71934b6e67663357c0a45c5dc69e54848e0046628bedae49ed96aaae8fbad438

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 22:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

23b1ecb108cf27da0fd68b3276755030_NeikiAnalytics.exe
Size

121KB
MD5

23b1ecb108cf27da0fd68b3276755030
SHA1

8e91abca428bfb73fd344a1f6a201596e6cf091f
SHA256

71934b6e67663357c0a45c5dc69e54848e0046628bedae49ed96aaae8fbad438
SHA512

1c95105948235a40fa6311b5a7f38a646c7e6b0c8ccae772fed88d9c856869b3eeb9ab43ef18622b711e07a7672b0c296944c02e33e3a448b452e026165f2a7e
SSDEEP

3072:JLsUA6L91E5HKfDXInnnnnnJ/pO7AJnD5tvv:JL9A6Lro+XInnnnnnJ/pOarvv

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	23b1ecb108cf27da0fd68b3276755030_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	23b1ecb108cf27da0fd68b3276755030_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/5012-0-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00060000000232a4-6.dat	family_berbew
behavioral2/memory/2880-8-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002340f-14.dat	family_berbew
behavioral2/memory/2596-16-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023411-23.dat	family_berbew
behavioral2/memory/2028-28-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023413-31.dat	family_berbew
behavioral2/memory/3796-34-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023415-38.dat	family_berbew
behavioral2/memory/916-44-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023417-46.dat	family_berbew
behavioral2/memory/1424-52-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023419-54.dat	family_berbew
behavioral2/memory/4984-60-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341b-62.dat	family_berbew
behavioral2/memory/2552-63-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341d-70.dat	family_berbew
behavioral2/memory/4340-72-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341f-78.dat	family_berbew
behavioral2/memory/1116-80-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023421-86.dat	family_berbew
behavioral2/memory/4704-88-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023423-94.dat	family_berbew
behavioral2/memory/1928-96-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023425-97.dat	family_berbew
behavioral2/files/0x0007000000023427-109.dat	family_berbew
behavioral2/memory/1776-111-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/924-116-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023429-118.dat	family_berbew
behavioral2/memory/2468-120-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342b-126.dat	family_berbew
behavioral2/memory/1224-128-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342d-134.dat	family_berbew
behavioral2/memory/1528-136-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342f-142.dat	family_berbew
behavioral2/memory/3240-144-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023431-150.dat	family_berbew
behavioral2/memory/2444-151-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023433-158.dat	family_berbew
behavioral2/memory/628-160-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023435-166.dat	family_berbew
behavioral2/memory/4840-168-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023437-174.dat	family_berbew
behavioral2/memory/3504-176-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023439-182.dat	family_berbew
behavioral2/memory/3424-184-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000800000002340c-190.dat	family_berbew
behavioral2/files/0x000700000002343c-197.dat	family_berbew
behavioral2/memory/3320-198-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/2304-200-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002343e-206.dat	family_berbew
behavioral2/memory/4708-208-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023440-214.dat	family_berbew
behavioral2/memory/4076-215-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023442-222.dat	family_berbew
behavioral2/memory/3172-224-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023444-230.dat	family_berbew
behavioral2/memory/2384-231-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023446-238.dat	family_berbew
behavioral2/memory/1564-240-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023448-246.dat	family_berbew
behavioral2/memory/2592-247-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002344a-254.dat	family_berbew

Executes dropped EXE 43 IoCs

pid	Process
2880	Kipabjil.exe
2596	Kdffocib.exe
2028	Kgdbkohf.exe
3796	Kkpnlm32.exe
916	Kdhbec32.exe
1424	Kgfoan32.exe
4984	Kkbkamnl.exe
2552	Lpocjdld.exe
4340	Lkdggmlj.exe
1116	Laopdgcg.exe
4704	Lcpllo32.exe
1928	Lijdhiaa.exe
1776	Laalifad.exe
924	Lcbiao32.exe
2468	Lkiqbl32.exe
1224	Laciofpa.exe
1528	Lcdegnep.exe
3240	Ljnnch32.exe
2444	Lphfpbdi.exe
628	Lgbnmm32.exe
4840	Mnlfigcc.exe
3504	Mdfofakp.exe
3424	Mgekbljc.exe
3320	Majopeii.exe
2304	Mdiklqhm.exe
4708	Mkbchk32.exe
4076	Mgidml32.exe
3172	Mncmjfmk.exe
2384	Mcpebmkb.exe
1564	Mjjmog32.exe
2592	Mgnnhk32.exe
692	Nqfbaq32.exe
2872	Ngpjnkpf.exe
4304	Njogjfoj.exe
3128	Nafokcol.exe
3048	Nqiogp32.exe
2284	Nkncdifl.exe
1840	Nqklmpdd.exe
2804	Ndghmo32.exe
3536	Ngedij32.exe
1152	Njcpee32.exe
2184	Nbkhfc32.exe
1800	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	23b1ecb108cf27da0fd68b3276755030_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	23b1ecb108cf27da0fd68b3276755030_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	23b1ecb108cf27da0fd68b3276755030_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4472	1800	WerFault.exe	127

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	23b1ecb108cf27da0fd68b3276755030_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	23b1ecb108cf27da0fd68b3276755030_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 2880	5012	23b1ecb108cf27da0fd68b3276755030_NeikiAnalytics.exe	82
PID 5012 wrote to memory of 2880	5012	23b1ecb108cf27da0fd68b3276755030_NeikiAnalytics.exe	82
PID 5012 wrote to memory of 2880	5012	23b1ecb108cf27da0fd68b3276755030_NeikiAnalytics.exe	82
PID 2880 wrote to memory of 2596	2880	Kipabjil.exe	83
PID 2880 wrote to memory of 2596	2880	Kipabjil.exe	83
PID 2880 wrote to memory of 2596	2880	Kipabjil.exe	83
PID 2596 wrote to memory of 2028	2596	Kdffocib.exe	84
PID 2596 wrote to memory of 2028	2596	Kdffocib.exe	84
PID 2596 wrote to memory of 2028	2596	Kdffocib.exe	84
PID 2028 wrote to memory of 3796	2028	Kgdbkohf.exe	85
PID 2028 wrote to memory of 3796	2028	Kgdbkohf.exe	85
PID 2028 wrote to memory of 3796	2028	Kgdbkohf.exe	85
PID 3796 wrote to memory of 916	3796	Kkpnlm32.exe	86
PID 3796 wrote to memory of 916	3796	Kkpnlm32.exe	86
PID 3796 wrote to memory of 916	3796	Kkpnlm32.exe	86
PID 916 wrote to memory of 1424	916	Kdhbec32.exe	87
PID 916 wrote to memory of 1424	916	Kdhbec32.exe	87
PID 916 wrote to memory of 1424	916	Kdhbec32.exe	87
PID 1424 wrote to memory of 4984	1424	Kgfoan32.exe	89
PID 1424 wrote to memory of 4984	1424	Kgfoan32.exe	89
PID 1424 wrote to memory of 4984	1424	Kgfoan32.exe	89
PID 4984 wrote to memory of 2552	4984	Kkbkamnl.exe	90
PID 4984 wrote to memory of 2552	4984	Kkbkamnl.exe	90
PID 4984 wrote to memory of 2552	4984	Kkbkamnl.exe	90
PID 2552 wrote to memory of 4340	2552	Lpocjdld.exe	92
PID 2552 wrote to memory of 4340	2552	Lpocjdld.exe	92
PID 2552 wrote to memory of 4340	2552	Lpocjdld.exe	92
PID 4340 wrote to memory of 1116	4340	Lkdggmlj.exe	93
PID 4340 wrote to memory of 1116	4340	Lkdggmlj.exe	93
PID 4340 wrote to memory of 1116	4340	Lkdggmlj.exe	93
PID 1116 wrote to memory of 4704	1116	Laopdgcg.exe	94
PID 1116 wrote to memory of 4704	1116	Laopdgcg.exe	94
PID 1116 wrote to memory of 4704	1116	Laopdgcg.exe	94
PID 4704 wrote to memory of 1928	4704	Lcpllo32.exe	95
PID 4704 wrote to memory of 1928	4704	Lcpllo32.exe	95
PID 4704 wrote to memory of 1928	4704	Lcpllo32.exe	95
PID 1928 wrote to memory of 1776	1928	Lijdhiaa.exe	97
PID 1928 wrote to memory of 1776	1928	Lijdhiaa.exe	97
PID 1928 wrote to memory of 1776	1928	Lijdhiaa.exe	97
PID 1776 wrote to memory of 924	1776	Laalifad.exe	98
PID 1776 wrote to memory of 924	1776	Laalifad.exe	98
PID 1776 wrote to memory of 924	1776	Laalifad.exe	98
PID 924 wrote to memory of 2468	924	Lcbiao32.exe	99
PID 924 wrote to memory of 2468	924	Lcbiao32.exe	99
PID 924 wrote to memory of 2468	924	Lcbiao32.exe	99
PID 2468 wrote to memory of 1224	2468	Lkiqbl32.exe	100
PID 2468 wrote to memory of 1224	2468	Lkiqbl32.exe	100
PID 2468 wrote to memory of 1224	2468	Lkiqbl32.exe	100
PID 1224 wrote to memory of 1528	1224	Laciofpa.exe	101
PID 1224 wrote to memory of 1528	1224	Laciofpa.exe	101
PID 1224 wrote to memory of 1528	1224	Laciofpa.exe	101
PID 1528 wrote to memory of 3240	1528	Lcdegnep.exe	102
PID 1528 wrote to memory of 3240	1528	Lcdegnep.exe	102
PID 1528 wrote to memory of 3240	1528	Lcdegnep.exe	102
PID 3240 wrote to memory of 2444	3240	Ljnnch32.exe	103
PID 3240 wrote to memory of 2444	3240	Ljnnch32.exe	103
PID 3240 wrote to memory of 2444	3240	Ljnnch32.exe	103
PID 2444 wrote to memory of 628	2444	Lphfpbdi.exe	104
PID 2444 wrote to memory of 628	2444	Lphfpbdi.exe	104
PID 2444 wrote to memory of 628	2444	Lphfpbdi.exe	104
PID 628 wrote to memory of 4840	628	Lgbnmm32.exe	105
PID 628 wrote to memory of 4840	628	Lgbnmm32.exe	105
PID 628 wrote to memory of 4840	628	Lgbnmm32.exe	105
PID 4840 wrote to memory of 3504	4840	Mnlfigcc.exe	106

C:\Users\Admin\AppData\Local\Temp\23b1ecb108cf27da0fd68b3276755030_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\23b1ecb108cf27da0fd68b3276755030_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\SysWOW64\Kipabjil.exe
  C:\Windows\system32\Kipabjil.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\Kdffocib.exe
    C:\Windows\system32\Kdffocib.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\Kgdbkohf.exe
      C:\Windows\system32\Kgdbkohf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
      - C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        44⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 412
        45⤵
        Program crash
        
        PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1800 -ip 1800
1⤵
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kdffocib.exe

Filesize
121KB

MD5
a2e78cc624d06354e3d48fca032fa9a6

SHA1
a6de8097c6edb9dfd3ea8a05ba2f69164cfa444e

SHA256
3d93c7a5dad2155aaf08fa2b33345abc67b1ec1f39d2f527aa405234334b4b23

SHA512
1ee0d1bdc599ad775456ecf0fc7052db768fa1b97c4ba0086937e962a42b3158e721c9a7770094b7bc7770801df5679f845fb1969494c6e0f49b5fda23149cc7

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
121KB

MD5
9c1ba05a27faf10826fff38d1e07bb59

SHA1
6575345b123686f140d0bdfdea3b4ab1ddf25123

SHA256
140a5377c2d34a2b1ee5bd77703b35f7a535db17cd523bd9f4b9f24a4d0d9f02

SHA512
1b4b569992de67f4ea7b6498c7be6848bb01adb3c46c1fd2cf7b12d9ba6474a1700003a9f018519116984a952d5fbeaacd064ad9199b6274ed8380c3034eb8cf

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
121KB

MD5
a6308feac7314678bafb0782593fef02

SHA1
eff1a65916bcf92572f9803cbebc2db160e7f6d0

SHA256
58d168e306a2edd349312e633b08020b11efe5e7f441f1bf701f3b128889a1a7

SHA512
f7739ab2bff091e88fc7cb48d8261aeb798496ea8778241307dd2df946e7d87aa75845ae76c77e9c68021d56a2192706b6fcd307d0d44fce014fdbf3d3555543

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
121KB

MD5
7b420cbb42fea3efcf8230f6fb110dc5

SHA1
246d082c6d3720ff3be6a2a0251588b3af0ad1b5

SHA256
c236226cfa2f97279b4c5df8ae6aecc8307f03776e9b01738ae9656e835cebf8

SHA512
200f9767b8e8dad7e60bcf889d19829e2be4632c981f65312e60650d04227de28978244545ba3113a0006e0861c1b43a04aebd69d28a9322dc18989d92b30815

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
121KB

MD5
8a7c817a9161dcfab5ea83d7b5824319

SHA1
c013bae4335b2c8f48baef650482ead0d94a3006

SHA256
36c270e0f2c7056d0b6755108b1b3e6c0d322c3f62fbf8f825dbc12db50d7d88

SHA512
cbcc1c350aa58dcc8e2ce1060adf2f25b8b8f6e785023f35b9cb323b9d3e03ee77aacc3aefbc278f263c6555590f354a5219602a73d4e23bc616dedd683517e4

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
121KB

MD5
7ef8149bf9ca64c31557b19aa37f30d4

SHA1
1afd81229bff7f00b6fc4f085a402e7f8d082ef0

SHA256
65ec7f3ad43c8ba48f9cface7bc092453d8a3b6c7519acef5525b02d64737028

SHA512
9b8569df08724cb66efc9840747e64433eb90232ecdea705651e49e418c158a4ad01fc916e457ce031e4af77394c762029e03ccf26cfd0dc433892b6a9b4eda7

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
121KB

MD5
61074b19b9015a416a250e5625d68092

SHA1
d52cb17dd226517aa02fb0c409f474a49457cc5a

SHA256
9ae578c369c9b8a23c56196af38f9dd0ef7afcc854396aa7bb59bae31cb81c2b

SHA512
fbc204cbb42a6f8b922eac1299e7d5d37dc7b7cacddb94c8b200a7fb73b364ddf89c3dc32ffb1926fc1de0b88f1fbba2d53c2f9e70da8b3dedf457fcf080351a

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
121KB

MD5
b5996d0646dce4384f6d8f917f6b2f47

SHA1
dc9fb351b589c60ef3cb91e70730e78412b4ee0a

SHA256
dab2ff0c3f915495c68c587e7aed82ea3d9552d59ef68ebbd8dc9f1357afdcc9

SHA512
0c0f6099ad9f7ba49d027d5aa007eed583d07132615b3f3fca986d5e1fd590e3887d89e4ad94dea3127c3dac67a19353ab31753ed1682895aaabbff592f151eb

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
121KB

MD5
e1a4de3f5d8bc9658e575113cb2f5d25

SHA1
fc2e3bf54b44f9329ceb4a829fa00a2b38981046

SHA256
42ddc3e845d0302ccb17db3e2b96818bd16752884309e0bc3f39e6ffac51dc32

SHA512
ecded165073ad84637b3af87cdd6efe20ba6d1fdfd2427904e4d3ffbb9341cf30712cb4aeec848d3206b454a77ef34e37a42389a1668094d282f4dac5cbf6a57

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
121KB

MD5
8dbc5fae9b8b82fc9e270afffef03fcc

SHA1
fdb330d177ed3bd3288526ff654d4c174eb640c0

SHA256
8b1855971a585277827e089c39c77bfe7f5a653118f1c1a9281bc263d7d45e3b

SHA512
8f67a9390f1cf9d8533555b7c649c9079751987228d3088df696bbb3a8d89818ac8c0269ccbccf13d9f7df19641a558dd884d1c0324d9ff71310f2ffbfbd6c71

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
121KB

MD5
03fdac023c19dbe4a77c9d99dc89faab

SHA1
440a4229f12076521114824019a04374bfa610d6

SHA256
af51425a4498bceea590e870a91f76c9574cf48f16251a43e054448b4969df27

SHA512
b5f7cc0d46e1531b8fd493360de406b3acddb9a490aed9ee69226e7b4bbfe3f0f858583cfa293ee66d2692a53c9d7d22a3da5a171fa96872093de585ecd4a29d

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
121KB

MD5
21e8a544de6b864a7cb74f8bff333d2a

SHA1
ea2d8cac6554ddec03c14dd4b05898fb56b01746

SHA256
39136f7a918c88539ce785f728926a27db6cfbb2c51da03aad83c5fb3ef143cb

SHA512
cf7331548236c91e16ba06eeac062713515886a36ff2461452f759f925dd9c30060847c3f3c9dca67519824a1978bb9fbe1d235603344130b96aeb88a6e51488

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
121KB

MD5
1f36ca634c3c8485e5b7ffa401a49926

SHA1
6909c968a427f8284c68e1a9d4a63c0257395a92

SHA256
88f255745c3a8a2b0306320733f4cc1e26ba3180cb7bd24bccc754a930ebe610

SHA512
56c6287980bc61367d70d31235a9e68cc06d40a79e24e6a35082151c27b2dbae4159bf9e3b29d519c1cf24186f05e834fb0f7d4cc8abe994e5f0f60d1bf1e246

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
121KB

MD5
3c2e38872262aeaca3b57024edb511f0

SHA1
01afad1630ef95eeb1df1b30ced9fe31013fe843

SHA256
787134dc2edeaa9660a8305854ccbcf3783056c245dc1eea50c9834fda64b4be

SHA512
27fd04eb8152cfb99da3575e03b1605b297eb9b1f390b35e68c7cae698ba3dff2d2924d8ec6be5ab1b50eea67a1df71ec4572a5b3340e8e8c0bd96fd0307746c

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
121KB

MD5
4cfa26844f4b1c795515f95cd3918459

SHA1
5a34fa339881586ca2e3d773ca4e2bfc55521f70

SHA256
74fe3c24a8cb4d29e022870ba0b0b8d7868307ecb2170d7bb180c6fabfe48c1b

SHA512
f8d58c5061ca639fce61cfce74f71683b3637c9ed577392595900e62a4151cf0310a6714a3c35cc2ba3aaf39fef237921dd96c772572cf048e8cffe4d558244d

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
121KB

MD5
9715e1c1f510e07e75ad74577e005787

SHA1
75ddf9d7eb25ca23b3b59d41de67d53af535a74a

SHA256
38cb9c211ed4eeaa6050df4944b652c583b36954ff417f6719825e0210c47d8e

SHA512
1cd6066495ae4b931f09f391a120d04fe9a33c8f4f09371acb5463b3082a97f8a6b3f7518b4fe4a8ad795d7f80f0ab0bc7d449f9842bd545d2b6e9e21db326c8

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
121KB

MD5
8d0326cb85f9dedb330c1c15f28f11fc

SHA1
828cb002b1517fc2cb35d505b1af66b4ba805f7d

SHA256
ee269eda0c54ce5b20a979f1c949f96d7f53b92511b37594ac14ea3bc1589629

SHA512
dac4a9a70c5884a753d07e8376223a9ee109b913aee409da79fcf1559892152a072156aa6f629a49488feb2f5ce99592ad25cf4ef845b21798110a98de25554e

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
121KB

MD5
2f907ac94fe4cc955f1d42d467afa196

SHA1
1191d88ec0f667a2a1d09b858a45abb3735a4116

SHA256
2dd604170eb23e9c83b213ba04dfb7cc5abd811af87062df22b91e7ac3a576bc

SHA512
10f0a2af4b8a6b18e0c2d109e32ec3200bd6bc9a42c5e81d6657ffe142d84118f2d50c891aabdd8e7ad305bc47e469dfdff95e8886adf000ac1200d1f253176c

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
121KB

MD5
b82ef9a0635481a06da85b6fbc99df76

SHA1
b6602d9fb9ee6aeeb3377e52f0258f39fd7721b3

SHA256
ddce5b2d6a4ff561160741a46d1f79046d4971c7d55e33e8e2aae962d6e912b4

SHA512
4521867f88c486523eda0e1a6af918534f155a10f48f42fed1405d34880a50c916642eb414fa7f756d006cfe587d784239eb0ec844448e96697581a6a2b0a921

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
121KB

MD5
03c536a0a0763997c1b5fbc6d6af2ee2

SHA1
bdea5b728fb3e5c8325646de58c827bcba285ede

SHA256
77c85f9afbd05ea2266005262ea86286f41e088a66099239b103e3120e3db19d

SHA512
e43e6e4103811e70b767104e3c28e32960db46ee0994a7c3d4291d2a10dd65b080ca0e9ccab8abec8918cbf654f01506ab32ca09c94d6feab697b3e9bbd9dde1

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
121KB

MD5
2ffce8682e04cb1910debb66b809dac5

SHA1
d9ee0208cdcb9b3d263f4959e4c586eb88252eb9

SHA256
a4b71d7d2cc9d5a829b7449ed88fc481646cbdcb07c370c05740c8b3e0c1aa6b

SHA512
6f455cd43b1eaed443221ddb309ff78bce390f34ad23e33dcb67a169ea053b0de31063ffa3fa921311c7c32864a9d63e6f57e32f5998c46e860b3a388d450f01

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
121KB

MD5
3cd7ba877d75a401a38fe574dfee5af3

SHA1
969d680a1f2451e0dc163ac4f6f5bf524d206b11

SHA256
aa9ea6c87547a95e3b5e404e6c390de257e844d1ef9d6c11176c08b14e4333b1

SHA512
cb7992e8dbc2c54c212b94eb37e05e557fe2c1f9cb99e6999cc4edfcc1dfc7a78aa8b25030a25380ffbc4927f29c6d8f26eedb5014241c2cbc9e2aed6f6efd85

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
121KB

MD5
2255fc5e71e2463d2d725bb22fa944cc

SHA1
f862dac1ff59ab2af6a9a3995d5e96033a64407d

SHA256
990a24e4c38854944dd89ae3ca2c4f1a09e5631c0f689b713409e09a2e60795a

SHA512
a851de301c756c83a2d3dbe2e0a056a256f8ca9e09a50209b56d84c9227a215ff710c3a9c740464a2316c4189e264fd049f045896d9f13fc7397bd6e18404e3e

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
121KB

MD5
be9ad8a8d1a21e1288a80ead10cf84f6

SHA1
d1cc73300d2e8d042499e22c08b8abfd85943c70

SHA256
475614dfd087e6d89cd46c1d00169e18067ed56ea5d06ad18a8738c87d77399f

SHA512
b1b98f7b8589df70b7d4f8d43ea0b08b40520ad93d3949a90cf01d05ca0dc555940c0f8843668284649769bf243c9612ff79e13ee05441e63b7235fbd3fdebeb

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
121KB

MD5
6f25923d8d81836fc53a4c39568dd686

SHA1
c310f103173b61a366f8988b8da3fa07f83274b8

SHA256
87b8e7679c2c17bf13b14d5271b577ddfb37e12c6df8be56eb73f323c96d6561

SHA512
baeb4460ccf137565f53a5520dd65f9fe167cf450ce76e245fa984b8aa7b64f75bb157b7f6ffd387e619e72a9cf2097ed85d814b05db2cc6a420000202f55252

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
121KB

MD5
3381e2a1a5504e22ee63a92daa274b84

SHA1
73b9f65ff5341852503d1c4f00132f8788aa95ea

SHA256
dfb2271d6729063a798b818264efa322a47c9b8d2b974841280d651474ec35c2

SHA512
225e4bb2dd22abe91a72a1e74498ed4094c3695dc3b3ac5bebfd982d6de78a36b75e5b9040c6f9b6cb8a0cb99f2e7a68ede00bd7fd6bc001a91edcea2f282148

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
121KB

MD5
c127b8371ceb74b837b5dc97bf20854d

SHA1
51d06b27627e373a5b619a3c49fce5399e865dbd

SHA256
51569629c74f6f79ca1b124b103fb2315ea11e6d46d7411b7debad1fca40054c

SHA512
7131856f75aa1a858afc3745abab38df7e4cd245a6e1753b1e7745156444e58e6dfb0d874196466c23ed08c40b4247e084b09afc7f8824920a5ec9e78e4dbfa6

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
121KB

MD5
a3f22ed0ae517c22cc14c63fe63deba2

SHA1
8e692e8aa3bf55f8ba460695c90fc5d14569652f

SHA256
1c7ce96734cd6ca76d8db19c548b4a099537cf01f4b48c1a721e9898563b9f17

SHA512
65509c982ea0e3048b89179cf2e40ccebd2aa52fc61225994469bfd95fbb3dbe46981f868871505201e2b2b83084bdaa960ea500e4b5d5bc5dfa6414623f7425

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
121KB

MD5
9f7e0112eed5507f6b09d44434fd4af0

SHA1
39c709ee5d874ebaa0224e55ece2064008e74bbb

SHA256
b3aaf6e4ef6e078229786e4bc87cd99eeb467cafa4cd15b69b5e6e9c792bca11

SHA512
2c82f09a04c1323c1ede9557bea38db1251c5681bb6a884e6c99594de79e50e99508b09f82fa14ff72b5ab44c889e02744a8966126cca441d9d2c01a50c745da

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
121KB

MD5
d84ce39d4b84b6813f30438022db07c9

SHA1
c123d9de87d5d5da2e1edd03ec34b03ce3f6e405

SHA256
0446ce28b19e0c526eba110dcfea0e0cce4d9186d2462f9662f766e08059035c

SHA512
1ce15344b3a0a4cb4ffd758bf9baae4211bd1bed8bc3ef0be1bf7bc1377263de21f76c731883586a59c04f32ca1cfa5bb8ed4b1e4e65dbb687f9c41a126931e8

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
121KB

MD5
bfd874055f1adf075576b9d4de344c3e

SHA1
3ef335c7cac0d71995e573954490daccda1c9c32

SHA256
d24ade492271ca8a603e0fdf46a8ddcdb37f73e62fee61bca2fff27163d02f06

SHA512
322b076f968c0ca8b59088edc856a53f84e21355a989f2dc70c7330a92b643281fa4764fb3ed1fcd1cf9e865e0ac4430a23b87017fa1d2ac9d99f74374ce4d78

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
121KB

MD5
596891a3af789d39c82fe050ae7edbc2

SHA1
c777421757a1d2a1d50ec94b492bf094d9557f55

SHA256
c4f48e6eb9f6a7b3b7e986a2a954fd0542fd74afa356a8494018b51c881468dd

SHA512
b96ed730faa18ddf59217d89335e344a0ab6c9d150f7c32ef0ecede1b73de33db510949e0257dad6752c190c3b8262a1c7e8d2a052ad87ee293042fb4d6a9dc9

Download Submit
C:\Windows\SysWOW64\Ogdimilg.dll

Filesize
7KB

MD5
adf010c57198d8b2787524611dbb737d

SHA1
02c5e443dbb67422384f6da3b18ce07ea8f01db5

SHA256
fc2b81650689fec266aa517d408625105eff84bfc02344b8b19f4d1523a956f9

SHA512
769d9884785007f5cce93aefa4900edc57dadcae639f2665c9902214050717a1b54ae1a57983c2e223b3035184bf5fd8575d72fda4798ed5bd31c1c48422e575

Download Submit
memory/628-343-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/628-160-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/692-332-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/692-256-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/916-44-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/924-349-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/924-116-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1116-80-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1116-352-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1152-312-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1152-325-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1224-128-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1224-347-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1424-52-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1424-356-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1528-346-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1528-136-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1564-334-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1564-240-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1776-111-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1800-323-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1800-322-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1840-292-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1840-326-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1928-96-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1928-350-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2028-28-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2184-324-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2184-316-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2284-327-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2284-286-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2304-200-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2304-339-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2384-231-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2384-335-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2444-151-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2444-344-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2468-348-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2468-120-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2552-354-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2552-63-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2592-333-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2592-247-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2596-358-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2596-16-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2804-302-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2872-262-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2872-331-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2880-359-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2880-8-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3048-361-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3048-280-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3128-329-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3128-278-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3172-224-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3172-336-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3240-144-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3240-345-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3320-198-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3424-184-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3424-340-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3504-341-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3504-176-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3536-304-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3536-328-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3796-357-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3796-34-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4076-215-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4076-337-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4304-330-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4304-268-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4340-72-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4340-353-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4704-351-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4704-88-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4708-338-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4708-208-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4840-342-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4840-168-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4984-60-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4984-355-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5012-360-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5012-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads