7a4512e399fe22cb81a740886d2701a0c9b8862c556a4e21e635c08c89a743a5

Analysis

max time kernel
91s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66e985d1403e1d02b6733952a33a47d0_NeikiAnalytics.exe
Size

115KB
MD5

66e985d1403e1d02b6733952a33a47d0
SHA1

c79b671f43373a775d87b27ecb0ff43a777767e8
SHA256

7a4512e399fe22cb81a740886d2701a0c9b8862c556a4e21e635c08c89a743a5
SHA512

aff41a2c7e22a451c6c423b46dbc2e047c7006eff9e61a7caa231622fc2f0163e0608723eacfd2cb43687f10768bbdbc5ceae7ab076dced5f5c4a3a20457faea
SSDEEP

3072:2fP85vvELXMjsLztdbrIR/SoQUP5u30KqTKr4:KE5E4j+zthrIooQUPoDqTKE

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	66e985d1403e1d02b6733952a33a47d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	66e985d1403e1d02b6733952a33a47d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe

Malware Dropper & Backdoor - Berbew 32 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000a000000021677-7.dat	family_berbew
behavioral2/files/0x00070000000233fd-15.dat	family_berbew
behavioral2/files/0x00070000000233ff-23.dat	family_berbew
behavioral2/files/0x0007000000023401-31.dat	family_berbew
behavioral2/files/0x0007000000023403-40.dat	family_berbew
behavioral2/files/0x0007000000023405-47.dat	family_berbew
behavioral2/files/0x0007000000023407-55.dat	family_berbew
behavioral2/files/0x0007000000023409-63.dat	family_berbew
behavioral2/files/0x000700000002340b-71.dat	family_berbew
behavioral2/files/0x000700000002340d-79.dat	family_berbew
behavioral2/files/0x000700000002340f-87.dat	family_berbew
behavioral2/files/0x0007000000023411-95.dat	family_berbew
behavioral2/files/0x0007000000023413-103.dat	family_berbew
behavioral2/files/0x0007000000023415-111.dat	family_berbew
behavioral2/files/0x0007000000023417-119.dat	family_berbew
behavioral2/files/0x0007000000023419-122.dat	family_berbew
behavioral2/files/0x000700000002341b-135.dat	family_berbew
behavioral2/files/0x000700000002341d-143.dat	family_berbew
behavioral2/files/0x000700000002341f-151.dat	family_berbew
behavioral2/files/0x0007000000023421-159.dat	family_berbew
behavioral2/files/0x0007000000023423-167.dat	family_berbew
behavioral2/files/0x0007000000023425-175.dat	family_berbew
behavioral2/files/0x0007000000023427-183.dat	family_berbew
behavioral2/files/0x0007000000023429-191.dat	family_berbew
behavioral2/files/0x00080000000233fa-199.dat	family_berbew
behavioral2/files/0x000700000002342c-207.dat	family_berbew
behavioral2/files/0x000700000002342e-215.dat	family_berbew
behavioral2/files/0x0007000000023430-223.dat	family_berbew
behavioral2/files/0x0007000000023432-231.dat	family_berbew
behavioral2/files/0x0007000000023434-239.dat	family_berbew
behavioral2/files/0x0007000000023436-247.dat	family_berbew
behavioral2/files/0x0007000000023438-250.dat	family_berbew

Executes dropped EXE 35 IoCs

pid	Process
1280	Lnepih32.exe
4596	Ldohebqh.exe
1924	Lgneampk.exe
4444	Lilanioo.exe
2112	Laciofpa.exe
3448	Ldaeka32.exe
4152	Lgpagm32.exe
4888	Lnjjdgee.exe
2040	Lddbqa32.exe
1972	Lknjmkdo.exe
4228	Mahbje32.exe
3264	Mciobn32.exe
1204	Mkpgck32.exe
736	Mpmokb32.exe
2668	Mkbchk32.exe
4820	Mamleegg.exe
5108	Mdkhapfj.exe
1032	Mkepnjng.exe
3304	Mncmjfmk.exe
3836	Mcpebmkb.exe
4348	Mkgmcjld.exe
2556	Mnfipekh.exe
2508	Mcbahlip.exe
4892	Nkjjij32.exe
4020	Nnhfee32.exe
3952	Nqfbaq32.exe
1572	Nklfoi32.exe
1568	Nnjbke32.exe
2712	Nddkgonp.exe
1692	Nkncdifl.exe
2496	Nqklmpdd.exe
4940	Ngedij32.exe
4408	Nnolfdcn.exe
4564	Ncldnkae.exe
652	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	66e985d1403e1d02b6733952a33a47d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	66e985d1403e1d02b6733952a33a47d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mpmokb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4452	652	WerFault.exe	119

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	66e985d1403e1d02b6733952a33a47d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	66e985d1403e1d02b6733952a33a47d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 1280	2444	66e985d1403e1d02b6733952a33a47d0_NeikiAnalytics.exe	82
PID 2444 wrote to memory of 1280	2444	66e985d1403e1d02b6733952a33a47d0_NeikiAnalytics.exe	82
PID 2444 wrote to memory of 1280	2444	66e985d1403e1d02b6733952a33a47d0_NeikiAnalytics.exe	82
PID 1280 wrote to memory of 4596	1280	Lnepih32.exe	83
PID 1280 wrote to memory of 4596	1280	Lnepih32.exe	83
PID 1280 wrote to memory of 4596	1280	Lnepih32.exe	83
PID 4596 wrote to memory of 1924	4596	Ldohebqh.exe	84
PID 4596 wrote to memory of 1924	4596	Ldohebqh.exe	84
PID 4596 wrote to memory of 1924	4596	Ldohebqh.exe	84
PID 1924 wrote to memory of 4444	1924	Lgneampk.exe	85
PID 1924 wrote to memory of 4444	1924	Lgneampk.exe	85
PID 1924 wrote to memory of 4444	1924	Lgneampk.exe	85
PID 4444 wrote to memory of 2112	4444	Lilanioo.exe	86
PID 4444 wrote to memory of 2112	4444	Lilanioo.exe	86
PID 4444 wrote to memory of 2112	4444	Lilanioo.exe	86
PID 2112 wrote to memory of 3448	2112	Laciofpa.exe	88
PID 2112 wrote to memory of 3448	2112	Laciofpa.exe	88
PID 2112 wrote to memory of 3448	2112	Laciofpa.exe	88
PID 3448 wrote to memory of 4152	3448	Ldaeka32.exe	89
PID 3448 wrote to memory of 4152	3448	Ldaeka32.exe	89
PID 3448 wrote to memory of 4152	3448	Ldaeka32.exe	89
PID 4152 wrote to memory of 4888	4152	Lgpagm32.exe	90
PID 4152 wrote to memory of 4888	4152	Lgpagm32.exe	90
PID 4152 wrote to memory of 4888	4152	Lgpagm32.exe	90
PID 4888 wrote to memory of 2040	4888	Lnjjdgee.exe	91
PID 4888 wrote to memory of 2040	4888	Lnjjdgee.exe	91
PID 4888 wrote to memory of 2040	4888	Lnjjdgee.exe	91
PID 2040 wrote to memory of 1972	2040	Lddbqa32.exe	93
PID 2040 wrote to memory of 1972	2040	Lddbqa32.exe	93
PID 2040 wrote to memory of 1972	2040	Lddbqa32.exe	93
PID 1972 wrote to memory of 4228	1972	Lknjmkdo.exe	94
PID 1972 wrote to memory of 4228	1972	Lknjmkdo.exe	94
PID 1972 wrote to memory of 4228	1972	Lknjmkdo.exe	94
PID 4228 wrote to memory of 3264	4228	Mahbje32.exe	95
PID 4228 wrote to memory of 3264	4228	Mahbje32.exe	95
PID 4228 wrote to memory of 3264	4228	Mahbje32.exe	95
PID 3264 wrote to memory of 1204	3264	Mciobn32.exe	96
PID 3264 wrote to memory of 1204	3264	Mciobn32.exe	96
PID 3264 wrote to memory of 1204	3264	Mciobn32.exe	96
PID 1204 wrote to memory of 736	1204	Mkpgck32.exe	97
PID 1204 wrote to memory of 736	1204	Mkpgck32.exe	97
PID 1204 wrote to memory of 736	1204	Mkpgck32.exe	97
PID 736 wrote to memory of 2668	736	Mpmokb32.exe	98
PID 736 wrote to memory of 2668	736	Mpmokb32.exe	98
PID 736 wrote to memory of 2668	736	Mpmokb32.exe	98
PID 2668 wrote to memory of 4820	2668	Mkbchk32.exe	99
PID 2668 wrote to memory of 4820	2668	Mkbchk32.exe	99
PID 2668 wrote to memory of 4820	2668	Mkbchk32.exe	99
PID 4820 wrote to memory of 5108	4820	Mamleegg.exe	101
PID 4820 wrote to memory of 5108	4820	Mamleegg.exe	101
PID 4820 wrote to memory of 5108	4820	Mamleegg.exe	101
PID 5108 wrote to memory of 1032	5108	Mdkhapfj.exe	102
PID 5108 wrote to memory of 1032	5108	Mdkhapfj.exe	102
PID 5108 wrote to memory of 1032	5108	Mdkhapfj.exe	102
PID 1032 wrote to memory of 3304	1032	Mkepnjng.exe	103
PID 1032 wrote to memory of 3304	1032	Mkepnjng.exe	103
PID 1032 wrote to memory of 3304	1032	Mkepnjng.exe	103
PID 3304 wrote to memory of 3836	3304	Mncmjfmk.exe	104
PID 3304 wrote to memory of 3836	3304	Mncmjfmk.exe	104
PID 3304 wrote to memory of 3836	3304	Mncmjfmk.exe	104
PID 3836 wrote to memory of 4348	3836	Mcpebmkb.exe	105
PID 3836 wrote to memory of 4348	3836	Mcpebmkb.exe	105
PID 3836 wrote to memory of 4348	3836	Mcpebmkb.exe	105
PID 4348 wrote to memory of 2556	4348	Mkgmcjld.exe	106

C:\Users\Admin\AppData\Local\Temp\66e985d1403e1d02b6733952a33a47d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\66e985d1403e1d02b6733952a33a47d0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\Lnepih32.exe
  C:\Windows\system32\Lnepih32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\Ldohebqh.exe
    C:\Windows\system32\Ldohebqh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\SysWOW64\Lgneampk.exe
      C:\Windows\system32\Lgneampk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
      - C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        36⤵
        Executes dropped EXE
        
        PID:652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 400
        37⤵
        Program crash
        
        PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 652 -ip 652
1⤵
PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laciofpa.exe

Filesize
115KB

MD5
60cd7d407fd1003361252a4e678f5d07

SHA1
d025b7062533c3d3822569501ca2f3eab486119e

SHA256
08bfd4cf3c98945524555db4fb06d24665a7060fc1c6699e40f980e87714987b

SHA512
2b40458d14053364a5ae108197d2c4a143c040df9885b05917ca1abafd54ec69a747fb2f2c0de7487cb486f1f67f82902a691b9505c04cf706c7e20b4a658c0a

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
115KB

MD5
c8225d59a4190b7fd2c89430d814d597

SHA1
7b199b8328b64f886fbbebe7c37f58ccb8f83ed3

SHA256
2e1e012477195519d1708791d7e953ee5d16f003cb3c10fd8fc8ecc6e21e5efc

SHA512
2eb6655a0c5385d5ce362a30042c268adbbfb83ab6d8ad7f1b3ba58a759277a2aeb2404de59284669ac4bf9dc59e1c7d5a263087d26e4e7c4d7a8976b69a4c2a

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
115KB

MD5
9a0e7f14c7fd3186a0bbdb60c97ead73

SHA1
314ece8061b1aa4ac9fa75ffd13d5b6689090122

SHA256
29056f3f4aba129f7089df1f4c74a88c3de8406dd8bcef610d44cbcc1fc300aa

SHA512
d4fadfbd2c40a8d84f189933737ccfac3fa80ce74e95c4ef3f793ee07e45c0fda528dea287f635eac4ea0747a472b72dd02a1d9bb79ee39196c13efa1be6b257

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
115KB

MD5
fff27426045bcbb2a2947a3b4577d39b

SHA1
47c61295cd96c16486962da27864361c85a73406

SHA256
53aa5f302e4bc3a7f84eb2638f9067bd95e4c68f0da4add0b5f988e1ec16948a

SHA512
7d528ec6c6bf17f7e603b1dd92d18ffd2462c0e765b9521fafb94b879211e0b27a680f7173bfda1fe889b9a686b937d32fef0f6d51c4dbee005840857c071030

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
115KB

MD5
9cbe88cd5477666c7b3ebaa38f43c4d7

SHA1
f98f692f22d0e47647d91a69e4f4f1288c5b986a

SHA256
d4f379efb05fac9c0a2c4f439291a691e88aa96c4d318826f6e3cb32e5e3afaf

SHA512
12ff5512d3641ac26cbd6abcb062fecff54757f2c5961712adff21d3fb6772d36431df375b58264a187d1ac93808b56db2c6dc289d0fcff445fc41594a5e875d

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
115KB

MD5
f0bb4b53e6a8da22a8b091dd3acdd816

SHA1
737c31f0e8166e893e50736a87a8c6b3ebbad36d

SHA256
64a651225c612f0dc453d24d24e8cd3ecf8af825dd2cf25ecaa1460944a8b89e

SHA512
c39886c40a1964000baebfaebb603a7704f719bf3546f6a89582e0455c0135b64a4f2390d3c504c0f017930bd68a13903e65de9f3776ac7c38979551f8d3b7df

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
115KB

MD5
aeb93ffbe4261fab39ac0d809dacbfbd

SHA1
1ccffa2cdde88acb84956414551ac3603beadd1b

SHA256
fa81d97f9e02d953c6864b1ae654e0a4e5b97994dfe0d6f9cf5cd81fc8fad257

SHA512
7de95808095d46d16e909e5bc57e4ac544e7bdfb2f33605662a39287bb344fde5bce9369bd5b7aee9afa69124a073a2c312aa6a574c30307bacc201a12db56eb

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
115KB

MD5
7f25893d949d0e8ae780d0ed99a7c7fa

SHA1
c32fd49c8e12c5281e3f51c033b990c8008b4f61

SHA256
3d14127ef4cfbeebc561e26dc8c23181a3a3b023a1a12897fec60b34df5d2b91

SHA512
08c1933941d2179b838f904b58ee98c616f837105febf1bef349c5319a65114a1461b2f188fb94444c093f2a6447f3b7e8b7d3d51f5cf7e180644a912a3661ee

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
115KB

MD5
b42b9386141ba39b96c138fb4994487a

SHA1
4ec5f65fe9dd1629e7c2894e2a1a0281a8e5c62a

SHA256
71205a544bdb348aba41ba04cbf10f7c52b7c9e8a59a4f06489a9cb51c106b90

SHA512
2c683e4e6e856a40f6ce344e87afb878d6a228239293b8e5e0441b92d4207885ae155eb3b535f92901b1265c68429e1404de774a75d2edad956885140460444d

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
115KB

MD5
1a9ac38611c3468276bf55ce2fe7af06

SHA1
6e4094e8d2029f69bc4af455bbb98c8101988989

SHA256
7195c217d979f76485a8f57b636c64173ac843ec8f333a27ea71685302b7ad74

SHA512
9c623fc7324884a04cda50364ccd2d0a1d132902514f9d740b72bc85c6c2262dfb14d447c1816820075734e62283a7949d93279c30d640914dbf46d8f14046f3

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
115KB

MD5
2560aa667c4951ef70042524333c3633

SHA1
206673a8255cfbe87c8cdf5692e9c6d2c3d4acd0

SHA256
18c87208a0d7267f13ecf078b9da076f62a7b4270b94b2523f06b5b61088414d

SHA512
afba062796c9d1ef498341a5ab328cdedfab723cab4d55bfd2ee5e33555cb00f5a839847cf7d6bef0d720684fadd0efe4007d9ad9cd4bc0fc65bed02029a9bed

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
115KB

MD5
c52fd2b5cb6331d40dcda6eae2ccd4c5

SHA1
2afca2129e2c7ff3877f258369926e67def542b2

SHA256
638894f446ac0c1de795f7d8f412daa4fa340b419b421309bd3cb6fd7d487f4c

SHA512
ef5786702a2d5d33d3267450717563dde573b56bf7daa701eb6a5457b0cbe5f61552c56bbaf15091a4c6e3af589b438416c5335fe5f8cd13b5de37caf9449974

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
115KB

MD5
f584166466287599d6becfa0623b80b2

SHA1
71b32139f3f698c3ec9c6da3d561f1a254685996

SHA256
59dfe82d57f7889a8d399163da9520d25c4f4d1008166f32b2430bf068f65e04

SHA512
97eacbbfc4944117024725614310c8a0333c69c4000a413569ee6051ca4ef919370d2248aadef30d6a7012ce23d0991a123fcd0d046396de227658619d5113d7

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
115KB

MD5
89eacd666a9b5b6372a4eb11adce7e1a

SHA1
85f23ee3f0913d069ef0f83e4e35edc123a71846

SHA256
03ae5bfefc71b11ca0092a2e00d57a7746152cf3f5374312beb1f1c394d35ce6

SHA512
733f63a8740d5b0f1fe3ce4c52ba7648ef89abd1ad8dffbce0509b3e11fe21a0812054af441919d912b66b692873e2b16d7f394e91f9cb7c4f4346a067ae2610

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
115KB

MD5
74d943c7d5be79745fa399dc19597bd7

SHA1
ba584a1d85110029dc9709c89b242044da545c86

SHA256
ffef80265b01465fe99b7deda8ef6e02e2ad3b96aacb5441bbb6fc908617cdd4

SHA512
22dab419add96ce046e1b1b6fb8d0fa8a671b7fc8a977d849e3b94905617cdf0d2a686f50a12bc9355e5c9208b92f6ee2a4661094c5bd94ca6b2d970f260fc71

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
115KB

MD5
d46bdf13f1c9cc64d65f2ebb5762e5a4

SHA1
7e638662d42cec94b6f6cfee48e1ecb963c5ce8b

SHA256
03fa3a253dced923c8543a84cc08ade1e5b5ff0ff6af4b8f371905b3d5f413c3

SHA512
be5f78a7dc85ab95699093e49f3f5fcbd26b9bd09b2e0da4f977f10b227e26491813420341346523da6b86187221750d23c24fdc6f89ca3b3a7c9c763742df3e

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
115KB

MD5
93c973a1e5be834ecb3ad37aa6cc6bac

SHA1
bd31571bb255b3a91574f6a249d10a1bb089453f

SHA256
e9ba4a6aae66453a051bfce5a700125154008172a2a936be8866ca75721532ff

SHA512
3284099cb9a5e7d476313d923998444140ccdde9df304eb8994968375927acbffe6f92da9783c93d096b0c7c9bdb4a4ef689e10842825373b4a543fbc42c6198

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
115KB

MD5
46fef254bf611766c5c028381c9775c7

SHA1
44989d3a597b1c4c0fb32f1e8878041cac6ff5e7

SHA256
dda85ca217c53437bb96f8c25b394f5c5f7f39e4d5b9d1d7142c11b3e822cc5b

SHA512
d3a9cae68a0380f2474d6b3d427d63e8d71abfa91207d93ab4d55e7bcdf72dc0ff14bf33aac4d2fe59265142925d63f7720d71eaa3ffb10e7a66a4e7da3fdb39

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
115KB

MD5
80360022701b77553c56287f86061260

SHA1
697f48259248821293df4b0b566714f91aaa7d5c

SHA256
617594e5b83034bd60618ab2c33f1dddb1b454f425cd7714f776f60dfd0238fd

SHA512
550c828debed011bee6bd87cd72bfe71eddb729517f206e923d537f62646bf37802e590b47fe3b9cc47b83400c89e924ad6403fb1df03f75a153ebc790bd8000

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
115KB

MD5
6932709089231ae9fd41ca4c2602e32a

SHA1
8fee31dab033ad073e6ad6f9360cbd2555ae1230

SHA256
ce2c4bf668d31e52d5319255e7245e865820f3d907e7fbf972b22bc52230d60f

SHA512
cb4d63f61d6b6ab4d34d9d63a8389c10f26500c8ad65604b55d30d98d20d13c1cfd0ef88aded06848227fadcf9cd6e9e81468484e17fe83dcd6604bd32cb1ee8

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
115KB

MD5
c369108ed2c46d3b06a29bb2b38dbf61

SHA1
25f978537ebe624c5719c92a0dacad8cc176e143

SHA256
6b95bdb910f292b7ce824861f58f50678ece7c0512854a43e748df9d5dc42540

SHA512
6533f3ed99d5bda4ab116f0bd25adce8719d08e18cb576006682daf11a0e5555222d13fdfecb6685558795f3cd15e67a7c75d53c642018e5757e0d866fa88fcb

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
115KB

MD5
269cdf5440e6b8fea8b06763356d8b33

SHA1
6f09f8dbf9542ec6e0965e95468a4b3959a3290e

SHA256
e7672d57d0c420ba2e7477596bc8bfc65d2d7a8f7c42c2ea6ac6e5a481b287e7

SHA512
3d7732118cc6cf7ca88ed42046a08ad4648501a92313cd38fc312cda8bc43919ea950cda314799f29c2100e7fd4be5d74a72d29edd862c8294d3ce550cc2097e

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
115KB

MD5
d18c5ea9c366818ce8928f9c9ce3c81b

SHA1
8479081d7e17af0ef7dd10c189dc881329420964

SHA256
3c8005ea0eec167d73cf9006a3a4b3739803f7bfdee922c9c7906566e4fab3f7

SHA512
8392c1ea03b6a5964ef96ec5aa43e6d2724095967c1947589592130be4f4a6d3287678ca46b96eac56d2fabb46d88e417f06b1a144a6218fb3f29f5aa5148508

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
115KB

MD5
56f9d2785f8e3dfefbafea8ee0f5e039

SHA1
252da1fd49ae609780e3b4855028399f3c0e8452

SHA256
1f840a250ca12bc8ead6beeeb02304f767830a048ade434cbcb7ff21ca8f451c

SHA512
4079da2409efcd98659058cbdf21f790050a23da96d6994f57ddde02b9b9028cfbf2e78020e8f27f59d8a07475e05df08da46cdcd420621da2fe51af9153a0e9

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
115KB

MD5
44d9fbcac4584e4e2eba6400a085ea54

SHA1
f8c838849a32f368472bf77b21c729cb0a9c477f

SHA256
1fd2ee67306403a81666d71177c8ef5e877bfccd8933f46da93ef967a7f73015

SHA512
5de34240f50554369ba91fe80849f3f7f45cb857ed1bb29905be2876ea4f9d602d0bb5344e7758df40aa1a7593befaad3f65f0aae106d9ff2a2042ba5de071ef

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
115KB

MD5
481d7710c89a93c94cdb8bf8934597fc

SHA1
06fc70e375f2e703ca9d4a82b10dd92123532ccc

SHA256
d0bb09623da2b958ef898b4063d13c00034687f5300713e65b70a01761f4d9e7

SHA512
5ca4c6452077280f10e47a450c86135b6dc0f251a3fe1f2039d407c89106f017127f7894ed5e54bcae5156e68fc0de615d9eaf50dcb3155b54049d7485d0e78f

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
115KB

MD5
260a9a6ec3e6a9aff54c5dee748bacc1

SHA1
f2bf360b32c6419e9d6010b4fe66837467cd795a

SHA256
7e00193d1f53de0ed9c957d5ab0003f1fee7d1a4ced409ae368e30bace82c020

SHA512
578ce479bb730ce48f661dc812dbe75e1f67dd865405af6f060a92ced56d82fe7ea46f6fd5f8eced82045be71b615858decaa1b16dcf0006e0b54f561ababd86

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
115KB

MD5
b05eb9853478918511b93b1ca7a53571

SHA1
382fde7c1d28f00db2b8220eda899331d3348b9b

SHA256
e7ac966a9d567c3197f5454cc28b65604e2d3a9d53ad107ff9f2a60b167d5903

SHA512
4229fa7d26307a42809c16c9c6d8514f9a7a13438e0bdcd712809f0b618927251a437f482e3cb1f49f8511de66dcba0471125a22120b3b7b6aa56aa937a13a71

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
115KB

MD5
c81b69053023aee4d0e2c152703775bc

SHA1
b366e241daacebda257b90e301520ccd179d9714

SHA256
da6336109065346a6bb2a45e5ebd14e811be84b6905526ed6e27535f62b70266

SHA512
48ae1934ac6d69ac910b188e52e46d4066c95bdef2ae49b7e082fc3cc35b60fcbf1df6d546051100bfa5cef5bb69a76738845f5b11f4226402c31638c6cc9fbe

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
115KB

MD5
19d48691f3ebfc14f64e58a47527a04a

SHA1
01056202adff13f4516a3c8e67c27a184693f088

SHA256
af2a0551612552fbd5e3045095f3a5d3e9656af97b5517b4877a1a58fa51ce24

SHA512
ad0468d58f6898f972368cfb71b8c5302aced95d9d10bd644aedeaef3ce4d9c6b698e25539d12b314f0c2d592986bd828334f42e75fc5b2af4d31f3bd993a498

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
115KB

MD5
66aaed40f4458ad4c24ba8b489207259

SHA1
58723c42e09bf61fd5f3d7c34069f0e085ec6542

SHA256
74672a9308fcf0bbb85ef06ed5bb33475c7d733b485be476aec437e62777d193

SHA512
4aaa29b6025f42e3e52916eeecae8baf08d0198bfad166ce0bbeb23ee06b1db30df581d7f1687771620ceb96068175328bb151da1b2ec79d802f00e5ab82bf9a

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
115KB

MD5
e78cb7e36e730947ed4a62068d816ed9

SHA1
b1b0d73f67c445743ffa45ff08d92c32914377d9

SHA256
c9bfea66e7e91e4a81e3ba7ef85dab290d218d91d7a263234a3ae76211a98a9f

SHA512
a4816073b2c4f474a330b04a5af4e56e37e16bc2bd70cbfc85b826b586d032662b18b33ce23b86583f8568054a7a48eb58dd910ebb7658d819089462afa1958e

Download Submit
memory/652-276-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/652-275-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/736-112-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/736-293-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1032-291-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1032-145-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1204-294-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1204-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1280-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1280-9-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1568-225-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1568-282-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1572-283-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1572-216-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1692-240-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1692-281-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1924-303-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1924-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1972-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1972-297-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2040-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2040-73-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2112-301-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2112-45-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2444-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2444-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2444-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2496-280-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2496-248-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2508-184-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2508-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2556-181-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2668-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2668-121-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2712-233-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2712-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3264-97-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3264-295-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3304-290-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3304-153-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3448-54-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3836-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3836-289-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3952-208-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3952-284-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4020-285-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4020-201-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4152-300-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4152-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4228-89-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4228-296-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4348-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4348-169-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4408-263-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4408-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4444-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4444-302-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4564-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4564-277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4596-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4820-133-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4888-65-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4888-299-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4892-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4892-193-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4940-257-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4940-279-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5108-141-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads