58d1a14af5d10c5b5e3ad3dbb3fed1fcb0ca15cc73602931ef867f36c9602985

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 04:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7f7264f3ed3a2546ea5724aa961e2f40_NeikiAnalytics.exe
Size

94KB
MD5

7f7264f3ed3a2546ea5724aa961e2f40
SHA1

443f56a61a318e85e7d1db8503389faeba1a91a1
SHA256

58d1a14af5d10c5b5e3ad3dbb3fed1fcb0ca15cc73602931ef867f36c9602985
SHA512

d46f1a0a36000e04dd41af819c014c61e243041ccdd74f1239e68e5179d6ced9a23958e2bd69bebcabc4ea45f306ea4c988f8dafcb25d9b11e7225cc8fd10fac
SSDEEP

1536:zAUEiz9xl+w8D9Fc4ahpvjFcZS+/LWmLPHq39KUIC0uGmVJHQj1BEsCOyiKbZ9rx:REiRnGbcvpvo/LWmjH6KU90uGimj1ieK

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7f7264f3ed3a2546ea5724aa961e2f40_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7f7264f3ed3a2546ea5724aa961e2f40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/3228-0-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023289-7.dat	family_berbew
behavioral2/memory/3948-13-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/3200-21-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023433-16.dat	family_berbew
behavioral2/memory/5116-25-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023435-24.dat	family_berbew
behavioral2/files/0x0007000000023437-31.dat	family_berbew
behavioral2/memory/3284-33-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023439-39.dat	family_berbew
behavioral2/memory/2232-41-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000700000002343b-47.dat	family_berbew
behavioral2/memory/4816-48-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000700000002343d-55.dat	family_berbew
behavioral2/memory/2976-57-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000700000002343f-63.dat	family_berbew
behavioral2/memory/436-65-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023441-71.dat	family_berbew
behavioral2/memory/1512-73-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023443-79.dat	family_berbew
behavioral2/memory/4984-81-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023445-87.dat	family_berbew
behavioral2/memory/4116-89-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023447-95.dat	family_berbew
behavioral2/memory/3020-101-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023449-103.dat	family_berbew
behavioral2/memory/3696-105-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000700000002344b-111.dat	family_berbew
behavioral2/memory/4408-117-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000700000002344d-119.dat	family_berbew
behavioral2/memory/972-121-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000700000002344f-127.dat	family_berbew
behavioral2/memory/4012-128-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023451-135.dat	family_berbew
behavioral2/memory/4332-137-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023453-143.dat	family_berbew
behavioral2/memory/5104-145-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023455-151.dat	family_berbew
behavioral2/memory/2992-153-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023457-159.dat	family_berbew
behavioral2/memory/3476-160-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/2680-168-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023459-167.dat	family_berbew
behavioral2/files/0x000700000002345b-175.dat	family_berbew
behavioral2/memory/3212-176-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000700000002345d-183.dat	family_berbew
behavioral2/memory/2536-184-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000700000002345f-191.dat	family_berbew
behavioral2/memory/3884-193-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023461-199.dat	family_berbew
behavioral2/memory/3052-201-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023463-207.dat	family_berbew
behavioral2/memory/3300-209-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023465-215.dat	family_berbew
behavioral2/memory/1044-216-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023467-223.dat	family_berbew
behavioral2/memory/2432-229-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023469-231.dat	family_berbew
behavioral2/memory/4324-233-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000800000002342f-240.dat	family_berbew
behavioral2/memory/3188-241-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/files/0x000700000002346c-247.dat	family_berbew
behavioral2/memory/4516-249-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/4324-252-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew

Executes dropped EXE 31 IoCs

pid	Process
3948	Mdfofakp.exe
3200	Mgekbljc.exe
5116	Mkpgck32.exe
3284	Majopeii.exe
2232	Mcklgm32.exe
4816	Mgghhlhq.exe
2976	Mamleegg.exe
436	Mcnhmm32.exe
1512	Mkepnjng.exe
4984	Mncmjfmk.exe
4116	Mdmegp32.exe
3020	Mglack32.exe
3696	Mnfipekh.exe
4408	Mpdelajl.exe
972	Mcbahlip.exe
4012	Nkjjij32.exe
4332	Nacbfdao.exe
5104	Ndbnboqb.exe
2992	Ngpjnkpf.exe
3476	Njogjfoj.exe
2680	Nafokcol.exe
3212	Nddkgonp.exe
2536	Nkncdifl.exe
3884	Nnmopdep.exe
3052	Nqklmpdd.exe
3300	Ncihikcg.exe
1044	Nkqpjidj.exe
2432	Nbkhfc32.exe
4324	Ndidbn32.exe
3188	Ncldnkae.exe
4516	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	7f7264f3ed3a2546ea5724aa961e2f40_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	7f7264f3ed3a2546ea5724aa961e2f40_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
224	4516	WerFault.exe	117

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7f7264f3ed3a2546ea5724aa961e2f40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7f7264f3ed3a2546ea5724aa961e2f40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7f7264f3ed3a2546ea5724aa961e2f40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	7f7264f3ed3a2546ea5724aa961e2f40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 3948	3228	7f7264f3ed3a2546ea5724aa961e2f40_NeikiAnalytics.exe	83
PID 3228 wrote to memory of 3948	3228	7f7264f3ed3a2546ea5724aa961e2f40_NeikiAnalytics.exe	83
PID 3228 wrote to memory of 3948	3228	7f7264f3ed3a2546ea5724aa961e2f40_NeikiAnalytics.exe	83
PID 3948 wrote to memory of 3200	3948	Mdfofakp.exe	84
PID 3948 wrote to memory of 3200	3948	Mdfofakp.exe	84
PID 3948 wrote to memory of 3200	3948	Mdfofakp.exe	84
PID 3200 wrote to memory of 5116	3200	Mgekbljc.exe	85
PID 3200 wrote to memory of 5116	3200	Mgekbljc.exe	85
PID 3200 wrote to memory of 5116	3200	Mgekbljc.exe	85
PID 5116 wrote to memory of 3284	5116	Mkpgck32.exe	86
PID 5116 wrote to memory of 3284	5116	Mkpgck32.exe	86
PID 5116 wrote to memory of 3284	5116	Mkpgck32.exe	86
PID 3284 wrote to memory of 2232	3284	Majopeii.exe	87
PID 3284 wrote to memory of 2232	3284	Majopeii.exe	87
PID 3284 wrote to memory of 2232	3284	Majopeii.exe	87
PID 2232 wrote to memory of 4816	2232	Mcklgm32.exe	88
PID 2232 wrote to memory of 4816	2232	Mcklgm32.exe	88
PID 2232 wrote to memory of 4816	2232	Mcklgm32.exe	88
PID 4816 wrote to memory of 2976	4816	Mgghhlhq.exe	89
PID 4816 wrote to memory of 2976	4816	Mgghhlhq.exe	89
PID 4816 wrote to memory of 2976	4816	Mgghhlhq.exe	89
PID 2976 wrote to memory of 436	2976	Mamleegg.exe	90
PID 2976 wrote to memory of 436	2976	Mamleegg.exe	90
PID 2976 wrote to memory of 436	2976	Mamleegg.exe	90
PID 436 wrote to memory of 1512	436	Mcnhmm32.exe	91
PID 436 wrote to memory of 1512	436	Mcnhmm32.exe	91
PID 436 wrote to memory of 1512	436	Mcnhmm32.exe	91
PID 1512 wrote to memory of 4984	1512	Mkepnjng.exe	92
PID 1512 wrote to memory of 4984	1512	Mkepnjng.exe	92
PID 1512 wrote to memory of 4984	1512	Mkepnjng.exe	92
PID 4984 wrote to memory of 4116	4984	Mncmjfmk.exe	93
PID 4984 wrote to memory of 4116	4984	Mncmjfmk.exe	93
PID 4984 wrote to memory of 4116	4984	Mncmjfmk.exe	93
PID 4116 wrote to memory of 3020	4116	Mdmegp32.exe	94
PID 4116 wrote to memory of 3020	4116	Mdmegp32.exe	94
PID 4116 wrote to memory of 3020	4116	Mdmegp32.exe	94
PID 3020 wrote to memory of 3696	3020	Mglack32.exe	95
PID 3020 wrote to memory of 3696	3020	Mglack32.exe	95
PID 3020 wrote to memory of 3696	3020	Mglack32.exe	95
PID 3696 wrote to memory of 4408	3696	Mnfipekh.exe	96
PID 3696 wrote to memory of 4408	3696	Mnfipekh.exe	96
PID 3696 wrote to memory of 4408	3696	Mnfipekh.exe	96
PID 4408 wrote to memory of 972	4408	Mpdelajl.exe	97
PID 4408 wrote to memory of 972	4408	Mpdelajl.exe	97
PID 4408 wrote to memory of 972	4408	Mpdelajl.exe	97
PID 972 wrote to memory of 4012	972	Mcbahlip.exe	98
PID 972 wrote to memory of 4012	972	Mcbahlip.exe	98
PID 972 wrote to memory of 4012	972	Mcbahlip.exe	98
PID 4012 wrote to memory of 4332	4012	Nkjjij32.exe	99
PID 4012 wrote to memory of 4332	4012	Nkjjij32.exe	99
PID 4012 wrote to memory of 4332	4012	Nkjjij32.exe	99
PID 4332 wrote to memory of 5104	4332	Nacbfdao.exe	101
PID 4332 wrote to memory of 5104	4332	Nacbfdao.exe	101
PID 4332 wrote to memory of 5104	4332	Nacbfdao.exe	101
PID 5104 wrote to memory of 2992	5104	Ndbnboqb.exe	102
PID 5104 wrote to memory of 2992	5104	Ndbnboqb.exe	102
PID 5104 wrote to memory of 2992	5104	Ndbnboqb.exe	102
PID 2992 wrote to memory of 3476	2992	Ngpjnkpf.exe	103
PID 2992 wrote to memory of 3476	2992	Ngpjnkpf.exe	103
PID 2992 wrote to memory of 3476	2992	Ngpjnkpf.exe	103
PID 3476 wrote to memory of 2680	3476	Njogjfoj.exe	104
PID 3476 wrote to memory of 2680	3476	Njogjfoj.exe	104
PID 3476 wrote to memory of 2680	3476	Njogjfoj.exe	104
PID 2680 wrote to memory of 3212	2680	Nafokcol.exe	106

C:\Users\Admin\AppData\Local\Temp\7f7264f3ed3a2546ea5724aa961e2f40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7f7264f3ed3a2546ea5724aa961e2f40_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\SysWOW64\Mdfofakp.exe
  C:\Windows\system32\Mdfofakp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\Mgekbljc.exe
    C:\Windows\system32\Mgekbljc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\SysWOW64\Mkpgck32.exe
      C:\Windows\system32\Mkpgck32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
      - C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        32⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 400
        33⤵
        Program crash
        
        PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4516 -ip 4516
1⤵
PID:364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Majopeii.exe

Filesize
94KB

MD5
ab15ca3c5a03f3e09479d23503808669

SHA1
37bffc978ed67bf88613b527f515f5359b9cb4e2

SHA256
adbbed71c89d19b6c36b3633a7152fa67e70542affd9038619f5fe71c64b849e

SHA512
50306ab1a9fb2de999058ab18448b27dadddc58819c3a5ef978565b76e977c41b622af9ce623654ae5236fea70c6950f5b7aafeaecd4f48b9d5f3b1f910ae91b

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
94KB

MD5
28cac73cec32eda628130dd34cc3fee8

SHA1
f936d3b9066eb73fcf35cfedf72c7ad7b1967d6b

SHA256
3dd495521cc63b853421e0825643b2fddabace1d1695d458cabf2275d1db4cec

SHA512
89e4731bfa4f49dd7b96bf445cd6f45c37a06d90d4363eeed2524c09a71b198b340ce13f2e89755a5e0242a19a4f5c70887eeebdca7e717f8b60fe80e1eee527

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
94KB

MD5
bfb8b9f882c42c34ff1b849dea50e05e

SHA1
7136be6a927c0175d67cd4059ebfc718a7ab3250

SHA256
0852f01360670a94c86a4e59d4467bde55ab3c5606bd37e328358207e825217c

SHA512
b4ddf34a755295a4e854791b20719edc1925bf4d6b8debaba9e8da5c8b2912f62cd22dc61bb896fe1f7fc0d845edaecf4b6b6bdcf17a33f34cca1f9fd1c050f6

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
94KB

MD5
a6b5bef9c2392be64353a02bd0a3065c

SHA1
5bfb98839efa62caaa7a64231ce7a800cb5d98d1

SHA256
9dee75cca8190415b87fb76554b38e5ebf3b492cf15f82f9a6afac77800e53f5

SHA512
cbc7aa0a5117b5648d74cfbab70190205b7d78d29ee576acee2f189940b168ccb26f511cce03853165f8c44b13b3ac5a0b18bffc1d40f9300f93b774cb852029

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
94KB

MD5
d42211aeaf5c521cb56b2ffd21a5aecd

SHA1
4229509060db67acfac9ccacfbb5b35062a5ba4d

SHA256
ba1a8e4b046056796837786b5d55f6c720fe9f4c2b4aaf5d673f73b1c9252084

SHA512
ce8fb6d29f3ceba60eea833ef2fecb105b457042e7cba419b0d7b8c5f4317189045082f1036f5d213c84dd9770d143993c1986ee4dc2fedd7395cca3d1da7419

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
94KB

MD5
1a35051f984558380ff788cff36ce199

SHA1
0073ffb4777f2f36cfab081fd64af509dacc7074

SHA256
78110eea50c32f65ee3f224705dae4baf95ffb6c41c355fe7e17fe5dbfd32192

SHA512
e74af40d7887b90f8f93dd07431eca6fe00af4a0db834b52c2abaad5b13d479d08713b5ce334461309a50061734025e90bd096b601534859ffd8ed9a4e2fb56e

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
94KB

MD5
b99fa32293d362b80a415319fbd36ae2

SHA1
918dc213176092290cbb11073c9c8d171a3321d5

SHA256
65ce7783cb0a62f8ec79d74fec4a609bf1d6394c807d8bb16266ec063dec339f

SHA512
3bd6513bbd8f4d4f7cd4883ce54f0f35d70171cb27899ad51e2a1420efdff24c0dd8d33eb17af23c7405ea108ae28d71aa58743e48dcb2f002f21a2f0b473f37

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
94KB

MD5
dae3fc3d9df0fde55e74a21e35237967

SHA1
d8f7f0bea9ea0af047da9a26b943ce9551bb84f0

SHA256
ad15a7fdba98a74fac2dc18d52b82fbc8bb6516263eadfc98cef99424dae2ad8

SHA512
5820bdd91064a56b7a85777b499d088f59f9ff9f30113d64b27b319ee1cdb3686c7b2a7643d481db1c3f97c67be1269bfcdf663a54a0d0e50d570e8c0744d607

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
94KB

MD5
106110eb074ce0e0cf9275fc353081f9

SHA1
a1811c5889524ab205bb79f229670495a105ecba

SHA256
105a2e74ee48f5032e6ed71f5a8e4a3db072204db97abaa38a29788a947e41a6

SHA512
ef0edf529093739d4fb6f7912433dcbbbfb3cdc560dd265fb2dbe32a1bd7b2dcf4a8dcb796309eb235726adf98ebd41922f52e916dfe2aaff6f185ca09e28d6f

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
94KB

MD5
d4c84ec191863ee202fb0243d26b5196

SHA1
f606288aefee5a424f000d23f985fd95b1ee8502

SHA256
bd0e4fe3122e3873acdcb85f66dd33cd18af261f4ae7cd63bd7307c7349dd26b

SHA512
d9d18861073ac6699fb5d8dcaac77868325698960f92a4bf4f2808bb219f24e6d67cbde1af007039e8ecd657c288551b06073022ae613769de2e3e7256a94882

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
94KB

MD5
2a04074f5a6f4140841f2d8116e17885

SHA1
a9096c5f889e22abb569a2fcff1112a6ce272733

SHA256
eae5327cbe075ee37ce3da703eb42851a1c62425961267a6152f54685afaaa59

SHA512
5f487a72e90e8bd8779158a5b559084a735481d60871360a31aaeaed6d68920f101cb3358d7a0cd92dfa3e7fb36cb00e51d29f510060f639720878cd1cb93ef1

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
94KB

MD5
f5bb5292b502edd1372aaaea6e72f83b

SHA1
886f892050dbb575c9d682e3205a9be532bcbd6e

SHA256
f1492ddb29562eed9511ede4e39653d72ba63bed251f1642c1fb7762e584408f

SHA512
9bc393288af895e046bfdef8e79619cddf8d799954294fc56a50246b2d08a18937832f9c3a1ac529d0cdf886afbf656c43779b99f546ef3916cae0cc4939df7b

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
94KB

MD5
916a99dd9254b4ceefb9d6970b2ef311

SHA1
1b711bf9472045f47de37ab987a16581e5208475

SHA256
d1b2b7918868201345bf142afb714a75b8d816951b2595cdcacd947dfe7d543d

SHA512
566feb4ca0e50a1243218d157dd193158e2c10b95c0f348523f25ccbc6d2d2ccea563644369490d13554de27368c1700d3d260a85d069ae26afc38c32624015f

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
94KB

MD5
d3d7331816fd2ab328ef95de3aae59d8

SHA1
682723b352a95bd258b492eecd779c76996e5352

SHA256
c4244c2fad9c989b2dfed859f203c8aacc0de08a40a31fef4254928fe89c7fa1

SHA512
73cbf46a8ca3706f8e86e6f65f1ac252462db4643b1856061a73b4b309df25b31644ab63c604d8b7a570f21ec1d2a2ae7d8ca8881bfa902872518a065b0094e4

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
94KB

MD5
a58ed10b0bc76127e5bacce1884de496

SHA1
f7491b8969d6ef9c6dbca3034c549f0c3999fbe8

SHA256
9c5fb9dfd59d127da6c8105ccef6716ca69fb9bf85e3cbba68d0c96253969a96

SHA512
a2aea23eabc19ac8776de2f172850312b80d56ebab6656f1e89e7d8f8e12124defd633e0178955d1815ac31cecb2f71fa07946dbbbc32638aa96b982882c6bec

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
94KB

MD5
ed1c9d361762498a80c0a40bc70a42a1

SHA1
b6c6edb2eff8ab4c66eae307bd5e2d2f3f68318a

SHA256
9c43c6c9f08a1bb44a0a425f023d618302ebc4af0758db442d598da6d94c29d0

SHA512
66720fdad3a402d8dd9b70ba5600fa693143544988dee121ad3085953a2f0bf795f874116e7ed8e3074a994ae82700b8a4fa96c98ac91101e427b1536c29c54c

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
94KB

MD5
883240ab1c80a5e3036c0bbe010314c0

SHA1
ade3ed910bb238cd46893d7b9dba8bfda5a5e28f

SHA256
4697f9362194ff434136bb5c1cf0f1767dcccfa34b0ec124637a307047163243

SHA512
0eca22c72d909f40fd2bbcb0706e7ce3787b8defb9084c8e167f8f929ecf23bdeef1207da9882d96b5cf154dbc42e0dfb5e6b59407eb5f315419c95892272f55

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
94KB

MD5
793f5b10e9f1a65370581d0841a6bb04

SHA1
4fa484616c19a5a3cf6d07ae708a20c2c6c577be

SHA256
2cc92dec1a7bb76c60a1031ad19da45ffbf79493ec47babecb593857165b6b69

SHA512
8f29866b2e8500b2bef3ce5a3cece72c7dcc0a0642f1644c45cef4dd35a5a337903f88b4a4ae7f3126aef2bc3ca4aad1c151ef7f018545580d2d4f093b65dec5

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
94KB

MD5
6d9a6bde64237244cf05cf26e7108276

SHA1
6d90ef592871d3341ed84985d60fec5ce73cc84b

SHA256
818f47f1f60f3697b7aa3cb85bbe20a2b805bce2cbcb96c049e15fd589dad3d3

SHA512
64f39113cf39876a672489725160bab99f05a8591cdcbd72acaed72579a34ca53932f3fdc709105b897b36fd822fedb24a8664c55bd7887d7ec241c86fdc776d

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
94KB

MD5
f9eef938f937cb3098da88e46e6718ba

SHA1
98b1b4bbc4c14e00b6e0297f547d160f493cea8b

SHA256
a890b5e832a5e029a9ea85fc9ba69aea736e88382ebce34de07387d476649e55

SHA512
45db9f3e3d46fbc793f8e9e80fd47f85ab79f18d54a6d51fec5fdaeb1a104316aedc2a4a0de5945177440a9807fc73a90507655f26e90a5779d53aff99edb6bb

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
94KB

MD5
690ac307528072000e06ee37d629fcaa

SHA1
5ee35281a2bb61e0f0c16a505cb43b96ce1f72b6

SHA256
f73417af960f98c74a5f01d3d979e7bf7883914b143a764c2c519bbf818c2ebd

SHA512
3e4d090c6a08f6b889dd8e3484435336acceb47de34d4ec52dea696c2facd0fe084b9e39ba4b18610827ba1cc0d316662297fe781243d3329e45b0cf1d898efc

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
94KB

MD5
5e07b625f4d880dad2b0adc2b028e05d

SHA1
a5ef80f98075b8a43c19f5d6816999cbb66b9951

SHA256
689093318fdd196f968b2f0fc3877dffb02295df4fe389a73703f5e16e6f8373

SHA512
840f208d01b031a32bf13b6c358b934edbf608e759c00296135118e9a92297fba16cff592c7681236ddd3eef052a636be751b21ddad600eba50c6a300c6e1d2a

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
94KB

MD5
e7a24c17130bbf05774b92226f578489

SHA1
901413f1606dcfe4b08759084fb16e335ed3fbbf

SHA256
75741b6fc33c8ad3054a6f463a9814ce6c21bf2c56feb01485eae1fd5e3dafe9

SHA512
6315ee6636bba4ca97e5a5098daa39c13f91d0882dcc9ec1a9710d3e18eaaa9574772d742c6af35650de1bd42e94dcd69702cf5dfee7e00e2e2a132e41d64b6b

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
94KB

MD5
df9de4cc5c352c8d33a9903bbbd2ffcf

SHA1
2cd3c5a9c7158e5cecea36d4269619b93df864c5

SHA256
b9e58e74525b9f774566fabcc18c66b5a49fa4d7a4ec0f679bf8d9dadfb4cb65

SHA512
12d2c4f85fc434fb5cfeabb05e99b5de203e1aa803596df4627e3321e1fb66e77aef049257707ff07172ed7c151db3359664baf485ec61314c3af90d4246e390

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
94KB

MD5
e43c32ce1839575e371cbdd49fbed602

SHA1
d89ff6bc8e8c30cf106f002a5c91b4a62ab25880

SHA256
975a4913a8e1ab6de0782e556ef7099a10278f3e10b4a6fa1f1092521d951bac

SHA512
01bfde088f21fd9b2a471baa630faeaa02a7914dd4a0cfba8cfd4c766f39527d0f6ff88fbcb6bfcdaabdecad67d1eab1a54a3005153e3f119cd7e3395e17db53

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
94KB

MD5
26a0b124b02af410b65ca96f0d2c5656

SHA1
70f5f31bedb16b410f3b566ccb9558db389715ce

SHA256
5431f1ee2dfffd9429a7b241d3782965a7d693761222b615ecb19d66f23bf17d

SHA512
a564e856e5d16e9833ebd50a1dd22fd90b349015a12e14bf9b324db564608dae292a384b280056ab84f7ce6153d4dcd470f1f4a3e20d03780a0bb22bae4c7aa6

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
94KB

MD5
8c7f0bb1d18acf51fb5a4dc2c77de5fb

SHA1
6e7ea26664d4158867426a730e44cb997aca3e5b

SHA256
e1509d72fdf7ee8f8921c2f48a57b2ccc881536e6b325ef84bae77c761f65984

SHA512
d164457d4573c62f2d837397459d916708d99e4547bb0dfd35356423089e483d919fb28ea3a1f689cde91162122355429118250c3aaa82134f6af7577b11e231

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
94KB

MD5
9da98b4300af7aeb29bef2a0e9a58350

SHA1
454472bf7a77dfd855c8546b52ffe695fa1ff3a6

SHA256
49e7725e7b1ae87c820a49c4a7edf2e11868c7239444ae01ca9da83689a31b1d

SHA512
6b4303ce520f96d1b6974695fabd5a3a422ceb8522368a0b348081c66fc516e197171d639e7e9f0e2e2493246ab4f881e5c76284e4a2830bd4ccc2e667ab66c3

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
94KB

MD5
af08e39ddd703dfa29a08c3812692aaa

SHA1
15ac32be06ae02d774a7f6bc00cb79b90b0b9444

SHA256
f788b656de5058f189c2b9b7b35357ceb912f57d707297db75e4d45bb96497e3

SHA512
7b167eae124f3f29aab4fdd1520ee18f372766e44d3d26eed486178b868cd3c19c520d650170f916dc34ede577f81fc755e94c0138fd8c4f67811721c325c751

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
94KB

MD5
381115623b40974bf3b8411532ace96e

SHA1
4c3836de23ca779895203d3a5e30d9c17b47fb7f

SHA256
849359652e7ca47e6b3a282f6bbb2fae3465ac858812424184e6814bb421c4f4

SHA512
144bf96d4726c40c8ca5a7c3283d0125131c8dbfdb9759cb94d332b3491c48ab9bb144d3b3fe687c1c54fe3378982d58fdcc46043264316ecf9e1fdc4f49e2d7

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
94KB

MD5
f8d186ec3d309f095df6a24f2d703614

SHA1
d40d5ebdbc808c44459c2245d52dc8791af0261a

SHA256
8a887d593a70caa273a2cef4d74037d13ee46e67bda9e4c75a2a77282d8bd17a

SHA512
5bc307625979bb759f0f80ef7cf4feadd466f01b6b7780ae8a7b431d839e3d9aa203f630d749267eebfe4e46918db74ad002f1f91b51724b9082be9c3171bbc1

Download Submit
memory/436-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/972-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/972-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1044-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1044-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2976-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2976-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2992-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2992-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3020-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3200-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3200-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3228-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3300-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3300-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3696-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3696-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3884-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3884-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4324-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4324-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4332-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4332-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads