0888a036fe75556db7f2982c17756d32d1bb7f38eccf5824bfc716d8873adea3

Analysis

max time kernel
136s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

367682d04104243b3af76bff772830b0_NeikiAnalytics.exe
Size

227KB
MD5

367682d04104243b3af76bff772830b0
SHA1

a42f45e65272228fbc2bbc37128b23c74f4964ce
SHA256

0888a036fe75556db7f2982c17756d32d1bb7f38eccf5824bfc716d8873adea3
SHA512

3d0dc5df40fca20a6f67ae2295eed023366eb0ba5f53d45d93fccbdee0b37e9683782e6bc3e4a2c75457dc09164b72a74b5de0f148ec57f155a17d4416833f8d
SSDEEP

3072:G2vhmXOANOcC4rZeyYpwoTRBmDRGGurhUXvBj2QE2HegPelTeIdI7jFHu:G0eCQsqm7U5j2QE2+g24Id2jFHu

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	367682d04104243b3af76bff772830b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	367682d04104243b3af76bff772830b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe

Malware Dropper & Backdoor - Berbew 37 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000800000002327d-6.dat	family_berbew
behavioral2/files/0x0007000000023454-14.dat	family_berbew
behavioral2/files/0x0007000000023456-22.dat	family_berbew
behavioral2/files/0x0007000000023458-25.dat	family_berbew
behavioral2/files/0x0007000000023458-31.dat	family_berbew
behavioral2/files/0x000700000002345a-38.dat	family_berbew
behavioral2/files/0x000700000002345c-46.dat	family_berbew
behavioral2/files/0x000700000002345e-54.dat	family_berbew
behavioral2/files/0x0007000000023460-62.dat	family_berbew
behavioral2/files/0x0007000000023462-70.dat	family_berbew
behavioral2/files/0x0007000000023464-79.dat	family_berbew
behavioral2/files/0x0007000000023468-97.dat	family_berbew
behavioral2/files/0x000700000002346a-105.dat	family_berbew
behavioral2/files/0x000700000002346c-115.dat	family_berbew
behavioral2/files/0x000700000002346e-123.dat	family_berbew
behavioral2/files/0x0007000000023471-132.dat	family_berbew
behavioral2/files/0x0007000000023475-149.dat	family_berbew
behavioral2/files/0x0007000000023477-157.dat	family_berbew
behavioral2/files/0x000700000002347b-174.dat	family_berbew
behavioral2/files/0x000700000002347d-184.dat	family_berbew
behavioral2/files/0x000700000002347f-191.dat	family_berbew
behavioral2/files/0x0007000000023484-217.dat	family_berbew
behavioral2/files/0x0007000000023486-226.dat	family_berbew
behavioral2/files/0x000700000002348a-238.dat	family_berbew
behavioral2/files/0x000700000002348a-246.dat	family_berbew
behavioral2/files/0x0007000000023490-269.dat	family_berbew
behavioral2/files/0x000700000002348e-261.dat	family_berbew
behavioral2/files/0x000700000002348c-253.dat	family_berbew
behavioral2/files/0x0007000000023488-235.dat	family_berbew
behavioral2/files/0x0007000000023483-209.dat	family_berbew
behavioral2/files/0x0007000000023483-202.dat	family_berbew
behavioral2/files/0x0007000000023481-201.dat	family_berbew
behavioral2/files/0x0007000000023479-166.dat	family_berbew
behavioral2/files/0x0007000000023475-143.dat	family_berbew
behavioral2/files/0x0007000000023473-141.dat	family_berbew
behavioral2/files/0x0007000000023466-88.dat	family_berbew
behavioral2/files/0x0007000000023460-57.dat	family_berbew

Executes dropped EXE 36 IoCs

pid	Process
3192	Lcbiao32.exe
2236	Lkiqbl32.exe
4164	Lnhmng32.exe
4064	Lcdegnep.exe
416	Lklnhlfb.exe
3656	Laefdf32.exe
4908	Lphfpbdi.exe
2848	Lcgblncm.exe
1672	Lknjmkdo.exe
3948	Mjqjih32.exe
3408	Mahbje32.exe
1380	Mpkbebbf.exe
2184	Mkpgck32.exe
1540	Mpmokb32.exe
3712	Mgghhlhq.exe
1476	Mpolqa32.exe
1932	Mcnhmm32.exe
2552	Mjhqjg32.exe
3100	Mpaifalo.exe
3448	Mcpebmkb.exe
3796	Mkgmcjld.exe
2332	Mnfipekh.exe
1076	Mdpalp32.exe
1280	Njljefql.exe
4208	Ndbnboqb.exe
3576	Nklfoi32.exe
4744	Nnjbke32.exe
2876	Nqiogp32.exe
3104	Ncgkcl32.exe
2756	Nnmopdep.exe
4428	Nqklmpdd.exe
4468	Ngedij32.exe
4960	Njcpee32.exe
324	Nqmhbpba.exe
3628	Ncldnkae.exe
4152	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	367682d04104243b3af76bff772830b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	367682d04104243b3af76bff772830b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	367682d04104243b3af76bff772830b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1516	4152	WerFault.exe	121

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	367682d04104243b3af76bff772830b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	367682d04104243b3af76bff772830b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	367682d04104243b3af76bff772830b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	367682d04104243b3af76bff772830b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 3192	2648	367682d04104243b3af76bff772830b0_NeikiAnalytics.exe	83
PID 2648 wrote to memory of 3192	2648	367682d04104243b3af76bff772830b0_NeikiAnalytics.exe	83
PID 2648 wrote to memory of 3192	2648	367682d04104243b3af76bff772830b0_NeikiAnalytics.exe	83
PID 3192 wrote to memory of 2236	3192	Lcbiao32.exe	84
PID 3192 wrote to memory of 2236	3192	Lcbiao32.exe	84
PID 3192 wrote to memory of 2236	3192	Lcbiao32.exe	84
PID 2236 wrote to memory of 4164	2236	Lkiqbl32.exe	85
PID 2236 wrote to memory of 4164	2236	Lkiqbl32.exe	85
PID 2236 wrote to memory of 4164	2236	Lkiqbl32.exe	85
PID 4164 wrote to memory of 4064	4164	Lnhmng32.exe	86
PID 4164 wrote to memory of 4064	4164	Lnhmng32.exe	86
PID 4164 wrote to memory of 4064	4164	Lnhmng32.exe	86
PID 4064 wrote to memory of 416	4064	Lcdegnep.exe	87
PID 4064 wrote to memory of 416	4064	Lcdegnep.exe	87
PID 4064 wrote to memory of 416	4064	Lcdegnep.exe	87
PID 416 wrote to memory of 3656	416	Lklnhlfb.exe	88
PID 416 wrote to memory of 3656	416	Lklnhlfb.exe	88
PID 416 wrote to memory of 3656	416	Lklnhlfb.exe	88
PID 3656 wrote to memory of 4908	3656	Laefdf32.exe	89
PID 3656 wrote to memory of 4908	3656	Laefdf32.exe	89
PID 3656 wrote to memory of 4908	3656	Laefdf32.exe	89
PID 4908 wrote to memory of 2848	4908	Lphfpbdi.exe	90
PID 4908 wrote to memory of 2848	4908	Lphfpbdi.exe	90
PID 4908 wrote to memory of 2848	4908	Lphfpbdi.exe	90
PID 2848 wrote to memory of 1672	2848	Lcgblncm.exe	91
PID 2848 wrote to memory of 1672	2848	Lcgblncm.exe	91
PID 2848 wrote to memory of 1672	2848	Lcgblncm.exe	91
PID 1672 wrote to memory of 3948	1672	Lknjmkdo.exe	92
PID 1672 wrote to memory of 3948	1672	Lknjmkdo.exe	92
PID 1672 wrote to memory of 3948	1672	Lknjmkdo.exe	92
PID 3948 wrote to memory of 3408	3948	Mjqjih32.exe	93
PID 3948 wrote to memory of 3408	3948	Mjqjih32.exe	93
PID 3948 wrote to memory of 3408	3948	Mjqjih32.exe	93
PID 3408 wrote to memory of 1380	3408	Mahbje32.exe	94
PID 3408 wrote to memory of 1380	3408	Mahbje32.exe	94
PID 3408 wrote to memory of 1380	3408	Mahbje32.exe	94
PID 1380 wrote to memory of 2184	1380	Mpkbebbf.exe	95
PID 1380 wrote to memory of 2184	1380	Mpkbebbf.exe	95
PID 1380 wrote to memory of 2184	1380	Mpkbebbf.exe	95
PID 2184 wrote to memory of 1540	2184	Mkpgck32.exe	96
PID 2184 wrote to memory of 1540	2184	Mkpgck32.exe	96
PID 2184 wrote to memory of 1540	2184	Mkpgck32.exe	96
PID 1540 wrote to memory of 3712	1540	Mpmokb32.exe	97
PID 1540 wrote to memory of 3712	1540	Mpmokb32.exe	97
PID 1540 wrote to memory of 3712	1540	Mpmokb32.exe	97
PID 3712 wrote to memory of 1476	3712	Mgghhlhq.exe	99
PID 3712 wrote to memory of 1476	3712	Mgghhlhq.exe	99
PID 3712 wrote to memory of 1476	3712	Mgghhlhq.exe	99
PID 1476 wrote to memory of 1932	1476	Mpolqa32.exe	100
PID 1476 wrote to memory of 1932	1476	Mpolqa32.exe	100
PID 1476 wrote to memory of 1932	1476	Mpolqa32.exe	100
PID 1932 wrote to memory of 2552	1932	Mcnhmm32.exe	101
PID 1932 wrote to memory of 2552	1932	Mcnhmm32.exe	101
PID 1932 wrote to memory of 2552	1932	Mcnhmm32.exe	101
PID 2552 wrote to memory of 3100	2552	Mjhqjg32.exe	102
PID 2552 wrote to memory of 3100	2552	Mjhqjg32.exe	102
PID 2552 wrote to memory of 3100	2552	Mjhqjg32.exe	102
PID 3100 wrote to memory of 3448	3100	Mpaifalo.exe	103
PID 3100 wrote to memory of 3448	3100	Mpaifalo.exe	103
PID 3100 wrote to memory of 3448	3100	Mpaifalo.exe	103
PID 3448 wrote to memory of 3796	3448	Mcpebmkb.exe	104
PID 3448 wrote to memory of 3796	3448	Mcpebmkb.exe	104
PID 3448 wrote to memory of 3796	3448	Mcpebmkb.exe	104
PID 3796 wrote to memory of 2332	3796	Mkgmcjld.exe	105

C:\Users\Admin\AppData\Local\Temp\367682d04104243b3af76bff772830b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\367682d04104243b3af76bff772830b0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\Lcbiao32.exe
  C:\Windows\system32\Lcbiao32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\SysWOW64\Lkiqbl32.exe
    C:\Windows\system32\Lkiqbl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\Lnhmng32.exe
      C:\Windows\system32\Lnhmng32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4164
    - - C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
      - C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        37⤵
        Executes dropped EXE
        
        PID:4152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 420
        38⤵
        Program crash
        
        PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4152 -ip 4152
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bheenp32.dll

Filesize
7KB

MD5
653aa5978d310482891f3c4731611e72

SHA1
d99152c92dfda0e1c25ad74e3c03d3f5d5bcf1c8

SHA256
becb8003c2dd5b06eccb379338c6f667b7fab8a76f8379f5c4527bb56ee3d155

SHA512
7d174d53c00199164c057d6ff914363a5a10f339013525560c7d0f046e68e5e0ebb30a7413de873584f753d61738aa443a2aaab39bf123c2b42b53153796290d

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
227KB

MD5
3a8ff71be5bbeb27d3fd289d009d1f91

SHA1
204bab54f9c5d09dbdedd0dbf772c9ec7f260521

SHA256
1786c18dd925eb9e2121812f48cd8103ae6b9252041a014b00e4ad2ca11e4d18

SHA512
f2ca50005a1e240943f520ac5ec1d2fb8fff0439c14f42b7672a425574d4cdc39014720a250640963b0d2eef38ed059f69908ca5a08bed266e06653a48084528

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
227KB

MD5
7fa6f02d6f839f9261d72eb4376f02e3

SHA1
b005d436f0e06e59047a9cc1d7feb0f069fb62d3

SHA256
dfc2bcd166977e3e95505218af9a14e3bea5185edaf93fc95bd448c8a8e3c1c6

SHA512
05ba4824cbbd32ca4576abf89da075ccf725848ece42cbcab958f4d266aa11d6eee7db48c5cf49504c55661d9fec9a84166ae11168ec88432ad28e8ac553518e

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
227KB

MD5
f1906fbd167e5edda1bcdee67107cb79

SHA1
b989fc520b59fdde600c42be7028ac50910ce444

SHA256
1af2e4d22bfdac005981d8e95583e799a0766393442b2433baccb8c2f37298d5

SHA512
9aecb2d8dd501a6eb94d14cbfd7dbc9a76ca897cd482ad058bcfa151dfa26b3f76eb62268336156851be15b9c9af34f5a056995775813f324b373c8586ac9371

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
227KB

MD5
a331a574bd54fbf7f7ec4157ad6b3077

SHA1
0e9c24a85fc589b35df852b028bb1a518d6c2a0b

SHA256
6a1bb9228d621793734fa524c23d09a36895e00c8b82e4f04b7f3e4bfc0c122b

SHA512
d989031600c7b67a5338585fb7846d8be18f8c3c8c175159fba28aff26edef08a0f7a06cb22c1371946e8ed56d8e885d52553617c92513d4bc5c6fdf2ad2d2bf

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
227KB

MD5
02cfa433739cfc323421eb12a8f6c84b

SHA1
bdca54ec03b50eb0be3d6ad0a9fca340f70e7b72

SHA256
8c185a331ff3c7d8baa4b4f68c99e3f27dc91609b70e65255919ade39592c1a2

SHA512
7926bbaa9d42d98e733491cbf2bc519e4c2d62396542a520bc4100dd5c2afb274577fb9d3f1a9a8ad58b621c758645617fd42f6751cb12c123b79610276c2a07

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
227KB

MD5
d83c0a8bd648a2320e41f7765b4f22c4

SHA1
cfb9d8fa09142830111155aaf357025cf663c597

SHA256
c274aebeaaf3b6111ea110a4b0224522401750afd6bf200aff2bc9030fa7770c

SHA512
997841773770a292461b6795c85eea3635cc2c58323405ee0b0bb636ce375f32a45a8d53d49f39cb060be62ed46a86f434b1d7fbfd502feceba9b6de954a1da7

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
227KB

MD5
0cb9b33845dea15f5a5de1b8d3f7f20e

SHA1
6bbe09c16a2d77f26f9b447e32bc9148e26bfe8e

SHA256
1096b2f9aee9376e4a14b9de03485c7861397439314be20af87e394e5947421f

SHA512
eceadcfe41f549216979fdedc2c1e83fb90f88d4279e96820a9b892ca6535ee90b456888f3ab76f38c08139593d6f6b1ee0de5d6700aa565a76808238c191bd3

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
227KB

MD5
e8a26385d7cb0395c904f16678a9d183

SHA1
e7d309e10a2bfe6b875b182e5aec2c345ed5960b

SHA256
38ab4e801f9283505796c0fea0db0baed3fd6b7e0bfdeddee1ea216641c44db9

SHA512
2b8cccfd8dbd1f5f77a159395419d92ea99218f2d730cc49041f9e403edf3b30289d97d64a4f5c7f3736160b3e60b10811b139dd6ea295e6b2f922f631d16323

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
227KB

MD5
44befcaba4ad99aa4a8c8e14196e13ae

SHA1
a9e5cfd86aebb2e89cf7881c18b7335cad790a07

SHA256
8d71cfad51169d2ddb366389e31e2910c38c348f4a22f1bcef9d42412df80a70

SHA512
1fdcb97035559830d1f7ef5fcfd27c111c4fe7a49c30a038cd47a70b94d1a8f1e1055bce3c11f88164eaa132ce1c74d8f63e795ea2c5dfe9aa8d341444a1abd1

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
227KB

MD5
919bcf20dfc220ff01dc9586e43c17e3

SHA1
6dec7d6015a0ae20c21f35705dcac85ff0b876e0

SHA256
4c8a7aa980df38f329f566414c3835338d1ac3b2c14fe5dcfc8aea1a2fda2494

SHA512
dded2ae2fa4891b9e9fcc9f95e48cee42cf857dbe766c07310ceb74d8fa11a2e6b94b3ad9a286ded52b60116ccc45a3def18319fcb60e60bfd45b7d5603b259d

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
227KB

MD5
8508f96db0ed7809ac0e15f5ad648809

SHA1
bf93a149b80438f07ad331ccb4a03adb36ee59aa

SHA256
ee603ec6abd79a624dbec2e38b439da3a4fdc9e3ee804a7d88b70c935db9b4ff

SHA512
c50f7562e3bab794c50c94ecc118c2d58694eac90656c0cfa336dbc4fd71b909643ac84def018abbfa93e21f3040fa5c5ce35c82e78c366e1925f332ba6bd41c

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
227KB

MD5
ac1666554b71ad7bbb5ffe6cec4bd4d7

SHA1
91789d4eb473fb54f8ece6441e4d426cc26d8082

SHA256
050408ef5f555ffbd4208bfa9cb680d6bb6ba998c00527266a6889f8e17366c1

SHA512
95e147bd48fcfce0f614f7746659188d48dbf1efa9cd271295816eef2540134e75c5f11414a26a08299c0ca68171f6281ae34bf07408aac7986479db9e49a629

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
227KB

MD5
221071c69dc89fc82df596ef0bd89882

SHA1
6b2d9dd24e504109ce11c91656c3161faa0d65c2

SHA256
21b75a6c3407c865b4e4ff33d2b3d0c81a0a03003b17c28e7237b0f802cc9fc5

SHA512
d0e2fe12ec0021ba8a7ad9883edbc8fd55af7adf15390b161f7f70949315ece1327d09d6476f59b59590471ce74986585a2ed3eb19084cc0661f3fb3805c0c33

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
227KB

MD5
ff13e93b591a5be8ac5329590774b271

SHA1
cfe3174d395e3ee6beb458e0e8b068833cce41db

SHA256
8cbdc3ac452ce72789a928d0e73c7641ab9ea8d031a3cf8c43f88ddc057a6791

SHA512
8d6985ffcff4d06eafa8bbd014a9d58278667120dd0406a3450fe9de74383ef8a5a9d7ee8ef946d0f8b63a142113871695579877e0c96c35fcdea91a0c5e8e95

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
227KB

MD5
af0ac240fca44009de8868c9d1b96bee

SHA1
e7f4305c1566c26d6c3a353a43ad53e53da529b7

SHA256
6100493da13ce8ca9264145d65b4cc34f6a52f8000e6953437882e29730f35b5

SHA512
0f7acd8844e253b1683b05ef545e2f17da99d3ddb336dbaa3482213a5e01e74c2cc2ffbe48d63e361442766695168720ab1e73ab822c0e835894499b952165dc

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
227KB

MD5
2fc81eb10851a80082f05e422e971cc0

SHA1
1d703403fa37b209db8f8acb5b614c0c8b3ba53c

SHA256
eb787c8be8d76a466adfd58d8176b938c1676cdd48ff59277cdd618ef1c6b880

SHA512
8658af97ba9fdd74f88975435e57c72dfd41a06d134ec76a9540acd3876d5d89fb15a455da8ea6ed99214c0fb366d15a1195ac2665bcbe4fbe4e4020b0bcec0a

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
227KB

MD5
08a8dc686c38c53bae9c6f2856517686

SHA1
0afcc363db0cc809a3013c80a52d78d4253d7eda

SHA256
cfbb1fa0aa8575f3ad790c94574d5b27bd0b6e24c842c76e8b5c401b46a45b31

SHA512
bb35d3da0c124bece90c78f0c27a748b6f59f0f02c14bee6d6df2bbc449b2fb16ddaee57e1abe18f51aa4adcfa3bf281f5ce0b844a11191b9e557f31d1bbe9a7

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
227KB

MD5
07413e9c38164a1918f682479d0dbf5e

SHA1
0fc55829d9c73934c8411f20125f5a01f50c8daa

SHA256
f4ba8c3e7fc49c83ef0b2c7079b41b3567374beaccd98c0c79ba7b06b521e6f7

SHA512
137e607309f6f63e1b0b4e502a5d2f7f3b9514cded9dc5ec835cc1cc9aae404938bc5b7fddd3c2d28d5a1089d49d9932547ef9a4a2dc6e34ebeedb0da519b0ba

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
227KB

MD5
d792c304642b4e5caee96a327c9a0e8d

SHA1
90158da5d75a899572b75e7b606e21bd5cdd7c56

SHA256
f73d555c5963ea8b5cf26e92b969845ee0d0e314f8322060e4beb29624b5cb1c

SHA512
cb1a7539dc940f632f0b97fc23d332f4d90f674aed94bf448bb6d8d0c1127aceb5789f36e0ee13164f5c4931d9fbf187b2d1a455b8d6114af5768411482f2419

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
227KB

MD5
291ce68d3ef14cb7b9af178c97de0224

SHA1
8adbdb3bace745a9c25b45cc07a923ff3d10a989

SHA256
5c482d732973108ba4c67bae73b277ad0a9d1fe5f19083df0f8fed0a8fa066aa

SHA512
36d099c4007e63938a15879c6620f120cd5f1b586a19ae39506c5256d6137f97ea6e856a7fa3c1d79cc4e2de438bcf74f3064ae032c3fd07c9e474b1b0975bbf

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
227KB

MD5
66f014e7259158b30e5d4d88161866d5

SHA1
4f35145c53dd600a8b435a832c4c62075e5b5c42

SHA256
fb3e8c6e38ae08728f91f7b4e955eda17a1ce13bd8a42d620631e0fb59a4e5c1

SHA512
bacb1ece95de1e189cd97c23866e1444e1d6236198306bcebeceaa2f4d02e6ced4d642a09243ee2a7c047259844d5963925e5b060068f6b896afdb45e2879e89

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
227KB

MD5
d84d463955990caa8ba63298ce39d6e2

SHA1
3bf95b164fb10c37622fb02ece3e6f71b407e787

SHA256
f0855ab1fbb41e16260fafda6c55035f765dafc29d612ed5eb60418988ad2d0e

SHA512
2d4fa58f2f68e5e72712d623f67b09bffdf5c94c928515fac9a97384992104336d881e6941ee2643fa156f83261577f4b8f5c4a52f511e7a9ba31cb16b489fef

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
227KB

MD5
8fe07672507db8546e0be98567a72e07

SHA1
79d971927523929e956cf53ab82eca1c9cf7120a

SHA256
11f021c982b5b0e81fd5499c0dafd0ae8caefc4cb29a53fb0ceacbacd2e64fc0

SHA512
6ca014d208af4df056a4cd8529be3e18171fb42cbee211fcf1b5fadb1309c938d8920ec8471906efdfcdcabf7eb446bad42d16793b1d7f692de14fe07f94f4cf

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
227KB

MD5
313401a572dafef84977213048401f21

SHA1
8f08b0b0c593a934fe679a2f74456a037e29d6bd

SHA256
4a687c7b470e102362246078bf815d2383171adf184d5adcdf7df787a203ba33

SHA512
c912f1d103618a79158f6fc65c9ea2646d5ce62dd0a9e48f1ab89f3740f70e9323a9d6f212123f93b8a59f64b84f847be66aabe3a725ce0b99ecddbaf8361802

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
227KB

MD5
33949342ea59df0a774e6a209ba9b0b7

SHA1
bf4860fed0a83314f07d6e768f96d8b88509cb9b

SHA256
b1dab98be7903a7589e057e7efb7137feaca6fec9997f58dbc64147e4b082c81

SHA512
0141a924db967c91203e94cd39c3cadcfaf4cbf44c7ca0ae023dc02a3dcf1d659f55cb3fe9de42a96d2e95be6e0e399305f096237a5b97132afd67cba223e305

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
227KB

MD5
b2d660860af053d10e56d19898f375f8

SHA1
277d4b8fdff0c102d53b3c3cd214db84e78775d7

SHA256
8278be6d394293ae356a29bf7219df81b09314ac6fa2df76a8bc7eec6595e939

SHA512
917d8aa4051fa66c3fc58e3ec90aeed9a48c406bbf598f7c7e1883703c509d9668d1e98febffbb94848f24ba7b007a2cbc4e953b05e838af1451f265947e62f5

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
227KB

MD5
2b559895a2af87b4e1bea8acee72e5ba

SHA1
d2f813afde6454fe4dd2d99975ae6c95b24358c9

SHA256
05f5f3c270db4cd5dab02f487286c94ce65b62fc753fa9b20338cd702513dae8

SHA512
7ea8770fc3105b0ac4e03dc57be438bfe044beb61a023371808d491d5dab1f8143133ca01404fe275bea6f33509fe24398d19a387e1bd204ae1ab0034f5970c2

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
227KB

MD5
e6a15342a27052ae37ebc77315998134

SHA1
1c535ec95ce6aac2b02262c1dc8833a6b825508f

SHA256
0786d63b82e7d6d377a42fb36ed57f6e3486076f6f7a1d7fdfbc5ee77964e1b7

SHA512
c351ac3d3edbca4d2b6e634905a42f2e691f100e0f6ac9bfb6776021d6dc1f95d400b6cf128a79550bb9a972e2415c9e3a2842bfcc1550e55f3d67b45e393602

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
227KB

MD5
41b55b41603d6c5b1fe349cccc4ac29f

SHA1
d95027639c9b4f9003c980e0e021568351cddf74

SHA256
20d66ae5fd8a55aca4add14309d1ee352ae7db508f44fd3ebd1add45052841f0

SHA512
f4d1a3adf24e4ecf9814045c2ffa07c70e69816dd0340f9961de95524bcd1937bb51f7cbd6d1cfd592fd9dc998fddfbc646b952ded9c60b0f0a8aaf8a758ceec

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
227KB

MD5
d541cabf0607a18ceff1f24fc5eeece5

SHA1
5b567d6ba2fb2c2d727f7893007cc7b137556182

SHA256
c8a8c544149ec1b4866726358275ef2b56851fcfc102c17642e7bcb613c0df78

SHA512
e2ab13475302f57ab9b449dd8aad29c21f768466676f881f21fbaa6309e250e663af171ed7f70bf346e6f673c78c9e3879a60ab075613ac1f7d61cd71a26ab00

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
227KB

MD5
73020f9b41534e56491b5ef6e1bd258b

SHA1
725f2ca1f579bc0abf992a8530a54da9dcac3fdd

SHA256
bc30b31081b39f422154d8c219fe3f0999d381c085d1d1c7c4eaac6f74f2a320

SHA512
6b650fd61a839ddbe7807062c3898ce7d64c1106b8cb27509a2236f36299295ae8024bcc01f901702b899d98c1a98fceca397440abdd3219a61740e3bcfb1028

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
227KB

MD5
ebe669bce393fbfbfe07a0fe175bb9c6

SHA1
5cc8713016ca86052e9857484103fc73daa79594

SHA256
2f3638cc1636c9abf184995485cbf0eac7478d707ef8629bf6d531911f48f384

SHA512
504069c206cef97d4dee55d4f20fde883734beeca10182ffc1d188eed2825785f9758598c570d32cab57b3a730f4717e5f4704d6ad349aaaf619a1a72e296ab0

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
227KB

MD5
e45cd2e21e6e82ee9cfc85d3396c5bd6

SHA1
6b4bab3c869205b3047e28e43a07a12af4000487

SHA256
50c9d5374aedd045dead59f59fc21e9c9ba4a21d81cafb4ec97e31eab7985cc8

SHA512
e17ded19645b635eb73862354ec1756ee9ea5a3d279bb6b18774e4f42eaa744e2e2155f8812a21256842602aad8bac9dbd09097e4ef1649cfcf4a9f68ddc5cbb

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
227KB

MD5
ad33d093a9ffccd01ed18d2b5bb80bb1

SHA1
ba683b9aad26f7fe27a81afdc064101e29a2027b

SHA256
ae934ee79c25d2494a6877172da57fec465d66a20b15835f66958a0d338e9afd

SHA512
187bac1000bdbd4a29caeb4653208eb91185af1adc2ec2a1261a7f69112a9d909a9133763574e8314409a0120744bf5cfefcd393a9296d3bebd6a65b0b5cb6b9

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
227KB

MD5
a0fb9e90e9f947687adf38b470e70d72

SHA1
e74dea757e7d074d90a5e51411ebaf6756a34938

SHA256
38f8ad198684811ed847b219028bd2c62a51fc6c56049befe255a146e358d4a1

SHA512
fe0c24817310a1fd694cb847f26253ec16bf73405d15e6ec819c04371e6541a2d184f937ec6db11e884f393c5cd75e41b7d0f1efc181681ce19a13a5cdeee923

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
227KB

MD5
b202e051cc1c6a9032f367533f7f7b4b

SHA1
6f764215ad6970ce6972af129b42ab1f42d91218

SHA256
d9c365b9c7cc956d712ba43518713bba42382974cd588b2febe8b39fe93ce21d

SHA512
1645f04339ec937554d7b2b28357560282e705067c955eb42f7a24a1268914b654c7fec09721181de99b68b0a2fa82cb14f9b0ab4b6e0dd805b1d6979338c278

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
227KB

MD5
ea6312c6fedc4b4c922114ebc422c0cc

SHA1
abe649ff11b1250969b788211084142f45a4af42

SHA256
b6ad60e1bd85214ac9bdb2fe2e2bcc9fbacee97e7e894f55339d5363fdfa0b7f

SHA512
82effe3927a50a847681dfec9e4a1b6101b676917069dcf4e3fa92f6f3ac357f345de12c0b4442710996d1dbf5b8e469a95d78a792979188d68dfebb680ba0b7

Download Submit
memory/324-285-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/324-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/416-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/416-124-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1076-193-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1076-277-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1280-284-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1280-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1380-182-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1380-99-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1476-133-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1476-218-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1540-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1672-76-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1932-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1932-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2184-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2184-108-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2236-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2236-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2332-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2332-270-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2552-150-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2552-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-84-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2756-254-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2756-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2848-68-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2876-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2876-308-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3100-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3100-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3104-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3104-307-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3192-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3192-93-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3408-94-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3448-171-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3576-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3576-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3628-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3628-301-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3656-52-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3712-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3712-126-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3796-179-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3948-85-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4152-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4152-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4164-107-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4164-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4208-291-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4208-210-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4428-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4428-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4468-271-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4468-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4744-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4908-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4908-142-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4960-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4960-282-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads