02034f3f8db9b70c58c68002eaf2eb5f999b17f2dabb33f6beb5b10cc1196d46

Analysis

max time kernel
130s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3df44b64bf9e150376012dddb7c42740_NeikiAnalytics.exe
Size

1000KB
MD5

3df44b64bf9e150376012dddb7c42740
SHA1

f3afa958eeb48d1454cc14536f7d8a7ff1217e98
SHA256

02034f3f8db9b70c58c68002eaf2eb5f999b17f2dabb33f6beb5b10cc1196d46
SHA512

9e61f40b47df9a8bed426253fd10aa5fe0739e3db050423b76fd9c847a629d745425aae29c1ca888edd4f625234e7fe8ec0e645dc9fac6d62524abfea15b637f
SSDEEP

12288:0x/Ndv1AtHBFLPj3TmLnWrOxNuxC97hFq9o7:0RFAtHBFLPj368MoC9Dq9o7

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Nkncdifl.exeNcldnkae.exeJmpngk32.exeKaqcbi32.exeNqfbaq32.exeNqmhbpba.exeMciobn32.exeNnmopdep.exeNdghmo32.exeMdpalp32.exeMkpgck32.exeMncmjfmk.exe3df44b64bf9e150376012dddb7c42740_NeikiAnalytics.exeLpocjdld.exeMpaifalo.exeMkgmcjld.exeKbdmpqcb.exeMjjmog32.exeNceonl32.exeNgcgcjnc.exeMjeddggd.exeMkepnjng.exeNjljefql.exeKdcijcke.exeKajfig32.exeNnhfee32.exeNklfoi32.exeNqiogp32.exeJdjfcecp.exeLdmlpbbj.exeMdkhapfj.exeNnjbke32.exeNgedij32.exeNjcpee32.exeMgnnhk32.exeLmccchkn.exeMaaepd32.exeKacphh32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3df44b64bf9e150376012dddb7c42740_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe

Malware Dropper & Backdoor - Berbew 32 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Jmpngk32.exe	family_berbew
C:\Windows\SysWOW64\Jdjfcecp.exe	family_berbew
C:\Windows\SysWOW64\Kaqcbi32.exe	family_berbew
C:\Windows\SysWOW64\Kacphh32.exe	family_berbew
C:\Windows\SysWOW64\Kbdmpqcb.exe	family_berbew
C:\Windows\SysWOW64\Kdcijcke.exe	family_berbew
C:\Windows\SysWOW64\Kajfig32.exe	family_berbew
C:\Windows\SysWOW64\Lpocjdld.exe	family_berbew
C:\Windows\SysWOW64\Lmccchkn.exe	family_berbew
C:\Windows\SysWOW64\Ldmlpbbj.exe	family_berbew
C:\Windows\SysWOW64\Mciobn32.exe	family_berbew
C:\Windows\SysWOW64\Mkpgck32.exe	family_berbew
C:\Windows\SysWOW64\Mjeddggd.exe	family_berbew
C:\Windows\SysWOW64\Mdkhapfj.exe	family_berbew
C:\Windows\SysWOW64\Mkepnjng.exe	family_berbew
C:\Windows\SysWOW64\Mncmjfmk.exe	family_berbew
C:\Windows\SysWOW64\Mpaifalo.exe	family_berbew
C:\Windows\SysWOW64\Njljefql.exe	family_berbew
C:\Windows\SysWOW64\Nnmopdep.exe	family_berbew
C:\Windows\SysWOW64\Nkncdifl.exe	family_berbew
C:\Windows\SysWOW64\Ngcgcjnc.exe	family_berbew
C:\Windows\SysWOW64\Nqiogp32.exe	family_berbew
C:\Windows\SysWOW64\Nnjbke32.exe	family_berbew
C:\Windows\SysWOW64\Nklfoi32.exe	family_berbew
C:\Windows\SysWOW64\Nceonl32.exe	family_berbew
C:\Windows\SysWOW64\Nqfbaq32.exe	family_berbew
C:\Windows\SysWOW64\Nnhfee32.exe	family_berbew
C:\Windows\SysWOW64\Mgnnhk32.exe	family_berbew
C:\Windows\SysWOW64\Mdpalp32.exe	family_berbew
C:\Windows\SysWOW64\Maaepd32.exe	family_berbew
C:\Windows\SysWOW64\Mjjmog32.exe	family_berbew
C:\Windows\SysWOW64\Mkgmcjld.exe	family_berbew

Executes dropped EXE 38 IoCs

Processes:

Jmpngk32.exeJdjfcecp.exeKaqcbi32.exeKacphh32.exeKbdmpqcb.exeKdcijcke.exeKajfig32.exeLpocjdld.exeLmccchkn.exeLdmlpbbj.exeMciobn32.exeMkpgck32.exeMjeddggd.exeMdkhapfj.exeMkepnjng.exeMncmjfmk.exeMpaifalo.exeMkgmcjld.exeMjjmog32.exeMaaepd32.exeMdpalp32.exeMgnnhk32.exeNjljefql.exeNnhfee32.exeNqfbaq32.exeNceonl32.exeNklfoi32.exeNnjbke32.exeNqiogp32.exeNgcgcjnc.exeNkncdifl.exeNnmopdep.exeNdghmo32.exeNgedij32.exeNjcpee32.exeNqmhbpba.exeNcldnkae.exeNkcmohbg.exe

pid	process
4416	Jmpngk32.exe
3900	Jdjfcecp.exe
4408	Kaqcbi32.exe
1492	Kacphh32.exe
5428	Kbdmpqcb.exe
4988	Kdcijcke.exe
4104	Kajfig32.exe
1984	Lpocjdld.exe
4452	Lmccchkn.exe
3112	Ldmlpbbj.exe
5940	Mciobn32.exe
5032	Mkpgck32.exe
3196	Mjeddggd.exe
4052	Mdkhapfj.exe
5064	Mkepnjng.exe
5668	Mncmjfmk.exe
4980	Mpaifalo.exe
1260	Mkgmcjld.exe
2024	Mjjmog32.exe
1324	Maaepd32.exe
1096	Mdpalp32.exe
2696	Mgnnhk32.exe
5556	Njljefql.exe
2420	Nnhfee32.exe
948	Nqfbaq32.exe
3616	Nceonl32.exe
3700	Nklfoi32.exe
5540	Nnjbke32.exe
748	Nqiogp32.exe
1084	Ngcgcjnc.exe
5768	Nkncdifl.exe
3336	Nnmopdep.exe
752	Ndghmo32.exe
4600	Ngedij32.exe
1944	Njcpee32.exe
4388	Nqmhbpba.exe
2812	Ncldnkae.exe
4696	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Jdjfcecp.exeMjjmog32.exeMkepnjng.exeNnjbke32.exeNqiogp32.exeNgcgcjnc.exeNdghmo32.exeNjljefql.exeNgedij32.exeKaqcbi32.exeKajfig32.exeNqmhbpba.exeKbdmpqcb.exeMciobn32.exeMpaifalo.exeNqfbaq32.exe3df44b64bf9e150376012dddb7c42740_NeikiAnalytics.exeNkncdifl.exeLpocjdld.exeMjeddggd.exeNklfoi32.exeMncmjfmk.exeNjcpee32.exeKdcijcke.exeNnmopdep.exeLmccchkn.exeNnhfee32.exeNceonl32.exeKacphh32.exeLdmlpbbj.exeMaaepd32.exeMdpalp32.exeJmpngk32.exeMkgmcjld.exeMgnnhk32.exeMdkhapfj.exeNcldnkae.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	3df44b64bf9e150376012dddb7c42740_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	3df44b64bf9e150376012dddb7c42740_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	3df44b64bf9e150376012dddb7c42740_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

1632 4696 WerFault.exe

pid	pid_target	process
1632	4696	WerFault.exe

Modifies registry class 64 IoCs

Processes:

Kaqcbi32.exeLdmlpbbj.exeMjeddggd.exeMpaifalo.exeMgnnhk32.exeNdghmo32.exeMdpalp32.exeNjcpee32.exeJmpngk32.exeLpocjdld.exeMdkhapfj.exeMkepnjng.exeMaaepd32.exeNjljefql.exeMkpgck32.exeMncmjfmk.exeMkgmcjld.exeMjjmog32.exeNqfbaq32.exeNgedij32.exeNnjbke32.exeNqmhbpba.exe3df44b64bf9e150376012dddb7c42740_NeikiAnalytics.exeNceonl32.exeNklfoi32.exeNqiogp32.exeKacphh32.exeNgcgcjnc.exeJdjfcecp.exeKajfig32.exeNcldnkae.exeLmccchkn.exeKdcijcke.exeMciobn32.exeKbdmpqcb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3df44b64bf9e150376012dddb7c42740_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3df44b64bf9e150376012dddb7c42740_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3df44b64bf9e150376012dddb7c42740_NeikiAnalytics.exeJmpngk32.exeJdjfcecp.exeKaqcbi32.exeKacphh32.exeKbdmpqcb.exeKdcijcke.exeKajfig32.exeLpocjdld.exeLmccchkn.exeLdmlpbbj.exeMciobn32.exeMkpgck32.exeMjeddggd.exeMdkhapfj.exeMkepnjng.exeMncmjfmk.exeMpaifalo.exeMkgmcjld.exeMjjmog32.exeMaaepd32.exeMdpalp32.exe

description	pid	process	target process
PID 5796 wrote to memory of 4416	5796	3df44b64bf9e150376012dddb7c42740_NeikiAnalytics.exe	Jmpngk32.exe
PID 5796 wrote to memory of 4416	5796	3df44b64bf9e150376012dddb7c42740_NeikiAnalytics.exe	Jmpngk32.exe
PID 5796 wrote to memory of 4416	5796	3df44b64bf9e150376012dddb7c42740_NeikiAnalytics.exe	Jmpngk32.exe
PID 4416 wrote to memory of 3900	4416	Jmpngk32.exe	Jdjfcecp.exe
PID 4416 wrote to memory of 3900	4416	Jmpngk32.exe	Jdjfcecp.exe
PID 4416 wrote to memory of 3900	4416	Jmpngk32.exe	Jdjfcecp.exe
PID 3900 wrote to memory of 4408	3900	Jdjfcecp.exe	Kaqcbi32.exe
PID 3900 wrote to memory of 4408	3900	Jdjfcecp.exe	Kaqcbi32.exe
PID 3900 wrote to memory of 4408	3900	Jdjfcecp.exe	Kaqcbi32.exe
PID 4408 wrote to memory of 1492	4408	Kaqcbi32.exe	Kacphh32.exe
PID 4408 wrote to memory of 1492	4408	Kaqcbi32.exe	Kacphh32.exe
PID 4408 wrote to memory of 1492	4408	Kaqcbi32.exe	Kacphh32.exe
PID 1492 wrote to memory of 5428	1492	Kacphh32.exe	Kbdmpqcb.exe
PID 1492 wrote to memory of 5428	1492	Kacphh32.exe	Kbdmpqcb.exe
PID 1492 wrote to memory of 5428	1492	Kacphh32.exe	Kbdmpqcb.exe
PID 5428 wrote to memory of 4988	5428	Kbdmpqcb.exe	Kdcijcke.exe
PID 5428 wrote to memory of 4988	5428	Kbdmpqcb.exe	Kdcijcke.exe
PID 5428 wrote to memory of 4988	5428	Kbdmpqcb.exe	Kdcijcke.exe
PID 4988 wrote to memory of 4104	4988	Kdcijcke.exe	Kajfig32.exe
PID 4988 wrote to memory of 4104	4988	Kdcijcke.exe	Kajfig32.exe
PID 4988 wrote to memory of 4104	4988	Kdcijcke.exe	Kajfig32.exe
PID 4104 wrote to memory of 1984	4104	Kajfig32.exe	Lpocjdld.exe
PID 4104 wrote to memory of 1984	4104	Kajfig32.exe	Lpocjdld.exe
PID 4104 wrote to memory of 1984	4104	Kajfig32.exe	Lpocjdld.exe
PID 1984 wrote to memory of 4452	1984	Lpocjdld.exe	Lmccchkn.exe
PID 1984 wrote to memory of 4452	1984	Lpocjdld.exe	Lmccchkn.exe
PID 1984 wrote to memory of 4452	1984	Lpocjdld.exe	Lmccchkn.exe
PID 4452 wrote to memory of 3112	4452	Lmccchkn.exe	Ldmlpbbj.exe
PID 4452 wrote to memory of 3112	4452	Lmccchkn.exe	Ldmlpbbj.exe
PID 4452 wrote to memory of 3112	4452	Lmccchkn.exe	Ldmlpbbj.exe
PID 3112 wrote to memory of 5940	3112	Ldmlpbbj.exe	Mciobn32.exe
PID 3112 wrote to memory of 5940	3112	Ldmlpbbj.exe	Mciobn32.exe
PID 3112 wrote to memory of 5940	3112	Ldmlpbbj.exe	Mciobn32.exe
PID 5940 wrote to memory of 5032	5940	Mciobn32.exe	Mkpgck32.exe
PID 5940 wrote to memory of 5032	5940	Mciobn32.exe	Mkpgck32.exe
PID 5940 wrote to memory of 5032	5940	Mciobn32.exe	Mkpgck32.exe
PID 5032 wrote to memory of 3196	5032	Mkpgck32.exe	Mjeddggd.exe
PID 5032 wrote to memory of 3196	5032	Mkpgck32.exe	Mjeddggd.exe
PID 5032 wrote to memory of 3196	5032	Mkpgck32.exe	Mjeddggd.exe
PID 3196 wrote to memory of 4052	3196	Mjeddggd.exe	Mdkhapfj.exe
PID 3196 wrote to memory of 4052	3196	Mjeddggd.exe	Mdkhapfj.exe
PID 3196 wrote to memory of 4052	3196	Mjeddggd.exe	Mdkhapfj.exe
PID 4052 wrote to memory of 5064	4052	Mdkhapfj.exe	Mkepnjng.exe
PID 4052 wrote to memory of 5064	4052	Mdkhapfj.exe	Mkepnjng.exe
PID 4052 wrote to memory of 5064	4052	Mdkhapfj.exe	Mkepnjng.exe
PID 5064 wrote to memory of 5668	5064	Mkepnjng.exe	Mncmjfmk.exe
PID 5064 wrote to memory of 5668	5064	Mkepnjng.exe	Mncmjfmk.exe
PID 5064 wrote to memory of 5668	5064	Mkepnjng.exe	Mncmjfmk.exe
PID 5668 wrote to memory of 4980	5668	Mncmjfmk.exe	Mpaifalo.exe
PID 5668 wrote to memory of 4980	5668	Mncmjfmk.exe	Mpaifalo.exe
PID 5668 wrote to memory of 4980	5668	Mncmjfmk.exe	Mpaifalo.exe
PID 4980 wrote to memory of 1260	4980	Mpaifalo.exe	Mkgmcjld.exe
PID 4980 wrote to memory of 1260	4980	Mpaifalo.exe	Mkgmcjld.exe
PID 4980 wrote to memory of 1260	4980	Mpaifalo.exe	Mkgmcjld.exe
PID 1260 wrote to memory of 2024	1260	Mkgmcjld.exe	Mjjmog32.exe
PID 1260 wrote to memory of 2024	1260	Mkgmcjld.exe	Mjjmog32.exe
PID 1260 wrote to memory of 2024	1260	Mkgmcjld.exe	Mjjmog32.exe
PID 2024 wrote to memory of 1324	2024	Mjjmog32.exe	Maaepd32.exe
PID 2024 wrote to memory of 1324	2024	Mjjmog32.exe	Maaepd32.exe
PID 2024 wrote to memory of 1324	2024	Mjjmog32.exe	Maaepd32.exe
PID 1324 wrote to memory of 1096	1324	Maaepd32.exe	Mdpalp32.exe
PID 1324 wrote to memory of 1096	1324	Maaepd32.exe	Mdpalp32.exe
PID 1324 wrote to memory of 1096	1324	Maaepd32.exe	Mdpalp32.exe
PID 1096 wrote to memory of 2696	1096	Mdpalp32.exe	Mgnnhk32.exe

C:\Users\Admin\AppData\Local\Temp\3df44b64bf9e150376012dddb7c42740_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3df44b64bf9e150376012dddb7c42740_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5796

C:\Windows\SysWOW64\Jmpngk32.exe
C:\Windows\system32\Jmpngk32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\Jdjfcecp.exe
C:\Windows\system32\Jdjfcecp.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\Kaqcbi32.exe
C:\Windows\system32\Kaqcbi32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5428

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5940

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5668

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2696

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5556

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2420

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:948

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3616

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3700

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5540

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:748

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1084

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5768

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3336

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:752

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4600

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1944

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4388

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2812

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
39⤵
- Executes dropped EXE
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 412
40⤵
- Program crash
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4696 -ip 4696
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jdjfcecp.exe
Filesize
1000KB

MD5
6224e7efe24b83bb2a631b9056e094c9

SHA1
42915f41e644aecb515e9517fe9c0712db525d56

SHA256
9cad3cb38bf330e6544298f4bb700f9763ba0b713641aee12390e3319215c5ec

SHA512
5c40a217005f63b945f1051231fdb1c147c98e98283babb3c7feb7373fca967331fc1e3c8487a83759d4af1a6f4d4dcc99006c05a8e55096e677deaf7b587988

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe
Filesize
1000KB

MD5
f15c5e75c55a6d615f4dfb4c7a6be7b8

SHA1
4aeb8db5050506ddb43deea47f257d6d9c7b02c5

SHA256
6b57e8e0de25386ebbca3ff783837b96458cc6fd8cb8f99c279eb9a005d990ff

SHA512
df2e2af6f48d284695f2b755e70cd0dcdb4834ce4f1134cf485e33ffd8d912d8f41d5be3e674308b1abf7411cd89eebfdf5e620c7878ba304c0ced8d5a0c564b

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe
Filesize
1000KB

MD5
cf75a6d533f51b1e4d0a7d30db3e290e

SHA1
3d284c3c83844a9faf9a0e700feefa62c44b6f7f

SHA256
13ca0bbe9452a69b5a86db29a59d7a7601617dca7d8998abb4e618fbf87227d8

SHA512
6c0133420e951536195674a44a14b6408273a17a1ca0a7cfd674907525b6b706961af589e16b2ebb6bbced9a87dbf041451c722d323598809be093c68e48278f

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe
Filesize
1000KB

MD5
39c3d2da3a602c06afa7fa324740cde6

SHA1
9f04c0a1243c274c2ebe34797c9437383fff5fcf

SHA256
dd5ed259bb9f97791f2718546fa6e8e8c0855cb2950971d790f20939640ad2ac

SHA512
45fca182c404f8fc8b1995a4ff1e19b37dbe32cd1a0e73dd429b387414dde662acb6e23e57902c5dccf5b2de63eae58012032b09f07832e598340d6ddb7ce9ff

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe
Filesize
1000KB

MD5
40bcc00e2b8eaf8ba7093108c3ea0977

SHA1
6449599c16f44ed86548f7db762c3be235fa198a

SHA256
101fc8b005306bb2af96675b85ef868678e338232217e2189e23cc2a36daa1bc

SHA512
ffad9bae818a789344871f007602b79b4a4a8e953fd83834a4963b16153e70a509ac1ab2a3d835d80eb3863de28ab92856792965efe9cd3ea5fd766e9e97ff3f

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe
Filesize
1000KB

MD5
48974d9c84ff7d24ba887d985dafd9cf

SHA1
7b4a4557a45633c42a1d0fed9d2031da580e5678

SHA256
6641852aca0ff55e9018e424a73a90c306e51696850a70315e50f8baba5b7ef9

SHA512
2a7aeab75d6861048c723a4fe21769e7889bfd82da942e069cf98b08e6d77e6a8eeb98381300df05ffb58239db374d10f7c3eefff508130d48e5f94d08fd9f7d

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe
Filesize
1000KB

MD5
aac2c81d3b6b5c60d05c853c527bb33a

SHA1
655fbdb1691fd1137ce62fd4cdc1c35883f7bbcd

SHA256
04a9b836ca7d4670d606c24aee82c9cd2be1badcb14f81b5674dc34319a89d5c

SHA512
768f01dd676e656e92170e5557dba2e887696f74449f39d45bef061d28ef56059478c6e3d9adcd706039456e0c20b8f91f8a48ac32dc256ef3db77a3e6e6144b

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe
Filesize
1000KB

MD5
7559e5c5c00d5eb80d79490689a481f8

SHA1
877fbc10cefe7f78ba28d4c32053004eeca6415c

SHA256
327dee9c7790f33e751aa70f14b86a68b2d10c0d04f5c8ff5b77988f7a18a047

SHA512
2614147c41e5906fc7156b2ceaf40824007b1d273c3c9079d4f7be9781c3c59e55d2af2bb97216c4082ab66f28935ea03d35bed5b98506698477d8bac0308b8c

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe
Filesize
1000KB

MD5
99c78c8c7afacb0147b03a95e4313ac0

SHA1
b60fd66ab625f47f2985341e993aa24f9b56883d

SHA256
8f8abdd52eee144833b61aae0f6dc48c9407d86815546f2a12c32c66593a825c

SHA512
249d7d433d0b4eec90146f1fda9398085edd947d6635a63cfb0eae6605e66272f6048cbe646899f2c008fbe4f34b63eda28f105fc35f36b899440b2fbd973d53

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe
Filesize
1000KB

MD5
4ea35092d0aa0b3f24c32b4aabf2464e

SHA1
5b7870a6dde8a421019965538d695904a74718fd

SHA256
4aeabdfcfc21319c1d6c843139cfbc761db5deb6cb942850a9b3bc327da11378

SHA512
8ec4068675959e10819da50a11c26ea50f1afff6ee9c1a2f2fa1aefc81f3cb4a4787ea1124eb33ea21369a19d995d82363d9c313aee7bc10bf7a6e92b573fbe4

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe
Filesize
1000KB

MD5
d84ad5f437d1b0225c7ccef6abf30d79

SHA1
f1dc888a5c68264f104e15f353ed8711d83451c7

SHA256
3544a8d69fdc2258bc451a7038025a35436d7842104adb12e37672d72699bbb1

SHA512
1a8d388ba59fd980f584a91cc83a8b807be45dd43f57c422cb9a79146af7afc07c79d2bf27904cc8e7c5f03956a7ad54cba984512b95db9a60a079a5dd3249b9

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe
Filesize
1000KB

MD5
c39e5f81f90b508046784df908def408

SHA1
c7575f0b7dc012121d301614e490a77c47a4f45a

SHA256
e0796a5d5de122dd4a234c7eca72701c7f70e06d7cacc874a83688df08c8eb26

SHA512
68867389068ec3e38dcd5103884e747adb026f42069eda685df885e90f28173c3e74d74bd10e1c57a884648f8f41c41d143b2904b563e32a8ac640770e856141

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe
Filesize
1000KB

MD5
15561156c6ffd713fa2cb43292e3da20

SHA1
cce17936d1a4e35d80d4f32f6cb3af9c6feb5bbf

SHA256
875b1b3bd8090880eef3a144b28664b2a0e4e539696375d5160df408ffb3a804

SHA512
561cf77e24fb2ac0cf91de623ee8b21a3974bf02c636c392806d2018cef72b966b580adc79ab90ecfb6f0fe83d4af811f842cf10341208caddccd65d9f0b0c3e

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe
Filesize
1000KB

MD5
bda77eb1e913a929ebef55675e33cae6

SHA1
c762e41eb372d659315a5dcc0e68b879daafbb00

SHA256
31f90112950644b9def81fc6baec24118c9183bd84cf01ea1cd101287d185778

SHA512
65b0b68e5b268f4d3cd43a72e7f02062a08d676dcd66d8d7cf1a847bd99c31f3ef20630a13b0b54afbb4d655572b4d3c3c115a5fccf5bb42a7443720696e0cad

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe
Filesize
1000KB

MD5
b4d6693d2ca9182b8e65c8f3ce873364

SHA1
3f5ad77bf6c75853f8d887f897f377c2e965d42c

SHA256
f288a6752ad2c28c3c550bd0c2ef8364be3936b455a0720661374c39fbc63057

SHA512
760255c5a92013ef00bed213e2469cd3aacefee29c30edd5f6820738e3802f680bac17ab9d0b7b06fed033bbef2631933375d803b510924712dc73ea9f1157cc

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe
Filesize
1000KB

MD5
e9ce8c49b4cb4010dee8109f4c64d0a3

SHA1
e0b2d115c1df5d72710e4167d2b5c1f916ef05d5

SHA256
f9c97587f259fab97da8b41dcdb90208073e9f3b7a8edbb803e7a28fde294b9b

SHA512
1c075a43020f0a83bb8098120717c780bce584fac2d3a4e420e732a388e555676d2de4070b14b293328433479190ed5384649d8e095896c9b7144c0d3522135a

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe
Filesize
1000KB

MD5
03dd001233d0c5f51ab93697912288e3

SHA1
f2f9608ad6c535c92c6a90b2821e99301b84de88

SHA256
ddfcba14c0b54160686fd215bce89649bc5646e83cabb1d159be0c1a97d024ab

SHA512
e9510e5d033d20d347c2f0ff4b3fd8883376ace5d3fc906d945d4d3be28f571b9db2ce2999d059fde2a46f5d0fbf3605b8c6eba704cf3da1b896d188f96737db

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe
Filesize
1000KB

MD5
b1fc1b6e233c9d6fbfac9cd672ff356d

SHA1
7099e129a16c9ec9cfc06ac962b70ddd2e73e310

SHA256
f0d5de7e5c93cd2d81e83579ab61aade6c5c51edb8029915fb4aec802453313e

SHA512
cd4e4270d182aaadd2a97f4a952fdd8e10f82ae1a0ef6814947e445f8d2e33db0ee7a09fcb3376bcd425ae03e6c15e181f409db66ec78f29cb1395c90a45de5c

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe
Filesize
1000KB

MD5
fb626328ffc05e8f88143200a6a70744

SHA1
313735254f12c2b19d458d6ff15f4359763b845b

SHA256
80c101366a0d0a197f0cb008e3ccb31811e04b3dacc820f7f2df78878b148c6f

SHA512
5e7571444c7031fad7f03d13df7f08f1dceb06a18d2577e4df0a29dc9cf20af64b72d2fd3d3db748b40d87cec12584829193f3b59007428e4be9f31b3b47e2f2

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe
Filesize
1000KB

MD5
7c72bbdac9752653eee276cf50c3f150

SHA1
7fc1e4ec5c38c4d0cc63b08b957380eb22559a35

SHA256
54a1e6844150a1735a506d6e83b32dfdf31b3bb345e6f1abc6aa98fa01639747

SHA512
6591849a1bae7b1c5464e45569cab7a0c90373441255ae13db608240faa1ddaa5a2fe778a7ef9c73d69f30747b6ad8c3ad008add2b5593198c899b36022bb52b

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe
Filesize
1000KB

MD5
76904b959d980982824d08e16a2925c3

SHA1
8d021848a82e38f5715ae4bc16052dfc7beb4cb9

SHA256
d1abfbffa61420114b9e822f65250f8a56952350a7820ee9b3c0331c9a371941

SHA512
75ac6d72e32336e3616967dfabfee7f127e7a973617c0ed689f5974869c3e045ef7fe980aef32b46dad8555e9dbf69bc5e1ca17a9d346f67f48c5337cb79ce48

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe
Filesize
1000KB

MD5
6ee70f26744fe105687cbb2d15cd4e64

SHA1
060346b9bed586f69cdd0414b362c72c37baac94

SHA256
db62a716a3237017d52d291b0a9678b68ebafb0b9b0a3b1c8a4681f73c0ba782

SHA512
e85020b5238c1255c286365672595141e47269e1f2e90c2f64a949c4d20d28eddc7549f7177bd453d7dd8699e3e8408cde8a1909e291cd8da3fa5662f8f41451

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe
Filesize
1000KB

MD5
b4ae40c36d788a91315de1d4fb1d73e8

SHA1
7db56a1887e3012bb8a9690eac4e15da2bebd0d7

SHA256
59fea1e03e39acb8de782f24eaab3e6dbb879e71aa3029439fbd984d0b113f74

SHA512
a651edd332b73f0c474852a7ddf16f410b7a11f35bbbc46e560908ce8a4cf3a41236ff28b44a4352f32509167a5d4c839ee6a524d323c8e8e1809fe48f85bb43

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe
Filesize
1000KB

MD5
298820a8cf3a04a9753a3c3e512bd3ce

SHA1
e4429ea422f9a80241bef095a3a2885e96fa8e6b

SHA256
9d665f365d95dfe4c80acd1ddcf0d7c94ee73b51030d54595cebb0e78ca13bd4

SHA512
7ed666505d3a630494f4802666bd0e12c014a85c343d9fb7d32ea042d7d99d2fd8a505d10938dfeb73d7ab7a17ea6c0d39eec67f317902b56408e348241a2297

Download Submit
C:\Windows\SysWOW64\Njljefql.exe
Filesize
1000KB

MD5
cc5e522d5bb721ec1c12fcf129164109

SHA1
668fa384a43afd1d24e223ab977e771c485df623

SHA256
aa20585477ef02cf21a14599e253c5c310e72ee0561a80886101c0e33b1df77b

SHA512
e9a0142a49ea4385d89ce0fb305a127534d4b613674d140125756d636b6deb4bbc093d574dbc80d7d5f0bb8745dd0865f88ead6f827e4e6835c3003c2d0d6330

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe
Filesize
1000KB

MD5
dbb14da5ad987049b3dd48feafe0952f

SHA1
cf0ad88d3a376ee451e044afeef25e416a6f6771

SHA256
2fc18faebe429d62c0cefb633539e8f86def5c825a106e3069423bd1c2cf3756

SHA512
ba8b2bb85d517c301482fbb956e2805eec9b5dd361a8c4144e1535d5966686d86a84e97f8e28da8e735a6678a75a7adfdeb9b3512cd4177586c31426f28ebaea

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe
Filesize
1000KB

MD5
cd0353dab393879617d6e2effe1326ae

SHA1
24a6eb9356f94a7bebe4c06ad264ae4b97fd14eb

SHA256
eb0d6cd595b137843508bb3654c64b0dc63dca0422b21a4b96085a43088fb32f

SHA512
f83132c5d14c053a9a456cdc3c5f9fbd70b218e66ea20d45ad68781e12539c54202480e426a539a1b932d436d4cb479c3af3f92c592cfc29433fa4fbd33105c2

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe
Filesize
1000KB

MD5
5ff6dfadfd1072b312ccf4a3124f6284

SHA1
85541e6a8aaac7211ea93c6bb7c6dd2ac403da7e

SHA256
d0a1c46708cd901accbec0d05f2e38127f046beb80fe786da3e8471130d6349c

SHA512
242563485548d347816da6f1a2d9d617a7b699b842bf0452d21553870984e1796b44289955a073c62c7941a92b9da7486b40b15be87baeff57a6449475cf2984

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe
Filesize
1000KB

MD5
978ca49c16cfb38496ba003a0a4a8c13

SHA1
b9d6f5d9dcac24ae9524c43fd308f804fd2aa82a

SHA256
4761515fc2caf2f9423adc9b9babc803749bd3ba4e9e85fe7b3500cfc2c9c999

SHA512
fffddd7c446affff06ce799d7d21edc5f7b229c22f3e8bac4f6f984560cc4eb2a9b8013ab0d1561cb9ae63dee71bdb5b135df2a757b8a4bac851347fdca652c9

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe
Filesize
1000KB

MD5
65b53352320112bd070fd100e274c427

SHA1
001f777ba81eb5f8b02319a9cf94f1476823d812

SHA256
74d703b023f1a1ebeff2bcbe919317390dcc8d973d29785e1f86094ef671084b

SHA512
cb9af6f3849d4a62f5e683043c0586cc8e2747d144413d6b7c056f9ff8af7ea4208426adfbcaf6517dc4ff797cdef36725cbdec51c801b05760d2664025ceba6

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe
Filesize
1000KB

MD5
602123dbb8abf1adbd793e3574c25a61

SHA1
4535553099b5cf2de2d7502776916a786da34ac1

SHA256
e07f14fa30f6786d951dae1c25f27bd1003f2c7e915efac003e03627f8ee7b22

SHA512
8206f81d59a878a0021ee29ce7a06cf45f8173212517808ab7ee16741996f668d5677ae6840dbc2b481a8af8dd3d69cd613b9fa2e20f308d6f19857ca88906ff

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe
Filesize
1000KB

MD5
088a46527a749489f94f1538ef866173

SHA1
fdc4fea0821b7c9707978369ecfb858f91d9ebd9

SHA256
1ca1f392ec44339907d67861b22d0e2a2defe738e48aa70cf18e1cfc5e50e5f1

SHA512
a6747ded47d225ad0221a732b806fdb14300438724e68a90576e89ba92ff2d71e8e2793453b837ed8b80d7297209eda88317c01befa2b2e4fa7d1490524d47b9

Download Submit
C:\Windows\SysWOW64\Ojmmkpmf.dll
Filesize
7KB

MD5
013f4ccb5e3ccaf925b4b3d7707b3206

SHA1
ebad5f869ee413a8c060bb65ddb4461d51953e7f

SHA256
edba80d99fc6f522521ccdf70a380e79cb678d21f1f92c89ea7392273484381d

SHA512
56903738c79d4b45b34ad9e7e2692dec5154d36c33fe295f0391eb0f904d50c87260a092830bbc92f9f276c9c606247f6c5d78414f8e0cf7f7f160b800002972

Download Submit
memory/748-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/752-276-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/948-284-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1084-279-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1096-288-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1260-291-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1324-289-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1492-303-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1492-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1944-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1984-299-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1984-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2024-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2420-285-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2696-287-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-272-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3112-297-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3112-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3196-294-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3196-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3336-277-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3616-283-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3700-282-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3900-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4052-293-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4052-112-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4104-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4104-300-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4388-273-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4408-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4408-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4416-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4416-305-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4452-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4452-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4600-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4696-271-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4980-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4988-301-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4988-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5032-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5032-295-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5064-124-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5428-302-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5428-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5540-281-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5556-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5668-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5768-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5796-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5796-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5940-296-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5940-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download