b25a88154199b6b01610208c6e73430a484fdb47303b859dd4dd5d9cba5c39a3

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exe
Size

128KB
MD5

2108434f5df6eb312dee968c9b9ef7b0
SHA1

372397a751f3edfefd979849ad38c80b0254624a
SHA256

b25a88154199b6b01610208c6e73430a484fdb47303b859dd4dd5d9cba5c39a3
SHA512

e1e00d61f7b09d02b1d20bc562af1511fe33137e9e8ea45a878367c371531c24f92dbebe53d962701a3a0843a7b56d3821efc840eb6174d29191c20ecf869029
SSDEEP

1536:P4uGyMEo6pn93zcoOTYRZ5o1h902ekmx8kDAMRQD3DRfRa9HprmRfRJCLIXG:P6Ipp93VFvEQx8kcMeDz5wkpHxG

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Mdpalp32.exeNqfbaq32.exeMcpebmkb.exeNkjjij32.exeMkpgck32.exeNcgkcl32.exeNkqpjidj.exeNbkhfc32.exeMahbje32.exeMnfipekh.exeNceonl32.exeNgedij32.exeMncmjfmk.exeMgghhlhq.exeMjeddggd.exeMjqjih32.exe2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exeNcldnkae.exeMciobn32.exeNbhkac32.exeLgbnmm32.exeNkncdifl.exeMdkhapfj.exeNnhfee32.exeNnjbke32.exeNddkgonp.exeMgekbljc.exeMpaifalo.exeMdfofakp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdfofakp.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
behavioral2/memory/4764-0-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lgbnmm32.exe	family_berbew
behavioral2/memory/2972-12-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mjqjih32.exe	family_berbew
behavioral2/memory/1692-20-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mahbje32.exe	family_berbew
behavioral2/memory/2788-28-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mdfofakp.exe	family_berbew
C:\Windows\SysWOW64\Mciobn32.exe	family_berbew
behavioral2/memory/1336-36-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mgekbljc.exe	family_berbew
behavioral2/memory/4648-52-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4788-51-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mkpgck32.exe	family_berbew
behavioral2/memory/4536-56-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mgghhlhq.exe	family_berbew
behavioral2/memory/1792-64-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mjeddggd.exe	family_berbew
behavioral2/memory/1820-72-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mdkhapfj.exe	family_berbew
behavioral2/memory/544-79-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mncmjfmk.exe	family_berbew
behavioral2/memory/4296-88-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mpaifalo.exe	family_berbew
behavioral2/memory/4112-95-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mcpebmkb.exe	family_berbew
behavioral2/memory/4056-104-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mnfipekh.exe	family_berbew
behavioral2/memory/3260-112-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mdpalp32.exe	family_berbew
behavioral2/memory/1624-119-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Nkjjij32.exe	family_berbew
behavioral2/memory/936-132-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Nnhfee32.exe	family_berbew
behavioral2/memory/4812-136-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Nqfbaq32.exe	family_berbew
behavioral2/memory/2908-144-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Nceonl32.exe	family_berbew
behavioral2/memory/1544-151-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Nnjbke32.exe	family_berbew
behavioral2/memory/4944-160-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/1244-168-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Nddkgonp.exe	family_berbew
C:\Windows\SysWOW64\Ncgkcl32.exe	family_berbew
behavioral2/memory/3296-176-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Nkncdifl.exe	family_berbew
behavioral2/memory/4924-184-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Nbhkac32.exe	family_berbew
behavioral2/memory/2120-192-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ngedij32.exe	family_berbew
behavioral2/memory/4548-204-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Nkqpjidj.exe	family_berbew
behavioral2/memory/4240-207-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Nbkhfc32.exe	family_berbew
behavioral2/memory/3580-215-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ncldnkae.exe	family_berbew
behavioral2/memory/4888-224-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Nkcmohbg.exe	family_berbew
behavioral2/memory/4880-232-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4888-234-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4880-233-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3580-235-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2120-237-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/1244-240-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew

Executes dropped EXE 29 IoCs

Processes:

Lgbnmm32.exeMjqjih32.exeMahbje32.exeMdfofakp.exeMciobn32.exeMgekbljc.exeMkpgck32.exeMgghhlhq.exeMjeddggd.exeMdkhapfj.exeMncmjfmk.exeMpaifalo.exeMcpebmkb.exeMnfipekh.exeMdpalp32.exeNkjjij32.exeNnhfee32.exeNqfbaq32.exeNceonl32.exeNnjbke32.exeNddkgonp.exeNcgkcl32.exeNkncdifl.exeNbhkac32.exeNgedij32.exeNkqpjidj.exeNbkhfc32.exeNcldnkae.exeNkcmohbg.exe

pid	process
2972	Lgbnmm32.exe
1692	Mjqjih32.exe
2788	Mahbje32.exe
1336	Mdfofakp.exe
4788	Mciobn32.exe
4648	Mgekbljc.exe
4536	Mkpgck32.exe
1792	Mgghhlhq.exe
1820	Mjeddggd.exe
544	Mdkhapfj.exe
4296	Mncmjfmk.exe
4112	Mpaifalo.exe
4056	Mcpebmkb.exe
3260	Mnfipekh.exe
1624	Mdpalp32.exe
936	Nkjjij32.exe
4812	Nnhfee32.exe
2908	Nqfbaq32.exe
1544	Nceonl32.exe
4944	Nnjbke32.exe
1244	Nddkgonp.exe
3296	Ncgkcl32.exe
4924	Nkncdifl.exe
2120	Nbhkac32.exe
4548	Ngedij32.exe
4240	Nkqpjidj.exe
3580	Nbkhfc32.exe
4888	Ncldnkae.exe
4880	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Nkjjij32.exeNddkgonp.exeNbkhfc32.exe2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exeMcpebmkb.exeLgbnmm32.exeMjeddggd.exeNnhfee32.exeNkncdifl.exeMdfofakp.exeMgghhlhq.exeMdkhapfj.exeMncmjfmk.exeMdpalp32.exeNbhkac32.exeMgekbljc.exeNcldnkae.exeNgedij32.exeMkpgck32.exeNcgkcl32.exeMjqjih32.exeMpaifalo.exeMciobn32.exeMnfipekh.exeNkqpjidj.exeNqfbaq32.exeNnjbke32.exeNceonl32.exeMahbje32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3188 4880 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
3188	4880	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Mgghhlhq.exeMpaifalo.exeNqfbaq32.exeNnjbke32.exeMnfipekh.exeNnhfee32.exeNbhkac32.exeNgedij32.exeNcldnkae.exeMdfofakp.exeMncmjfmk.exeNkjjij32.exeNkqpjidj.exeMahbje32.exeNddkgonp.exeNbkhfc32.exeLgbnmm32.exeNceonl32.exeNcgkcl32.exe2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exeMjqjih32.exeMjeddggd.exeMcpebmkb.exeMgekbljc.exeMdpalp32.exeMciobn32.exeMdkhapfj.exeMkpgck32.exeNkncdifl.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exeLgbnmm32.exeMjqjih32.exeMahbje32.exeMdfofakp.exeMciobn32.exeMgekbljc.exeMkpgck32.exeMgghhlhq.exeMjeddggd.exeMdkhapfj.exeMncmjfmk.exeMpaifalo.exeMcpebmkb.exeMnfipekh.exeMdpalp32.exeNkjjij32.exeNnhfee32.exeNqfbaq32.exeNceonl32.exeNnjbke32.exeNddkgonp.exe

description	pid	process	target process
PID 4764 wrote to memory of 2972	4764	2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exe	Lgbnmm32.exe
PID 4764 wrote to memory of 2972	4764	2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exe	Lgbnmm32.exe
PID 4764 wrote to memory of 2972	4764	2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exe	Lgbnmm32.exe
PID 2972 wrote to memory of 1692	2972	Lgbnmm32.exe	Mjqjih32.exe
PID 2972 wrote to memory of 1692	2972	Lgbnmm32.exe	Mjqjih32.exe
PID 2972 wrote to memory of 1692	2972	Lgbnmm32.exe	Mjqjih32.exe
PID 1692 wrote to memory of 2788	1692	Mjqjih32.exe	Mahbje32.exe
PID 1692 wrote to memory of 2788	1692	Mjqjih32.exe	Mahbje32.exe
PID 1692 wrote to memory of 2788	1692	Mjqjih32.exe	Mahbje32.exe
PID 2788 wrote to memory of 1336	2788	Mahbje32.exe	Mdfofakp.exe
PID 2788 wrote to memory of 1336	2788	Mahbje32.exe	Mdfofakp.exe
PID 2788 wrote to memory of 1336	2788	Mahbje32.exe	Mdfofakp.exe
PID 1336 wrote to memory of 4788	1336	Mdfofakp.exe	Mciobn32.exe
PID 1336 wrote to memory of 4788	1336	Mdfofakp.exe	Mciobn32.exe
PID 1336 wrote to memory of 4788	1336	Mdfofakp.exe	Mciobn32.exe
PID 4788 wrote to memory of 4648	4788	Mciobn32.exe	Mgekbljc.exe
PID 4788 wrote to memory of 4648	4788	Mciobn32.exe	Mgekbljc.exe
PID 4788 wrote to memory of 4648	4788	Mciobn32.exe	Mgekbljc.exe
PID 4648 wrote to memory of 4536	4648	Mgekbljc.exe	Mkpgck32.exe
PID 4648 wrote to memory of 4536	4648	Mgekbljc.exe	Mkpgck32.exe
PID 4648 wrote to memory of 4536	4648	Mgekbljc.exe	Mkpgck32.exe
PID 4536 wrote to memory of 1792	4536	Mkpgck32.exe	Mgghhlhq.exe
PID 4536 wrote to memory of 1792	4536	Mkpgck32.exe	Mgghhlhq.exe
PID 4536 wrote to memory of 1792	4536	Mkpgck32.exe	Mgghhlhq.exe
PID 1792 wrote to memory of 1820	1792	Mgghhlhq.exe	Mjeddggd.exe
PID 1792 wrote to memory of 1820	1792	Mgghhlhq.exe	Mjeddggd.exe
PID 1792 wrote to memory of 1820	1792	Mgghhlhq.exe	Mjeddggd.exe
PID 1820 wrote to memory of 544	1820	Mjeddggd.exe	Mdkhapfj.exe
PID 1820 wrote to memory of 544	1820	Mjeddggd.exe	Mdkhapfj.exe
PID 1820 wrote to memory of 544	1820	Mjeddggd.exe	Mdkhapfj.exe
PID 544 wrote to memory of 4296	544	Mdkhapfj.exe	Mncmjfmk.exe
PID 544 wrote to memory of 4296	544	Mdkhapfj.exe	Mncmjfmk.exe
PID 544 wrote to memory of 4296	544	Mdkhapfj.exe	Mncmjfmk.exe
PID 4296 wrote to memory of 4112	4296	Mncmjfmk.exe	Mpaifalo.exe
PID 4296 wrote to memory of 4112	4296	Mncmjfmk.exe	Mpaifalo.exe
PID 4296 wrote to memory of 4112	4296	Mncmjfmk.exe	Mpaifalo.exe
PID 4112 wrote to memory of 4056	4112	Mpaifalo.exe	Mcpebmkb.exe
PID 4112 wrote to memory of 4056	4112	Mpaifalo.exe	Mcpebmkb.exe
PID 4112 wrote to memory of 4056	4112	Mpaifalo.exe	Mcpebmkb.exe
PID 4056 wrote to memory of 3260	4056	Mcpebmkb.exe	Mnfipekh.exe
PID 4056 wrote to memory of 3260	4056	Mcpebmkb.exe	Mnfipekh.exe
PID 4056 wrote to memory of 3260	4056	Mcpebmkb.exe	Mnfipekh.exe
PID 3260 wrote to memory of 1624	3260	Mnfipekh.exe	Mdpalp32.exe
PID 3260 wrote to memory of 1624	3260	Mnfipekh.exe	Mdpalp32.exe
PID 3260 wrote to memory of 1624	3260	Mnfipekh.exe	Mdpalp32.exe
PID 1624 wrote to memory of 936	1624	Mdpalp32.exe	Nkjjij32.exe
PID 1624 wrote to memory of 936	1624	Mdpalp32.exe	Nkjjij32.exe
PID 1624 wrote to memory of 936	1624	Mdpalp32.exe	Nkjjij32.exe
PID 936 wrote to memory of 4812	936	Nkjjij32.exe	Nnhfee32.exe
PID 936 wrote to memory of 4812	936	Nkjjij32.exe	Nnhfee32.exe
PID 936 wrote to memory of 4812	936	Nkjjij32.exe	Nnhfee32.exe
PID 4812 wrote to memory of 2908	4812	Nnhfee32.exe	Nqfbaq32.exe
PID 4812 wrote to memory of 2908	4812	Nnhfee32.exe	Nqfbaq32.exe
PID 4812 wrote to memory of 2908	4812	Nnhfee32.exe	Nqfbaq32.exe
PID 2908 wrote to memory of 1544	2908	Nqfbaq32.exe	Nceonl32.exe
PID 2908 wrote to memory of 1544	2908	Nqfbaq32.exe	Nceonl32.exe
PID 2908 wrote to memory of 1544	2908	Nqfbaq32.exe	Nceonl32.exe
PID 1544 wrote to memory of 4944	1544	Nceonl32.exe	Nnjbke32.exe
PID 1544 wrote to memory of 4944	1544	Nceonl32.exe	Nnjbke32.exe
PID 1544 wrote to memory of 4944	1544	Nceonl32.exe	Nnjbke32.exe
PID 4944 wrote to memory of 1244	4944	Nnjbke32.exe	Nddkgonp.exe
PID 4944 wrote to memory of 1244	4944	Nnjbke32.exe	Nddkgonp.exe
PID 4944 wrote to memory of 1244	4944	Nnjbke32.exe	Nddkgonp.exe
PID 1244 wrote to memory of 3296	1244	Nddkgonp.exe	Ncgkcl32.exe

C:\Users\Admin\AppData\Local\Temp\2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2108434f5df6eb312dee968c9b9ef7b0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3296

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4924

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2120

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4548

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4240

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3580

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4888

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
30⤵
- Executes dropped EXE
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 412
31⤵
- Program crash
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4880 -ip 4880
1⤵
PID:3688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lgbnmm32.exe
Filesize
128KB

MD5
bdeb1a510267e833d1d7ca3f1bbff690

SHA1
9b0b731a554fcdc63b46d6231e24c9408511daa3

SHA256
605f855c9bff8e59447273104f0452b91bce90b6040c0cc907906df778409449

SHA512
eddee743e2d7ab95e72e705f0f312349ad44b1588ae884a692ed0bf7af2edc4c745ce84a152b5322eb063fed4321e55b3243bda10858ac5e3b590300f33982fe

Download Submit
C:\Windows\SysWOW64\Lifenaok.dll
Filesize
7KB

MD5
0f80818f743799a3aff589f52995477e

SHA1
08785f0884a8f3e58bad451fb776a80afcdeabb4

SHA256
f982c49372a05f2bcb841946751157ba08abe4e778bc572d499594d16e9420c1

SHA512
65792083d058441e67db29b5d346f940f2a30a4a0894b12f5d06463a0eb1868f40b1d30c62c948e4aecc38fcdff7deca28ae27326d9c4e4f6e6adbbda3b7cded

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe
Filesize
128KB

MD5
b289861926ad21792946022e67586cc9

SHA1
c9a3f2ce7f708485d123d262219d00cc78d0f731

SHA256
aad7cd20d36307938d48651249f0c9f4909e4452f9c4448afa074ed5604d93dc

SHA512
d08df7e2ec8e1250be4dd540e0af9469ba257a710a39aa5ac29ab994aac0b4ccbee7d61d2f09c27d3375b4815cce341866e929f19cd887910d8d29daf1bf59bd

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe
Filesize
128KB

MD5
d49d3461b24c3741b5e5c64d01a16156

SHA1
ddc91365a714ecc080b70070dc2af4a708e5cb99

SHA256
47a2853babeab97cc1e4c401fe85cf971d92418ac8042f419f2583c27eccdd1d

SHA512
bddfa25720bfb3aa4581d78344782d1ab4c9e619ce39ed5500c941afb55a153f874752893bfcc44327a8a6ff65aad24bd71a1475fb6b50d3aec171fae4ca9f8f

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe
Filesize
128KB

MD5
2caf32998aa51aab32e60fea734b730a

SHA1
0f8f51d6b83bbc367f821b9123e774fc1fdf72f0

SHA256
a8f17f0ed592a54b29dc9df829366ee18e5083c8adbaca6354d51b10b3641591

SHA512
26f324d8dceaafded0f7fb8e790e7923154c6b18b1b368ad48a0a1ea17771b7c4005abbab03586b4c0dea44368b03ed65d8b6ef7d2d9e7c7dcdf9fffb423aac0

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe
Filesize
128KB

MD5
68931708c1b280b665e0f1aac4392994

SHA1
89b86bf6ae8a0c6a171b45a5934f26f4f7541691

SHA256
78c7acc61688e007ccc7fb1ab9cfa33751aff9e99f5df1fd3efd7e2616f2fd1c

SHA512
9f1a57bf9c3216162eeed69bce7f270faeab12445fd72cc677e52d4a97c21eb79a8679c1aa3599b546cc58291d1d1e7d9b095cd73a970655dd7316eef25b0ca8

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe
Filesize
128KB

MD5
1030a2783723a510171d8a822cd5fb56

SHA1
87a9ddb159a27eabef91dffd6f157044872f3ac7

SHA256
3aa141f0b1dd046b3892395a223ec773ee5f8994b99ef291cb3b6fb78d13ecc0

SHA512
c18aa426de88541753bf8deac1252168a15d8c0eb948483f23c7342590e8b56b31d5d7036d77edb3bac1a32bc252db32a1fa9a34430d65d701cc8bfd34567d05

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe
Filesize
128KB

MD5
fa226ca1eee50bb7c42f383eb0bc37fc

SHA1
d7bea8d95a6bac354b2646fc36ad47b248391389

SHA256
c2ff1fc12863468c2cfa07367e4de89d0ff6aba91430c993a469adcca3ea4115

SHA512
b65655f55bbc74ab00ad721e27359e59273b6b1591d21913414ce88d3192dec789c08a3db8cd4e8a111fd9b6284e937315d9a5f10482262472ea89f4ad264713

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe
Filesize
128KB

MD5
ad2011f5300602b9a6f3b393e2a808bb

SHA1
95122b481c46f6f1c8299a03de2b0efcb9cd42a7

SHA256
b70d46b2672c580483acea649fb9ccd679ec40a1443a6632901fca92fc26e615

SHA512
4292d463936f3e4ba2781a47ad300bb9114824b23a91ad4da5a5a1d7dea7b629320e907bed9b5f1edc47e3d725e254365ef57c7649306d1d158e6d7929c11a3b

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe
Filesize
128KB

MD5
45e771dd272fbe7d4a368a4222a10b3c

SHA1
753280995bd1003bc000577eabf506893be21020

SHA256
1979852599ab9a7968b2856ade73068af7ce4b1bb195c40532913d888c317b90

SHA512
a02f52339c9061fe2e5b0d2dcd8c7898ba9798c17edb8b3e74a1ad3eb4d487568995bf38f12132d1b894ed82a2e5c977235758b5e9fc0e1d0cd92de9bdc5a3c1

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe
Filesize
128KB

MD5
6a898590187b9fc28bad407c9ca95895

SHA1
38ab68d4ac94ca6555fdae84e7f8f28012ac77d2

SHA256
b4d0b62a272155b468235eb33645126dbf1050012d05addee69ccaeed8b8ee76

SHA512
0bdcbfe028315d018452bcd525a19729a11012da2c3f40bd5e038bf5c853f140c22e015e949427714900c0854d913e14faa6a9851c692b671a7087d0f49758fe

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe
Filesize
128KB

MD5
433cf8e5d77092d0a9565c7d1579b4b6

SHA1
184a463b1bff496c001e7792eb28afda541afc80

SHA256
a6dd414d5a25e725aa5c8d408a528c8d5548784ab2fe9fde8d0285a78d7b73bd

SHA512
9f97cf11aef02d087fd3a02e24fc00727759315ef4408b2f0e06abba5eb97e10b8e66533032ecf48d247d791ca044f1abfd7e1b9dbb1169fbede719e86cc979c

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe
Filesize
128KB

MD5
d9f27a99ddb00646ed867df99a86aa09

SHA1
c77bbe38f53590243ac0c89ce237299f2f8e6288

SHA256
fe16a54a404169c8ee9ae09d2e540e5104f58196c7fd1388f0896dbf706d3502

SHA512
fe5a2f41a8613a5a2d9e73ebf56bb2a72e0a0966350beefb15760c7ac43e739db7293df9f19d5edb2254834cdb76b1aab1b5aa4ab77f5cbbf78d7daffd79c2f4

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe
Filesize
128KB

MD5
7e15a8f54d3aa0e5c31877224be72e2e

SHA1
4e371b443556a0705ebcbdc28f3729a8a39de850

SHA256
af945cf058789320191d8693328c8f72fce0af868a0626a8e568a55d04a761c8

SHA512
d538efbeba10fe81a0f281f067a4545e20e3c71b4a3115196d087b2f25ee2be8d8080f9be4fdca8ce2c9be59bc7b1df631faea24ea6b4b7bcea4c66f31908c1b

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe
Filesize
128KB

MD5
f5e45b12ff603a8804b0c3d74c475c7a

SHA1
7f27b591a6586c278081e933a29ee8bd92769c60

SHA256
8364a0fc99893d9b8c98a5e8f7ff03d6e64239445b3ff88d153cb42a743bd42a

SHA512
890d32f1a274ec2bcba6a0c66ff721fef890b85590c133fd0705e0172acbfed0a0b4da2740383ef47f7924e2edcfca5bd5922165a9b992431a24f35dde917014

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe
Filesize
128KB

MD5
fb295d82758be69eadfbb643c38b6324

SHA1
fd10e2e58c78edc2c3b4ed137bafcdb1a49e7b90

SHA256
24a61cfe3f6d4de0ff3a0d0b581bfefab5ca570817277746c0e0bf207591e8ac

SHA512
68787fb997cbecb30eac1eb6a9f2a85862bc7a7453a8fbe53f69622c1062a5a0ed8b2d3c3a9b907f3521eb107716a9742bfb40ea652543cfe557dd2766034805

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe
Filesize
128KB

MD5
200a8e29db3a1d6d3bab65d11d11bc9c

SHA1
65b04bcd523638d0e043969f8630ec3492fb5226

SHA256
ee295d6d1f76d4c8f1f103bdd2afa739f0f346c2e0da6490eacc534bb81af1cf

SHA512
d26fbe25adbe00aeb4f2751186916a99f4b7407b63e728e063d25f51ff039cb120f37c3b8054d5cfa65b88c4a25aa94f9208c10dd8b3d3619d3c909c954acd4f

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe
Filesize
128KB

MD5
d748b8aaad6d919a61997e3cccc91f58

SHA1
9616ccc6e34aa8d6cdba8ee40cde78a5706a1bce

SHA256
5f85dc9f6ce4ac1f58756a19f41b916ec7608b330ba58d792fa505291227df02

SHA512
a930c775ec46b87588dc0c7f2f1a5397fde81dec9fb77eeb44f0170515ff1d2dfc9b55a726d54b07ff46f9d70f0310a8c677e4a11211fdcd2178dcdff093bb0d

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe
Filesize
128KB

MD5
f00e6100409b19b5ce70c30e593f94c3

SHA1
4cc982fc8e6ffded35d77e75b70fb6844b6eb5ad

SHA256
913c35231e8292b3b4e60ef9ece760ee7b9fdac521048d8b85a363b5aa049d95

SHA512
54eacbc84675b1692827731c785d70811e3536c93b8ea0676c2919ca4b56993bf65729a631acea2f8fa4d93e59cf9e81a45c208555b266437b468e8f97acab8b

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe
Filesize
128KB

MD5
a5ded7998044332cca46789dcc53f300

SHA1
c95ceb8458a7c91b309add81359ddd8bb02db5a3

SHA256
8aa623f7bffe2dd1d648cea744daad83fc3b631c2040a6d18c77cfe5928b4a43

SHA512
ce97f7e7505a07bcfd457dedcfbc09e428993efc3aef6e74b8c908bf76b4a25e1b0783b302fc78fbf5ba7a3314217450ea79c1df317d2558acf8068bfa118bb4

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe
Filesize
128KB

MD5
16fa259dae4a28ce78f0975f55737738

SHA1
a968365e027f8613aa08a3017b682c5c7e17e3e1

SHA256
a4db61c0edc8c6de5760bba7e8328d8c04645acdfda93ff235180a659690de75

SHA512
968852c41a612deae6a385edd6d88dd74598fc6d0418decb660cee22536b602bf6bcc9dc39a4aba4b6e1f9360b6297015d6ebbd9172c77bd11ba9f2c9829348b

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe
Filesize
128KB

MD5
1c6434c191858721b626f3fa248abc0d

SHA1
b7b2f1cb3791b1969f9f4138e1e06ebb3e668e20

SHA256
4be0f85e2d330969af247695a77c78f3ad29a9bc9a46fd2f48f2c7c1dbfd2cbe

SHA512
9e2b83dc0025ffda7ed4b630aee2bb21ff536f6553621607828e0f53967522da0836b104ff24750b8b31af830e3d5b42fbba8a968655b6f46ba5695f3d200498

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe
Filesize
128KB

MD5
f977da707a1dc46f84c05ec1dc82d431

SHA1
4ced5c6270cbcb4864700a49ceed04760fe116f2

SHA256
c6990b219d8b219495bdbbb5c575e01ff95404f713a01b7d2b65f04023b35124

SHA512
2d99e80fd3ec9b94f337617f6eb6a1dea4e10fdbb9faf1ff701387846859eb94b002e8d2ffb6852c212777339e8c2e11e659e8c2b77ce955755190c4e6075e8a

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe
Filesize
128KB

MD5
ac95a2bf050150c0ca78540951138df6

SHA1
b5eef4e9398764323ae4929df50c2ea775f377a6

SHA256
aac1f5f852d4caaa2b00cb132eb837254dcacb6313c3635122970b8ce8c91f7c

SHA512
25708cf4e58bdee9734d974994a775db7ca643d76e78730ae0d858520ce335b58334111e12da8083d49ac7fab02992b3d00b0dcb4c4717f15058391742522384

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe
Filesize
128KB

MD5
747f0e42c24688371809f5c14fa163df

SHA1
2c14367ace42a80213b0a3d53b6f209415c41dfb

SHA256
ef0e81e12938986f07f46fef62a39ea6e51bad3a8e513e8ed887ac6bbfc403c1

SHA512
f65cc93003a53e8c48818f6b7f5761535c961da872ab468c4542adf9e1ebc0292a4eda11f939cb090ac1055d65c89e30769df9f4e16afc40bb175ffa55b3ddcc

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe
Filesize
128KB

MD5
620acfb24f13386cd8127d04d9b96b05

SHA1
0f9910f199006895a57d33b5a112d1c1f30764e7

SHA256
ba3505fa54297fc54eb596dfc8f3b54391770b6a803855b44f5993d18069d616

SHA512
9b54bb1c6239df7eab6a47c2b75a71df8c1235f02223f1f338521aa68996abf5548f5235c64d7d0a3a59ea64f75f919a5ea9cf68ab810c3fc72bf711c5944596

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe
Filesize
128KB

MD5
1c58662839185ea0dded7ed3415b9c4f

SHA1
714cabaf5983d938644109a51fdb39b63ce318b0

SHA256
92e6ec323cdcf58db1f5d7034b567c9c50b5dd59845678f12ac723ed80516e10

SHA512
586ae6eff0a585f9f56847551052cdddf6ae934fa9157469f73f2fbefb466f7a2ab0de0bee224b2a2898513db6e9daf411089187cf6f4e7357ecbc7e95bec8eb

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe
Filesize
128KB

MD5
d00386ba928ff18b6ae8941b62b04f15

SHA1
c7ecb80563fa8365362b4b0f152e703218c875eb

SHA256
af147a8b388345f2587e18c46c88b73ec09aa37be471f5959771a667025402fa

SHA512
e9dc04805d3b7103ffc192d85a771ee5d0daff08fb561cbf67103289e69f907b36f107aa76ba56a8e5f38e3ec8bb699716594e5e2117b9897e54567c342f8629

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe
Filesize
128KB

MD5
2ed3a43d3f03b5ac7b1b1c1eb06ccfbb

SHA1
41430290490bc98e19b5d91011bb61bbed9de403

SHA256
567e55ea560be6811855a88bd6fb5c4e45b2ff77dfb163403c54d547b0f17f32

SHA512
c9adf92a602e821e028c212a9405f248fafd55e20525cbbd7a04ec36d4b491cfa0407f5a58ebac00de39f1184aa17b5cd50069583f0f4ec94f11e1e5d21c835e

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe
Filesize
128KB

MD5
c9816a4e2574f1fbf9deb2015e49e178

SHA1
0f8c8e1394e5abb31d21027f586e08c82a11df2f

SHA256
1b3dd308707ebe3b73110541cd38d558655f5db2c4a77afa8ea8265a413607f4

SHA512
443a4819c6c777002a1e99614b6df169ff4e4782f3ffef3f3bdec91b80a599f820e71af1bbecdb315db29035184ef281bd1865b6292412569a3768972daffc1f

Download Submit
memory/544-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/544-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/936-245-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/936-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1244-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1244-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1336-36-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1544-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1544-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1692-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1792-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1792-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1820-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1820-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-237-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2788-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-243-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2972-254-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2972-12-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3260-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3260-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3296-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3296-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3580-235-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3580-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4056-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4056-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4112-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4112-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4240-236-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4240-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4296-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4296-249-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4536-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4536-253-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4548-204-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4648-52-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4764-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4764-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-51-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4812-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4812-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4880-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4880-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4888-234-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4888-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4924-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4924-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4944-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4944-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download