjg32.exe	Mdmegp32.exe
PID 3008 wrote to memory of 3244	3008	Mjhqjg32.exe	Mdmegp32.exe
PID 3008 wrote to memory of 3244	3008	Mjhqjg32.exe	Mdmegp32.exe
PID 3244 wrote to memory of 4292	3244	Mdmegp32.exe	Mglack32.exe
PID 3244 wrote to memory of 4292	3244	Mdmegp32.exe	Mglack32.exe
PID 3244 wrote to memory of 4292	3244	Mdmegp32.exe	Mglack32.exe
PID 4292 wrote to memory of 756	4292	Mglack32.exe	Mjjmog32.exe
PID 4292 wrote to memory of 756	4292	Mglack32.exe	Mjjmog32.exe
PID 4292 wrote to memory of 756	4292	Mglack32.exe	Mjjmog32.exe
PID 756 wrote to memory of 2652	756	Mjjmog32.exe	Mcbahlip.exe

C:\Users\Admin\AppData\Local\Temp\18e0e88d608cf4603349500ecdd59420_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\18e0e88d608cf4603349500ecdd59420_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2652

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:912

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2936

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3536

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1436

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2500

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4540

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4984

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4368

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4552

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
33⤵
- Executes dropped EXE
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 400
34⤵
- Program crash
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1428 -ip 1428
1⤵
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laciofpa.exe

Filesize
163KB

MD5
715aca30928b566b2fb8deb1ebb9b6dd

SHA1
6090c2f7f1f5a598dc173dcb74e1ae30bd964baf

SHA256
dc43738357c942fb57ddf185a696f3070f8baf06a65a71085e8300e969073a36

SHA512
51c597867c4862a0900dfbbde03acc54686ae0f20dcc2f8fdc2bb689ee9548b88430a4d76d63d4ffa0c37b930e6721fb1c721854ed5f5c07f37f198c350aad92

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
163KB

MD5
ea0312f23f8d5d93d2e80aecaae86fd0

SHA1
d5cf16abc451d2cb792c2dccd637dc7a3834a58a

SHA256
15a015555a954c310b803bf7f8bb66d076440eeb9f56c58eedef3ff42038168a

SHA512
55f5ddce8af10f39ce685149623a85bb4073e2197fb1e9178e7c2aabf94342dee2b75ac38bd2622a904d5ea8a649fc1b2c67942d81f42e88a040bf1a4533942b

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
163KB

MD5
9b3f13185d7baa21c27e6f74484019e1

SHA1
6742fb90abacd356559d94e69cc7ebe6d3bbf594

SHA256
f9e7b5d07ca1396cb2bb64e09c4b68c482d7dbf2d34e3913c1646ec0c27e9357

SHA512
c937a6168dcb160b0b0f4755668817d9b9b3256a56fcc9dc71e890b74365b7f3c42e847ca70b5ced680f9d40a388cd764ac491a5a99aaacc255dedaaa5666586

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
163KB

MD5
143ba85beb4692911eaeefd53bb41137

SHA1
fb674a0cdcac59f61d2ae5ae74d2d5259ec7b442

SHA256
e8ee5a0873fcee26c992830d6839630e779f4f13537587c671939d8d381c76b5

SHA512
6db5052756f549e6778aa651afd00e76da1f9ee8eff2f2484db1734ee9aef1ae4668cdd3da0df342de1fe3434c55c2fe313b5b63f658fb3cd17290b43f495b14

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
163KB

MD5
18b8ffc04e6c2036c60b5dd66d781de2

SHA1
47f12efd26872325bb7a1951e1a2bb756e951e95

SHA256
16367ee5a81829dd76ba1a71b95657c4472ef5c992f5ae35c3fd7e6ce427445b

SHA512
bb3be53148ce9bbbe93914f49feab8ebef62601cb807a443d5679b44166ffd27e50f01b100213e83a8f035b4cc469a327d5024d0cf5e097fbed8ecb237aeddc8

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
163KB

MD5
38d46d34ffd52a2b76531485352db380

SHA1
8cec8debce8702f977880efe42bce4c4a5b1de2f

SHA256
f355e9a0ca67316a02556b68db9d7d5400f1b99e15b3f7a198547260ff75a314

SHA512
eaf323990b060168c6b3c568a17dd42c6a8370266876e5d70a948139492ef72f354945c954a856440b7a97e2e2141e7dc1d5857431b50a27cd05773220ff858b

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
163KB

MD5
2642fa350fc05dbdebc5f79d16c564e4

SHA1
fd41927768ba606f59e2b5be78b5eb404f55958b

SHA256
397a0fe70777e909318a9da0673550564ac09803ead43436f7931b88b74ef0e7

SHA512
2cea6c3a942c5a744982e1c36cb2dbac1508dd3d529e8df60cc10e2c34f6b5cccb10061e60ece26449c4d00aca8e430ebe01f97c52f3d50d5c32387be5ceb92d

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
163KB

MD5
730c97f1578c0c5def8a928c50132ae6

SHA1
c34e459ff1c586e742d109a2dd9ffc4184411836

SHA256
985d1fb353684c6c0d70504fcbe7e9219d288a3f48f507ab25f81a9e33e9b17a

SHA512
9e3f8f54bc760225c7839786d0066fa1bd9e18e433dae9c4d6ca50c5725a0b137fdae70fd4432fb5d6c2b89ad2fabeb6102f877de71af2060a996a9c74892ffa

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
163KB

MD5
48749013b7dc2fca5a5dc58d03113c1d

SHA1
08fb923131393058dc9619d761cba2249b45632d

SHA256
ba59eeeaaefcef10d77b8b26653255954471219ba5c4b3381343986cf8291592

SHA512
33d876bd8e83d4f10c8e27233b6bde614a6bb5c0a1a5a4a6a7a7f61cf36cfb91e4ac4d3bb1d9df73b555281bee4649780e04a0623853b769067c6d5cd4708e34

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
163KB

MD5
bb23e2466aba0616da50abd835bb95c3

SHA1
903f776db0e30893f2970a23e3371a5aff1fa161

SHA256
8351241e1a382830a9233f1db474e6ed48239adb0df2e7dbb6fd950354717ec2

SHA512
a2851cfe08eead5f3e9ed41b4c743715250abd9c705dcc341857287a40107e466d67faf528ad8a7d401b24f6d7a4560284415e1695e8b1982da91da8bcf846bb

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
163KB

MD5
19e607f1c88b6154eeebb34e23e58faa

SHA1
8eb596ed651934553a5ea90935fa02aa91e70a58

SHA256
24b2d739983ddd384ab696e56ec6a34b000d53fce77df5fcf63c58b559472c07

SHA512
c3904819b228a2fb3aec8acdec92f733dc39ae0031af93eb9bf0dfac75af5b55494c59e0263f9aac4109b0ea5a4e4997f33d34395a4deb946db6aabe387e0099

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
163KB

MD5
ca6bb53bca96d2221f952f48196fa4f3

SHA1
746739efdd13f0854f03bbdea6973ce1bcdeb129

SHA256
012451529901ada487afee7acb9f51ea015b2df51452440a0c14acccd0be837b

SHA512
0e90cd371beeb6122188e0b103e48ade5c7189ffad29eb2a1ad7e9e80c4a7630ab097d72ac35eb20d225290b5fb1df48cd6b99ce09fba52706eaa9c96202da96

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
163KB

MD5
6f187b83a70a45acff8061315d7a88a2

SHA1
0a5458c790a8c629ffaf48c70173b95206ce78e2

SHA256
1ed0a591f9214b52c8a827e498449976f0cde3e8ca2d084e713e5e91e561f518

SHA512
ba8c9ad9ee9fd28c88da80e213caa7b669d896eec635790bc18ac177265d31c981933398d438815c6c261f21ad98aca2b54d2dc7989b32113bf3c724c25a4ee0

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
163KB

MD5
5a32a9b58b293855cf0767faf94ff24f

SHA1
2f5d0517bdadb564ba82e2a9e4953153a65432b4

SHA256
186fad2a20395db4858ffb112410511f25afd9113290e623184e74adc1cf73f9

SHA512
1f4554cb4983731443f9c345c6299f0f37bf5434c4b5e4cea16830c8cc10d3381d3f4d2dadd704a61ddf5f504d9a46dd158a035c18dcab6c84be6cce4f656259

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
163KB

MD5
9eb4efd95cd504ea57be59d129faca3d

SHA1
f1061bc4a513076ccfc5e2115e4602b763219b27

SHA256
355ad3faa9b9bc15907d05794ad4a8ec9e7a495e7158b5c05065b3ecdde6bb87

SHA512
81a3e7dc15bcb08d9b0c86a4883e08e694871de67483223d7fcc87b2eaa991a19f7548836e99153c34fdf3e799e78a39492efe93ddfd75e48662367446a4483e

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
163KB

MD5
506af4cddbe618a589061769dadaecc1

SHA1
e78ea18a0a324dfc8b23cbb33ce5743c8cb339d1

SHA256
c4c0c766da7ddab0c8a2a05a6ef603b677801dd80482beb1ffdd49f5514a112c

SHA512
3f25072fafc239e5ef732456cc0a789b6f34cf20035dafb9e02dd72d89907da020a7d60f33f4321d4bfc9b5171e6b50dd11bf42fc11f69c6056fa81a4702387c

