b8f88c84657a05e7bb99c1fa0038b1dc2f516f57e69d6f6012bab77eb8b39ba2

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe
Size

163KB
MD5

d37cb66a46d1a39651f71053d9e0da70
SHA1

8ac3283b53e9712127695709ee9a50249faf1bcd
SHA256

b8f88c84657a05e7bb99c1fa0038b1dc2f516f57e69d6f6012bab77eb8b39ba2
SHA512

71e84880ec23408b7ec8eecf59f6738cfbfa3f65d8bcbed6aff6600703dee69f334068231bbad5dfc54652fe6e0c07ff45fe6b6ecf6c27ee8175b023219a4732
SSDEEP

1536:PNkLkUrpjRZd6weru5HvgCYbXs1lNilProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:lkLksl+FK4elEltOrWKDBr+yJb

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exeLiggbi32.exeLdohebqh.exeNgcgcjnc.exeLpappc32.exeMahbje32.exeMpaifalo.exeMkgmcjld.exeNjljefql.exeNjcpee32.exeLgpagm32.exeLjnnch32.exeMgekbljc.exeNnjbke32.exeNbhkac32.exeNcihikcg.exeLpcmec32.exeMdiklqhm.exeNdidbn32.exeLaciofpa.exeMkbchk32.exeMcpebmkb.exeNklfoi32.exeLknjmkdo.exeNdbnboqb.exeLkiqbl32.exeMjhqjg32.exeNddkgonp.exeMdkhapfj.exeMpdelajl.exeLijdhiaa.exeMajopeii.exeMamleegg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe

Executes dropped EXE 34 IoCs

Processes:

Liggbi32.exeLpappc32.exeLijdhiaa.exeLpcmec32.exeLdohebqh.exeLkiqbl32.exeLaciofpa.exeLgpagm32.exeLjnnch32.exeLknjmkdo.exeMahbje32.exeMgekbljc.exeMajopeii.exeMdiklqhm.exeMkbchk32.exeMamleegg.exeMdkhapfj.exeMjhqjg32.exeMpaifalo.exeMcpebmkb.exeMkgmcjld.exeMpdelajl.exeMgnnhk32.exeNjljefql.exeNdbnboqb.exeNklfoi32.exeNnjbke32.exeNddkgonp.exeNgcgcjnc.exeNbhkac32.exeNcihikcg.exeNjcpee32.exeNdidbn32.exeNkcmohbg.exe

pid	process
3860	Liggbi32.exe
1156	Lpappc32.exe
764	Lijdhiaa.exe
1552	Lpcmec32.exe
3540	Ldohebqh.exe
3152	Lkiqbl32.exe
1624	Laciofpa.exe
1512	Lgpagm32.exe
4324	Ljnnch32.exe
2272	Lknjmkdo.exe
2240	Mahbje32.exe
1072	Mgekbljc.exe
2988	Majopeii.exe
3236	Mdiklqhm.exe
4572	Mkbchk32.exe
2708	Mamleegg.exe
4160	Mdkhapfj.exe
1756	Mjhqjg32.exe
216	Mpaifalo.exe
2164	Mcpebmkb.exe
2644	Mkgmcjld.exe
4792	Mpdelajl.exe
3208	Mgnnhk32.exe
2816	Njljefql.exe
4288	Ndbnboqb.exe
3740	Nklfoi32.exe
984	Nnjbke32.exe
1124	Nddkgonp.exe
5048	Ngcgcjnc.exe
4084	Nbhkac32.exe
660	Ncihikcg.exe
2044	Njcpee32.exe
4448	Ndidbn32.exe
1860	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Mamleegg.exeMdkhapfj.exeNcihikcg.exeNddkgonp.exeNjcpee32.exeLpcmec32.exeLdohebqh.exeMkbchk32.exeMjhqjg32.exeLijdhiaa.exeMajopeii.exeLiggbi32.exeLjnnch32.exeNjljefql.exeNklfoi32.exeMpaifalo.exeNgcgcjnc.exeNbhkac32.exeLaciofpa.exeLknjmkdo.exeMpdelajl.exeMcpebmkb.exeLpappc32.exeMgekbljc.exeNdbnboqb.exeNdidbn32.exed37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exeLkiqbl32.exeMkgmcjld.exeMahbje32.exeMgnnhk32.exeMdiklqhm.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2304 1860 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
2304	1860	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Ndbnboqb.exeNgcgcjnc.exeLiggbi32.exeLpcmec32.exeMajopeii.exeMdkhapfj.exed37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exeNnjbke32.exeNcihikcg.exeNjcpee32.exeLknjmkdo.exeMcpebmkb.exeNklfoi32.exeMdiklqhm.exeMamleegg.exeLijdhiaa.exeNbhkac32.exeMpaifalo.exeMgnnhk32.exeNddkgonp.exeLpappc32.exeLgpagm32.exeMahbje32.exeMkbchk32.exeMgekbljc.exeNdidbn32.exeMkgmcjld.exeNjljefql.exeLjnnch32.exeLkiqbl32.exeLdohebqh.exeMjhqjg32.exeMpdelajl.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exeLiggbi32.exeLpappc32.exeLijdhiaa.exeLpcmec32.exeLdohebqh.exeLkiqbl32.exeLaciofpa.exeLgpagm32.exeLjnnch32.exeLknjmkdo.exeMahbje32.exeMgekbljc.exeMajopeii.exeMdiklqhm.exeMkbchk32.exeMamleegg.exeMdkhapfj.exeMjhqjg32.exeMpaifalo.exeMcpebmkb.exeMkgmcjld.exe

description	pid	process	target process
PID 4556 wrote to memory of 3860	4556	d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe	Liggbi32.exe
PID 4556 wrote to memory of 3860	4556	d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe	Liggbi32.exe
PID 4556 wrote to memory of 3860	4556	d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe	Liggbi32.exe
PID 3860 wrote to memory of 1156	3860	Liggbi32.exe	Lpappc32.exe
PID 3860 wrote to memory of 1156	3860	Liggbi32.exe	Lpappc32.exe
PID 3860 wrote to memory of 1156	3860	Liggbi32.exe	Lpappc32.exe
PID 1156 wrote to memory of 764	1156	Lpappc32.exe	Lijdhiaa.exe
PID 1156 wrote to memory of 764	1156	Lpappc32.exe	Lijdhiaa.exe
PID 1156 wrote to memory of 764	1156	Lpappc32.exe	Lijdhiaa.exe
PID 764 wrote to memory of 1552	764	Lijdhiaa.exe	Lpcmec32.exe
PID 764 wrote to memory of 1552	764	Lijdhiaa.exe	Lpcmec32.exe
PID 764 wrote to memory of 1552	764	Lijdhiaa.exe	Lpcmec32.exe
PID 1552 wrote to memory of 3540	1552	Lpcmec32.exe	Ldohebqh.exe
PID 1552 wrote to memory of 3540	1552	Lpcmec32.exe	Ldohebqh.exe
PID 1552 wrote to memory of 3540	1552	Lpcmec32.exe	Ldohebqh.exe
PID 3540 wrote to memory of 3152	3540	Ldohebqh.exe	Lkiqbl32.exe
PID 3540 wrote to memory of 3152	3540	Ldohebqh.exe	Lkiqbl32.exe
PID 3540 wrote to memory of 3152	3540	Ldohebqh.exe	Lkiqbl32.exe
PID 3152 wrote to memory of 1624	3152	Lkiqbl32.exe	Laciofpa.exe
PID 3152 wrote to memory of 1624	3152	Lkiqbl32.exe	Laciofpa.exe
PID 3152 wrote to memory of 1624	3152	Lkiqbl32.exe	Laciofpa.exe
PID 1624 wrote to memory of 1512	1624	Laciofpa.exe	Lgpagm32.exe
PID 1624 wrote to memory of 1512	1624	Laciofpa.exe	Lgpagm32.exe
PID 1624 wrote to memory of 1512	1624	Laciofpa.exe	Lgpagm32.exe
PID 1512 wrote to memory of 4324	1512	Lgpagm32.exe	Ljnnch32.exe
PID 1512 wrote to memory of 4324	1512	Lgpagm32.exe	Ljnnch32.exe
PID 1512 wrote to memory of 4324	1512	Lgpagm32.exe	Ljnnch32.exe
PID 4324 wrote to memory of 2272	4324	Ljnnch32.exe	Lknjmkdo.exe
PID 4324 wrote to memory of 2272	4324	Ljnnch32.exe	Lknjmkdo.exe
PID 4324 wrote to memory of 2272	4324	Ljnnch32.exe	Lknjmkdo.exe
PID 2272 wrote to memory of 2240	2272	Lknjmkdo.exe	Mahbje32.exe
PID 2272 wrote to memory of 2240	2272	Lknjmkdo.exe	Mahbje32.exe
PID 2272 wrote to memory of 2240	2272	Lknjmkdo.exe	Mahbje32.exe
PID 2240 wrote to memory of 1072	2240	Mahbje32.exe	Mgekbljc.exe
PID 2240 wrote to memory of 1072	2240	Mahbje32.exe	Mgekbljc.exe
PID 2240 wrote to memory of 1072	2240	Mahbje32.exe	Mgekbljc.exe
PID 1072 wrote to memory of 2988	1072	Mgekbljc.exe	Majopeii.exe
PID 1072 wrote to memory of 2988	1072	Mgekbljc.exe	Majopeii.exe
PID 1072 wrote to memory of 2988	1072	Mgekbljc.exe	Majopeii.exe
PID 2988 wrote to memory of 3236	2988	Majopeii.exe	Mdiklqhm.exe
PID 2988 wrote to memory of 3236	2988	Majopeii.exe	Mdiklqhm.exe
PID 2988 wrote to memory of 3236	2988	Majopeii.exe	Mdiklqhm.exe
PID 3236 wrote to memory of 4572	3236	Mdiklqhm.exe	Mkbchk32.exe
PID 3236 wrote to memory of 4572	3236	Mdiklqhm.exe	Mkbchk32.exe
PID 3236 wrote to memory of 4572	3236	Mdiklqhm.exe	Mkbchk32.exe
PID 4572 wrote to memory of 2708	4572	Mkbchk32.exe	Mamleegg.exe
PID 4572 wrote to memory of 2708	4572	Mkbchk32.exe	Mamleegg.exe
PID 4572 wrote to memory of 2708	4572	Mkbchk32.exe	Mamleegg.exe
PID 2708 wrote to memory of 4160	2708	Mamleegg.exe	Mdkhapfj.exe
PID 2708 wrote to memory of 4160	2708	Mamleegg.exe	Mdkhapfj.exe
PID 2708 wrote to memory of 4160	2708	Mamleegg.exe	Mdkhapfj.exe
PID 4160 wrote to memory of 1756	4160	Mdkhapfj.exe	Mjhqjg32.exe
PID 4160 wrote to memory of 1756	4160	Mdkhapfj.exe	Mjhqjg32.exe
PID 4160 wrote to memory of 1756	4160	Mdkhapfj.exe	Mjhqjg32.exe
PID 1756 wrote to memory of 216	1756	Mjhqjg32.exe	Mpaifalo.exe
PID 1756 wrote to memory of 216	1756	Mjhqjg32.exe	Mpaifalo.exe
PID 1756 wrote to memory of 216	1756	Mjhqjg32.exe	Mpaifalo.exe
PID 216 wrote to memory of 2164	216	Mpaifalo.exe	Mcpebmkb.exe
PID 216 wrote to memory of 2164	216	Mpaifalo.exe	Mcpebmkb.exe
PID 216 wrote to memory of 2164	216	Mpaifalo.exe	Mcpebmkb.exe
PID 2164 wrote to memory of 2644	2164	Mcpebmkb.exe	Mkgmcjld.exe
PID 2164 wrote to memory of 2644	2164	Mcpebmkb.exe	Mkgmcjld.exe
PID 2164 wrote to memory of 2644	2164	Mcpebmkb.exe	Mkgmcjld.exe
PID 2644 wrote to memory of 4792	2644	Mkgmcjld.exe	Mpdelajl.exe

C:\Users\Admin\AppData\Local\Temp\d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d37cb66a46d1a39651f71053d9e0da70_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4792

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3208

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2816

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4288

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3740

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:984

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1124

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5048

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4084

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:660

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2044

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4448

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
35⤵
- Executes dropped EXE
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 400
36⤵
- Program crash
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1860 -ip 1860
1⤵
PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laciofpa.exe

Filesize
163KB

MD5
7a43c0fff144a7d292816c96590fe91e

SHA1
d6ae66da1c21b6efe506124e37e31f97a1523439

SHA256
8acd5842ea99e38608c7bebff3b8f5d2594807c0a6988b4242990c224be3ba01

SHA512
a44a6ea78962eff3d09f9756bf866a062e27c242a353f84f1074c17bfba7ce0f9d2c8d04f3014b89af96275d9920b5162ea3b1f806a4f993bef7adbeeb793b9c

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
163KB

MD5
20d2bab0d2f8cd4cef8bca1a8a417045

SHA1
5114212e7dd3aa71aa2f91718710248f05e29077

SHA256
433a2c785a5025f52f56bbf097282f79afcebbf890a002d1f8b01d5af3eeee73

SHA512
3685cffaa8ffc8b82ebcc53fab46252745614482e497067730786dac4cc1a0118d2e212f4ea10dddf45a1e6ef802ebd48f2fe87fc5b6665d8c99d8c957ab9db6

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
163KB

MD5
40c946b3e88363c3f565b569f8ef9bb0

SHA1
221afd00de96e6e3b3f060120cd93caf46aed557

SHA256
940d4a30a6b58b54a22a44e8e264e1cb13d4dd7e2c13589eba539a4f2b165972

SHA512
058c2ef8d56d84ea32ade8b15657d716c378c49302d6605cddef690ffbfb871958d60bcf11a2b97db66ba3f3f65693feff121a84679c25abd14517d299555c8d

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
163KB

MD5
27e540dcf1f36c53a268caa94debcc5c

SHA1
71e8f40a364d3b7a749e0dc183b08fda4985836d

SHA256
659cfa24a5e36524dfe959051f5fa476ce01f9660d3e97325afe724732a742e7

SHA512
4d5b2f3b5661940ec0ad7bec040c178003a4e2ac5be3ae04ef4780141b32b38853cc4dbbaf2e603f32201ab375ac3c7e85a374b87cfdefd559862c02715263bc

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
163KB

MD5
e9ce11ef967109f89c53a709a4cc9e00

SHA1
bca90a0f5ef0c69a5e047b4a299997f582ed3f51

SHA256
6c173ee22269113c11429c1e0c5f4743c87f91fb51e445c467ea49a7ca94c7fb

SHA512
61d57eeb4ec7f8526cdc831605702cf1425eaa864dc002af88e59e29e5d6c77ea5ebfffabec89c3d67643412f489781639d14e15a71dee56b6dc2c8f39a9cd43

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
163KB

MD5
18b8ffc04e6c2036c60b5dd66d781de2

SHA1
47f12efd26872325bb7a1951e1a2bb756e951e95

SHA256
16367ee5a81829dd76ba1a71b95657c4472ef5c992f5ae35c3fd7e6ce427445b

SHA512
bb3be53148ce9bbbe93914f49feab8ebef62601cb807a443d5679b44166ffd27e50f01b100213e83a8f035b4cc469a327d5024d0cf5e097fbed8ecb237aeddc8

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
163KB

MD5
77a5c262f91472b12ceffca41d14e00c

SHA1
90b06686c81ffd268bbd9ef8224933f46253901f

SHA256
c44b2ab2071056a74f74827536588ac28f712fa09d5898fe9ee6e9f670af5394

SHA512
0b15b4577ab3c6cc734c9fe56ef381208091f98265c9db28b9efbb9859ce67498cb5e58c65b835a55fe8ba59d5cc9834ec0303c74369ba795bd9b4a08ea1cd13

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
163KB

MD5
38d46d34ffd52a2b76531485352db380

SHA1
8cec8debce8702f977880efe42bce4c4a5b1de2f

SHA256
f355e9a0ca67316a02556b68db9d7d5400f1b99e15b3f7a198547260ff75a314

SHA512
eaf323990b060168c6b3c568a17dd42c6a8370266876e5d70a948139492ef72f354945c954a856440b7a97e2e2141e7dc1d5857431b50a27cd05773220ff858b

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
163KB

MD5
1aceb3400e285bd61198f16e5742054d

SHA1
e6dc17b87fee89dfc83c7df18cc9091514aad320

SHA256
2f53cad4e988b7ed8e25d9fe82ce56e8b128a88546655b2752805863b7fea296

SHA512
9631881d50d671904df7ae85d4e1405bebce83fc15ba77ede20d816a8ce1c19d6c3eceeb1804300542c41f9398d84f6247ec36f3b75fdd13ef53fa4b086116d6

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
163KB

MD5
26a611de47eebaddc892ec95d2b87194

SHA1
2b05b57d34c0e7389b270659f19280adda37e32d

SHA256
5bed1ab64d7e364fe2786199157d96f9f63f5b412ed096fed73e464502bf0d01

SHA512
56f274e3b0b7d06684da0760fa4e0e59b05b7f520129246745bfdd45cbfabbe66449b8e5b91677c829de760b627f5777d4edab20481b76bf7d8f2b4a1ad6e2ea

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
163KB

MD5
48749013b7dc2fca5a5dc58d03113c1d

SHA1
08fb923131393058dc9619d761cba2249b45632d

SHA256
ba59eeeaaefcef10d77b8b26653255954471219ba5c4b3381343986cf8291592

SHA512
33d876bd8e83d4f10c8e27233b6bde614a6bb5c0a1a5a4a6a7a7f61cf36cfb91e4ac4d3bb1d9df73b555281bee4649780e04a0623853b769067c6d5cd4708e34

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
163KB

MD5
4f1a45a0e1fb7cbe7e85f11c72ab51ae

SHA1
f173adb71e8ed6f4a13cfdf80bf3821e3ee8ec53

SHA256
6f5beda0b1737541a85ecf0f6ba32f95fcad873b2e1d2e21318846c5417dd1ad

SHA512
b18a75f39dd177675777b5ec33f2f37f67826918d7c3088fac5604fcda8dd844c99b66bf67ac9eec77de0842adf9eaf7b30c6dbdb9ed80ede07e613ad1b74f5a

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
163KB

MD5
cea39e7efcd072cf441748c1804acd15

SHA1
8edc7ef04be3b6fdf6120d506048f9810f39b8a8

SHA256
61d27b7229049f7fc444138cd4d9c13236a241bf7abe2326d832eb9c9c1aaae4

SHA512
08718e4c7f46817c5912cdd332dfed1ea1e937f93a4b9ee36fb7313aa842fd98efad7a3bcae780db633158822f96cbd255edbb243a47c6810cccaf1037f83634

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
163KB

MD5
465c2e59c1b7321f68e097d8f0007199

SHA1
50d42d2abacd693666b4fe12f8744eb84d4c48f3

SHA256
dabe486023009e417ac64de54d144cfc404f510bbe7a2f6ac282bfd06a8daab5

SHA512
a0f40394727ead709e0e4d34b35370eeb680f11b08aa1cac127d9def43c6087072a6043fd06994607af239853e1ef776043a234e387d06bc341e2a02f702d351

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
163KB

MD5
f327cb1be3d3432a61a79ea79265dde8

SHA1
74aa41d7420e1b58fb2d4be53fda033c1bbc76f7

SHA256
7cfb91b2d431fa5cc468e43c1199d77b97e4a57e234114c405b6fe48ea1cf866

SHA512
eb9521487836dc1a0d021b68d89a9c660fb565ad56a69eb85107e985cdff8e1879419d1c4aa863a0cf0a38eaaf950facc2627ed1fa544c93e096cd9d546b9181

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
163KB

MD5
8b9fe54a773a439dcdde09c15a1905f9

SHA1
82d02711113ca823a41d36db2d0e6f679f1d9425

SHA256
344f071ba7dc76cca44c4aebde5ce9894f64551fb2356972807c85dfe694cfab

SHA512
0d0b015ad084d900d7e0907fec4655f8d0e2d9e96435851a824186aea7cfaa944668636e7b131dc87ca3d2cda9d5fa69ce144d7ed87011c169848036848d4176

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
163KB

MD5
f40cac85f22fb26147870a79b6a542ec

SHA1
c3e9943fa9ef4a8a259e6c347e7678be16f06ed3

SHA256
65ae8af0fb774a9f0af96800be040785f094a7bbcce301159ef10bb826b1cfcb

SHA512
c827bdedc6fd8124536370732d94d13308592c3bbbd92b17ead025b47d67676f77dc1544a8f887eb124ab585a3667968f1258b72238160a57ec436283c49bfe0

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
163KB

MD5
6b9b2e879d74bc71a05905e6b0ab51e5

SHA1
20b9625ffc2fdb477827b3c1f999bc3f3e3eae89

SHA256
2184343ca89497eb9af1d502d790846a713ab6f72ac5af865087a7fbb720186e

SHA512
2e63cd5a4078ff72a30af5dca6e5eec2e79c60f2803ed2ef52a8084a0390bfc0f453990a0377b9fa42fd39b10504fccd0283ee929eb968b3106acf74403362ea

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
163KB

MD5
1629cc8207f482076fe36879c6d2432c

SHA1
2a1800a37236761d27e2b45706cea4da5623987e

SHA256
8c8c6b5ce3581eb18d973bebdb0efae196e96c3d0f928b6e52f737281c82cbe9

SHA512
c06920aac9f76dfb7de0235151da061ef1ffa12409800847d9d0e00424f97c38848946c5a347bae89a0e2623715c72eab28c6c3599bfe7a476820a5223412b9a

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
163KB

MD5
a41e5fd376228113510e88c2f45ecfd4

SHA1
0092051d85109696f3515aa1193dc3327004abfd

SHA256
a596a28aef0385faba53427daf4a286f84499c3ddf15249dd71cc1c11783c468

SHA512
258e1433568ec5a262bcce5a37d5c6fdf61c1db562a12fc3fdf6f35edd7fc84753c4459e0bf8909d3890bf35e6873c68a400431fade6ff5d6e24a000ebf6c0c5

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
163KB

MD5
45786b0a6d25d11102e0aea60822282c

SHA1
7c611804aeb3b5c9b63e70b7b294d070dacb7e50

SHA256
d257843bc1281c6dae3f0159525239f7ba5af7410f1e944d6b5edb45dba791a6

SHA512
9e0214346c62cd1bfb422ae28f8ca060b0c4adbebe76af0ca59e4e2c9178bb6afe2119307c6570e06304c0af60cef10a97501a05b611d94a6f2f136cca9a5ba3

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
163KB

MD5
d1501b0f69efccb2c4f751ca80b87c16

SHA1
be4eb5d085edf139e06617fc8e8534f88fc9bf09

SHA256
358c08893f027bed48a48061e0cea6bb22d64e41e4757355e363f0bf0452ffe1

SHA512
874fc35070d5d356fd86f15b495605eb0d7e20bb00b1c723bed18fee77ff27cf7dce848d858662d3faef28e7b23dd8f2467898f7b16fc46ea2ade26c573bd856

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
163KB

MD5
e9b3d5ad54c4cc95e0d9f361eb5f868c

SHA1
033ed9d07a504ed8f793c30f6ecfb9019c13df13

SHA256
38e60f6b477d8e8e14d97ac7b80f48f2e3d703e1a2faea7bdddd7d3f61955939

SHA512
5d10208cbe4be74c83c8baa937eb85c9970639918b2dbb03ec1b41e1c841d39ecebc407b9a3fe2f33f56a61310de296b48e5ab06b58700dfe186b310724b1b08

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
163KB

MD5
8334a2a5c5404bc27cb041f26f894e48

SHA1
28c24f0b540ddb02081704890899bc705e05998b

SHA256
255ec5070253343dfdf63eff5c346e068e72ce09bb083fecc44be31b0600a726

SHA512
3b2b108740954d930e34cb5d982e56ebd244cd1b147939c291eafc46d8eff24359a8866c078d9b0887f6b2184847576dd08b43a2ca5319132515f908393ce1bb

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
163KB

MD5
c5c02cf79fc1b04a5b709aaa112eb797

SHA1
f51930d4a9e7e0c84165c1b474f44c109050c1aa

SHA256
daf12baceb4cb47a95e8ee6f92a4355d0369210b8350f8bf145c05debbe43784

SHA512
3d53e859db207dce1dd862902abef8c9b1b14306caeb04d9aa2263faf259e9f7935c06c71ca0e7e09a119a61ddf7e85928aab4a505e2b94e9128fe0d85bb26b9

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
163KB

MD5
58627a239b59b2cc21c29500e152167c

SHA1
294b05e1d8f288fb9ae640a965ef7262b4a9b4e7

SHA256
fe0d1e6727da058296b09fc284f69a0ec57698cac4c61a0493ee41e209058f03

SHA512
b88800d47833360c53003cef3aa4b08edc6265c657348ad8d1236ab3e337dde4a034d2403625613a77422210f97656a795dd87e553a12ec9674643df456f37c6

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
163KB

MD5
b081575cadbb8b93118ce675c846ae0d

SHA1
cf8ead21f426691c8dbaa5f502c6d531e56930a3

SHA256
9f3ce50846b8ef8305603f9848793734c7f193c53b48e47774e8e8853f1ab16d

SHA512
19f0143f6dac3a28a4b005d1ca0f3596244d14b90c27f84c2cdc7cb7cf8f3ac10a5a677efec68e62a96ff6e69d3345e11614736cb9196d4e08ddba74bbb29edb

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
163KB

MD5
cb320c6b465f3cbe682c7615781f4e11

SHA1
525cc7c7a326494891d72406d80014841b9dc159

SHA256
00458a6343239fb96d89da00b1224ef3cf20903056d8eb303bbeae87ae64b824

SHA512
5dbb6338de6babec5623fb054cc645f199ea08e5904df709c2312cf62f8a04529c24574485d8f16e21df39e79d8f9affc04e90335570d41b447b77738c50c667

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
163KB

MD5
c7de2d6f079690b0b1023c24861a332f

SHA1
92832d7693ddc2d64dba534a300d4944eaa7f6a0

SHA256
da531d88766fcb7730e4f4f3b6c433bad584fe8560cfb5333fda4ddabf917085

SHA512
e27f2bb055661cf21de65b6b6d375c628d81ec40d756d5038690e37829d9a3f85ed13a22d2ed3197a068438735cdba24a72bf140e1c476bd82dbc7bd5dffbb8e

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
163KB

MD5
6ec05ffaa921b37796fdc1eb62d75595

SHA1
8a8ffa1e2c72b517acdddfdcc71fcf563f631ee0

SHA256
29daa3262643c5566b2697525dd17cfecb9cdb789472264e8570e0125cac8827

SHA512
cc175cbc7c5e6c8637791fa3f222e21fbb5578a3d24df6c1aceb90e37ddbda54cbadb0d0c165858dd19abcaef1dd3c87668a6c09b5e01a00da006a014cc157cd

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
163KB

MD5
f050e0504ef8fbee240bbccb9d6bfce9

SHA1
e43f24fecd506a0e48778e42ebc75ad77fbd91c1

SHA256
aa9a039e0d2aec7c89cd2f705d00db93aa169c86f5e56fe0f75403c3d08ef140

SHA512
b2461bb0fb9bff67de479abb91901288ec9adde6bc59260a9da7928492dfcf7eb5cc43fe5e4e31f8f0d3ad86305399a00d2bba968040df45c305970704ce6793

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
163KB

MD5
38edca8f59fc0dfed47f969a80aeb376

SHA1
e3c0a1e96ab9a5893f0ec195def83a0809984f80

SHA256
408dc294cc0f1297cfd2c9f6bd7713366194a469794cdb20478d2e8b615cec78

SHA512
7651ad2c6ce239b58e759f58b144e06a548a3743b4b18937a354376e98266d941dd87181225631d5f3343c11315ab0d01a1c523ce650325b41895df344fffaec

Download Submit
memory/216-300-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/216-155-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/660-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/660-276-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/764-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/764-332-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/984-220-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/984-284-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1072-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1072-314-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1124-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1124-282-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1156-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1156-334-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1512-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1512-322-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1552-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1552-330-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1624-324-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1624-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1756-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1756-302-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1860-268-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1860-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2044-271-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2044-273-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2044-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2164-298-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2164-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2240-316-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2240-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2272-318-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2272-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2644-296-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2644-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-306-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-133-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2816-191-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2816-290-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2988-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2988-312-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3152-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3152-326-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3208-292-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3236-310-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3236-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3540-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3540-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3740-286-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3740-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3860-336-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3860-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4084-279-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4084-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4160-304-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4160-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4288-199-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4288-288-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4324-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4324-320-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4448-262-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4448-272-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4556-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4556-338-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4556-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4572-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4572-308-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4792-294-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4792-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5048-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5048-278-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5048-280-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download