e843cfb4cd32ec25db5baf2a7f8574d810f92fdf3c628863a8d70260e34b7579

Analysis

max time kernel
141s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

513173a1cb9165d0c48968d5ed23cdd0_NeikiAnalytics.exe
Size

1.1MB
MD5

513173a1cb9165d0c48968d5ed23cdd0
SHA1

ccd9da01f7be66139c1d2b3cdeb908cdcf1ef321
SHA256

e843cfb4cd32ec25db5baf2a7f8574d810f92fdf3c628863a8d70260e34b7579
SHA512

566ca78772702ad8fdfd479b37a345b4569cc17599be8fc89594f9e04768911a8b59e7b284fa08dac0bf49f9366bd290c6bb29be38f735589e8bba78f83b2af1
SSDEEP

24576:Uwcxd3RcA9rQg5Wm0BmmvFimm0MTP7hm0BmmvFimm0HkEyDucEQX:Uwcxd3RcAxQg5SiLi0kEyDucEQX

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Lilanioo.exeMpkbebbf.exeMnocof32.exeMgghhlhq.exeMamleegg.exeKpepcedo.exeLpcmec32.exeMcnhmm32.exeMncmjfmk.exeNceonl32.exeKbdmpqcb.exeLdmlpbbj.exeNnhfee32.exeNklfoi32.exeNcldnkae.exeLnjjdgee.exeMdkhapfj.exeLkgdml32.exeLaciofpa.exeLcmofolg.exeMpdelajl.exeMaohkd32.exeMnfipekh.exeNcihikcg.exeLgpagm32.exeLdaeka32.exeMkpgck32.exeNqmhbpba.exeLmqgnhmp.exeLphfpbdi.exeLnepih32.exeLklnhlfb.exeKmgdgjek.exeLcgblncm.exeMpmokb32.exeLaopdgcg.exeMcbahlip.exeNnjbke32.exeMkepnjng.exeMjqjih32.exeMciobn32.exeNkjjij32.exeNqiogp32.exeNgcgcjnc.exeNnolfdcn.exeMdiklqhm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe

Malware Dropper & Backdoor - Berbew 32 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Kmgdgjek.exe	family_berbew
C:\Windows\SysWOW64\Kpepcedo.exe	family_berbew
C:\Windows\SysWOW64\Kbdmpqcb.exe	family_berbew
C:\Windows\SysWOW64\Kkbkamnl.exe	family_berbew
C:\Windows\SysWOW64\Lmqgnhmp.exe	family_berbew
C:\Windows\SysWOW64\Laopdgcg.exe	family_berbew
C:\Windows\SysWOW64\Lnepih32.exe	family_berbew
C:\Windows\SysWOW64\Ldaeka32.exe	family_berbew
C:\Windows\SysWOW64\Mjqjih32.exe	family_berbew
C:\Windows\SysWOW64\Mkpgck32.exe	family_berbew
C:\Windows\SysWOW64\Mdiklqhm.exe	family_berbew
C:\Windows\SysWOW64\Mdkhapfj.exe	family_berbew
C:\Windows\SysWOW64\Mamleegg.exe	family_berbew
C:\Windows\SysWOW64\Mgghhlhq.exe	family_berbew
C:\Windows\SysWOW64\Mpmokb32.exe	family_berbew
C:\Windows\SysWOW64\Mnocof32.exe	family_berbew
C:\Windows\SysWOW64\Mciobn32.exe	family_berbew
C:\Windows\SysWOW64\Mpkbebbf.exe	family_berbew
C:\Windows\SysWOW64\Lknjmkdo.exe	family_berbew
C:\Windows\SysWOW64\Lcgblncm.exe	family_berbew
C:\Windows\SysWOW64\Lphfpbdi.exe	family_berbew
C:\Windows\SysWOW64\Lnjjdgee.exe	family_berbew
C:\Windows\SysWOW64\Lklnhlfb.exe	family_berbew
C:\Windows\SysWOW64\Lgpagm32.exe	family_berbew
C:\Windows\SysWOW64\Laciofpa.exe	family_berbew
C:\Windows\SysWOW64\Lilanioo.exe	family_berbew
C:\Windows\SysWOW64\Lcbiao32.exe	family_berbew
C:\Windows\SysWOW64\Lpcmec32.exe	family_berbew
C:\Windows\SysWOW64\Lkgdml32.exe	family_berbew
C:\Windows\SysWOW64\Ldmlpbbj.exe	family_berbew
C:\Windows\SysWOW64\Liggbi32.exe	family_berbew
C:\Windows\SysWOW64\Lcmofolg.exe	family_berbew

Executes dropped EXE 57 IoCs

Processes:

Kmgdgjek.exeKpepcedo.exeKbdmpqcb.exeKkbkamnl.exeLmqgnhmp.exeLcmofolg.exeLiggbi32.exeLaopdgcg.exeLdmlpbbj.exeLkgdml32.exeLnepih32.exeLpcmec32.exeLcbiao32.exeLilanioo.exeLaciofpa.exeLdaeka32.exeLgpagm32.exeLklnhlfb.exeLnjjdgee.exeLphfpbdi.exeLcgblncm.exeLknjmkdo.exeMjqjih32.exeMpkbebbf.exeMciobn32.exeMkpgck32.exeMnocof32.exeMpmokb32.exeMdiklqhm.exeMgghhlhq.exeMamleegg.exeMdkhapfj.exeMcnhmm32.exeMkepnjng.exeMncmjfmk.exeMaohkd32.exeMdmegp32.exeMglack32.exeMnfipekh.exeMpdelajl.exeMcbahlip.exeNkjjij32.exeNnhfee32.exeNqfbaq32.exeNceonl32.exeNklfoi32.exeNnjbke32.exeNqiogp32.exeNgcgcjnc.exeNnmopdep.exeNqklmpdd.exeNcihikcg.exeNkqpjidj.exeNnolfdcn.exeNqmhbpba.exeNcldnkae.exeNkcmohbg.exe

pid	process
1056	Kmgdgjek.exe
1892	Kpepcedo.exe
2940	Kbdmpqcb.exe
2748	Kkbkamnl.exe
892	Lmqgnhmp.exe
4488	Lcmofolg.exe
4140	Liggbi32.exe
3636	Laopdgcg.exe
3996	Ldmlpbbj.exe
4588	Lkgdml32.exe
5012	Lnepih32.exe
4036	Lpcmec32.exe
3220	Lcbiao32.exe
4648	Lilanioo.exe
3464	Laciofpa.exe
4364	Ldaeka32.exe
1560	Lgpagm32.exe
3328	Lklnhlfb.exe
4680	Lnjjdgee.exe
1676	Lphfpbdi.exe
2164	Lcgblncm.exe
1664	Lknjmkdo.exe
2404	Mjqjih32.exe
2292	Mpkbebbf.exe
2012	Mciobn32.exe
1800	Mkpgck32.exe
3648	Mnocof32.exe
3432	Mpmokb32.exe
4220	Mdiklqhm.exe
3900	Mgghhlhq.exe
5004	Mamleegg.exe
1748	Mdkhapfj.exe
2376	Mcnhmm32.exe
2452	Mkepnjng.exe
744	Mncmjfmk.exe
4424	Maohkd32.exe
2872	Mdmegp32.exe
4300	Mglack32.exe
2956	Mnfipekh.exe
2776	Mpdelajl.exe
2560	Mcbahlip.exe
2024	Nkjjij32.exe
4048	Nnhfee32.exe
2964	Nqfbaq32.exe
1724	Nceonl32.exe
1104	Nklfoi32.exe
3008	Nnjbke32.exe
4388	Nqiogp32.exe
2352	Ngcgcjnc.exe
4824	Nnmopdep.exe
1120	Nqklmpdd.exe
1424	Ncihikcg.exe
4944	Nkqpjidj.exe
2832	Nnolfdcn.exe
3904	Nqmhbpba.exe
4604	Ncldnkae.exe
4472	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Nqmhbpba.exeKpepcedo.exeLphfpbdi.exeNkqpjidj.exeLilanioo.exeLgpagm32.exeMaohkd32.exeMdmegp32.exeNqfbaq32.exeKbdmpqcb.exeLaopdgcg.exeLcbiao32.exeNklfoi32.exeMcbahlip.exeKmgdgjek.exeLklnhlfb.exeMpmokb32.exeNnmopdep.exeMdkhapfj.exeMnfipekh.exeLaciofpa.exeMjqjih32.exeMnocof32.exeLdaeka32.exeMkepnjng.exeMncmjfmk.exeMciobn32.exeMamleegg.exeNceonl32.exeLpcmec32.exeLnjjdgee.exeMkpgck32.exeLcmofolg.exeLkgdml32.exeNgcgcjnc.exeNcldnkae.exeLmqgnhmp.exeNqiogp32.exeLcgblncm.exeMcnhmm32.exeLknjmkdo.exeNcihikcg.exeNnolfdcn.exe513173a1cb9165d0c48968d5ed23cdd0_NeikiAnalytics.exeLdmlpbbj.exeNnhfee32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	513173a1cb9165d0c48968d5ed23cdd0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

1624 4472 WerFault.exe

pid	pid_target	process
1624	4472	WerFault.exe

Modifies registry class 64 IoCs

Processes:

513173a1cb9165d0c48968d5ed23cdd0_NeikiAnalytics.exeLphfpbdi.exeMkepnjng.exeMdmegp32.exeNqklmpdd.exeLkgdml32.exeLaciofpa.exeLklnhlfb.exeMdiklqhm.exeLcmofolg.exeMamleegg.exeNkqpjidj.exeNcldnkae.exeLiggbi32.exeMciobn32.exeMdkhapfj.exeNqfbaq32.exeLaopdgcg.exeLpcmec32.exeLilanioo.exeMcnhmm32.exeKmgdgjek.exeKbdmpqcb.exeMnfipekh.exeMcbahlip.exeNnmopdep.exeLmqgnhmp.exeNnhfee32.exeLnepih32.exeLgpagm32.exeNcihikcg.exeMgghhlhq.exeMaohkd32.exeMpmokb32.exeLnjjdgee.exeMjqjih32.exeMglack32.exeLcbiao32.exeNnolfdcn.exeNqmhbpba.exeNgcgcjnc.exeLdmlpbbj.exeLknjmkdo.exeNceonl32.exeLdaeka32.exeMkpgck32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	513173a1cb9165d0c48968d5ed23cdd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	513173a1cb9165d0c48968d5ed23cdd0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	513173a1cb9165d0c48968d5ed23cdd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

513173a1cb9165d0c48968d5ed23cdd0_NeikiAnalytics.exeKmgdgjek.exeKpepcedo.exeKbdmpqcb.exeKkbkamnl.exeLmqgnhmp.exeLcmofolg.exeLiggbi32.exeLaopdgcg.exeLdmlpbbj.exeLkgdml32.exeLnepih32.exeLpcmec32.exeLcbiao32.exeLilanioo.exeLaciofpa.exeLdaeka32.exeLgpagm32.exeLklnhlfb.exeLnjjdgee.exeLphfpbdi.exeLcgblncm.exe

description	pid	process	target process
PID 5044 wrote to memory of 1056	5044	513173a1cb9165d0c48968d5ed23cdd0_NeikiAnalytics.exe	Kmgdgjek.exe
PID 5044 wrote to memory of 1056	5044	513173a1cb9165d0c48968d5ed23cdd0_NeikiAnalytics.exe	Kmgdgjek.exe
PID 5044 wrote to memory of 1056	5044	513173a1cb9165d0c48968d5ed23cdd0_NeikiAnalytics.exe	Kmgdgjek.exe
PID 1056 wrote to memory of 1892	1056	Kmgdgjek.exe	Kpepcedo.exe
PID 1056 wrote to memory of 1892	1056	Kmgdgjek.exe	Kpepcedo.exe
PID 1056 wrote to memory of 1892	1056	Kmgdgjek.exe	Kpepcedo.exe
PID 1892 wrote to memory of 2940	1892	Kpepcedo.exe	Kbdmpqcb.exe
PID 1892 wrote to memory of 2940	1892	Kpepcedo.exe	Kbdmpqcb.exe
PID 1892 wrote to memory of 2940	1892	Kpepcedo.exe	Kbdmpqcb.exe
PID 2940 wrote to memory of 2748	2940	Kbdmpqcb.exe	Kkbkamnl.exe
PID 2940 wrote to memory of 2748	2940	Kbdmpqcb.exe	Kkbkamnl.exe
PID 2940 wrote to memory of 2748	2940	Kbdmpqcb.exe	Kkbkamnl.exe
PID 2748 wrote to memory of 892	2748	Kkbkamnl.exe	Lmqgnhmp.exe
PID 2748 wrote to memory of 892	2748	Kkbkamnl.exe	Lmqgnhmp.exe
PID 2748 wrote to memory of 892	2748	Kkbkamnl.exe	Lmqgnhmp.exe
PID 892 wrote to memory of 4488	892	Lmqgnhmp.exe	Lcmofolg.exe
PID 892 wrote to memory of 4488	892	Lmqgnhmp.exe	Lcmofolg.exe
PID 892 wrote to memory of 4488	892	Lmqgnhmp.exe	Lcmofolg.exe
PID 4488 wrote to memory of 4140	4488	Lcmofolg.exe	Liggbi32.exe
PID 4488 wrote to memory of 4140	4488	Lcmofolg.exe	Liggbi32.exe
PID 4488 wrote to memory of 4140	4488	Lcmofolg.exe	Liggbi32.exe
PID 4140 wrote to memory of 3636	4140	Liggbi32.exe	Laopdgcg.exe
PID 4140 wrote to memory of 3636	4140	Liggbi32.exe	Laopdgcg.exe
PID 4140 wrote to memory of 3636	4140	Liggbi32.exe	Laopdgcg.exe
PID 3636 wrote to memory of 3996	3636	Laopdgcg.exe	Ldmlpbbj.exe
PID 3636 wrote to memory of 3996	3636	Laopdgcg.exe	Ldmlpbbj.exe
PID 3636 wrote to memory of 3996	3636	Laopdgcg.exe	Ldmlpbbj.exe
PID 3996 wrote to memory of 4588	3996	Ldmlpbbj.exe	Lkgdml32.exe
PID 3996 wrote to memory of 4588	3996	Ldmlpbbj.exe	Lkgdml32.exe
PID 3996 wrote to memory of 4588	3996	Ldmlpbbj.exe	Lkgdml32.exe
PID 4588 wrote to memory of 5012	4588	Lkgdml32.exe	Lnepih32.exe
PID 4588 wrote to memory of 5012	4588	Lkgdml32.exe	Lnepih32.exe
PID 4588 wrote to memory of 5012	4588	Lkgdml32.exe	Lnepih32.exe
PID 5012 wrote to memory of 4036	5012	Lnepih32.exe	Lpcmec32.exe
PID 5012 wrote to memory of 4036	5012	Lnepih32.exe	Lpcmec32.exe
PID 5012 wrote to memory of 4036	5012	Lnepih32.exe	Lpcmec32.exe
PID 4036 wrote to memory of 3220	4036	Lpcmec32.exe	Lcbiao32.exe
PID 4036 wrote to memory of 3220	4036	Lpcmec32.exe	Lcbiao32.exe
PID 4036 wrote to memory of 3220	4036	Lpcmec32.exe	Lcbiao32.exe
PID 3220 wrote to memory of 4648	3220	Lcbiao32.exe	Lilanioo.exe
PID 3220 wrote to memory of 4648	3220	Lcbiao32.exe	Lilanioo.exe
PID 3220 wrote to memory of 4648	3220	Lcbiao32.exe	Lilanioo.exe
PID 4648 wrote to memory of 3464	4648	Lilanioo.exe	Laciofpa.exe
PID 4648 wrote to memory of 3464	4648	Lilanioo.exe	Laciofpa.exe
PID 4648 wrote to memory of 3464	4648	Lilanioo.exe	Laciofpa.exe
PID 3464 wrote to memory of 4364	3464	Laciofpa.exe	Ldaeka32.exe
PID 3464 wrote to memory of 4364	3464	Laciofpa.exe	Ldaeka32.exe
PID 3464 wrote to memory of 4364	3464	Laciofpa.exe	Ldaeka32.exe
PID 4364 wrote to memory of 1560	4364	Ldaeka32.exe	Lgpagm32.exe
PID 4364 wrote to memory of 1560	4364	Ldaeka32.exe	Lgpagm32.exe
PID 4364 wrote to memory of 1560	4364	Ldaeka32.exe	Lgpagm32.exe
PID 1560 wrote to memory of 3328	1560	Lgpagm32.exe	Lklnhlfb.exe
PID 1560 wrote to memory of 3328	1560	Lgpagm32.exe	Lklnhlfb.exe
PID 1560 wrote to memory of 3328	1560	Lgpagm32.exe	Lklnhlfb.exe
PID 3328 wrote to memory of 4680	3328	Lklnhlfb.exe	Lnjjdgee.exe
PID 3328 wrote to memory of 4680	3328	Lklnhlfb.exe	Lnjjdgee.exe
PID 3328 wrote to memory of 4680	3328	Lklnhlfb.exe	Lnjjdgee.exe
PID 4680 wrote to memory of 1676	4680	Lnjjdgee.exe	Lphfpbdi.exe
PID 4680 wrote to memory of 1676	4680	Lnjjdgee.exe	Lphfpbdi.exe
PID 4680 wrote to memory of 1676	4680	Lnjjdgee.exe	Lphfpbdi.exe
PID 1676 wrote to memory of 2164	1676	Lphfpbdi.exe	Lcgblncm.exe
PID 1676 wrote to memory of 2164	1676	Lphfpbdi.exe	Lcgblncm.exe
PID 1676 wrote to memory of 2164	1676	Lphfpbdi.exe	Lcgblncm.exe
PID 2164 wrote to memory of 1664	2164	Lcgblncm.exe	Lknjmkdo.exe

C:\Users\Admin\AppData\Local\Temp\513173a1cb9165d0c48968d5ed23cdd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\513173a1cb9165d0c48968d5ed23cdd0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\Kmgdgjek.exe
C:\Windows\system32\Kmgdgjek.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\Kpepcedo.exe
C:\Windows\system32\Kpepcedo.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1664

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2404

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2292

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2012

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1800

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3648

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3432

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4220

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3900

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5004

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1748

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2376

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2452

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:744

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4424

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2872

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
39⤵
- Executes dropped EXE
- Modifies registry class
PID:4300

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2956

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2560

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2024

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4048

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2964

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1724

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1104

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3008

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4388

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2352

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4824

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
52⤵
- Executes dropped EXE
- Modifies registry class
PID:1120

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1424

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4944

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2832

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3904

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4604

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
58⤵
- Executes dropped EXE
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 412
59⤵
- Program crash
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4472 -ip 4472
1⤵
PID:1192

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kbdmpqcb.exe
Filesize
1.1MB

MD5
182e36abc728241e63b7579c52585869

SHA1
62cf25167b12f77ed896131f074fd11c99b797e9

SHA256
a5fcf7fe73b233a7febece0e66a6189ae814d98663f05b7c8098040db1651fff

SHA512
a7d040fa675290b563e3cbacc598c4360408847d8681af1dcd5cd3f1eab7da3ef12f7a08f2ecfc33d2068c2834b07205f5c758cd7c046b1d792ef774237c464a

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe
Filesize
1.1MB

MD5
4d8672c6f5244e95cb80c72359009d25

SHA1
024f7b3c76757960f46f35d36ae1aa6552a9a988

SHA256
7c73aedcae0796d68717b4865e6dbdf57778aca3cf259edf945bed0e1035efaf

SHA512
d5f7c73af80281e16e99a6984b4335e44e86175df809ffa78d9df2fbd628a99139631f2f2744c85118eaafd8be8440181a495b3d0169d7549c132b8608408a67

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe
Filesize
1.1MB

MD5
50a8307221bbacdde80b21ae37f9edc5

SHA1
dba0baea77b673cb057f94a3d4ff3818ded1bb87

SHA256
d4053e0b9fb9ba735966f3ddec787a02695837ac639fadbc20a47738b6a82970

SHA512
ca8885f3dce368c0eb909690709b30f5bcff2732ceb75f074e6d1ae1d0f50069bf440b0c1271be5a680fc47b718ea90422bc2080f8cc33bc27974c3b034cec28

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe
Filesize
1.1MB

MD5
3ebb44b3acfd5be2f7d45e524b9affe8

SHA1
8b6b3f117a7610b13a7beacd42636389bcbcbd6d

SHA256
e0217232f4439ff392abf4c31114d32acc8402cb25b9b3608d5856b19ffede5f

SHA512
e39acb941d8581c486a688486d8b948fba80001553201dcfeebbd70b5f692c54d483a21c2c628f51400e3c2ecae01395ef992a8366691140c3c255dd7abe4c44

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe
Filesize
1.1MB

MD5
e71ef02523ecb88ab8e207354c37579d

SHA1
835b6c2c045469ee3a56dbc5e42ed54f9899d697

SHA256
ca5dea3d8be5c71d017a765d2d4dddc4688568292d8a4cfafe9e9bf8dda58cae

SHA512
75fabe28171e91b01e8627a2c22e7bc6df2e5bb5cf85ab26c3cb90f2591b0f39f99956656ae745bc2faefe04de3b17f50c07fb73d138ab2b8e36fb8ae344080a

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe
Filesize
1.1MB

MD5
4906f2cde967c27f4588c1a8c919f331

SHA1
768c374f53da69c8168659c4c797ee26b06e93d6

SHA256
f4a6b58650317874097dc79df26a2aae765e801b031d8a1880bf68ff2120c257

SHA512
3bd163f8adfeac9998cec1702b7477ba32635893e6c3779879fdd7d4a5037bf40b439c97fe3b23673174d5d519bb53929b33d75215444f4e147c708665fe8f87

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe
Filesize
1.1MB

MD5
76d510f1326bb6b0fe125871e7e64155

SHA1
980a7ca8631f6c8b0a8a2cd86bd40aea2f547f76

SHA256
8fd34fcdd6e9e5f62acfb3d5de4b3f863065c72521ad78849df355a04e9be5c9

SHA512
a75ad62c2de8b50b708d53302afde88e34b6a9a82cbbaabb8d0afbb64c840a1fafc7c7b6b7eb6bb2eece83d335e3bafc2e0b914836cf7a25fe1d4dbd64fbff7e

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe
Filesize
1.1MB

MD5
abd8415d32d55e09120d6e030aee30ec

SHA1
48884100d44064bf29f42787e3bb6d8963ef1eb4

SHA256
ad044570e7a3e4175039c6878459482213309fd3a9dd12b4c4f604f4cf6779f1

SHA512
99963e8a470bc54286c19c0577089d9f840bac0932d68c71a533806269f7ad41a6d1cbdd1055e3019ab56fd950c720d198e3fd808562cbcf513234c45b83cf7a

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe
Filesize
1.1MB

MD5
e90649e220dffd457ce40b893a4dc474

SHA1
2519c4476447790c796838cb2c8072478ccaefa7

SHA256
340ada95210063de5477f437ecef18c94cda010fd90e1f79b5f132ffb37e5514

SHA512
8f546a96bc18817891194397f3ea25d0accc18bf69583db7f80e1c626a9596dcb7ce4a1e20b66b4bf72215b7c9bf04fbadf0cf0df106072dd0b5512698025ebe

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe
Filesize
1.1MB

MD5
ec70a4d9ce36dac99ec7a70451365a49

SHA1
621e5a6ff6d61319bacaef85bd45b4d07333903c

SHA256
2ccc51766558e3817869bac241f89ec62eaa0ca3638372718d957b92e23b7a51

SHA512
1c36ff07ada89ed2947618c8711b4eaf24e5e8d342b35de878c5eecc5d818c33925e8cd3e9825b37eb2ef2c87ff21bc6fc68bc3e4405f85f526b1200a96e1746

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe
Filesize
1.1MB

MD5
ef5f94e01ae5f840ddddad5aa0073eae

SHA1
79c9122894043fdf03347b2b5e6b7a272a2f7c1a

SHA256
e7ac86823b7fab166dd4a7b10c193c53067ff19deb6948d25a1a7d460d0945b6

SHA512
be212959a6d2c58c72652c09f57e594cc0f579fdc51d770aad624a7737e013cbbffdd1cd0aa9966f26c2addddc4486e0ed76ea9decee5234b643eb026d98ae31

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe
Filesize
1.1MB

MD5
7371670a2d66a29efb61f05a534d7386

SHA1
b5cf88fce3748b34ce390876a08314a412add432

SHA256
f2904566a6bf1a6305aaeb955d0b3e6f5d6da19dd30c4d0ae66b238c9b60dce9

SHA512
702cbace4d655c4b0bad77f4ddb74fe2c9b136344dcb0b914ef8cb002df41c1434a89f791e771c950492452c39b20491f203c8fc1ee92080a3c7f714597a0402

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe
Filesize
1.1MB

MD5
26902da08a1a9e222ec6362a9ee5013e

SHA1
dd3c76fe7e35633d7e1bcc81769805b222eee098

SHA256
6c1eb90e7a9ce04e32c10ba6612dd2f4ad27d2610a534eba57a751fc71267a5c

SHA512
aa5b100f08fd8e4a9511c1bfb6cde0bd1367353cd8e49a2ab286009076e11ac075734c701bc90545423616965f3cf5fb5d0841caa436d71963be286461e24cb7

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe
Filesize
1.1MB

MD5
88517e21834c1cdb3e0d27b09048139a

SHA1
ed1f49fbec6af6179ceb4da2224200341a34fc9c

SHA256
5ce0b8598032e152b781b1425e9600e08ce87f5288d5b500ba0b4e2168a1337d

SHA512
cfda728fd5b4e0b9c2b46453c4b2914512e6ff6f0b28191ecb4a38853d9ccfc38b69f661d72633ec1b160cb8d714089df4cc7b90e8c1f954a016392703c2bf87

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe
Filesize
1.1MB

MD5
47a2ad28c109c61f32f9bd5f8919580f

SHA1
cfe70be5643c0b6fb735722712da106272cb9499

SHA256
1f9dc36561f00f25c8c1b4d1c742a306a501df66f97a7b15cd0d5084c368063d

SHA512
fe0913b6e392dfab31bccb32acd4c9d9f5d6e32729a535e969e4cbfd4daf938b5464b3c0f95a10afea57acb99f95908804a855513765038f5173eb7e92fbfbd9

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe
Filesize
1.1MB

MD5
8bfa7cdfe892b43676f11b485c333cc2

SHA1
f924a71a7b635d20247494c1f651f336ed210458

SHA256
10e8935177b3749b45532ffa071400530b2b703838168ef377ed683ded61dd0a

SHA512
f9caa0a1dfa464e20291d00fee2ffb4eef2598d9042aaa9899cc7b367f84d3d50d265c2ba783e3227f0637d24a49c6e86b5b46f16225c1ed76dc439428fba950

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe
Filesize
1.1MB

MD5
7d2ed90dc30c8a0cf3bc8cfbf4e92e0e

SHA1
2978db0924b0cc88b62c546ca90f407034326ece

SHA256
75441518d4c949f591efdba44a5f926d5518d1f595df00972d37ef1ecd79dc65

SHA512
6061da5ac020e9ce4296828c5f066717219b16c399c086afa64793d85c2b6e398872feba4ea26313fd4cb78349a2e2c2fa9ef4c5a3982c82f3ad7f97599cd052

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe
Filesize
1.1MB

MD5
2b6d376a140fb9f9e2713a8b55060250

SHA1
2f74c13909b8d5c6006ab14c787457f1bbaa8bfe

SHA256
0245e6b0011f47ab3290c2934626a698b92bc54a58023b617549cd9d82e4e025

SHA512
2ff21c3b6d27ebce71a4a1b4070e2e091eb66f6f0b2c5976d8b724c7cd9a812103c6be989bfb642e522a3438bda7e831ce7c4862abdf18693833756f3fae55bb

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe
Filesize
1.1MB

MD5
117972977b86dc62bffa95d30a6a4ddd

SHA1
5fa891152ab512d992db2a677f0b038d6918d32e

SHA256
310a23d5b32b7daee2d04101532cfa8c8d3e234f12d78298cf8eeacbf27dd2d8

SHA512
4867f69f98f5bed04fc6fcb6e92579701047746d0e5e8f7812081f7fed987971aeaf1decb0e424a6cf303a6fe81decbd29daa7771ed0de61ca68e539dbea386a

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe
Filesize
1.1MB

MD5
349e2195d81e77f56bc5596f7f80132e

SHA1
a3e99a53e26a8bfffa62bcf79cb2bd29be58176d

SHA256
1d37ed4d37da437b0ac664502be8e5f22ab4a5e258ebe51c39d339e11a427e9a

SHA512
616fc424aab03be559585fca6f950a2b9cea78314b1dce20f9d8c4315939d15cdcc8b619fc034689092ea79dc84f6446396a62e01dc160ebb85709785978e92d

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe
Filesize
1.1MB

MD5
7d22cf67ed70a9cdfbeac85034422fe3

SHA1
22daac9113973b1178299ff9d1044cb5edd36316

SHA256
b99ebdb6de4158f9d730898262eccd184426b3c2283edf8a8c403975ad632f08

SHA512
1c34873474181b6a96a1e45d73a59c5625e54b8c3b6f564809be0fa6943e43d81d4d72f5681a440e0ebaef7bcc6bbbdd223d1c3c1c766384337d54e5fa596ad7

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe
Filesize
1.1MB

MD5
bad150f4bed95ce3a695a56dace49b5d

SHA1
fbb6ff9abf394a578a54128a7d2d54c9262f0467

SHA256
c5710d99f91ea650bde6fd3eb4d27f05ea48f8458797943fd2222de373de8584

SHA512
0afd9481d5903c9bf68ba687594c0af5f9d8ed1efe5093dea016e38f5c996e85d08cf762f2f4bed2b614e7e3ab9bd65484be9676357e9fdf65af684d74e78a6f

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe
Filesize
1.1MB

MD5
437ec2553cefb36b67fdc2c59d621165

SHA1
611760291ea3400a10be7a6c4dba9743e0a084d4

SHA256
c292246a5a7c6c78fde2c69f17fbdfcd2a2d97e3d092a92362692900031c6e92

SHA512
2fb52bdcd99213fe0bd4f878a20b2f36abe15ef1f7c1225e1e0073ff6f8ec4a4eada2eb8554c01004bffbe75b34d1702a9ae9dede14559cff2c761e21829102e

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe
Filesize
1.1MB

MD5
adf1776c1a716800ef4ea0886238ad27

SHA1
72867423fe0ed51d9ab2d32d871fd6873b992fbd

SHA256
ac3d0f5c7debeb40c30db3207a78036ed2194bda4c5d2fdf0aec6df961617af4

SHA512
bdcedd90c2a30fde754f4d202a422cb9ab91201eb6ee0635bcafad52c860d2573d798cec4740716c45fa221d573d25fe7fe89b9aa56d5c84cf68db1c028a9d20

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe
Filesize
1.1MB

MD5
3d2181f068052731f4b16b67f512c73b

SHA1
b24cc047c0a3a66816f3b449ef907b3b0dc03ad0

SHA256
f9fce4c623eb6f63671ff2fafc322ec8c2ab84b94277469af10d56ce2a2a9181

SHA512
3b57e43e6a7d0f4ca2113b4628b95f9748eec8bd34d50386ce3f6600a8e81095fcb100969b92f31ca757af7915d4b9b60e8fbc4976b87a53b570dc6b3242f18f

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe
Filesize
1.1MB

MD5
6476cce6d6050b325d679d797ed9e486

SHA1
9de8daa87bcc1f9b22718882d27a228041e49dac

SHA256
9c453028ff4c5bf86c8105b28e2b96cafe483a79bf17749827bc1c38a0b598bc

SHA512
5a293e22a256985b3edb791b5f4e85f877abc6b34194ccee3dcc5adaaf28b0e2f8e07bba6ede135aed9c1fd062683ec3d36702113c4cd20cf2d07d8c3366d4ff

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe
Filesize
1.1MB

MD5
556e909e11538b089b53d477bb72ffbb

SHA1
c115e66ea8d51b67914b7ac7bd70580e62ba77e5

SHA256
e3dbe609b34c3bcfbb89e21ae1902a1e40952fbaaa670b204f8c234db1b15f68

SHA512
f05fdd06adb601360f8d8ca0ab276d37f419955c3c0669e2ab0026010320654c94b747786d2bafdda057c7a7d65c6fcc9b4c85e8ae3762662963107183168a43

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe
Filesize
1.1MB

MD5
f6e4ee671fae0204d40f71a0c813cbb3

SHA1
739e60df7d74dc97ee17e3ab3bd004a4b0d18173

SHA256
e6039e569f7653feb7208cae2f5b8e18182ecaf6c7e95779b4b9449899126043

SHA512
5968d8c3d3baea9e54dfa0d18a4691b9fe4116a0a8462bcd4ee82a51021ecfd61dd0ef6a481a9db1c00c58a887999972f906b977dd03c73f35522812849af2a4

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe
Filesize
1.1MB

MD5
e5b02a19d66a52b23f42a5603641d18a

SHA1
997c23418032bc794815a7692d344ffd686e16bf

SHA256
fa0ba98dcd65990d08aff5b855cfd0095465b457d74b5d6afa7acde00ad0ae61

SHA512
48d45d311950345652576da09aae4476dbce6f5243bb8770ba389176fec94a048c4ea27bfd06f3c641f6ab3c0472925b981825a41374b8dfd7486d78b84b7328

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe
Filesize
1.1MB

MD5
395cff87b575dec4fa5fcef27eef1c62

SHA1
2c18ae2116c3b5cca83b5b9ee85f32b60ebef12e

SHA256
9f90a6e89937f3b796d76afbbee735b0cf5550eb470099a5b2b850923b4de9b3

SHA512
d3c66a130ac5baf94622c9083778421048ef9c00a7fd6f1178901401cb4f3a89ea8751a26f8d67a7d760b274fb154beae699d4283be208b534929042b2780446

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe
Filesize
1.1MB

MD5
58fea6c00452cb57a55b5466ecf4ae30

SHA1
34fae1d89cf460d1b3afba70b0035d111b628626

SHA256
0c715a38858fe04f7ca6273ba3353267c0e9ea57ce5f3abe05ff209b1f39c3a6

SHA512
975d07a62d638e1f61f183ecbfdffc17462edc57e1acff0b853b855f53d4fd299b54138416e1658c62d5ada66acd66b621d62e99b350ccef2ab21ef8ed91ceab

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe
Filesize
1.1MB

MD5
fb84c02b4232067ab2dd4cc99ebd3222

SHA1
36edf72b09e9305d092938e6d8265e691cea990b

SHA256
99dbd0c500f862c90e1aeeae302718471d31e2346cb47c8385debb05b4bc6923

SHA512
5ad979d1c769c4ec35d7b65af44866deb674f032ac25df7f28b16828afa55ae0b5468dedc9fea915b123d0feb6b835dc5611c2ae3b28fbc709f49b4be5f7341f

Download Submit
C:\Windows\SysWOW64\Ofdhdf32.dll
Filesize
7KB

MD5
447c4bedc2a0990ab0f57666eec15493

SHA1
5956dccb6f40f0f4d1209a5d231d14d0049f90f7

SHA256
6c79c0257d2ee6dd941c6f1cd76df040dfdbcd2179004fa4df46546d2f8a8945

SHA512
397a9d35f2a774e0babd1c8e1f7d436bb8f5b9aa4d92dd2e82b8f34874df5e8567b546d4f52c401fc43d6152a563ef6569fa69eb8d7fae7dc3ab8ac32b6b859d

Download Submit
memory/744-377-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/892-407-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/892-41-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1056-12-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1104-366-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1120-361-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1424-360-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1560-395-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1664-390-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1676-392-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1724-367-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1748-380-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1800-386-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1892-410-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1892-17-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2012-387-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2024-370-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2164-391-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2292-388-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2352-363-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2376-379-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2404-389-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2452-378-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2560-371-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2748-408-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2748-36-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2776-372-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2832-358-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2872-375-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2940-409-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2940-23-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2956-373-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2964-368-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3008-365-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3220-399-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3328-394-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3432-384-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3464-397-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3636-404-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3648-385-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3900-382-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3904-357-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3996-403-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4036-400-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4048-369-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4140-405-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4220-383-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4300-374-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4364-396-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4388-364-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4424-376-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4472-355-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4488-406-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4588-402-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4604-356-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4648-398-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4680-393-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4824-362-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4944-359-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5004-381-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5012-401-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5044-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5044-411-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download