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
163KB

MD5
7d0d9a4349fe779b361e45b513378819

SHA1
cc6dab3c198a912677b0f98fbe7d773f1b674fe3

SHA256
3a41900f0570c85aabfcbbc0b7361b3b04231469e828526279b66046091f3dff

SHA512
767978fff071d3cac48f19d8fe259727c4d0709a7d6b0f3a0db3f26b6ebe8b2d121aa0489674540521c31585f94ac4db9d1fb7d4a87fba292715a5062882aaa4

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
163KB

MD5
b4d9c6608f77320c00991decceec9511

SHA1
666e32b7b8b158b9bf45a93f99ef73bc2d5b2d75

SHA256
79806456cfe4f73ff24b5c0a5491a5e69375ec10f34018e71f91fdc555b7f7dd

SHA512
8f34b84ff2e95e7eca4e902dce3bd4813995a20cb75b5a97bab6a658e0e6925262906a0534ee8f477246d1fcce4943d2dcab4286d5776b745bab9427e5ae624d

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
163KB

MD5
ddd23e4812e69097441979cd9f5ab3af

SHA1
2053e6c88aeab6c7dd600af848094f37b15e9f62

SHA256
f50d2c7514321c64c4d4ea209fdcc2bf9c40822996ce33ceee93ba697a245d1a

SHA512
217886c103ceee6cafdd7c4f2e86f19ae757beb2f16ef59c6242865054963ba84e8a7423c49912f7b5807725013d6d41ace01db1269324ee3e1f09500fa8841f

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
163KB

MD5
5a965da5528e25b78a1a94ff453473a6

SHA1
d1d70194011f31aefca37427badd74aa814e11df

SHA256
810a94990a66c32f866045fef13141b83b35a815aa9ddcd7a4a6838c11e05ec7

SHA512
792760845b9f63dc5dd72eb709cac50fc40d00330ac8484e28fdc4d428ea51377ecd9ec8356b928a7358317b2e20b8b21a5b248dca83ac6686020a3bf207db3c

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
163KB

MD5
1b87ccfae719af8a8acbc5d0054265cc

SHA1
2896bf0fe56b6bb72bbb27e170bce5ce846586ab

SHA256
aefdacc8b3f2b0b61a6ee3a9bdd1b3b8a583c19df869d52c3b4badbd5d09e2f2

SHA512
5b4abde89c800ea93d720dfeb3be2619c7b0af3f90e5d4b783fbd54067e674dff3c89a8221897be9cae2783598c2788c8c3d47de7cbe758ca3337dd37534db9e

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
163KB

MD5
0f4691eb0414d714cafb19d78837d793

SHA1
9ca6054d1d105c5c0647dbf1c2284401d5bff1d0

SHA256
118e2c0aba02b0d75a9bdeb6a98bca5c5d741b5188d70f91a85024dfd0ae440f

SHA512
2536796115c5d09bcb97260dc4b493ee920334eeaf441f5116101404eacb62f316867aa74554f0860bc5b3176c05829e2aa398add28574079187b633d8628709

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
163KB

MD5
85e3fd6f3812748ad5a6f482f96b1bc5

SHA1
620552d304c277666a13d44b4e9504c0bcc8b3bc

SHA256
6b0d643c5435c4dd58e4e177a5826c91b99f9524b7fac147ea540a2316a36ba2

SHA512
a0a806255f35129eb7c95209d3546c9fcb26f2aa0c1d052a6fa6105712cf2d1a80b56bd4c837f37f822f57bb77a4cbe05cfea54ea6d5baaac314b3e76eeef731

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
163KB

MD5
c5c02cf79fc1b04a5b709aaa112eb797

SHA1
f51930d4a9e7e0c84165c1b474f44c109050c1aa

SHA256
daf12baceb4cb47a95e8ee6f92a4355d0369210b8350f8bf145c05debbe43784

SHA512
3d53e859db207dce1dd862902abef8c9b1b14306caeb04d9aa2263faf259e9f7935c06c71ca0e7e09a119a61ddf7e85928aab4a505e2b94e9128fe0d85bb26b9

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
163KB

MD5
0634a4521743cba8b1f66d890d992d14

SHA1
62eaa506eee6f70ddb59051a5710755ec4b60629

SHA256
3a398881880ed5be7b640d5fbc9d5acef26a3ef08d33b047a8a7d4bf5c42b09b

SHA512
92bf9bafb7e8e130b82aaeef9e4e4c9e191f34be3be030c8731f3d5d42f573b11f02ae0b65bbc54ed2d419417521803e1f65981bab6e0bf3950133cbea72add3

