addf85b736a775796e8832e7af693838df93c3c2a68e59a843305b444480f27d

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4376220d8a21201ab192baea040e89b0_NeikiAnalytics.exe
Size

768KB
MD5

4376220d8a21201ab192baea040e89b0
SHA1

9c27204244432476b31d5c33b32b719a706ed3da
SHA256

addf85b736a775796e8832e7af693838df93c3c2a68e59a843305b444480f27d
SHA512

48e63ae6ab4b025fc3fa117272f73554851155e1c96cc662f7c09b676b34594f65ac0054bb4568d321723166bf4c9da54da86487f5f1023c3ad9db28313a06f0
SSDEEP

12288:rLrcNvj6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4g2:3rcJq5h3q5htaSHFaZRBEYyqmaf2qwiv

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Maohkd32.exeNjljefql.exeNdbnboqb.exeNkqpjidj.exeNggqoj32.exeLcbiao32.exeMnapdf32.exeMjhqjg32.exeNklfoi32.exeNnolfdcn.exeMdiklqhm.exeMcnhmm32.exeNjcpee32.exeMcklgm32.exeNcihikcg.exeMcpebmkb.exeMkgmcjld.exeMdpalp32.exeNkjjij32.exeNnjbke32.exeNkncdifl.exeLddbqa32.exeNdidbn32.exeMjcgohig.exeMjeddggd.exeNgcgcjnc.exeNddkgonp.exeMgidml32.exeMpaifalo.exeNacbfdao.exeLilanioo.exeMnfipekh.exeLknjmkdo.exeNqmhbpba.exeNgpjnkpf.exeNnmopdep.exeMpolqa32.exeMaaepd32.exeMcbahlip.exeNqiogp32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe

Malware Dropper & Backdoor - Berbew 32 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Lcbiao32.exe	family_berbew
C:\Windows\SysWOW64\Lilanioo.exe	family_berbew
C:\Windows\SysWOW64\Lddbqa32.exe	family_berbew
C:\Windows\SysWOW64\Lknjmkdo.exe	family_berbew
C:\Windows\SysWOW64\Mjcgohig.exe	family_berbew
C:\Windows\SysWOW64\Mcklgm32.exe	family_berbew
C:\Windows\SysWOW64\Mnapdf32.exe	family_berbew
C:\Windows\SysWOW64\Mjhqjg32.exe	family_berbew
C:\Windows\SysWOW64\Maohkd32.exe	family_berbew
C:\Windows\SysWOW64\Mcpebmkb.exe	family_berbew
C:\Windows\SysWOW64\Mnfipekh.exe	family_berbew
C:\Windows\SysWOW64\Nkncdifl.exe	family_berbew
C:\Windows\SysWOW64\Ngcgcjnc.exe	family_berbew
C:\Windows\SysWOW64\Nddkgonp.exe	family_berbew
C:\Windows\SysWOW64\Nqiogp32.exe	family_berbew
C:\Windows\SysWOW64\Nnjbke32.exe	family_berbew
C:\Windows\SysWOW64\Nklfoi32.exe	family_berbew
C:\Windows\SysWOW64\Ngpjnkpf.exe	family_berbew
C:\Windows\SysWOW64\Ndbnboqb.exe	family_berbew
C:\Windows\SysWOW64\Nacbfdao.exe	family_berbew
C:\Windows\SysWOW64\Njljefql.exe	family_berbew
C:\Windows\SysWOW64\Nkjjij32.exe	family_berbew
C:\Windows\SysWOW64\Mcbahlip.exe	family_berbew
C:\Windows\SysWOW64\Mdpalp32.exe	family_berbew
C:\Windows\SysWOW64\Maaepd32.exe	family_berbew
C:\Windows\SysWOW64\Mkgmcjld.exe	family_berbew
C:\Windows\SysWOW64\Mpaifalo.exe	family_berbew
C:\Windows\SysWOW64\Mgidml32.exe	family_berbew
C:\Windows\SysWOW64\Mcnhmm32.exe	family_berbew
C:\Windows\SysWOW64\Mpolqa32.exe	family_berbew
C:\Windows\SysWOW64\Mjeddggd.exe	family_berbew
C:\Windows\SysWOW64\Mdiklqhm.exe	family_berbew

Executes dropped EXE 41 IoCs

Processes:

Lcbiao32.exeLilanioo.exeLddbqa32.exeLknjmkdo.exeMjcgohig.exeMdiklqhm.exeMcklgm32.exeMjeddggd.exeMnapdf32.exeMpolqa32.exeMcnhmm32.exeMgidml32.exeMjhqjg32.exeMaohkd32.exeMpaifalo.exeMcpebmkb.exeMkgmcjld.exeMnfipekh.exeMaaepd32.exeMdpalp32.exeMcbahlip.exeNkjjij32.exeNjljefql.exeNacbfdao.exeNdbnboqb.exeNgpjnkpf.exeNklfoi32.exeNnjbke32.exeNqiogp32.exeNddkgonp.exeNgcgcjnc.exeNkncdifl.exeNnmopdep.exeNcihikcg.exeNkqpjidj.exeNjcpee32.exeNnolfdcn.exeNqmhbpba.exeNdidbn32.exeNggqoj32.exeNkcmohbg.exe

pid	process
932	Lcbiao32.exe
4776	Lilanioo.exe
760	Lddbqa32.exe
2216	Lknjmkdo.exe
1272	Mjcgohig.exe
1920	Mdiklqhm.exe
1412	Mcklgm32.exe
3868	Mjeddggd.exe
4236	Mnapdf32.exe
1396	Mpolqa32.exe
4308	Mcnhmm32.exe
3368	Mgidml32.exe
3676	Mjhqjg32.exe
1452	Maohkd32.exe
4896	Mpaifalo.exe
1716	Mcpebmkb.exe
1088	Mkgmcjld.exe
4472	Mnfipekh.exe
3344	Maaepd32.exe
1212	Mdpalp32.exe
1096	Mcbahlip.exe
432	Nkjjij32.exe
1380	Njljefql.exe
1132	Nacbfdao.exe
4220	Ndbnboqb.exe
3140	Ngpjnkpf.exe
3476	Nklfoi32.exe
4156	Nnjbke32.exe
2164	Nqiogp32.exe
4108	Nddkgonp.exe
728	Ngcgcjnc.exe
4112	Nkncdifl.exe
3552	Nnmopdep.exe
464	Ncihikcg.exe
4824	Nkqpjidj.exe
620	Njcpee32.exe
3980	Nnolfdcn.exe
1736	Nqmhbpba.exe
2996	Ndidbn32.exe
4448	Nggqoj32.exe
4432	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Maohkd32.exeNkjjij32.exeNnjbke32.exe4376220d8a21201ab192baea040e89b0_NeikiAnalytics.exeLilanioo.exeMcpebmkb.exeNqiogp32.exeNnmopdep.exeLknjmkdo.exeNgpjnkpf.exeNdidbn32.exeMnapdf32.exeNdbnboqb.exeNddkgonp.exeNkncdifl.exeNjcpee32.exeNnolfdcn.exeMjcgohig.exeMcnhmm32.exeNacbfdao.exeNcihikcg.exeNgcgcjnc.exeNggqoj32.exeLcbiao32.exeMpolqa32.exeNklfoi32.exeMcklgm32.exeNkqpjidj.exeMnfipekh.exeMdiklqhm.exeMdpalp32.exeMcbahlip.exeMaaepd32.exeNqmhbpba.exeMgidml32.exeLddbqa32.exeMjhqjg32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	4376220d8a21201ab192baea040e89b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	4376220d8a21201ab192baea040e89b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

1740 4432 WerFault.exe

pid	pid_target	process
1740	4432	WerFault.exe

Modifies registry class 64 IoCs

Processes:

Mjeddggd.exeMaaepd32.exeLcbiao32.exeMdpalp32.exeNddkgonp.exeNkqpjidj.exeNacbfdao.exeNcihikcg.exeMnfipekh.exeMcbahlip.exeMcklgm32.exeNnolfdcn.exeNggqoj32.exeMjcgohig.exeMnapdf32.exeMcnhmm32.exeMpaifalo.exeNklfoi32.exeNqmhbpba.exeLddbqa32.exeMdiklqhm.exeNgpjnkpf.exeNjcpee32.exeNnmopdep.exeNkjjij32.exeNqiogp32.exeNnjbke32.exeNkncdifl.exeLknjmkdo.exeMaohkd32.exeMkgmcjld.exeMcpebmkb.exeLilanioo.exeMjhqjg32.exeNdidbn32.exeNdbnboqb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4376220d8a21201ab192baea040e89b0_NeikiAnalytics.exeLcbiao32.exeLilanioo.exeLddbqa32.exeLknjmkdo.exeMjcgohig.exeMdiklqhm.exeMcklgm32.exeMjeddggd.exeMnapdf32.exeMpolqa32.exeMcnhmm32.exeMgidml32.exeMjhqjg32.exeMaohkd32.exeMpaifalo.exeMcpebmkb.exeMkgmcjld.exeMnfipekh.exeMaaepd32.exeMdpalp32.exeMcbahlip.exe

description	pid	process	target process
PID 4468 wrote to memory of 932	4468	4376220d8a21201ab192baea040e89b0_NeikiAnalytics.exe	Lcbiao32.exe
PID 4468 wrote to memory of 932	4468	4376220d8a21201ab192baea040e89b0_NeikiAnalytics.exe	Lcbiao32.exe
PID 4468 wrote to memory of 932	4468	4376220d8a21201ab192baea040e89b0_NeikiAnalytics.exe	Lcbiao32.exe
PID 932 wrote to memory of 4776	932	Lcbiao32.exe	Lilanioo.exe
PID 932 wrote to memory of 4776	932	Lcbiao32.exe	Lilanioo.exe
PID 932 wrote to memory of 4776	932	Lcbiao32.exe	Lilanioo.exe
PID 4776 wrote to memory of 760	4776	Lilanioo.exe	Lddbqa32.exe
PID 4776 wrote to memory of 760	4776	Lilanioo.exe	Lddbqa32.exe
PID 4776 wrote to memory of 760	4776	Lilanioo.exe	Lddbqa32.exe
PID 760 wrote to memory of 2216	760	Lddbqa32.exe	Lknjmkdo.exe
PID 760 wrote to memory of 2216	760	Lddbqa32.exe	Lknjmkdo.exe
PID 760 wrote to memory of 2216	760	Lddbqa32.exe	Lknjmkdo.exe
PID 2216 wrote to memory of 1272	2216	Lknjmkdo.exe	Mjcgohig.exe
PID 2216 wrote to memory of 1272	2216	Lknjmkdo.exe	Mjcgohig.exe
PID 2216 wrote to memory of 1272	2216	Lknjmkdo.exe	Mjcgohig.exe
PID 1272 wrote to memory of 1920	1272	Mjcgohig.exe	Mdiklqhm.exe
PID 1272 wrote to memory of 1920	1272	Mjcgohig.exe	Mdiklqhm.exe
PID 1272 wrote to memory of 1920	1272	Mjcgohig.exe	Mdiklqhm.exe
PID 1920 wrote to memory of 1412	1920	Mdiklqhm.exe	Mcklgm32.exe
PID 1920 wrote to memory of 1412	1920	Mdiklqhm.exe	Mcklgm32.exe
PID 1920 wrote to memory of 1412	1920	Mdiklqhm.exe	Mcklgm32.exe
PID 1412 wrote to memory of 3868	1412	Mcklgm32.exe	Mjeddggd.exe
PID 1412 wrote to memory of 3868	1412	Mcklgm32.exe	Mjeddggd.exe
PID 1412 wrote to memory of 3868	1412	Mcklgm32.exe	Mjeddggd.exe
PID 3868 wrote to memory of 4236	3868	Mjeddggd.exe	Mnapdf32.exe
PID 3868 wrote to memory of 4236	3868	Mjeddggd.exe	Mnapdf32.exe
PID 3868 wrote to memory of 4236	3868	Mjeddggd.exe	Mnapdf32.exe
PID 4236 wrote to memory of 1396	4236	Mnapdf32.exe	Mpolqa32.exe
PID 4236 wrote to memory of 1396	4236	Mnapdf32.exe	Mpolqa32.exe
PID 4236 wrote to memory of 1396	4236	Mnapdf32.exe	Mpolqa32.exe
PID 1396 wrote to memory of 4308	1396	Mpolqa32.exe	Mcnhmm32.exe
PID 1396 wrote to memory of 4308	1396	Mpolqa32.exe	Mcnhmm32.exe
PID 1396 wrote to memory of 4308	1396	Mpolqa32.exe	Mcnhmm32.exe
PID 4308 wrote to memory of 3368	4308	Mcnhmm32.exe	Mgidml32.exe
PID 4308 wrote to memory of 3368	4308	Mcnhmm32.exe	Mgidml32.exe
PID 4308 wrote to memory of 3368	4308	Mcnhmm32.exe	Mgidml32.exe
PID 3368 wrote to memory of 3676	3368	Mgidml32.exe	Mjhqjg32.exe
PID 3368 wrote to memory of 3676	3368	Mgidml32.exe	Mjhqjg32.exe
PID 3368 wrote to memory of 3676	3368	Mgidml32.exe	Mjhqjg32.exe
PID 3676 wrote to memory of 1452	3676	Mjhqjg32.exe	Maohkd32.exe
PID 3676 wrote to memory of 1452	3676	Mjhqjg32.exe	Maohkd32.exe
PID 3676 wrote to memory of 1452	3676	Mjhqjg32.exe	Maohkd32.exe
PID 1452 wrote to memory of 4896	1452	Maohkd32.exe	Mpaifalo.exe
PID 1452 wrote to memory of 4896	1452	Maohkd32.exe	Mpaifalo.exe
PID 1452 wrote to memory of 4896	1452	Maohkd32.exe	Mpaifalo.exe
PID 4896 wrote to memory of 1716	4896	Mpaifalo.exe	Mcpebmkb.exe
PID 4896 wrote to memory of 1716	4896	Mpaifalo.exe	Mcpebmkb.exe
PID 4896 wrote to memory of 1716	4896	Mpaifalo.exe	Mcpebmkb.exe
PID 1716 wrote to memory of 1088	1716	Mcpebmkb.exe	Mkgmcjld.exe
PID 1716 wrote to memory of 1088	1716	Mcpebmkb.exe	Mkgmcjld.exe
PID 1716 wrote to memory of 1088	1716	Mcpebmkb.exe	Mkgmcjld.exe
PID 1088 wrote to memory of 4472	1088	Mkgmcjld.exe	Mnfipekh.exe
PID 1088 wrote to memory of 4472	1088	Mkgmcjld.exe	Mnfipekh.exe
PID 1088 wrote to memory of 4472	1088	Mkgmcjld.exe	Mnfipekh.exe
PID 4472 wrote to memory of 3344	4472	Mnfipekh.exe	Maaepd32.exe
PID 4472 wrote to memory of 3344	4472	Mnfipekh.exe	Maaepd32.exe
PID 4472 wrote to memory of 3344	4472	Mnfipekh.exe	Maaepd32.exe
PID 3344 wrote to memory of 1212	3344	Maaepd32.exe	Mdpalp32.exe
PID 3344 wrote to memory of 1212	3344	Maaepd32.exe	Mdpalp32.exe
PID 3344 wrote to memory of 1212	3344	Maaepd32.exe	Mdpalp32.exe
PID 1212 wrote to memory of 1096	1212	Mdpalp32.exe	Mcbahlip.exe
PID 1212 wrote to memory of 1096	1212	Mdpalp32.exe	Mcbahlip.exe
PID 1212 wrote to memory of 1096	1212	Mdpalp32.exe	Mcbahlip.exe
PID 1096 wrote to memory of 432	1096	Mcbahlip.exe	Nkjjij32.exe

C:\Users\Admin\AppData\Local\Temp\4376220d8a21201ab192baea040e89b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4376220d8a21201ab192baea040e89b0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:432

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1380

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1132

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4220

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3140

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3476

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4156

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2164

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4108

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:728

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4112

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3552

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:464

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4824

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:620

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3980

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1736

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2996

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4448

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
42⤵
- Executes dropped EXE
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 400
43⤵
- Program crash
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4432 -ip 4432
1⤵
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
768KB

MD5
56df3c25e00bcdcde25e6474bfd52e8c

SHA1
934c0234738b7bb3ef19d57ced6c64abaf438225

SHA256
568a4850a448fb297d46d6ef4267f77ea2cc632829816e3314a6a9c3e6fa272f

SHA512
a1e70768039aa1afcc750de597bedd7aa368860d4574fa2e857f03cbf989e1986c531d627f66d874067192cdbc4f28a1d6da7d7e603e7e00095d14e7819f99cd

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
768KB

MD5
bd8c60494502c3e4de735aedfbbb1456

SHA1
925de0d41af437a039ce08c1aefa6c2820dfd67e

SHA256
c28bf42c3f87ce56178b70f4cff52cfbb95ecd4c2603c996fda43e557e1e9988

SHA512
af89be4b4ccccefe76bc3bead5df7a09f960d8643a39f3c442b7668b2c0678d33cdcc386489978a7e4ba1e99b0146f0f728e44b4a7329ea5a21a92002c3c4ac9

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
768KB

MD5
15e2670eb1d3f1d2e33d264fd8a882c3

SHA1
142554c52c0dd2a3495aa93aed8803184fbf9aa6

SHA256
aeaa13309c32a90a3aaf79ed0ba96dd0b766437d9d604246478963a6b4e90840

SHA512
e6595a3b651376a41fce95725de5e422bfcf8352f971241350ab2f87f93041578ab2f204e7b4894e4d9599eff1b68a8123c52cc8a32d350ae207a461fa174ba1

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
768KB

MD5
542f39d38aa55bdca9d401e48b4f32de

SHA1
9fc525b2bc4200a9862d5a8a6f7fbbce0eb097db

SHA256
fb051bab6a4bc921135b5c3c6c9a288698f1d36435ab96e2a085a43cc71645c4

SHA512
469f769d5311ab7342310ec1f7d71b302f72f780bfd854efbe89d88a403996e61edb921fb87c4a8494c2397ba3f0ad6d1bc09cde3248c277283efb9e4a59b949

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
768KB

MD5
abc6ec6a54a6795592456c4712088d3d

SHA1
7eee99725271498744e18778b0aac46917268eae

SHA256
83acca12db880fe7bb0c0b673c657961264b171d540e749d1eca9a80f8d5d168

SHA512
90de0e383f172e92d45a145c475621fcfb2ad5d8257f929df0ff21660a56fa0b6f70acad26625a9bce5766304c1a79205edaca7e3b1b7a6cca41f815f9fb9e18

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
768KB

MD5
4022fb7e55d61b1d486bcd4ce412c21c

SHA1
aa9383d1c830cb525df994d2bad8c54efb9d6a38

SHA256
d50a1013e4b36bfeff50db2dfbd281850cb370bc55574ef103592ee4a65319dc

SHA512
62c6d32deb37ab87670733e6f0fd4d042b29391c753f6e30e3a772a9d97e782d97d0b7697f132708af340d73f579535fdcc919fd2fe6bb022d4cae3d194fb20f

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
768KB

MD5
9e9e2c6a58ccde557e0e6ccf355c0e50

SHA1
5ac3d74a9b6fdb1894262a7e6dcbba5ee98e42e2

SHA256
8323387282e266019b28c0f766c46a41789bc4b870ea263ef877b7399555df53

SHA512
5a189d315b0b09e3fdf6974b320bcbab37a157ef2985a5e1354adc7c8dbe91295dcd471b3118467e2941af28af7bb098fbe6525f0a997a186ea1e8ac0950b43f

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
768KB

MD5
9b51c46589ef8afa55a928775fdab3ed

SHA1
51429efd3f6fc71a60e7b8bb79f507a9ddc6e249

SHA256
9782aafe51419dd7e6cc59a528a6c733b84a8a2a0eca12171239489cdc13f091

SHA512
cfbd0f7a562830487a95507c76b01a11cfff92db826d0c44c3a577c1f969a29f02e8f618cd5040516686058453dfc178afa09ac0931618284a569d4c7d66625c

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
768KB

MD5
8273545400a022a90b00dac9ca090900

SHA1
b5c2b1eeb27f1a37cc32c2ac2e442adb973cdfef

SHA256
805be6c7c15c3f0aca01f001351b4d4686c31f52bb850954b1816782ca65619e

SHA512
3006e6db7313701aae3f385317f460a17f45b90a2713b91e340bff6cdb7b0ea6effb6e96c76c8f84d05ff50d44d94b68ba761cba85c23085dd382806e0642bb2

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
768KB

MD5
8387f8d0cd6d935fa01c8325518d37f4

SHA1
99f93f62d6282aedf941d5693f870e7cda9fd3bb

SHA256
934cfbf5c0b279561e02308538b08a9deaa684333b33d9bbcae3edf503006d77

SHA512
8a0f42128cb3b9faae93693d7b202b6981298f2319a3370aa73b675a3e25aea018b26387e88480d0051d05eabece97f3a34fedde671ca60c63548a1a5c666762

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
768KB

MD5
a9d31e1e7124bcaae7ab8bae6187c7fc

SHA1
5a72af74bc726482c89330afd29da9df04bbb973

SHA256
1dee477e590db44e8ef0d201889126193f876ec0aba4a8d9271386af41a3e6f4

SHA512
df0d022a6991c42fd6792c8ed9d6a30365268c8d1e0cf8339a6ae400862d4b779b2ae5afe3263534724b771fa4dee70faa5067a308c0eda23c7a134970cf5c3e

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
768KB

MD5
e5dba6ee8ecaeef263fc303076974fbc

SHA1
64e03dfdb721e3a69a7ea790a1096d1e5ab72256

SHA256
7391fdee2b6ecdfb255680e368d0101134e4145cf9f8fbca182b41aa65099f9d

SHA512
3306cd52f1159c4d8cb7b14f627459de9c30349026219e2cf2a54081ee00ead6abd33bb439019289e8e86c02df2de64b5fd3d675b7059cd94ca66239f955b9ad

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
768KB

MD5
d949dbab71820c7a870babda7ebdea9d

SHA1
689fe5ee65cebee5643c97f5722d7ebdcb2ac200

SHA256
2e1dcaa97cd0a9604b20039dcfe856781d430c36697459b8dece6ff18b1074f5

SHA512
4f1250bf2f30db650a2bfb03942dc1565e893f7a07030ae18381e61490b239d034d808f452247850f708880a528bc6d243912015ef6b494c29e9160a78ba0ae6

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
768KB

MD5
9af8bb841ba002463c9c226799d143b0

SHA1
50bdbe0761f120f1c450b1c409bd93b85d043b4f

SHA256
bb211da10547fb93c1d74c721cc5cfd8021cf4c24d27fdc99d4d9fa4ddf42c5b

SHA512
fccef3adcd71e6c83f8dcb1fa713e384722c90679626da6c262086e19886ae850b38fe7d0992f05bd4e1e2aebcbba7321b626f9529666d088bc637492444bcdc

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
768KB

MD5
3fa1a6fcebd3c77ab92c02a8aaf7e854

SHA1
1c507136ff97a146ab54d1794ddbc8557341f06c

SHA256
67c76aa2e1258ad9322b3c2d093ddbea08933cd994f6a177bf9e9a03d585babb

SHA512
79201ed8526525b3916354015d3cb387d917b57409e888872dc480139a70f7903a3f769371b6722161ee03a0b55917865fb4a16d97fb41657bbf69171dffb908

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
768KB

MD5
d30021c6553401e18835c2f7153e6679

SHA1
9a9fca28337c59d92a156bf860c1957beee9053d

SHA256
7fa32b4c9597f42ce52cb75f13f67db06f1154d169d0de1922f8e0e388683aa6

SHA512
ec24278aaf79e9608cc168da8292d3a4d6b86c8411fae5b3f8fb29153ce9c7364a8c3348395c386357f9c9c5527836c8fb96afb1b887cdd2205316e4b6c0dc9b

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
768KB

MD5
b26d0343dacb26682144e6cd695fc5a1

SHA1
95c3782e8c8c62a8af396bd520812942cdec10e9

SHA256
4864b1f320fe9a20eab9aefa3e63459d9450a95f02390d0327896a89296e08f6

SHA512
eb80cca118ef11ad0a9ba81e4c67cfdd5c9f3990e3a1a47559e92b8a3d851e9926039196d119c819bf751fe50b383dcf3bdd188d64dc4f69774a0a62a19842d2

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
768KB

MD5
1f2ea8a91b739fc535d5fe370a180001

SHA1
6619acf222af248833fd6343b152b67674430115

SHA256
a547a62f7393be8a512bb42e81fbdc5a997f990f2958f80b50e342f109019a4e

SHA512
dce1d66accdf4198ef6eaca591a613d58ff9be3d87868cc66e9537435445af7617df4e9425a8c05ee39dd9e32697eaf4938705502f07df6e3cff8ba5990f0703

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
768KB

MD5
859dd0f01f0e851f1954e6631ff05cf7

SHA1
9196de459f863596171dfc3e131dda3f3e62caf7

SHA256
61e2cf6f0752ec9aa555fb997d0ede2484cdba8fcadd8bc040bce75be92d530f

SHA512
2a33e887dc41759f7e1b92bdfe7884d8cc483768decd1d50e94c980224c9e3e3ec8b587092cf051df165abe8b1da909b15a5ae5ba327d7d2fe73e43196a1a603

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
768KB

MD5
83cb907614b37a31a4e4ea9db25f22b8

SHA1
e4be5652a2d60681b2815a10ed4455911f5ea13e

SHA256
330986b0fd8847bf06cb6b0231f296b6fc38fed718ec17a07224647efdfd505c

SHA512
9e820abbc5420e9e8547b50158b6f6f2ab7267d0ef4bd97f534c29fb12747767e303a954f9ec8e8cb46524b5fd7423734b7e6f42bfa7d03a4b9f4e6ca195e130

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
768KB

MD5
5c28bb2ef390face4ba89a0b30329b67

SHA1
bf8e68fa2a186a578fe82a3eb009b853216b851b

SHA256
82cee350d734d5d8d8a039bd05b89e460a88a52122364fb17aa24577ae3e7464

SHA512
b627e04ae3e8ca13ecd97721abbe46ce8b84392dec21bc514b9f62c27b8c27eb233b2aa014b2614b44ef39644d133146ea342f830969f618ddccd437233ceab4

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
768KB

MD5
3540c297b92bd7a9ce7618d503a757fd

SHA1
3843656b5323fa42b5f1d882d99c3554f006f573

SHA256
1e3492c3bc6a3526411040a75c439e20282645633211905005aca023ee5485dc

SHA512
22a7b0f1f06b20891a4a59c40091076f5a0e0dc4d82bc58fa75ded278157b419effbff123f915935410e67631bc68793d12ae3c125ff793c3a9be8e7d9fe140a

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
768KB

MD5
572c44c38cfab2f113588420142cc871

SHA1
dab67877d5abb40c5ba72a027ad59301aa9b4108

SHA256
e36e4766577e0f47e9ce0ce42be5120f7d9ad3d306fdade40b5f60ce71ac75cc

SHA512
45a5d7da34414c10e8c56e6719e7f75bb7efe35bd626fcca7347353f0d4784d465041cddf91b90289e6cbed96905be2b1bdc11a136a7816fb0ef8bf9f7c50c57

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
768KB

MD5
37f694128eaaa001f2e92a90259adcac

SHA1
fbf5c6fcddb5dcecdfea242daca87ab347dda4de

SHA256
8211fd37485b2a8587410c1109fa032afb0dda81d162b8e4e53490c1383d9fde

SHA512
e7caf8771de063116a57204effa30f7904748e379c74e3bc3a3cf4b0e3012cf2c34f152f74d03f23bb4006a0b26c5f54a9e50b951dd278556f7a4a9836c91380

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
768KB

MD5
def0ebb9426df262952bbffd7c64ae0f

SHA1
8b8a9f2928c3c8d6b545ce69906e44d46ccf4612

SHA256
1a4accc34627b39b5a8ab553c5fb868cfec980992dd43723323050b19ba09c98

SHA512
7881a68df9f31e7a5e5518557370f41c1fd0fd6858b8be21d97310a43b17d65eeb0430ea29ab79e24699e1c9e1609f2a7337a370880cc2df7434568e24701802

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
768KB

MD5
478109e69031756b208043e1fc259dbc

SHA1
af9fd36837d2a0733e245e8e1d3b08afd9b44b09

SHA256
e877ecdf26194372748814399527c006c4b1aa9f75212eb08904ddf4fe74506c

SHA512
dd8cbf9c236102500fcdae0c34ca982032e5c83cc93aaa5bf35e213a39e622ffc3d2200895e17368bcbed273376f9ec80460df925b305e0120352b5ed5fcccd8

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
768KB

MD5
9bc41952352f79595f3c1ef4fb3c09df

SHA1
886f0864ef805b233452fe1740dc23a16568c42f

SHA256
4798912bd747bfb9ec4e4737ee62347a31428fa54cc3bab6b69ef08c64054b7a

SHA512
73f557edbcb34f68c7b279811a2da2e88d4299463b4b7f185c7f1d7a1748e5a70c3818b5713ba1c26e0b6e8ffeb08b1f2b145bdde899c55508cc25d6b3eeaffd

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
768KB

MD5
c25362e65932a954032b5a3e2c19c522

SHA1
f8e5386c814a5534947b6b16ba5eb82a8f8d92b2

SHA256
31c18569f59083ef426615cbee09d15b9f2dbf0bbf6d67f1e3b8248fa4b0cbc1

SHA512
541a9fac01692cde450b8b821ad3d0c888cbaa251ed5954a4b919f49ef9c197da03113c7a8789831ab1fde9cc8d1accd48f43f5c077f7d6eba482f3de3d60874

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
768KB

MD5
e24ffc7aa59e00dc34328dc88bc60c1f

SHA1
9dea0c0e3ad21ea9773cd23b9118f48ed067544f

SHA256
87c548cf3d48a5ccb1d6ce990e6a02efd22ee2a4e37939f0cae7e52b26a6b22c

SHA512
6eae6c473ad25b79c422bb5b2b497fbcec8f16dc06a65fcddcfa1cd6fd08593b8724bac46aed6dd10436186b8b24ee87357233ad74bf10eb79af5aed3e8a0759

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
768KB

MD5
f879c257b9e05782703cccbe50f08cc7

SHA1
f83fd2415c56eaffc3f8241ba08769a62a1eb119

SHA256
f346d8ee4e4a3898e828228891afb532b96deb04d54f3f7d5e56e4620649b7ac

SHA512
f9cd3ec067c10711fa98681f28b80d6ecbb857094550d0c6476057aaf8cb06c9b1931c1a0c2e9b376c534384a16a77478568e0d586121f7fab1a77d742bea4bd

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
768KB

MD5
3f6a423eb06a187e88836b75af4bf5f9

SHA1
aa9067e56a8bf3e16eab0be72ace8bfd296a2aa9

SHA256
86949dd0022e55047fb54d331c8717a2809fb76085f23e90bdf0f04c83085dac

SHA512
8f07f049f9a1f3e1d9534aa6c93ab7bc92e568f40a343c63da5c8926a7e0a4a293e84eb8b87fc4472c07da7cf3822b072fb676afab3e9d37ec1311814cbe0b86

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
768KB

MD5
6e7efd8cae2efcbd178aa1b6a11bc554

SHA1
8e1d20cf62121142259ea28bf13c02824a69cbc8

SHA256
d4f7568b69409dec44ef6cf84834d1b6e12e821f27a2c3f513084ef300228480

SHA512
0330ab5a9399e7d216cac4ef16bbabd87331ce6b44ef6d05720495e35ae1b65383664949fc264432b9911891250023be0ba8977060ee43f758527a3a8b0cb92a

Download Submit
memory/432-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/728-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4472-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download