e9ccf852a2d793ebaac3006e2aa84cabf36273e0607126e8d36d08ef65f486e9

Analysis

max time kernel
91s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20d76869a5e99366807174a5aafb50d0_NeikiAnalytics.exe
Size

94KB
MD5

20d76869a5e99366807174a5aafb50d0
SHA1

351116b9a193dbc8b600c077b80b3c41cb1abe12
SHA256

e9ccf852a2d793ebaac3006e2aa84cabf36273e0607126e8d36d08ef65f486e9
SHA512

c4cc6cb8e9100e05e6ed2bfc39f0a9178308ab12095dc36c59643cb908413b39cd811e9ce44ed057830b637356e7746cf2764b70fd7d97c50979ac152e6bae1c
SSDEEP

1536:ZIgIuls1g/cBm5/SsXTfepzodksKaiV39LRQDn4RfRa9HprmRfRZ:k9cOm5/jeZoydai3LeD45wkpv

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	20d76869a5e99366807174a5aafb50d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	20d76869a5e99366807174a5aafb50d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/2232-0-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000023276-6.dat	family_berbew
behavioral2/memory/2348-7-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233cd-14.dat	family_berbew
behavioral2/memory/3292-24-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233cf-23.dat	family_berbew
behavioral2/memory/956-19-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233d1-30.dat	family_berbew
behavioral2/memory/3140-32-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233d3-38.dat	family_berbew
behavioral2/memory/4948-44-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233d5-46.dat	family_berbew
behavioral2/memory/4228-52-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233d7-54.dat	family_berbew
behavioral2/memory/3740-60-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233d9-62.dat	family_berbew
behavioral2/memory/2552-64-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233db-70.dat	family_berbew
behavioral2/memory/3236-72-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233dd-78.dat	family_berbew
behavioral2/memory/4920-80-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233df-86.dat	family_berbew
behavioral2/files/0x00070000000233e1-89.dat	family_berbew
behavioral2/memory/1768-88-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3696-95-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233e3-102.dat	family_berbew
behavioral2/memory/1224-104-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233e5-110.dat	family_berbew
behavioral2/memory/4688-112-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233e7-118.dat	family_berbew
behavioral2/memory/2196-120-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233e9-126.dat	family_berbew
behavioral2/memory/3492-133-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233eb-134.dat	family_berbew
behavioral2/memory/1192-135-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233ed-142.dat	family_berbew
behavioral2/memory/3620-143-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233ef-150.dat	family_berbew
behavioral2/memory/3636-152-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233f1-159.dat	family_berbew
behavioral2/memory/756-160-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233f3-166.dat	family_berbew
behavioral2/memory/4056-168-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00080000000233ca-174.dat	family_berbew
behavioral2/memory/2456-176-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233f6-183.dat	family_berbew
behavioral2/memory/1076-184-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233f8-190.dat	family_berbew
behavioral2/memory/3644-191-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233fa-198.dat	family_berbew
behavioral2/memory/4748-200-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233fc-206.dat	family_berbew
behavioral2/memory/1896-208-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233fe-214.dat	family_berbew
behavioral2/memory/2156-216-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023400-222.dat	family_berbew
behavioral2/memory/4268-223-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023402-230.dat	family_berbew
behavioral2/memory/1232-232-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023404-239.dat	family_berbew
behavioral2/memory/4964-244-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0005000000022970-246.dat	family_berbew
behavioral2/memory/2696-248-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023407-254.dat	family_berbew

Executes dropped EXE 46 IoCs

pid	Process
2348	Kinemkko.exe
956	Kphmie32.exe
3292	Kdcijcke.exe
3140	Kmlnbi32.exe
4948	Kpjjod32.exe
4228	Kgdbkohf.exe
3740	Kibnhjgj.exe
2552	Kpmfddnf.exe
3236	Kckbqpnj.exe
4920	Lmqgnhmp.exe
1768	Ldkojb32.exe
3696	Lkdggmlj.exe
1224	Laopdgcg.exe
4688	Ldmlpbbj.exe
2196	Lnepih32.exe
3492	Ldohebqh.exe
1192	Lgneampk.exe
3620	Ldaeka32.exe
3636	Ljnnch32.exe
756	Lphfpbdi.exe
4056	Lgbnmm32.exe
2456	Mnlfigcc.exe
1076	Mciobn32.exe
3644	Mgekbljc.exe
4748	Majopeii.exe
1896	Mdiklqhm.exe
2156	Mgghhlhq.exe
4268	Mamleegg.exe
1232	Mgidml32.exe
4964	Mjhqjg32.exe
2696	Maohkd32.exe
4340	Mglack32.exe
1492	Mnfipekh.exe
1576	Mcbahlip.exe
4880	Njljefql.exe
3676	Nqfbaq32.exe
2956	Nceonl32.exe
1300	Njogjfoj.exe
3088	Nafokcol.exe
4468	Ngcgcjnc.exe
3504	Njacpf32.exe
3616	Nbhkac32.exe
4692	Ncihikcg.exe
2880	Njcpee32.exe
2724	Ndidbn32.exe
4516	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	20d76869a5e99366807174a5aafb50d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kinemkko.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4960	4516	WerFault.exe	129

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	20d76869a5e99366807174a5aafb50d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	20d76869a5e99366807174a5aafb50d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kpjjod32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2348	2232	20d76869a5e99366807174a5aafb50d0_NeikiAnalytics.exe	81
PID 2232 wrote to memory of 2348	2232	20d76869a5e99366807174a5aafb50d0_NeikiAnalytics.exe	81
PID 2232 wrote to memory of 2348	2232	20d76869a5e99366807174a5aafb50d0_NeikiAnalytics.exe	81
PID 2348 wrote to memory of 956	2348	Kinemkko.exe	82
PID 2348 wrote to memory of 956	2348	Kinemkko.exe	82
PID 2348 wrote to memory of 956	2348	Kinemkko.exe	82
PID 956 wrote to memory of 3292	956	Kphmie32.exe	83
PID 956 wrote to memory of 3292	956	Kphmie32.exe	83
PID 956 wrote to memory of 3292	956	Kphmie32.exe	83
PID 3292 wrote to memory of 3140	3292	Kdcijcke.exe	84
PID 3292 wrote to memory of 3140	3292	Kdcijcke.exe	84
PID 3292 wrote to memory of 3140	3292	Kdcijcke.exe	84
PID 3140 wrote to memory of 4948	3140	Kmlnbi32.exe	85
PID 3140 wrote to memory of 4948	3140	Kmlnbi32.exe	85
PID 3140 wrote to memory of 4948	3140	Kmlnbi32.exe	85
PID 4948 wrote to memory of 4228	4948	Kpjjod32.exe	86
PID 4948 wrote to memory of 4228	4948	Kpjjod32.exe	86
PID 4948 wrote to memory of 4228	4948	Kpjjod32.exe	86
PID 4228 wrote to memory of 3740	4228	Kgdbkohf.exe	88
PID 4228 wrote to memory of 3740	4228	Kgdbkohf.exe	88
PID 4228 wrote to memory of 3740	4228	Kgdbkohf.exe	88
PID 3740 wrote to memory of 2552	3740	Kibnhjgj.exe	89
PID 3740 wrote to memory of 2552	3740	Kibnhjgj.exe	89
PID 3740 wrote to memory of 2552	3740	Kibnhjgj.exe	89
PID 2552 wrote to memory of 3236	2552	Kpmfddnf.exe	90
PID 2552 wrote to memory of 3236	2552	Kpmfddnf.exe	90
PID 2552 wrote to memory of 3236	2552	Kpmfddnf.exe	90
PID 3236 wrote to memory of 4920	3236	Kckbqpnj.exe	91
PID 3236 wrote to memory of 4920	3236	Kckbqpnj.exe	91
PID 3236 wrote to memory of 4920	3236	Kckbqpnj.exe	91
PID 4920 wrote to memory of 1768	4920	Lmqgnhmp.exe	93
PID 4920 wrote to memory of 1768	4920	Lmqgnhmp.exe	93
PID 4920 wrote to memory of 1768	4920	Lmqgnhmp.exe	93
PID 1768 wrote to memory of 3696	1768	Ldkojb32.exe	94
PID 1768 wrote to memory of 3696	1768	Ldkojb32.exe	94
PID 1768 wrote to memory of 3696	1768	Ldkojb32.exe	94
PID 3696 wrote to memory of 1224	3696	Lkdggmlj.exe	95
PID 3696 wrote to memory of 1224	3696	Lkdggmlj.exe	95
PID 3696 wrote to memory of 1224	3696	Lkdggmlj.exe	95
PID 1224 wrote to memory of 4688	1224	Laopdgcg.exe	96
PID 1224 wrote to memory of 4688	1224	Laopdgcg.exe	96
PID 1224 wrote to memory of 4688	1224	Laopdgcg.exe	96
PID 4688 wrote to memory of 2196	4688	Ldmlpbbj.exe	97
PID 4688 wrote to memory of 2196	4688	Ldmlpbbj.exe	97
PID 4688 wrote to memory of 2196	4688	Ldmlpbbj.exe	97
PID 2196 wrote to memory of 3492	2196	Lnepih32.exe	99
PID 2196 wrote to memory of 3492	2196	Lnepih32.exe	99
PID 2196 wrote to memory of 3492	2196	Lnepih32.exe	99
PID 3492 wrote to memory of 1192	3492	Ldohebqh.exe	100
PID 3492 wrote to memory of 1192	3492	Ldohebqh.exe	100
PID 3492 wrote to memory of 1192	3492	Ldohebqh.exe	100
PID 1192 wrote to memory of 3620	1192	Lgneampk.exe	101
PID 1192 wrote to memory of 3620	1192	Lgneampk.exe	101
PID 1192 wrote to memory of 3620	1192	Lgneampk.exe	101
PID 3620 wrote to memory of 3636	3620	Ldaeka32.exe	102
PID 3620 wrote to memory of 3636	3620	Ldaeka32.exe	102
PID 3620 wrote to memory of 3636	3620	Ldaeka32.exe	102
PID 3636 wrote to memory of 756	3636	Ljnnch32.exe	103
PID 3636 wrote to memory of 756	3636	Ljnnch32.exe	103
PID 3636 wrote to memory of 756	3636	Ljnnch32.exe	103
PID 756 wrote to memory of 4056	756	Lphfpbdi.exe	104
PID 756 wrote to memory of 4056	756	Lphfpbdi.exe	104
PID 756 wrote to memory of 4056	756	Lphfpbdi.exe	104
PID 4056 wrote to memory of 2456	4056	Lgbnmm32.exe	105

C:\Users\Admin\AppData\Local\Temp\20d76869a5e99366807174a5aafb50d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\20d76869a5e99366807174a5aafb50d0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\Kinemkko.exe
  C:\Windows\system32\Kinemkko.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\Kphmie32.exe
    C:\Windows\system32\Kphmie32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Windows\SysWOW64\Kdcijcke.exe
      C:\Windows\system32\Kdcijcke.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3292
    - - C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
      - C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        47⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 228
        48⤵
        Program crash
        
        PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4516 -ip 4516
1⤵
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Joamagmq.dll

Filesize
7KB

MD5
0d618b5bb64a0dedda328537ff697e9e

SHA1
26db1115cfb596575dad519568e0a3e552ae4a65

SHA256
8134e78ec049a5971d22b9c3567c7b22cb91c27283f1283624fbfd3599c63f1c

SHA512
a7b7f9b8538f18f2593fa1a82da6ff0b476b22ad52e5b07b42267f673a79689dd5ff3d6112e3fff2b3475cf0dfe0705bd75f383fc6c1fec1608c1e9dd61ceda0

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
94KB

MD5
a9d003d5cffff214ee8aefe2547e61b9

SHA1
6a4f2c62ae716f0ecb70b637c6696d12f6d6665b

SHA256
9c1b102b9d75f7c5eb3bc3cee3b3a89516d656ea10394da221d8bcf212348847

SHA512
c48519f4d92b11096ebc4cea84f8b2ac5574380ad43827e3549bb158a8c413ca2d0ad19340b8f17c0864a1334c8a827c1a43f4625e455e5b5a3aa9a12c138a9d