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
163KB

MD5
db94d9cc3a357494392a957cf13f4aaf

SHA1
59dab10f33616ef37f87446191eacf43ee73d115

SHA256
97dc40c91bd290256c62078bba1080173e469ddf9e9df3328a20c2a265977f27

SHA512
531e9d061e368cb466e2bb4fc5ca12546290936297113cfc24a3c05248dba18b707218bd974f5a4e642302597a5c47d982ee6ef0f7b333f3bfa620ce11fee7c1

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
163KB

MD5
ca997a3cdb5cf3975eb0afb6c2bab3d4

SHA1
04b02bf6e34cc20fbf9041b51d9567ab19fd65b2

SHA256
9a1f592694e20450f7be250207148d2f72751ead0350662c5d7dd7cef0b329cf

SHA512
2ba0d93854c7abccdc8e074d5c5fb9820646536b2ba2fa1dc821d4be906255349ff173f2f9bb1d0426ce5e8dbf4e20108177ddc6ab14a09ada05956f8e536319

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
163KB

MD5
f050e0504ef8fbee240bbccb9d6bfce9

SHA1
e43f24fecd506a0e48778e42ebc75ad77fbd91c1

SHA256
aa9a039e0d2aec7c89cd2f705d00db93aa169c86f5e56fe0f75403c3d08ef140

SHA512
b2461bb0fb9bff67de479abb91901288ec9adde6bc59260a9da7928492dfcf7eb5cc43fe5e4e31f8f0d3ad86305399a00d2bba968040df45c305970704ce6793

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
163KB

MD5
e5d0405a6029e26f647371803b0c01ea

SHA1
f45b7568e03040edd449fd045eb5f3ce55921a37

SHA256
19151a8056cad46d6be7614151903f7e6ac35490d69d14ed8c77c6405661d70b

SHA512
ba1d0b996e27c1862d067645b1a0cf961918c0fec4cf3395192d15364af91fb449a935178914ff72100c4f93e78177673ca6dafa3ceb1fb7f3c4f65634972b4b

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
163KB

MD5
ac02d12113b2079e80dfdc0da511a708

SHA1
5b5867279a040477b8afdd4f3c791e6f50e9c81e

SHA256
4c43c326a27e39ea13cf9036b5c134db0bbdb99f5fcff6fe065efad7cdf1fc65

SHA512
33774fe075e745412a0b581ad1eb4344077f3021ca24e8b26ee590a4365236694aae61765ea818dbb02f8dc7639056f5da23f202a5be30718040b6cf4bce700c

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
163KB

MD5
9c3b22a84ba684cb8f6cdfb193da0f3d

SHA1
be8ad3d7ccdfc2659a84bd4468b32394a7d4c630

SHA256
4e8173619cab022f808874880a2b741348699eb3a06b4d7a437b642001acdbd5

SHA512
a142c764203c51203a1196be43c56c7bff80c652363fb9438edecac192759aef7b6f9f449dabd039fd2accd35facc94acf5c1cb5bebb811c6b5aef6b2b990d7d

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
163KB

MD5
1238947e884b85a185080e6ad71cbe71

SHA1
12a848b15b6cae846650107f5f1f37dffa660a53

SHA256
a6253e33765e2d82add4c548f0b5afca282eedd88d7bbd5c879eb48d99898ab0

SHA512
a7da4e18b8c60518bd38eaeb72c3a84d83d678095253b686249ab4044e158a651940c180e4dc1e4b822a84200b86c44e0e2c05fe620cb22a050e2f7280e44683

Download Submit
memory/756-279-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/756-167-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/912-183-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/912-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1184-291-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1184-119-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1192-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1192-319-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1428-255-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1428-258-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1436-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1436-207-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1672-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1976-135-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1976-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2500-267-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2500-215-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-175-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-277-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2716-303-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2716-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2868-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2868-69-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2936-273-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2936-191-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2980-309-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2980-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3008-285-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3008-143-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3232-100-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3232-297-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3244-283-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3244-151-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3536-199-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3536-271-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3772-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3772-301-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3844-295-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4000-93-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4000-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4036-315-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4036-29-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4216-313-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4216-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4292-159-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4292-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4368-261-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4368-239-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4372-321-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4372-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4372-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4428-127-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4428-289-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4472-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4472-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4528-28-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4528-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4540-223-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4540-265-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4552-259-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4552-247-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4984-231-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4984-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4984-262-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5060-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5060-307-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download