7c72dddec14936b2f3465c48c6bc19fd18620620280c031506b844580ae5e229

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 00:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ae60e800052ea37a981e90ebc48e0200_NEIKI.exe
Size

1.7MB
MD5

ae60e800052ea37a981e90ebc48e0200
SHA1

297e26268fd8c4d4f2805c52895d57f4240c1077
SHA256

7c72dddec14936b2f3465c48c6bc19fd18620620280c031506b844580ae5e229
SHA512

555113367a9c08d833fb24b7d6f9bb95c87eaff5e9256874d6a5a51a9e4be3853afa07d4fc6e7d94847746c493f703430e4a4e473f48ba8109dd5a7e19eeea3c
SSDEEP

24576:udq5hL6X1q5h3q5hPPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHb:u+6BbazR0vKLXZb

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ae60e800052ea37a981e90ebc48e0200_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ae60e800052ea37a981e90ebc48e0200_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe

Executes dropped EXE 10 IoCs

pid	Process
4456	Kkpnlm32.exe
3264	Kdhbec32.exe
4816	Lkdggmlj.exe
992	Laopdgcg.exe
3956	Mpkbebbf.exe
2132	Mgekbljc.exe
4956	Mkgmcjld.exe
4916	Nqfbaq32.exe
2272	Nnmopdep.exe
4756	Nkcmohbg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	ae60e800052ea37a981e90ebc48e0200_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	ae60e800052ea37a981e90ebc48e0200_NEIKI.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	ae60e800052ea37a981e90ebc48e0200_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mgekbljc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1596	4756	WerFault.exe	91

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	ae60e800052ea37a981e90ebc48e0200_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ae60e800052ea37a981e90ebc48e0200_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ae60e800052ea37a981e90ebc48e0200_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ae60e800052ea37a981e90ebc48e0200_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ae60e800052ea37a981e90ebc48e0200_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ae60e800052ea37a981e90ebc48e0200_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nnmopdep.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 4456	4352	ae60e800052ea37a981e90ebc48e0200_NEIKI.exe	79
PID 4352 wrote to memory of 4456	4352	ae60e800052ea37a981e90ebc48e0200_NEIKI.exe	79
PID 4352 wrote to memory of 4456	4352	ae60e800052ea37a981e90ebc48e0200_NEIKI.exe	79
PID 4456 wrote to memory of 3264	4456	Kkpnlm32.exe	82
PID 4456 wrote to memory of 3264	4456	Kkpnlm32.exe	82
PID 4456 wrote to memory of 3264	4456	Kkpnlm32.exe	82
PID 3264 wrote to memory of 4816	3264	Kdhbec32.exe	84
PID 3264 wrote to memory of 4816	3264	Kdhbec32.exe	84
PID 3264 wrote to memory of 4816	3264	Kdhbec32.exe	84
PID 4816 wrote to memory of 992	4816	Lkdggmlj.exe	85
PID 4816 wrote to memory of 992	4816	Lkdggmlj.exe	85
PID 4816 wrote to memory of 992	4816	Lkdggmlj.exe	85
PID 992 wrote to memory of 3956	992	Laopdgcg.exe	86
PID 992 wrote to memory of 3956	992	Laopdgcg.exe	86
PID 992 wrote to memory of 3956	992	Laopdgcg.exe	86
PID 3956 wrote to memory of 2132	3956	Mpkbebbf.exe	87
PID 3956 wrote to memory of 2132	3956	Mpkbebbf.exe	87
PID 3956 wrote to memory of 2132	3956	Mpkbebbf.exe	87
PID 2132 wrote to memory of 4956	2132	Mgekbljc.exe	88
PID 2132 wrote to memory of 4956	2132	Mgekbljc.exe	88
PID 2132 wrote to memory of 4956	2132	Mgekbljc.exe	88
PID 4956 wrote to memory of 4916	4956	Mkgmcjld.exe	89
PID 4956 wrote to memory of 4916	4956	Mkgmcjld.exe	89
PID 4956 wrote to memory of 4916	4956	Mkgmcjld.exe	89
PID 4916 wrote to memory of 2272	4916	Nqfbaq32.exe	90
PID 4916 wrote to memory of 2272	4916	Nqfbaq32.exe	90
PID 4916 wrote to memory of 2272	4916	Nqfbaq32.exe	90
PID 2272 wrote to memory of 4756	2272	Nnmopdep.exe	91
PID 2272 wrote to memory of 4756	2272	Nnmopdep.exe	91
PID 2272 wrote to memory of 4756	2272	Nnmopdep.exe	91

C:\Users\Admin\AppData\Local\Temp\ae60e800052ea37a981e90ebc48e0200_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\ae60e800052ea37a981e90ebc48e0200_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Windows\SysWOW64\Kkpnlm32.exe
  C:\Windows\system32\Kkpnlm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\Kdhbec32.exe
    C:\Windows\system32\Kdhbec32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Windows\SysWOW64\Lkdggmlj.exe
      C:\Windows\system32\Lkdggmlj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4816
    - - C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:992
      - C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        11⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 400
        12⤵
        Program crash
        
        PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4756 -ip 4756
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
1.7MB

MD5
39dba7d007d6f36c4a59b6b231038d08

SHA1
34d06332bf47abc4d9e78b30883f904622752b13

SHA256
ceebca7ac386443334d5eda08c20b9cd3176a7adb8e25bfe4f8eb527b46930e3

SHA512
2b221c6ea16ff0f4df9b87357e73c55f115fa570eaff608fb79e103de69eff785c7bec23a53fb20934d3599892037cd4ad8127ddd110aee9b3c3a251260cea88

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
1.7MB

MD5
76aa62f610669fd5b6699b3e0738d834

SHA1
139fa7d45c874256797de6b13db9d714847b108f

SHA256
cdeed2517224de3f14bbfce68f016f8e979ef3f0ab715e13a30a9496c4f38709

SHA512
2548560c65771103b2814b8af5f24520bde9d5b3d86fafbb1e2bb6dad3776e13462b5e552cba6d4f730e558267951b5099f266e1b8a82d88c5cf3ec7cc764ebd

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
1.7MB

MD5
af45a6cd7175390c77f61450987de98c

SHA1
78cab2c347d48fa000cd45ec6e887ae46b199991

SHA256
2bdc93f5c73cc710f4a899cd939615d669590c975d61262549e9082e7d4dca48

SHA512
a3847886b10460444b2e3edc680ac5578939778344842002bf7ee4de471b13f0513c509f2ef6d10b9ae2329e318c3f2068f2355ca81fdb068f71b65dc921b8a1

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
1.7MB

MD5
da2c92eacdb41bf2cca71e06f62bf9f7

SHA1
80cd65ea4198165ed2d959d8a38f50006084628e

SHA256
af59ea13484516948150ccdde837e53cb27b041a13b670534851fa8042fef7a5

SHA512
97d3e14a11eece9591e567aec988bbb6316aa171b99389d987cc68b6f606820fa5911fe78f5e19a33dd87eac33227a29d28a911c04e1bb76a9995eeb2f0691f9

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
1.7MB

MD5
1f4f3aa34bb81b20e443a40cf4480c27

SHA1
44efdd040109a9a4fc949fa904efe1bdde853e8a

SHA256
ea94b8967e33bccf527bc537120fede4df6dd458b30de425808ee017e543bb1a

SHA512
3d1e8f74ef9e0fb5134e237dc3cfdefe141131462ef0e62decc819df1e88e7538b029759f8ca44fa2c2ec1e75c3be4d06d7ae3d627adf068aab0ba670c7133ce

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
1.7MB

MD5
d86a741f0e43171fa06d7470732bc5a7

SHA1
fd1bb9a86b350ef7ba90e37bf076886367fc4747

SHA256
0e196c02ec4ddff77bd71e8dd0735cfd8a6ab534e828c1179e42a93570742779

SHA512
6ad7cb6a906531a28a00eed6f065d176646adaeaf1f7b7a91095d322c8fcb9139a1a53c2d8953230c7169de67ac0a6a7867f695b38cda5f31097cbf31c8f4ca0

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
1.7MB

MD5
51eb6511724f48c15c8021c87cf0b26b

SHA1
58eb1a318b06d7e3c4763b4fccb6da2686911719

SHA256
8c792eb1e153f036efe1abc81bd8f1c67146bca07b32767e3287dbd80fd54ef8

SHA512
f707f8c8d5d374599ad9511bf17a83ad48e0ad3e3f7853062b5d06d58592f9e7eed863c36b210639d2ad9f28d4dd200fd6f1909cf4767a222ec8c3b6ad04f108

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
1.7MB

MD5
c25addab0185103bd6623c5b7dc5d33b

SHA1
afda500585c3491d203682016d8f250ca4be061f

SHA256
20c2b9e2c1330e5508dfe1350a5358d0607ca4412bdcd14d61e6d21873a39d73

SHA512
f56294584a498c9481131f070f6a1afa239bf2e6e680c9660390c5376c58ef877ea74d1e73b69d8724c0f2e44f3eb90309545ff9b5762cb0c682ca109c778632

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
1.7MB

MD5
46f57f6a0b81b6ec767ad23dc168bcbf

SHA1
02c22a73243b60183151191217dbbc6680c54c84

SHA256
ba6114022b42d076a2601bc57eb47d240d8f87ab9a39e14da4d001df04e8bd3a

SHA512
ba541fee490bd5117abd9c864146712714bb3e16b23176355fc0501d17bc60b58861a78d8585f293de96fa155a0f9ed14ea08640f8f16b4ebc86a68a666b51a2

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
1.7MB

MD5
a001284faadeb71604388765d6d986e3

SHA1
c703f7b4de24b0b77e07a26457f930576d7b6ca3

SHA256
86cc9f83f81956edd7796ce71a784039f249cd47f551b79d5a84d69844f95d4e

SHA512
d054dbbb4179e1da2cb3138d62990c174792e2b7faa8072ab175772e7c2a8494a73f9c9fb16a1f7696d0abd48b02a2bfc272e2c1b2fef88ba736c88a473cddc1

Download Submit
memory/992-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4352-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads