6ebe0dc67eb9ea0bedba32d4a70cf11176f2a313a1d9c59a2306f604093bcf49

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd84ca2092ebf726970fb4f37e22a270_NeikiAnalytics.exe
Size

340KB
MD5

dd84ca2092ebf726970fb4f37e22a270
SHA1

762738a2eeb89b04a9b3d8c59287db7eafcc8f23
SHA256

6ebe0dc67eb9ea0bedba32d4a70cf11176f2a313a1d9c59a2306f604093bcf49
SHA512

0123347811821edf178d0ec139f3adaabc89ec3522f7a88cc00e12bfad8c179deb3bfe110306c71dd7bade309ca0dc4108daee5d570246e2ce27a1edcae3df40
SSDEEP

6144:3ccHa2qTm91Y1NEUIyedZwlNPjLs+H8rtMsQBJyJyymeH:3ccHVqTm8/kyGZwlNPjLYRMsXJvmeH

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dd84ca2092ebf726970fb4f37e22a270_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	dd84ca2092ebf726970fb4f37e22a270_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe

Malware Dropper & Backdoor - Berbew 32 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x00090000000233dd-7.dat	family_berbew
behavioral2/files/0x000700000002342a-15.dat	family_berbew
behavioral2/files/0x000700000002342c-23.dat	family_berbew
behavioral2/files/0x000700000002342e-33.dat	family_berbew
behavioral2/files/0x0007000000023434-55.dat	family_berbew
behavioral2/files/0x000700000002343a-76.dat	family_berbew
behavioral2/files/0x0007000000023442-104.dat	family_berbew
behavioral2/files/0x000700000002344a-133.dat	family_berbew
behavioral2/files/0x0007000000023450-154.dat	family_berbew
behavioral2/files/0x0007000000023456-175.dat	family_berbew
behavioral2/files/0x0007000000023466-231.dat	family_berbew
behavioral2/files/0x0007000000023464-224.dat	family_berbew
behavioral2/files/0x0007000000023462-217.dat	family_berbew
behavioral2/files/0x0007000000023460-210.dat	family_berbew
behavioral2/files/0x000700000002345e-203.dat	family_berbew
behavioral2/files/0x000700000002345c-196.dat	family_berbew
behavioral2/files/0x000700000002345a-189.dat	family_berbew
behavioral2/files/0x0007000000023458-182.dat	family_berbew
behavioral2/files/0x0007000000023454-168.dat	family_berbew
behavioral2/files/0x0007000000023452-161.dat	family_berbew
behavioral2/files/0x000700000002344e-147.dat	family_berbew
behavioral2/files/0x000700000002344c-140.dat	family_berbew
behavioral2/files/0x0007000000023448-126.dat	family_berbew
behavioral2/files/0x0007000000023446-119.dat	family_berbew
behavioral2/files/0x0007000000023444-112.dat	family_berbew
behavioral2/files/0x0007000000023440-98.dat	family_berbew
behavioral2/files/0x000700000002343e-91.dat	family_berbew
behavioral2/files/0x000700000002343c-84.dat	family_berbew
behavioral2/files/0x0007000000023438-70.dat	family_berbew
behavioral2/files/0x0007000000023436-63.dat	family_berbew
behavioral2/files/0x0007000000023432-48.dat	family_berbew
behavioral2/files/0x0007000000023430-40.dat	family_berbew

Executes dropped EXE 53 IoCs

pid	Process
3376	Lddbqa32.exe
3772	Mjqjih32.exe
552	Mciobn32.exe
3536	Mjcgohig.exe
3000	Majopeii.exe
3740	Mdiklqhm.exe
1440	Mcklgm32.exe
3264	Mgghhlhq.exe
3020	Mkbchk32.exe
4064	Mjeddggd.exe
2444	Mnapdf32.exe
2372	Mamleegg.exe
2988	Mdkhapfj.exe
876	Mcnhmm32.exe
5024	Mgidml32.exe
4472	Mkepnjng.exe
3304	Mjhqjg32.exe
540	Mncmjfmk.exe
1852	Maohkd32.exe
4240	Mdmegp32.exe
4352	Mcpebmkb.exe
1692	Mglack32.exe
2216	Mkgmcjld.exe
4988	Mjjmog32.exe
1668	Mnfipekh.exe
4164	Mpdelajl.exe
4048	Mdpalp32.exe
4972	Mgnnhk32.exe
5072	Nkjjij32.exe
3104	Nnhfee32.exe
1248	Nacbfdao.exe
764	Nqfbaq32.exe
4968	Ndbnboqb.exe
2788	Ngpjnkpf.exe
392	Nklfoi32.exe
1592	Njogjfoj.exe
640	Nnjbke32.exe
2508	Nqiogp32.exe
2068	Nddkgonp.exe
4412	Ncgkcl32.exe
1488	Ngcgcjnc.exe
1864	Nkncdifl.exe
3544	Nnmopdep.exe
3344	Nbhkac32.exe
2892	Nqklmpdd.exe
636	Ndghmo32.exe
2180	Ngedij32.exe
5088	Nkqpjidj.exe
5068	Njcpee32.exe
1704	Nbkhfc32.exe
1636	Ndidbn32.exe
4680	Nggqoj32.exe
3356	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	dd84ca2092ebf726970fb4f37e22a270_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4000	3356	WerFault.exe	136

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	dd84ca2092ebf726970fb4f37e22a270_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	dd84ca2092ebf726970fb4f37e22a270_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	dd84ca2092ebf726970fb4f37e22a270_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 3376	3776	dd84ca2092ebf726970fb4f37e22a270_NeikiAnalytics.exe	82
PID 3776 wrote to memory of 3376	3776	dd84ca2092ebf726970fb4f37e22a270_NeikiAnalytics.exe	82
PID 3776 wrote to memory of 3376	3776	dd84ca2092ebf726970fb4f37e22a270_NeikiAnalytics.exe	82
PID 3376 wrote to memory of 3772	3376	Lddbqa32.exe	83
PID 3376 wrote to memory of 3772	3376	Lddbqa32.exe	83
PID 3376 wrote to memory of 3772	3376	Lddbqa32.exe	83
PID 3772 wrote to memory of 552	3772	Mjqjih32.exe	84
PID 3772 wrote to memory of 552	3772	Mjqjih32.exe	84
PID 3772 wrote to memory of 552	3772	Mjqjih32.exe	84
PID 552 wrote to memory of 3536	552	Mciobn32.exe	85
PID 552 wrote to memory of 3536	552	Mciobn32.exe	85
PID 552 wrote to memory of 3536	552	Mciobn32.exe	85
PID 3536 wrote to memory of 3000	3536	Mjcgohig.exe	86
PID 3536 wrote to memory of 3000	3536	Mjcgohig.exe	86
PID 3536 wrote to memory of 3000	3536	Mjcgohig.exe	86
PID 3000 wrote to memory of 3740	3000	Majopeii.exe	88
PID 3000 wrote to memory of 3740	3000	Majopeii.exe	88
PID 3000 wrote to memory of 3740	3000	Majopeii.exe	88
PID 3740 wrote to memory of 1440	3740	Mdiklqhm.exe	89
PID 3740 wrote to memory of 1440	3740	Mdiklqhm.exe	89
PID 3740 wrote to memory of 1440	3740	Mdiklqhm.exe	89
PID 1440 wrote to memory of 3264	1440	Mcklgm32.exe	90
PID 1440 wrote to memory of 3264	1440	Mcklgm32.exe	90
PID 1440 wrote to memory of 3264	1440	Mcklgm32.exe	90
PID 3264 wrote to memory of 3020	3264	Mgghhlhq.exe	91
PID 3264 wrote to memory of 3020	3264	Mgghhlhq.exe	91
PID 3264 wrote to memory of 3020	3264	Mgghhlhq.exe	91
PID 3020 wrote to memory of 4064	3020	Mkbchk32.exe	92
PID 3020 wrote to memory of 4064	3020	Mkbchk32.exe	92
PID 3020 wrote to memory of 4064	3020	Mkbchk32.exe	92
PID 4064 wrote to memory of 2444	4064	Mjeddggd.exe	93
PID 4064 wrote to memory of 2444	4064	Mjeddggd.exe	93
PID 4064 wrote to memory of 2444	4064	Mjeddggd.exe	93
PID 2444 wrote to memory of 2372	2444	Mnapdf32.exe	94
PID 2444 wrote to memory of 2372	2444	Mnapdf32.exe	94
PID 2444 wrote to memory of 2372	2444	Mnapdf32.exe	94
PID 2372 wrote to memory of 2988	2372	Mamleegg.exe	95
PID 2372 wrote to memory of 2988	2372	Mamleegg.exe	95
PID 2372 wrote to memory of 2988	2372	Mamleegg.exe	95
PID 2988 wrote to memory of 876	2988	Mdkhapfj.exe	96
PID 2988 wrote to memory of 876	2988	Mdkhapfj.exe	96
PID 2988 wrote to memory of 876	2988	Mdkhapfj.exe	96
PID 876 wrote to memory of 5024	876	Mcnhmm32.exe	97
PID 876 wrote to memory of 5024	876	Mcnhmm32.exe	97
PID 876 wrote to memory of 5024	876	Mcnhmm32.exe	97
PID 5024 wrote to memory of 4472	5024	Mgidml32.exe	98
PID 5024 wrote to memory of 4472	5024	Mgidml32.exe	98
PID 5024 wrote to memory of 4472	5024	Mgidml32.exe	98
PID 4472 wrote to memory of 3304	4472	Mkepnjng.exe	99
PID 4472 wrote to memory of 3304	4472	Mkepnjng.exe	99
PID 4472 wrote to memory of 3304	4472	Mkepnjng.exe	99
PID 3304 wrote to memory of 540	3304	Mjhqjg32.exe	100
PID 3304 wrote to memory of 540	3304	Mjhqjg32.exe	100
PID 3304 wrote to memory of 540	3304	Mjhqjg32.exe	100
PID 540 wrote to memory of 1852	540	Mncmjfmk.exe	101
PID 540 wrote to memory of 1852	540	Mncmjfmk.exe	101
PID 540 wrote to memory of 1852	540	Mncmjfmk.exe	101
PID 1852 wrote to memory of 4240	1852	Maohkd32.exe	102
PID 1852 wrote to memory of 4240	1852	Maohkd32.exe	102
PID 1852 wrote to memory of 4240	1852	Maohkd32.exe	102
PID 4240 wrote to memory of 4352	4240	Mdmegp32.exe	103
PID 4240 wrote to memory of 4352	4240	Mdmegp32.exe	103
PID 4240 wrote to memory of 4352	4240	Mdmegp32.exe	103
PID 4352 wrote to memory of 1692	4352	Mcpebmkb.exe	104

C:\Users\Admin\AppData\Local\Temp\dd84ca2092ebf726970fb4f37e22a270_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dd84ca2092ebf726970fb4f37e22a270_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Windows\SysWOW64\Lddbqa32.exe
  C:\Windows\system32\Lddbqa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\Mjqjih32.exe
    C:\Windows\system32\Mjqjih32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Windows\SysWOW64\Mciobn32.exe
      C:\Windows\system32\Mciobn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:552
    - - C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
      - C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        54⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 400
        55⤵
        Program crash
        
        PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3356 -ip 3356
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
340KB

MD5
25909d348ea06b17bb847f7bcb286707

SHA1
f3f50077799e139f6db9479053c1025b41058868

SHA256
5eca77f03fa8b3b636e6358883bd55767cdd85b6fb67914c61ce856878a2ff75

SHA512
e945de7cc4248a431ab6574f289a0b76bfe721a157cdeaf1566cbcebdf91556cf63b7a0fce4b6c2bb91e269df828b6a82727a46e8f538495b795fdd03274b484

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
340KB

MD5
da3d2f2637e5ca51d5245749689f4adb

SHA1
8618fb35a41038d405993815c120d0756340141d

SHA256
b15f18ebe880862ed7fb949ebb3b41e598b2d4dfe522365e00de0ecfe4fbd497

SHA512
ae0728abfa6d96adc651594b0ce4b24bcfb0d06a756bee0d59ae9d715c3a1ce9ff0f5d27feb6e4a8e0a656bd73cab21b765bdc0f5f244468d611aaba971eafc7

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
340KB

MD5
5ff9b5bae86037f4c2d8111355659719

SHA1
1ad9eff036f566b9aaf6340f1c8c771c4682dec2

SHA256
fad6343ae180828158a0fe4f139cc766848f180ebc18f1b0f7f74009ddd26470

SHA512
50dbb1fc37a62eb5ee21f5b9f1d9a36e8cd9bae67bf4bf3db01af274b3187bc81b23c188c3766b6dd47cec4486136122a3c94c72aa9950d9255ee35d54618ed4

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
340KB

MD5
f6cea359ce1ee4b05676482927cd7d8e

SHA1
18e94a60db50c08b4e0aed1f54d2778015e1ae1e

SHA256
e121afb509c13e36374d460c747a24972f36349db2502bd50bc8c6ad6ea06675

SHA512
87cfa23cd1099440e1b1a9adfd30ba477228cb9811cf9a0273329263bab760852b92bf3830be8734a7bba8802519e15ff7324e5ae0c209adce7d5ef89295f175

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
340KB

MD5
c0d3464553a45748d31d0ea19b23f455

SHA1
82df271d54236ecfb043ebf8afa97f8b24d0bd40

SHA256
052f491be8a3e23d620a135d374e9bcc93c50d6049897a4b59676432f07440ea

SHA512
31c456cef847c97fe8c8995c6665313101feb7f4388f14d17f016aa4e47c04730b0c55658ef68d093def9bd145f08903a41f88ff78f051e65cdab2a5b3f540ba

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
340KB

MD5
2ff08fc8da0f2a08ff965ec32196c361

SHA1
29540affc58d0e86f0a2c906d336c0f6b67ddf1c

SHA256
a0f9c383727a0f84057445875df95fd75e40f2983bf5347517fe3a665a286268

SHA512
000357264112ed194f107ab317a7aab81ffd035fc64f48f28ec5a5364f044a1ec7d05838993e0acd5bb231775e132a48e75bdab645ec9f242d2bf9e6e9540ec3

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
340KB

MD5
b6cd9ef8f9a3725ff59007e85fc9b7e4

SHA1
b14534ce27e2ae51ccf3723d27d1201ce5e9b7c5

SHA256
4bdaaa2e6bec0692e062b455cbd70533cad9f0555df67fbe5f3497e503b091fc

SHA512
8bd0f9d95b503722b0f09102ebce87d5a419d55911b028fab2a58c5d867af9d19d7146c15b4c0928abb072559b0af6055485fd0107761b2f119b784f0268efa9

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
340KB

MD5
8e0f3678712d9c09b39683e2636f86d6

SHA1
a0d68b70880f7f1e6cbc5e6ff51a7189480d826a

SHA256
db1d0d3b008c925163f06af4d13049bdc7b4b5c7f97dbebef39be0c26c690d94

SHA512
d18492e32ff502c0fe1add423bda211a8bec84eab5bce575f4e26813c09c5733edbfbc914e1d243ae25440f478fdd5a3b6b2cd0b73b151b8b34d3689d5ab9730

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
340KB

MD5
060900164c0e86d345544c44038e5236

SHA1
07125df5f6c18823fb00ed0ce5010024e7af7827

SHA256
e1aad7bb2fb5ec0440085c7ed92dc253c553980e33177023f1d511b481c1ce82

SHA512
a4dc6234b45447a4337feeeb341386e225e03ebdbf433945dcdbbb82cb2c1e4a9fdb0c838ac9eabfe5aa78eb48159a20a42013ddaf3d3aa096f5179b0988d2e5

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
340KB

MD5
ad71c6c1e9ba34c4e027ceb09a5a5f58

SHA1
404b340f2e96f0b922669fbdbfe5c3d214e05144

SHA256
d43fb8b1cbe5f57048e633028f31138f1f8290c34995ec0ac64cdfdfc4a49459

SHA512
91e530fff1b5b5b7644cc26b53bb9346e3f3ead6398dcce9a531f11b29242e124c1592d954abf16f8d7c65c2740e9d9e6081f6c5a775cda5ec5d1a8a6ce99aa4

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
340KB

MD5
cbf1f180905425f85959b859b996087b

SHA1
be21ea3eef41881c85dee1b8d4faa0e2be6b4aba

SHA256
56bcdf7d8d772606c2d4f0908ec92efb5d222cba3deaa7163c41770b4d6c747e

SHA512
8932ab748b3ae9e0811293c02040978d7bc5c12297fcd7e9bcb70bd80828ab618f82bf82915477bca2351fb9d64d994defcb6e9129bbb54abba7908ddc24f9da

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
340KB

MD5
335ce194aed3570243a3d36040021e50

SHA1
073433008017d3f9cba9712ca7df791ba12ceacd

SHA256
68dd14efb4ed97bed78a116107a3431322a75ee31a5439afcf5b5882aa349a52

SHA512
119d7d515eb1702bf9d1c188e66154b83701d20300333b76afac80e0e3378dffd7ed976600034d38a506e8966b7145e384b1d40fb7653f22862f7ffe5c4fb869

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
340KB

MD5
9a4b8067333f7c07b13c4cbd77936676

SHA1
608dae6e5f9fa13c84a11c3e7fb558294fc11e39

SHA256
970f427744ddadc19ccbc93f122ef099f738a73227997fa8900c9664131f3216

SHA512
c00d5bc86419408eff9024c7a7cea5f33d606f58da419ea1765802fcc2d881eda5620cfca783d6a0ef0c413ee0627ee1444e143948cee7965a236729e2218361

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
340KB

MD5
080e1ecfbc97dcd0e9069b13d584547e

SHA1
57fc4a82c8017d619799e2c89a8ea1ebc81ad737

SHA256
562c9f3a8af4fd82f805223f5f9c282c9921c0daa4567e2afcdda1e8cf882d28

SHA512
9ec37ecdddf70de721461df6de1fb5a4514af987444b1e73e108f74bdd174efe8cd72f067319f9b6bc0a50fa3de1caed60c65ee18b010447bcd9250c7b7b9a14

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
340KB

MD5
312c5b2c21ddea90450d5fb9752065db

SHA1
ffe4762110ee2c8a1c7de39285d8b0c9e4432792

SHA256
5c12b337dc9686b7c384dafee0013d75f26a902ba0c3d45225f5d38ee587ae48

SHA512
c6930a0ee8f4c0c2123e747885e0d77cfa48c825b6a49e5212c9554a89aac1a3d6b438b179d674a270d8e9ffc48b15b4718ac43ad5e044f7bc8f8b147bc0b288

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
340KB

MD5
0d0144fb12b7a9e5d1a244ad3438493c

SHA1
cbcc276ba4f44200b61befa5fcac801487e960d4

SHA256
033f2ff2fa9e412eb8fa6c5f98a161235714e0356fdd8daf97dd8b802f4f2850

SHA512
07aaac1131fb7abc8672b45b9f960ccb5a170c2c02c4ae29cf4535f870b61a91ca3b1b141df2fcaa197c5313a66b4f53385b8d2530183b4f4a9bff9196bfa81a

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
340KB

MD5
5ba7f9224a8fb100da9151cb546122c1

SHA1
e051c2d5ef225c571d339cfea04a5e8456c644de

SHA256
e3d5c9c68057e7929fd8594af1c072e20366b7f49b05237963511033ad7b0722

SHA512
4361eef180cfd222c24ea5e52d13d64b162fc15733b756a97ee67bc625b47a96bfbbeb136a093c3298eeb6b8857e356eb727f413796a95ac59ddc6ac8c7fcc5e

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
340KB

MD5
445348ba6373afc1d5d37c2dd22cc1b8

SHA1
3b3b69fefb14601a1f16431216a5289d080b846f

SHA256
8e63d96b5d10bb6c9d4f77897ef06dd73b438f1d90583edcf4d8cd4ed21482a9

SHA512
2fb6cc20e7966652178ce9523c62bad737fe002169562960f22a35a0ff5eb5946757aee44933269d106b06afbb265f63789e56f1165b8fcee659cc27730479bc

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
340KB

MD5
6337d473d131ba2bd2b7232b9c7cc719

SHA1
06bf0ca73e89cbe31b6f84c2fce7c53904c02f3a

SHA256
345f1efba5b5204a66cd2f318152778cc4ff4753d74d79e756eb08ab234eb0eb

SHA512
0b47b39d7885e008f3fd4640324397f08b51e4cd3523e58f0669fda6671771e768f661ddbd64f72f28c0362d6b43ef2ced0c16780f63c61786e70016c3b74ac4

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
340KB

MD5
e8dd32ccf025db8591d101e96f5f6220

SHA1
78c58481068397dd371afaaa269f6f3af3e031ae

SHA256
864ecc82c50949febbc2b0b95ba8d3843f5b26932cc1126c6f739b4ed0d944d9

SHA512
f2a44fc533ec1324eb0415f40e7012e76afc8cdd35da035fc0e55ec84950eee6cac9da4b6ed3df1ece7adc43d1d6a9e1ef648766cfeb5292ec731565d8c96dbf

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
340KB

MD5
82eedde08b0f93125e85165c32390f0a

SHA1
ec1d74e7fbb7fbd733e24da55c02ba64449d640e

SHA256
0ff3e0cd41cf765e21f42be7d3a2437e5a61b9428c63d9030035d3ee92840719

SHA512
b56989ecdefae9167bd866d8d4d1515a2c4460ea40d9977babfa9af00d089f2390f35809ff204fe98f6758b97c6a960614b2b7f388264acc58fe5b17a07123d0

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
340KB

MD5
0004894f948863e75c394c9601379779

SHA1
4de6c1306b7d12acf231cd9947cf047e8946425f

SHA256
c67c1c1b9ffadef764bb418d398aecc81ca39bd95a9648e8840ad1361ce01977

SHA512
079d114ca51aa473e40a55b30e43f2b8aa87d1a4ca61b62c0f9bf218fc9e5cbb974c4cf32773d3fd91929bc7cfcc76509282c6618e0e5b862457eea168c29e0e

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
340KB

MD5
b4c08f99577127bcd5117f2b6718019e

SHA1
af40ff46e8414877f40c79abd9eeb943965cff51

SHA256
046533957d381b21a1caa29a79c4bb783bbeb399eb341cd13993cca3ca295b84

SHA512
c84348593240fdee79aa6c84c778335aa55c6cc37c6f1c130478888818de5dd0ae8b3cf5d4b32e12ff80f7764b98cc7a5fb0373187faccfffbad0e51fe71bf0e

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
340KB

MD5
315d210b0d5353c598a3ffa812a64e30

SHA1
03812a14cbd9e97c8b8a08bb93b5c6d920876ce7

SHA256
bbe43991dd7e91f8dd62b7d7b3f77472b73c9bc872374693a3bafb6237c8135f

SHA512
bd0d5e3cbd592e16183b038aad5298e61b8fd6922e8f56089940a16dff54601fc8f99a36b3c0a0341e8f89f6dfa55c5efd52493327545c16ee7acc77e2686d14

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
340KB

MD5
d42740590216225a3bd9b34a58bd6b09

SHA1
49ba0e065852e161bc0df737c7b32253a49f466d

SHA256
896ee3d7e3229eca4fee1eb771c66b8813974ed585a1fca473c3d2c3b9ee091c

SHA512
4b477b5f7226ce957422537b99c7c60654478a12c57916e283d34b8288cade825a30d9490180de9a4b4b97c8c12f0757ba4bcd406d88d3e2cf06ac53cb6e0b32

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
340KB

MD5
30737a78f5f7e515ec7af8b54dd8eb05

SHA1
8df9f0ce1591ba7e504f4ab1c8d6d0506996ade3

SHA256
fef4603d3fb25747be291bc0c88c0ff1877031d4a23787e621d6a145550e1b7b

SHA512
84496e76004882972afef3aa5f9449aeae6efd241b7c4d137c4461213929d03315c478f3a72282dd8b30b0bdeda5dd74dcff9dfd59c63d2d41eab212cc3723c6

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
340KB

MD5
556b7bcd485f5fd2066383acd0507ab2

SHA1
46fb64b426832e8e4e5abb545a08481233c0f3ab

SHA256
c533bea91704d85aef18cca8f0c82dcdef90b5b8f4e47662324ba3708d42f51e

SHA512
9f2b7cea97a2c509a5a962c2ffaa8ecccd25f54b956519a252b3f9d43d3c588ba9339cfcf93435f3419be9dbe76b7f2a5247f48e4ee3e24a9747281074e48c23

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
340KB

MD5
eb832f599c9c87341367a1ca1a598bb5

SHA1
c8d72fe65f77a32eb9960833fd80b1fce2f078c6

SHA256
5cd46c54192a38209c12918a5aa81565851153eefd7f536efd00257c2bf089ea

SHA512
b9e847c4dac4c2f2ebf19069325d80246d23691ca22402866a906963f669f2d789db17ed34eb395cadcc4b384757a8d5f924fb6e37f94a25aaa645c1ebc6eca9

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
340KB

MD5
7c05d65b0ec01cd6f2075a8ada214027

SHA1
f4de3b1c118d56dc2801f953d7fc4fbda7af73c0

SHA256
b67d89e31a08b4ad1ff81d6f35937f46f1626523e52203476595f7f04ae2b4ff

SHA512
0b86a343e19ffc53572e1479afd09528b7e73b8ffbf560c5f8ddbbc3282bf37b47d52d4cbedc6d7bd96b3afb4ae06198e5b82998e6035fab5caa66321e28559e

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
340KB

MD5
c7421654446f964d76c40fa5255fba80

SHA1
82c66914a3919abe76d4c71ad0b16a686d02574d

SHA256
fcafb16eac757ff9ede90fa4058ca6085fae2b855ec230b1a78be149eee10204

SHA512
670ff1fedabedea844da6bc012298c6bdfa73df1bcbf14634cd291228706151e7ed7a5e06a1690932dcb180eb049ef9ebdf4a94ceb899c3f143745ce317c59fd

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
340KB

MD5
10ec162314da58b839549bbcca7f0e07

SHA1
568e4f60be785c3313a3140d49c75e9ce68df4c1

SHA256
56e24ff398b707f27d5b5ae96fcf58fc1cde6bf3aa463ad7f76d8d0f78ff6edb

SHA512
332c3cde49c8b875d2fe37eb3a89a2242ef7bb732aceb8c75a4a6715d2c840dccb4f8ac40c79d7d8ce2741f743f9c2a4057d0f4788b089d2cb1dfc812a5eedd9

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
340KB

MD5
63f7e184d4a3792bc89a98888b3f14f8

SHA1
56baec362d3bce19ea9f7328d6eb89f1570a8408

SHA256
dd9556fdf91433310d16174dcc94b941913b874bce8804a348045bbeadf49aa9

SHA512
3f0aba61c645dca2a1d80a12dc0c93f00e92bdf176445f8422b228c812582df27caa8461c1536c7dcb8ab0343d2cbabbf7f35dcefc8a4d636987220eee878a90

Download Submit
memory/392-365-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/540-348-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/552-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/552-385-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/636-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/640-367-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/764-362-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/876-344-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1248-361-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1440-337-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1488-381-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1592-366-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1636-371-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1668-355-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1692-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1704-372-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1852-349-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1864-380-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2068-383-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2180-375-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-353-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2372-342-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2444-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2508-368-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2788-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2892-377-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2988-343-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3000-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3020-339-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3104-360-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3264-338-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3304-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3344-378-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3356-369-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3376-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3376-387-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3536-384-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3536-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3544-379-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3740-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3772-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3772-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3776-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3776-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3776-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4048-357-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4064-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4164-356-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4240-350-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4352-351-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4412-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4472-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4680-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4968-363-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4972-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4988-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5024-345-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5068-373-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5072-359-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5088-374-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads