gozi | a5a99920ec4f446e758b8304497290cb0ce666b9464fad9d622584f0d7553e8e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe
Size

163KB
MD5

a6fa34d71988888b39e756da1d04c2d0
SHA1

36e6b84300d04f9d81fc384a719122feb5fc7130
SHA256

a5a99920ec4f446e758b8304497290cb0ce666b9464fad9d622584f0d7553e8e
SHA512

d7543b6b71af704a8c06e8de6360bac5436effa15b3261443419f94087aef593cfa14be29169f0ce33021e44431f399f0c81202721ecccf18b2f9a9bd160b2d3
SSDEEP

1536:PVeMQtzqWT3xghkmipcbyKe0dQlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:QXzqWTyhkRwQltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Kmegbjgn.exeLnepih32.exeNjogjfoj.exeNggqoj32.exeMcnhmm32.exeNnhfee32.exeNgpjnkpf.exeNqiogp32.exeNjacpf32.exeLiekmj32.exeLilanioo.exeMgekbljc.exeMcpebmkb.exeKcifkp32.exeNacbfdao.exeNgcgcjnc.exeKbapjafe.exeLcpllo32.exeLdaeka32.exeMgnnhk32.exeNbhkac32.exeKpccnefa.exeKgfoan32.exeMamleegg.exeMjjmog32.exeKgmlkp32.exeLnhmng32.exeLgbnmm32.exeLpappc32.exeMnfipekh.exeNqklmpdd.exeKilhgk32.exeMnapdf32.exeNnolfdcn.exea6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exeKacphh32.exeKibnhjgj.exeMglack32.exeNafokcol.exeMpdelajl.exeLddbqa32.exeLpcmec32.exeMnocof32.exeMkepnjng.exeKdcijcke.exeLmccchkn.exeMpkbebbf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 60 IoCs

Processes:

Kmegbjgn.exeKpccnefa.exeKbapjafe.exeKgmlkp32.exeKilhgk32.exeKacphh32.exeKdcijcke.exeKknafn32.exeKmlnbi32.exeKcifkp32.exeKibnhjgj.exeKpmfddnf.exeKgfoan32.exeLiekmj32.exeLalcng32.exeLgikfn32.exeLmccchkn.exeLpappc32.exeLcpllo32.exeLnepih32.exeLpcmec32.exeLilanioo.exeLnhmng32.exeLdaeka32.exeLklnhlfb.exeLddbqa32.exeLgbnmm32.exeMjqjih32.exeMpkbebbf.exeMgekbljc.exeMnocof32.exeMdiklqhm.exeMkbchk32.exeMnapdf32.exeMamleegg.exeMcnhmm32.exeMkepnjng.exeMcpebmkb.exeMglack32.exeMjjmog32.exeMnfipekh.exeMpdelajl.exeMgnnhk32.exeNkjjij32.exeNnhfee32.exeNacbfdao.exeNgpjnkpf.exeNjogjfoj.exeNafokcol.exeNqiogp32.exeNgcgcjnc.exeNjacpf32.exeNbhkac32.exeNqklmpdd.exeNcihikcg.exeNkqpjidj.exeNnolfdcn.exeNqmhbpba.exeNggqoj32.exeNkcmohbg.exe

pid	process
2072	Kmegbjgn.exe
1064	Kpccnefa.exe
1576	Kbapjafe.exe
3312	Kgmlkp32.exe
5044	Kilhgk32.exe
1368	Kacphh32.exe
1556	Kdcijcke.exe
736	Kknafn32.exe
2008	Kmlnbi32.exe
1664	Kcifkp32.exe
900	Kibnhjgj.exe
2620	Kpmfddnf.exe
628	Kgfoan32.exe
3928	Liekmj32.exe
4468	Lalcng32.exe
1216	Lgikfn32.exe
888	Lmccchkn.exe
1920	Lpappc32.exe
224	Lcpllo32.exe
1192	Lnepih32.exe
4664	Lpcmec32.exe
3716	Lilanioo.exe
3708	Lnhmng32.exe
3632	Ldaeka32.exe
808	Lklnhlfb.exe
4008	Lddbqa32.exe
1420	Lgbnmm32.exe
1004	Mjqjih32.exe
4000	Mpkbebbf.exe
3496	Mgekbljc.exe
3140	Mnocof32.exe
4344	Mdiklqhm.exe
1540	Mkbchk32.exe
872	Mnapdf32.exe
2064	Mamleegg.exe
1212	Mcnhmm32.exe
4652	Mkepnjng.exe
1792	Mcpebmkb.exe
3036	Mglack32.exe
448	Mjjmog32.exe
4808	Mnfipekh.exe
1276	Mpdelajl.exe
1048	Mgnnhk32.exe
3268	Nkjjij32.exe
4156	Nnhfee32.exe
2436	Nacbfdao.exe
2464	Ngpjnkpf.exe
1112	Njogjfoj.exe
2416	Nafokcol.exe
4424	Nqiogp32.exe
4200	Ngcgcjnc.exe
4932	Njacpf32.exe
3492	Nbhkac32.exe
5072	Nqklmpdd.exe
2368	Ncihikcg.exe
3944	Nkqpjidj.exe
2356	Nnolfdcn.exe
1084	Nqmhbpba.exe
2476	Nggqoj32.exe
4728	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Kcifkp32.exeLiekmj32.exeLalcng32.exeLmccchkn.exeMglack32.exeMjjmog32.exeMnfipekh.exeNnhfee32.exeNbhkac32.exeKacphh32.exeMkbchk32.exeMgnnhk32.exeLdaeka32.exeNafokcol.exeLcpllo32.exeLilanioo.exeNqiogp32.exeNqklmpdd.exeKibnhjgj.exeMamleegg.exeMcnhmm32.exeNcihikcg.exeKbapjafe.exeKdcijcke.exeLgikfn32.exeMgekbljc.exeMkepnjng.exeNacbfdao.exeNnolfdcn.exeKknafn32.exeLddbqa32.exeMnapdf32.exea6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exeKpccnefa.exeLgbnmm32.exeMpkbebbf.exeKmegbjgn.exeKilhgk32.exeLnhmng32.exeMcpebmkb.exeNkjjij32.exeNjacpf32.exeNqmhbpba.exeKgmlkp32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4188 4728 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
4188	4728	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exeKbapjafe.exeKmlnbi32.exeLgbnmm32.exeMgekbljc.exeMjjmog32.exeMgnnhk32.exeNbhkac32.exeKilhgk32.exeLmccchkn.exeMdiklqhm.exeMnapdf32.exeMcnhmm32.exeLilanioo.exeMpkbebbf.exeMnocof32.exeNjogjfoj.exeNggqoj32.exeKpmfddnf.exeLiekmj32.exeMglack32.exeNnhfee32.exeNacbfdao.exeNgpjnkpf.exeNqmhbpba.exeKacphh32.exeKgfoan32.exeMjqjih32.exeNkqpjidj.exeKmegbjgn.exeKibnhjgj.exeLalcng32.exeLddbqa32.exeNqklmpdd.exeKpccnefa.exeLnepih32.exeMkbchk32.exeMcpebmkb.exeMpdelajl.exeNnolfdcn.exeLpappc32.exeMkepnjng.exeMnfipekh.exeKcifkp32.exeNkjjij32.exeNcihikcg.exeLcpllo32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exeKmegbjgn.exeKpccnefa.exeKbapjafe.exeKgmlkp32.exeKilhgk32.exeKacphh32.exeKdcijcke.exeKknafn32.exeKmlnbi32.exeKcifkp32.exeKibnhjgj.exeKpmfddnf.exeKgfoan32.exeLiekmj32.exeLalcng32.exeLgikfn32.exeLmccchkn.exeLpappc32.exeLcpllo32.exeLnepih32.exeLpcmec32.exe

description	pid	process	target process
PID 1984 wrote to memory of 2072	1984	a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe	Kmegbjgn.exe
PID 1984 wrote to memory of 2072	1984	a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe	Kmegbjgn.exe
PID 1984 wrote to memory of 2072	1984	a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe	Kmegbjgn.exe
PID 2072 wrote to memory of 1064	2072	Kmegbjgn.exe	Kpccnefa.exe
PID 2072 wrote to memory of 1064	2072	Kmegbjgn.exe	Kpccnefa.exe
PID 2072 wrote to memory of 1064	2072	Kmegbjgn.exe	Kpccnefa.exe
PID 1064 wrote to memory of 1576	1064	Kpccnefa.exe	Kbapjafe.exe
PID 1064 wrote to memory of 1576	1064	Kpccnefa.exe	Kbapjafe.exe
PID 1064 wrote to memory of 1576	1064	Kpccnefa.exe	Kbapjafe.exe
PID 1576 wrote to memory of 3312	1576	Kbapjafe.exe	Kgmlkp32.exe
PID 1576 wrote to memory of 3312	1576	Kbapjafe.exe	Kgmlkp32.exe
PID 1576 wrote to memory of 3312	1576	Kbapjafe.exe	Kgmlkp32.exe
PID 3312 wrote to memory of 5044	3312	Kgmlkp32.exe	Kilhgk32.exe
PID 3312 wrote to memory of 5044	3312	Kgmlkp32.exe	Kilhgk32.exe
PID 3312 wrote to memory of 5044	3312	Kgmlkp32.exe	Kilhgk32.exe
PID 5044 wrote to memory of 1368	5044	Kilhgk32.exe	Kacphh32.exe
PID 5044 wrote to memory of 1368	5044	Kilhgk32.exe	Kacphh32.exe
PID 5044 wrote to memory of 1368	5044	Kilhgk32.exe	Kacphh32.exe
PID 1368 wrote to memory of 1556	1368	Kacphh32.exe	Kdcijcke.exe
PID 1368 wrote to memory of 1556	1368	Kacphh32.exe	Kdcijcke.exe
PID 1368 wrote to memory of 1556	1368	Kacphh32.exe	Kdcijcke.exe
PID 1556 wrote to memory of 736	1556	Kdcijcke.exe	Kknafn32.exe
PID 1556 wrote to memory of 736	1556	Kdcijcke.exe	Kknafn32.exe
PID 1556 wrote to memory of 736	1556	Kdcijcke.exe	Kknafn32.exe
PID 736 wrote to memory of 2008	736	Kknafn32.exe	Kmlnbi32.exe
PID 736 wrote to memory of 2008	736	Kknafn32.exe	Kmlnbi32.exe
PID 736 wrote to memory of 2008	736	Kknafn32.exe	Kmlnbi32.exe
PID 2008 wrote to memory of 1664	2008	Kmlnbi32.exe	Kcifkp32.exe
PID 2008 wrote to memory of 1664	2008	Kmlnbi32.exe	Kcifkp32.exe
PID 2008 wrote to memory of 1664	2008	Kmlnbi32.exe	Kcifkp32.exe
PID 1664 wrote to memory of 900	1664	Kcifkp32.exe	Kibnhjgj.exe
PID 1664 wrote to memory of 900	1664	Kcifkp32.exe	Kibnhjgj.exe
PID 1664 wrote to memory of 900	1664	Kcifkp32.exe	Kibnhjgj.exe
PID 900 wrote to memory of 2620	900	Kibnhjgj.exe	Kpmfddnf.exe
PID 900 wrote to memory of 2620	900	Kibnhjgj.exe	Kpmfddnf.exe
PID 900 wrote to memory of 2620	900	Kibnhjgj.exe	Kpmfddnf.exe
PID 2620 wrote to memory of 628	2620	Kpmfddnf.exe	Kgfoan32.exe
PID 2620 wrote to memory of 628	2620	Kpmfddnf.exe	Kgfoan32.exe
PID 2620 wrote to memory of 628	2620	Kpmfddnf.exe	Kgfoan32.exe
PID 628 wrote to memory of 3928	628	Kgfoan32.exe	Liekmj32.exe
PID 628 wrote to memory of 3928	628	Kgfoan32.exe	Liekmj32.exe
PID 628 wrote to memory of 3928	628	Kgfoan32.exe	Liekmj32.exe
PID 3928 wrote to memory of 4468	3928	Liekmj32.exe	Lalcng32.exe
PID 3928 wrote to memory of 4468	3928	Liekmj32.exe	Lalcng32.exe
PID 3928 wrote to memory of 4468	3928	Liekmj32.exe	Lalcng32.exe
PID 4468 wrote to memory of 1216	4468	Lalcng32.exe	Lgikfn32.exe
PID 4468 wrote to memory of 1216	4468	Lalcng32.exe	Lgikfn32.exe
PID 4468 wrote to memory of 1216	4468	Lalcng32.exe	Lgikfn32.exe
PID 1216 wrote to memory of 888	1216	Lgikfn32.exe	Lmccchkn.exe
PID 1216 wrote to memory of 888	1216	Lgikfn32.exe	Lmccchkn.exe
PID 1216 wrote to memory of 888	1216	Lgikfn32.exe	Lmccchkn.exe
PID 888 wrote to memory of 1920	888	Lmccchkn.exe	Lpappc32.exe
PID 888 wrote to memory of 1920	888	Lmccchkn.exe	Lpappc32.exe
PID 888 wrote to memory of 1920	888	Lmccchkn.exe	Lpappc32.exe
PID 1920 wrote to memory of 224	1920	Lpappc32.exe	Lcpllo32.exe
PID 1920 wrote to memory of 224	1920	Lpappc32.exe	Lcpllo32.exe
PID 1920 wrote to memory of 224	1920	Lpappc32.exe	Lcpllo32.exe
PID 224 wrote to memory of 1192	224	Lcpllo32.exe	Lnepih32.exe
PID 224 wrote to memory of 1192	224	Lcpllo32.exe	Lnepih32.exe
PID 224 wrote to memory of 1192	224	Lcpllo32.exe	Lnepih32.exe
PID 1192 wrote to memory of 4664	1192	Lnepih32.exe	Lpcmec32.exe
PID 1192 wrote to memory of 4664	1192	Lnepih32.exe	Lpcmec32.exe
PID 1192 wrote to memory of 4664	1192	Lnepih32.exe	Lpcmec32.exe
PID 4664 wrote to memory of 3716	4664	Lpcmec32.exe	Lilanioo.exe

C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a6fa34d71988888b39e756da1d04c2d0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\Kpccnefa.exe
C:\Windows\system32\Kpccnefa.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\Kknafn32.exe
C:\Windows\system32\Kknafn32.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3716

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3708

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3632

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
26⤵
- Executes dropped EXE
PID:808

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4008

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1420

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
29⤵
- Executes dropped EXE
- Modifies registry class
PID:1004

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4000

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3496

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3140

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
33⤵
- Executes dropped EXE
- Modifies registry class
PID:4344

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1540

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:872

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2064

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1212

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4652

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1792

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3036

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:448

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4808

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1276

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1048

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3268

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4156

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2436

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2464

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1112

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2416

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4424

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4200

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4932

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3492

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5072

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2368

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
57⤵
- Executes dropped EXE
- Modifies registry class
PID:3944

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2356

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1084

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2476

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
61⤵
- Executes dropped EXE
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 400
62⤵
- Program crash
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4728 -ip 4728
1⤵
PID:2780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kacphh32.exe
Filesize
163KB

MD5
c0eb2278045d5106d988b086faf34c78

SHA1
df70623a3904a281b385a695cf5ddf0f108a632b

SHA256
ba9014bb9ec370776a98d569e9cecbb1d3fcc3bac703267843ccb3ab9fdf2edd

SHA512
52c66074f34975bc808e7ffa5e8a1de0f9fed37ee6a9805dea7e8618ee86473612e19f7e5350505e1f137f052aea815ef0da033d5f8cece86d0f38541ba38b68

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe
Filesize
163KB

MD5
17beb33a76b7d2517ec2677971c3972d

SHA1
fcc11a538bad66dedcfff41c95df61308e2b12fa

SHA256
8b40fa0418390b2d60a9f8ed59f971747387de4cf7989dd5d39c5559b029a8d9

SHA512
283afd694b926da437b3fd1799eb6ace3458fcf1269d5c0e2d5ea3ae3b651ed3cc1397e21e8cd9a80476912c5245c0cb7f608475ba35bdc03e3ecccf3f0d11a0

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe
Filesize
163KB

MD5
4a50b9493c9f0eebe029262259f5d442

SHA1
91ccd0c6d99cde81e68a1945df6745b4a0e9b56f

SHA256
3b5b4e01bbea778bae88c57b2bcbc463e7a11f7e07b120d0aba577b04755666f

SHA512
73dff43119bfba93adca45cb9533f200ba59618468f7240320017be80cf591159b6c3ac7b672523b3ef51a59e5f18d50771dcc69bf00d0e33d00bb2241e3685f

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe
Filesize
163KB

MD5
1b5f6137cfd07f7ae9594f1b12433e41

SHA1
ccaa46df642e000dc98feb5ab5217a5c9ef78c11

SHA256
bea49e7988e43e60bea36013a06a4833231fd8325d99078bba805196bd1e20d1

SHA512
755a4a30dc073b024872f283ae78d7372067da7619f5ce1530effdefc59df168c6a8afbe8bb811a911671cf1d5b3991c002853ed1f0f145cb4033425782ae601

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe
Filesize
163KB

MD5
99a362e97e10c11e5ab470c9a76d2ba8

SHA1
46818f200dcf5535fcce21c7bc751c4ee19ac271

SHA256
ca173776015f6dfb2412a3e86d4afe3f48d2d20ecbdae232c1f9108000a8f923

SHA512
55f12f3d981340371503b2b22b398d05960ce07c06378833c86408aabf755ac5cb226e98b3963d464abb04fe7eab1bb199ad2888ca207bd64e4ffebb06cd8c14

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe
Filesize
163KB

MD5
588ddca9d65a415222e9b543e8b03328

SHA1
df8715c715c6a476e260351c6846840ee9022b6a

SHA256
1ffc0647dd52aa6e57fa3e2e6051b08903629a265e10944e128eb7c289f156f8

SHA512
5f8222ac76fa4faf909db70059486aff0ef33defa798465682740e8a4b89c56cff69cf8281ee13c9792aab8ba29f20555f298b317f2e65c28ff9243bebccef2f

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe
Filesize
163KB

MD5
8994313164ce9ffc09e372d836b1159c

SHA1
7374e5be620a87d05d24eb1a7728790ae61adfa7

SHA256
d5cd966e5b4d004c577302284c2c1b631c1b6b28585b3b4a674400260bd7ef9f

SHA512
3c6b6d71a5b856896b51ecef43063b018c22627ac1054cfa8ed591398cd71f8e17ec9205e50f083aca8b43643daa2583fcada4e6ccb63f11fb0aca267056bb17

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe
Filesize
163KB

MD5
dc4984be6dcefcf1b3a201623bbef4cb

SHA1
d086310a3e9dda610869fecd26dfd2193a0d7b65

SHA256
556228e16266cb7d30c16d5655c1b36e77e6f04bfd94f8e3787add700142def9

SHA512
b1a5b20a5bfcb8ea4ab1c619727c596c4f1020fa11ebe57f023b9955ecfcf251e1037553c6d36c4844d29b4089022fe339ae3175f14d5b177d7f690cbe91e3fe

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe
Filesize
163KB

MD5
ecc461a394868e874acb7ac601c23f76

SHA1
fd18aa3262096fa955725cf221b3ba492eefbb55

SHA256
513fcf1a47b9f0d726a0e57bfe3e86f8a69ba7dcbbd01313d33f9eb804bb3d94

SHA512
25a4fab7591c75516a0e8df9b59d7159c25e6ae0d8df62b2933ac17136252c2a837c81fa1302351e08728122b5f5d463d1f59289e2d24f116d6be0c84c3981c7

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe
Filesize
163KB

MD5
404c7e14f75d0ce60d0cecaef2a4751d

SHA1
9882ff48ed8893f37d1ec00a026e493cc0c4b21b

SHA256
15848ba4d351a313f8c9acd47f6fa4322b0697ea0f0b9bea60d876e2c16b9315

SHA512
b8b5ff5f4d354d4f37add91663c43b52c22834944d7f2c874cfb0d9757dff1f49386c869b2658bbbb7065c5c8a39d972061c33883c8875a1df727ae5a4f86311

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe
Filesize
163KB

MD5
22ca64a6b495486110ba11aa34e28606

SHA1
6aba4c2e39cc9973a5efc02b6183a71695951143

SHA256
ed8b5f118afe6dc5e0123a239869f386a51e3e4d423a4e700dfcf5c69d29be63

SHA512
688875d3c10f5ebf80177c077518d6f9faaaa5e7cf00af5626d9c292dbc0e7b0a272d676351bc34841c98d864bafa2354a84791cdcca9b52fe9c879a72341177

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe
Filesize
163KB

MD5
c6cdeaedf29cd2ca068c9cf1758c218e

SHA1
b47c0bb135647af9a158c93987f66e974a83b826

SHA256
144d0a5c43c4c90b3f8d6a4594070688578ad953135ce00e38efdea37ab8e11a

SHA512
a903a7c104d6704ff6e5efd9614598727557746afd3dbc4cb4e35768b45816fc271d8800ef9571700a3ccfa0dba6add6ef357af378e3cdb06fd57fadb2ef05cb

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe
Filesize
163KB

MD5
785b09bcf7820bba974586abc9123655

SHA1
8e0a8ae41a8d7e3d021ee6c4d6c4c3d9e81a8492

SHA256
4c882aa6a4892b258fd4a9c581350f4e2708a4c7c55b9b40c7218783828c08dc

SHA512
416ec1992210fd2b0446084c8f0af5bbf2b9771e2d3e50d22b082fcdc704a097f248a2b5a540b11d7bc9cc097d8468ffae42672922c6cbfaefa86be43b057c9d

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe
Filesize
163KB

MD5
a84e0cc4da1cf41ea01cfbda603e0b2f

SHA1
c59c880f1bdcaea395ac2c9da5b48af79a8f1585

SHA256
a3061fa062d63c3279fc2810d7e7c3f1a26d25d569011636c3e0aa8d2b141c3b

SHA512
83e22d395e02aad0d4c7c856ebb2e8c03d13deaaed320167f8be0f01bb1d2fd67c26924e64f7e5348a463009e878bee3c2279b000f853ea0fcaf84d6cfda265d

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe
Filesize
163KB

MD5
52014c21c3603ec6a1cc33d2b1102cf7

SHA1
bdba845eab88a4b46a3612c1e5d7b8eb3355359e

SHA256
bdd42cca2a602700f04b5458a1964cff908e5339c7ec23e06a3c105b31602915

SHA512
d9034db4a883be41338aaf78f12cb0e94ae4835b22fc47d12b1010e9c5c8bda4b6583298c1a3e2f845db7595125b92de40ca0bcb5a106c87f1917eac88094684

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe
Filesize
163KB

MD5
af85e4cb0322a5b5d4a476da64d47eff

SHA1
bbf6f6417efbe333b3fff7a4d0946d8825803be4

SHA256
a497677842b955600e7a8e5cc8a7e2bde4d82c690bb4c1240c848ce204eb54d6

SHA512
080ebeb3ab65c11462b67959b0fa00e30af1ab25b2c347c399e2c0a248b3c902f53556ca82f142c1d996d23f40e41eae475bfd571a2647702bfce14d71f162e7

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe
Filesize
163KB

MD5
12edc9c456393db1948687c5e23b788e

SHA1
02096fae5daa315ffba1d24003fbf3cc7692dd62

SHA256
31e0a9d4af121a71280f10c50b568376cd33d58b35917eb038987bc9d5f84349

SHA512
1e019b52d278a72c7a5ce716767d346dbf8c91b7a3605603728d570b6a937aa5aaa7c9b34c8431048a8765b73e206140bc32aea276ec1b6d7c212fea42a8ba5a

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe
Filesize
163KB

MD5
aed1afaf488671e5872b00c4d5783cd9

SHA1
4ffd99344d83daf2ec29aba0edd43108b836dfc3

SHA256
478011deb43df297c7a5845ba6d0b30c48255db88af2a39443e6791cf9961c69

SHA512
6ed384670cd79ef12a5bdc11452df7ff79749636f7f84712702477ce4a31211b77e0acfefc51bede98c649b1edc11a4eda412aeb48b7044ac4ac0310221b195b

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe
Filesize
163KB

MD5
cd8d83d2bc67e1ef79bc22df60ef6f5d

SHA1
66ce7922cd0191facb06784f8869f7d3a724e566

SHA256
d61c4f39a39f0f0d9bfbfc987f65b2b228291474f68f29d750e876d7416ff88b

SHA512
1859077a5efdadbc222da1b285033a2dbbcb04994489a4a0acad923442c201089aa7c3d2eee4a13b91ba24a94167eb89e079b539077ef77a89b3f0cc337ebc5f

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe
Filesize
163KB

MD5
49966d948fb641152fff9de0fd7141e6

SHA1
3206ba486e392c92ff7fce71ff8b7709ee2b79b4

SHA256
95aa8b5cf27f359f124174f9909a49f6be0bb261158a8ac6239b9bad58ea04c0

SHA512
fa54d369369875871f03c8e7154f6cd076f3c5be2fb0af0d8abfcf99402dfd7d663c12e9ce816b6d5a1cfaafa5f43e96252a0a6c291c8ff47ad394773a770ba0

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe
Filesize
163KB

MD5
917ba7abac68c66129435f47f9746d6d

SHA1
16d7f382083b7c18592097278fdf5a022256cff2

SHA256
3139b71391cecc5cfdf43cc3324aaa4ec0efe2f2547b53456e757326253fd50f

SHA512
57ff1d28e07c8513ec8b205eb539c306098b9fd6a0529ba56e0df8b9d8df9f0593d19d3e4c74ea35f74427f08d98a45412d561952e28551c0e7fd247b9c27ddf

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe
Filesize
163KB

MD5
9d8cb8ec9cebb4ecf149307b681e1c09

SHA1
b699f2cf18d6cedc98fd2f11b4adb1fffe08eedb

SHA256
dbd7947c852dcb0984ae6ee24eef012cf9ae7e01f7bc0428d1de1d37db4184bc

SHA512
014ec89d7720e2916c9d058cc5fba31e5ca138c4dceec17e75f861b6865e70bd6a303490402a9e3e56a959d616721f64b00bf8088a035b05a2264ee5feadff4b

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe
Filesize
163KB

MD5
97fe1f0b6fba6c6ded1b09eb2f8316fc

SHA1
41357593d6a8c491dec0b7ae8e3527ad801439af

SHA256
f2e660ca74dd9d78184bc05d32a56d1cc196101df9139efca3e8b787f5320991

SHA512
96364579ea25b9d0d03de9ae65aadfc71bf32536c6af31cf48e2eb907e8aa0ca2fee9ac735304b6a7aa49dfaf23b63f32738546628059e313a9f97195675f787

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe
Filesize
163KB

MD5
70ab24fb6829d4dae2b6750040505204

SHA1
adfd244da9ba79be7364b3064d038ca29b7d545f

SHA256
46653985ee2b1faac5c53387ffa3ebd3a91b3eafb928071ee8047091f777f9a0

SHA512
dc2f6118c1da4ba46d27d39b6fd62ceb9c0e1e0e48d2f4b363b6d6ab7c445504938c7d671402de3ebda9cec037f0020eabb9ae35bcd3f032017662f5994baee7

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe
Filesize
163KB

MD5
0e80a509ced0c07746e6dfbb0a778f1e

SHA1
a3d576dc49262797d01045d27b1ef49985f27787

SHA256
0b9a1f86369208f442d8f3f5f9f6cdef429b081dd43a90a2f0aef742adc1015d

SHA512
82c9e86887c49c610b913b77d91b290ccfde89600ee979347317fc9f6eb3ba1c0036f86670312a7027875aa5c13dfc499d63a1d8c2049089dd9aa9e320cc44ab

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe
Filesize
163KB

MD5
425f29c1ad773593a806a13f3b52e428

SHA1
4cac78b042ee8383d5572dd98e25108c99b250c6

SHA256
85a1c2305f3cbeedafdd0c2faebfab11a7d07aa68bd25b070f6f2ae2f78af565

SHA512
59b7ad61266055840922bc5f7bac3af272dcdddb62d7700f1f3c008b840cc07de4f78a69503f96307cbf93119c095708f74eaa09ade57b477e85f11589e1445e

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe
Filesize
163KB

MD5
26a611de47eebaddc892ec95d2b87194

SHA1
2b05b57d34c0e7389b270659f19280adda37e32d

SHA256
5bed1ab64d7e364fe2786199157d96f9f63f5b412ed096fed73e464502bf0d01

SHA512
56f274e3b0b7d06684da0760fa4e0e59b05b7f520129246745bfdd45cbfabbe66449b8e5b91677c829de760b627f5777d4edab20481b76bf7d8f2b4a1ad6e2ea

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe
Filesize
163KB

MD5
f327cb1be3d3432a61a79ea79265dde8

SHA1
74aa41d7420e1b58fb2d4be53fda033c1bbc76f7

SHA256
7cfb91b2d431fa5cc468e43c1199d77b97e4a57e234114c405b6fe48ea1cf866

SHA512
eb9521487836dc1a0d021b68d89a9c660fb565ad56a69eb85107e985cdff8e1879419d1c4aa863a0cf0a38eaaf950facc2627ed1fa544c93e096cd9d546b9181

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe
Filesize
163KB

MD5
f40cac85f22fb26147870a79b6a542ec

SHA1
c3e9943fa9ef4a8a259e6c347e7678be16f06ed3

SHA256
65ae8af0fb774a9f0af96800be040785f094a7bbcce301159ef10bb826b1cfcb

SHA512
c827bdedc6fd8124536370732d94d13308592c3bbbd92b17ead025b47d67676f77dc1544a8f887eb124ab585a3667968f1258b72238160a57ec436283c49bfe0

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe
Filesize
163KB

MD5
b3f3038c96e509e1994fe34998e8ba7c

SHA1
9291b77910d439f2928588feacd70254e4355f97

SHA256
19e2e22db3c8cbfe550c538b849c191c109d15227fd9a57d2113013a1d307ce9

SHA512
cce61c2927a827a585b59765dcadbe5d7c673383c29ab0ba6a9bbd4ef57b86d1a3a23f11ed9030962c3ecca79eadb523d3bb1d303c1dfa52639fdc7a225e62e0

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe
Filesize
163KB

MD5
91c6c9f5e6cfda169a675749d31610ad

SHA1
d6c0c749faac630b8b028ff5194f6ebc4edb334b

SHA256
bad641e0d72cf8e63dcb2ae7f3b814b37c05ae1c9ba07a1fb293c6ea836f4894

SHA512
40648995976c2ec43146ffbe6905eb0aba250b41a1b7c6fe5b9b75459b59816b4484bbbc42d0f68f739390cbf9a0b8b90afb6234e0ceb294f2f8442a57342aec

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe
Filesize
163KB

MD5
bc71cbf30cb9204624001243e0f4a2d7

SHA1
92d79c733b82704768d3a69745112851b5e34468

SHA256
1ab2949eefdda27c7f0352f74bcab5f5d91fec40e5c747b0f49ec10af11a62c6

SHA512
fca20d91f88ce27a69b00bc317a275a4f076c71098d70e086ed3cb6c546c1b6dac8f07bdfb6231ff71b7e533f7524f3930631e9fa9fd1b0582a5858c31b803f6

Download Submit
memory/224-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/448-309-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/448-463-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/628-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/736-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/808-201-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/808-493-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/872-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/872-475-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/888-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/900-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1004-487-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1004-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1048-457-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1064-28-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1084-410-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1084-429-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1112-447-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1112-351-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1192-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1212-286-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1212-471-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1216-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1276-316-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1276-459-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1368-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1420-489-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1420-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1540-267-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1540-477-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1556-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1576-29-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1664-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1792-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1792-467-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1920-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1984-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1984-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2008-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2064-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2064-473-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2072-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2356-404-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2356-430-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2368-392-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2368-433-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-445-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-361-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2436-339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2436-451-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2464-449-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2464-345-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2476-426-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2476-421-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2620-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3036-465-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3140-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3140-481-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3268-327-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3268-455-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3312-37-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3492-437-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3492-380-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3496-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3496-483-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3632-197-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3632-495-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3708-497-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3708-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3716-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3928-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3944-402-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4000-485-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4000-233-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4008-491-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4008-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4156-453-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4156-337-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4200-441-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4200-369-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4344-479-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4344-257-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4424-363-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4424-443-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4468-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4652-469-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4652-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4664-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4728-422-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4728-425-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4808-461-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4808-314-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4932-439-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5044-43-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5072-386-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5072-435-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download