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
94KB

MD5
94ffd471fe50dbd89ecae42ca40acf65

SHA1
5669b69281061e2f6821fb241776b87990734d8e

SHA256
a81e8ef28eb46b37be0fbd07b961d2605458b4a05cb3a365540ee3a39019e98d

SHA512
3684c140580515c488f0260038d734ce2d4c44d2890ba9df60ebbd22afd9ab41213c80764a536b56f7080fcddc0cd598f9dafcc086913cd59ffa2c192b1e3a6b

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
94KB

MD5
9938c35aa6ab265cf3beb0b9bf5f3c6f

SHA1
5ce4ccdd4cec6564504fa13d992aa27d5613c23d

SHA256
827440867f75ad9a9df7d900b1ebd5b30f8bcf1a3fc26dadc45f3c9cb8341399

SHA512
7ea287a8d892a961a0bda22d4dbe14e73714ee93801ae271bbb685916843fcf26d695bbaeebd9b22ecdaa4bb5aa387e13a5389fe93c40e729c015996f3ca1c1e

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
94KB

MD5
7b053a39c7dbb856a545fa582fefd44e

SHA1
a531466ee67bf12a0fc2cd917c948fa6dbf1e2c2

SHA256
143b2ebf18c4cea4816cf1b118ed016c6910f9e1a43f621cf24efa56821f2057

SHA512
547e75610cecb293dd355d91360dbfea49e878d3598a8bc4a75f30bba6107be6892a28983ed239f04f683592aa1fecb6e349cf8ebc1141b6efe2363ee0808e8d

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
94KB

MD5
6710fd7e301ea2d78168437a300db05f

SHA1
03ccffcd575d769a6d5dc49405402a625ffc4be1

SHA256
880486e8271b9c0403f31b4e68d13c0e248e35e7b98c7663bdbd0788e07ac529

SHA512
41956f028143f0a3b29f6c67f84e0ee06a572a0de32f29dfbd2ec884fcd6f39f1837bf47461de1f39fb2a8de81189af84b4b71201ba6fc5953dd86f37d04ba11

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
94KB

MD5
fc96897edeec5e0758c7b1b47a0e471e

SHA1
138338194124b73725847335f08241cfb80d7b71

SHA256
2f54139c7a911c527fc7682a1e89b47d657cdf67a41106071b12ff1bc6c68195

SHA512
430c18f728ba49d55703ee98cca91d005d8ad4de8d17c03d6c4cc3796f74a2a754d90003ea80a5707be6598debc15ac60a935109a062808508639f0f8a637fad

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
94KB

MD5
83b7103ebee39c74de7a8ba3d711e903

SHA1
f7d4266592458e1764130ab9a598fe91dd7cd0d4

SHA256
688f18c858d297858db7ed6d15b88cb669f5080f1c22862699b32df85bf89567

SHA512
c8a0fe2ed7c75b4ee22a22e1cf470614cf061a7a2b5e5e4f6ddc3b2399576d3b0d185f9ebc2091ea85dc59205b2e00fc0fc531f9e4f13128451b9daf3a818dd2

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
94KB

MD5
5f47e61966c9d97f9e107acc7b757c80

SHA1
966466cb5e281b39a75b34ff63f319a77a8b63c4

SHA256
5b43f53b9f49a67f67aa708fb81ee62b99c2b0996028967b1cd588cdf49c5164

SHA512
412f45572c9c1806332ddad8a4541dccbadf6e484e35e7ff3ab622497fc0f755a86d551db097e66829059fa68d3ed247be8f42b64c0c5ec40a81c0079c36a52d

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
94KB

MD5
f68c2f1c1347b3344224d8b8d1e0ba75

SHA1
1e3b5cd6c969f9133dd79017b6659cc12e055947

SHA256
d7cf851e2df611025a2a89c48d5d3ec5ec203b190788580424a0a7dd01681a1a

SHA512
9d639763cf6a7e68e182c25377b8595b8c40ceb558e1d90fe944820b96f6183821911570f0a1b973a1ed71d1f3fcb4fe81adc51926955bba3a355ab490eeb2f6

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
94KB

MD5
aeff107fa0e6d95e550f5f1102507998

SHA1
299042bc4d5b0a6722305d192ead0846155d696b

SHA256
3c9361f571c193db5dfe0184c3957ba1ca83b45263d1ee5788d5ae0b72d849b8

SHA512
bb974a04377db54f14d7ddd611273ef5cb57fa91a485b3a596ee07e729ac0136a4a607e0d42e4acc5e707f60271db9f5825ad0845a8a6248a06ebc3fc5d01b72

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
94KB

MD5
f912ca64573345295475c50f7c09999b

SHA1
864061b218f76a026a38abdf7b3163a4e1cfc68d

SHA256
041b91d57c19f8143bac3a4aaf43aaa9f6e27a9c455d373b7a1bd1b7205fea7f

SHA512
aa43dfcef777ca834218a6978360ac528e153972de5c981423439d81b8a270e95aef4b3cba80642aec634830cb935e4f2dcffcb4b381580873d51a10f472c51b

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
94KB

MD5
faed9d9420726053bfa74f4b9ad38f76

SHA1
745eda3542e04dc36feea62d0d5bcb2b46d57e16

SHA256
62a2899c1c7bfaf2c42056db609da6324b6a1de0f78a9ce3dbe0809140d8c218

SHA512
8169d753a12e3027c494a23ee4abb0074d011b840de9a47db7c548a5884cc08f290cb47ecc1bae8f35328e1e807a462c1f38c35773c987a3aea147ccd4443785

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
94KB

MD5
cb8fba4be8bbbf5208a1e2d2ee71d004

SHA1
7dc9bace22c22eb96e2fd6f0f0978e9d3b41af62

SHA256
f311bc1c54539c2a9b2d1a4bdb1acb10103b5f5cb0b24a01347a4c9ffc4d4a26

SHA512
950654d0d145b2c89b76c7ee970c142bb6a053fca6ac760fdc5e76794aa5af221573bc6e5efa5be423ffa7753e6379419429cefc8f2d5f0c69db553785d0c46b

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
94KB

MD5
bad97bc9225e976b49b0d129d0c5ce2e

SHA1
184fc377b47477324ed516de13b3be76101df0a3

SHA256
90010097d40a2b72eec73799c977f3c6423d7c9984f1915a2d0beb7c5909cb38

SHA512
82dc8f801a776b08ceec927f1543ed9cba87cc6ccd026837d0a98a9dc51abb9c6cc35b14ea1e3d03a63d79176431cb8a876aaa2992a6af2b4f7317603de39702

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
94KB

MD5
3e2a283c6f679f775fa138c0f860c95f

SHA1
444bb0d3598386f8dd4fdb5342c0283d329275d5

SHA256
6fc0fb0405963becb3c58f9d33e521d0d099fb35bddb263836325471fae584ba

SHA512
617da95a58d3f0198ac5c063e6f81bf62ab79f52eff499bff0ec6ae084f240464366a67b2e543b2e523e71dfbcdd197d431c03b3868b3ffdc927f35ddaa64a35

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
94KB

MD5
80b3cd2d8a83ffd65dd114e0da30d0e0

SHA1
361b1f8dd67d8ced2a6d0bb42d56a07281b40eac

SHA256
184a1a8adee8921e353ec711a10422e48434a6f0748921077d8d79276bf72358

SHA512
b44e29abdc8af65555f8105e545f30677c2debf9103f0bbddc3a36f8f1aebb11b593da6b47c52fbcbc3b54fecfd4a39863804d3b5c2ecd0e535f900adb97ae1f

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
94KB

MD5
a0bdec7a42726323fb3c0b7ee09fa643

SHA1
57a740714e90c78e71ae674ddceb15787b4b2390

SHA256
69fb35a911e200928f5d7de587b30573a55b8a244a0376363a2755aa72bab45d

SHA512
65f329be5b41205accc343d2d2a0722886feeab1c8af06104d4c41313f64ee0d09178cd1dd035ae1f7fe394d98c08106ef9496abff44bbf628ad2ef123e3428c

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
94KB

MD5
72fe1b3bf01163529522eec857652179

SHA1
0e1b7526727888cd75d9fdbecf7afb057cf40e73

SHA256
6f3fa8ceca97b0f17e26f689ba2b5ce537c1191172a3b29a2e8d6dffe8792456

SHA512
9519151ef037e58d3191453448d9ca3d9aea8f18be90731a5af90e94826b2ae6f693e82fb28425054cf267895f74d6077eb30b13a938a277f7b4e4709ba2de13

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
94KB

MD5
fc82ee663dfe4c5b71982ac45af69fe8

SHA1
ad3eb82f4a0b3daeb328001fd59cff8520918b6a

SHA256
b2cd5a3c1589a2872a07bf6cf79070924394805de14807071847e5cdfd1f4151

SHA512
01301110be5ac7d73360c6abce8afeb32a8c7baf4f7ca49d47a99c49cc025eb3013b8ba96319b5c4b20af9dfe2ebaa81e82983f1a8ec6989a40034a341ada434

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
94KB

MD5
1b3f9a9ea3edd53065e92d1ec7612642

SHA1
6765cdb41e4832acef91b86389fe6b77f07e14b7

SHA256
4ae96276a3d69a59523d7b9b679986bba7160c2998f6bf60fc50f88804bb9946

SHA512
75674e62b6d5691f47a46d0d67a0f7c72362c89be67db8f4a825ee51f0c66ece4a14718e85c6379e84472ced7e2c37b0333c753fe9c99fe866c3fb991b82f0b4

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
94KB

MD5
9afa80a09313433ae7930bbf39e96134

SHA1
37383915b4c160c9a5023a5103161a23a0bf4cfe

SHA256
2938569755e458e63f7954e90156511a3324e42fe52709a80398b157fa352361

SHA512
c064dae351c73ab47156158c97837e6156315ddce153e3a7c36db7bb4fda05098c633b200ec5cdd5cc119c60efc0847beb677c4caa603d031bc6ffe09edba0e5

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
94KB

MD5
51165db4e8a852e7fe85c5dfd4b47853

SHA1
b84f72ba27bf7da332a0a8cd03f3cb6bc1c45d08

SHA256
e69e2a4046e55f01486781b66c4cfecaf79fdb5689f89ca9404d752ad83a1fcd

SHA512
0f4f84b62980a5ef54e31a5d878b2b806382a6470da9fbbc8e500c52d0ab2515f600707ec58c31d40d85369146bf62ec56e87d75b9395c9c79ce550c85899e06

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
94KB

MD5
8e76d1e96f27f1f2c3e78d27bb5429c0

SHA1
80312e3ab608aaef8a91027108a73fceac3c4ba4

SHA256
cac9507193f32f290b7353d09ae41a27dd3325298777ab1b3abfa561b57cd6ef

SHA512
29d2271cead2d06798b2b017a0ef88538eb5a69660c9c239bf576f5f70e0d1c1ae3e788bfac13d6e4b93c62f6ae276c19d310c2b9d0e7ea40ecb8e0cf9e75fd6

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
94KB

MD5
ad1d6cc42f12a3d02c5624581a4c13e3

SHA1
95a5505158d0189d5922eec29a07c5bad2a7b39f

SHA256
5862f78c33c76087bc1d2f3e8c9d9677be0d64147ced643ae907efe1168699e8

SHA512
cdb0e3c3386117a049b8bcf10efd243310ec4f4c5b0085a569b7840bea52718b58b233e6442cee1514918ac8a51380cbed5b5f9ea7d4a4e8fee9819fb6b03dc9

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
94KB

MD5
6b06e9dc264480e0b4950e1cf0e6ee4e

SHA1
b378ee4a6b30d10f9cf38b7bb3bdf7d07a4b1103

SHA256
60fc1afbc3fbb8fff791a2ac9cfbb18933aa142a793a2d559a4ab573a8a768b0

SHA512
4c7a50cdb6f3946d9f00a401c2dd94c6f0f301eb528805d1c8f3dfc42039ad4f0bf912b9c388342dd41a7627c6a589cfe9568f64fd77a27ab727a54e63dcce7a

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
94KB

MD5
b0a5a75bbca3ab5f6aa98bd37aaffe37

SHA1
9736a63c01e7636546fd720fad9d91fd738f3e3b

SHA256
127a17de85dde4d66ffe8321dd52a2684af400703bde645e5cf1c809d9d6c658

SHA512
c25beeb05d99f8d2ac9b51a1024d5657b480505728b0aaeb779f2e3d6b1211c79cf24cd712e23d840d908d181e1db0d891ae74f45798b62ff2a35d4be5d33027

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
94KB

MD5
42a5af6508a649f4a9a9687fe2c7b0ae

SHA1
a986709d2a964e38f2c00d589627859477bb8607

SHA256
3615c1993c53ba3d226a415dcdedb8e86effef2aab74527b0e4d10b08418a552

SHA512
673fcdfe81dc78388d9f9f92664fdbce1ade3df306b855034ddc3b9ea531c2994c77887b42624c58a240d7b04394cf7621ead096281ac2ccf990beecfbf48718

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
94KB

MD5
040f2aecc0e890a4ce8c6e05de6c1e83

SHA1
ff5a5d722c42fd4d9fd91e72016d9bf62c5dfa9e

SHA256
e0d6543f66066f791fc979d6c4929ea96c1cb8411c7f5f6317453c9de875d7ad

SHA512
12436a3400b4b588d552259618a9d6c7b1b26cf5a1b1225de5de64807d22a5d86dfe7307948ad3b6f60f043517b164d898c583643d278dfec66bd80762e114d2

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
94KB

MD5
869a60a08be28a01c39a93b3130425ac

SHA1
9e02c46479ff827629ca0e1e894736cb95f09b54

SHA256
268a60cdf46525a2340f3ef35f36d015f44d33d8c879e327c06da0763f7b1f70

SHA512
23ed68daf90032cb62e9b78b85f40661665bef94eba83ab45964369ff8ee21555c3fc1d9f4348022c4f543214f39b32a3e9e659da3c37ae194b8d2a23418e768

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
94KB

MD5
97da7e8ec9024b48ba065385d7e65bfc

SHA1
65b1dc5664c50cdaf8675e1f64b8efa053c9da82

SHA256
ac3bcae889b49241bc26507880573259cdafadfa5d8374828b15d17fb3f68aaa

SHA512
33bcf36af0d1a4d7f76184e05b415ad53276b8abb3731ad606c1344485675fff62306421af8a1ed86454fe524d30c196cbf1aeda4c23f076d648ac7c61ad6190

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
94KB

MD5
1b04e6efb78bd51bf8aa9f6240f315f7

SHA1
f6b52b5cfcb3288dc8aa2d7d91556928e6476b0d

SHA256
0387027f58dac08ff778855f2bacc61a90f2aa2e6018d56bc0a8ae52a5221e55

SHA512
f703dadaf7080ec082a2e3ab950dff5fd8f1bd9c8e7584f69d0dfaf25dc9bd323b8f0aef4a66cdd7d763d88dae6e5def2cc776402e8f857711325b87abd69f8e

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
94KB

MD5
a96ae19f309ad278ec8e37287a8bae18

SHA1
f9b082445dbb6283eb73a2dca00bfcd93537fb82

SHA256
ae104e4c810724873b7294d998f0d02086c1ad9b8fc3deebef238c5a421c0abe

SHA512
2e0a4ebda32acd1e731350a6786229eb13d20fbc47ad1bfd5a8df6094cee1e24bb562b62087ceb65cb8faefecc8f99114b133dda5f65f5b1e59cb54b19d7c2e6

Download Submit
memory/756-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/756-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/956-19-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/956-380-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1076-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1076-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1192-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1192-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1224-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1224-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1232-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1232-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1300-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1300-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1492-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1492-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1576-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1576-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1768-373-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1768-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1896-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1896-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2156-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2156-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2232-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2232-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2348-381-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2348-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2724-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2724-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-343-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2956-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2956-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3088-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3088-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3140-378-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3140-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3236-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3236-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3292-379-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3292-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3504-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3504-345-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3616-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3616-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3620-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3620-367-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3636-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3636-366-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-361-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3676-283-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3676-350-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3696-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3696-372-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3740-60-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4056-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4056-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4228-52-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4228-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4268-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4268-357-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4340-354-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4340-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4468-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4468-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4688-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4688-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4748-360-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4748-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4880-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4880-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4920-374-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4920-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-44-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4964-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads