4ea249501ef8d45f01d5b079cbcb216a40da45171946803bed34bce50708f308

Analysis

max time kernel
136s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd39151174e890300759a48ed9cd30d0_NeikiAnalytics.exe
Size

121KB
MD5

dd39151174e890300759a48ed9cd30d0
SHA1

b6972761eb513cc256d848e2dc6d370a62d0559a
SHA256

4ea249501ef8d45f01d5b079cbcb216a40da45171946803bed34bce50708f308
SHA512

8e7286106851e3d067541fd94f63d847b9d754c4f336a34aa83dcfc9f1eeb1437031e277bf41e344da51f2c5b73339cfb34b0e9d0e04ce68c5c45e3710bf135b
SSDEEP

1536:bd3OeULUciWNVKJhrmNK8jeO2gHJ50F7RCf3l0w1cP5eCV19zQYOd5ijJnD5ir3k:bYbMPmFfpU7RCSw1cPlO7AJnD5tvv

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	dd39151174e890300759a48ed9cd30d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dd39151174e890300759a48ed9cd30d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfiep32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/640-0-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023400-6.dat	family_berbew
behavioral2/memory/2060-7-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341b-14.dat	family_berbew
behavioral2/memory/576-20-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341d-23.dat	family_berbew
behavioral2/files/0x000700000002341f-30.dat	family_berbew
behavioral2/memory/4356-36-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/1492-29-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023421-38.dat	family_berbew
behavioral2/memory/1532-40-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023424-46.dat	family_berbew
behavioral2/memory/1888-48-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023426-55.dat	family_berbew
behavioral2/memory/3692-56-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023428-62.dat	family_berbew
behavioral2/memory/3492-63-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342a-70.dat	family_berbew
behavioral2/memory/4036-72-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342c-78.dat	family_berbew
behavioral2/memory/1864-79-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342e-86.dat	family_berbew
behavioral2/memory/2740-89-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023430-94.dat	family_berbew
behavioral2/memory/2420-103-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023432-102.dat	family_berbew
behavioral2/files/0x0007000000023434-109.dat	family_berbew
behavioral2/memory/384-112-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023436-118.dat	family_berbew
behavioral2/memory/2952-119-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/3200-111-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023438-126.dat	family_berbew
behavioral2/memory/1916-128-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002343a-134.dat	family_berbew
behavioral2/memory/1816-136-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002343c-142.dat	family_berbew
behavioral2/memory/4448-144-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0008000000023418-150.dat	family_berbew
behavioral2/memory/4256-152-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002343f-158.dat	family_berbew
behavioral2/memory/3180-160-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023441-166.dat	family_berbew
behavioral2/memory/5000-168-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/1968-175-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023443-174.dat	family_berbew
behavioral2/files/0x0007000000023446-182.dat	family_berbew
behavioral2/memory/5036-183-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023448-190.dat	family_berbew
behavioral2/memory/3700-196-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002344a-198.dat	family_berbew
behavioral2/memory/3136-203-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002344c-207.dat	family_berbew
behavioral2/memory/1812-213-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002344e-214.dat	family_berbew
behavioral2/memory/4892-221-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023450-223.dat	family_berbew
behavioral2/memory/1040-224-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023452-230.dat	family_berbew
behavioral2/memory/512-232-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023454-238.dat	family_berbew
behavioral2/memory/4628-241-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023456-246.dat	family_berbew
behavioral2/files/0x0007000000023458-254.dat	family_berbew
behavioral2/memory/2756-251-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew

Executes dropped EXE 42 IoCs

pid	Process
2060	Kmegbjgn.exe
576	Kdopod32.exe
1492	Kgmlkp32.exe
4356	Kilhgk32.exe
1532	Kacphh32.exe
1888	Kaemnhla.exe
3692	Kbfiep32.exe
3492	Kmlnbi32.exe
4036	Kdffocib.exe
1864	Kibnhjgj.exe
2740	Kdhbec32.exe
2420	Kgfoan32.exe
3200	Kkbkamnl.exe
384	Lalcng32.exe
2952	Ldkojb32.exe
1916	Ldmlpbbj.exe
1816	Lijdhiaa.exe
4448	Ldohebqh.exe
4256	Lnhmng32.exe
3180	Ldaeka32.exe
5000	Ljnnch32.exe
1968	Lphfpbdi.exe
5036	Mnlfigcc.exe
3700	Mkpgck32.exe
3136	Majopeii.exe
1812	Mgghhlhq.exe
4892	Mnapdf32.exe
1040	Mkepnjng.exe
512	Mncmjfmk.exe
4628	Mglack32.exe
2756	Mnfipekh.exe
960	Mdpalp32.exe
1112	Nkjjij32.exe
940	Nacbfdao.exe
1520	Ndbnboqb.exe
1512	Njogjfoj.exe
1460	Nddkgonp.exe
1696	Nkncdifl.exe
4408	Ndghmo32.exe
2180	Nkqpjidj.exe
2240	Ndidbn32.exe
4624	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	dd39151174e890300759a48ed9cd30d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	dd39151174e890300759a48ed9cd30d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1120	4624	WerFault.exe	127

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	dd39151174e890300759a48ed9cd30d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	dd39151174e890300759a48ed9cd30d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	dd39151174e890300759a48ed9cd30d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	dd39151174e890300759a48ed9cd30d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kacphh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2060	640	dd39151174e890300759a48ed9cd30d0_NeikiAnalytics.exe	83
PID 640 wrote to memory of 2060	640	dd39151174e890300759a48ed9cd30d0_NeikiAnalytics.exe	83
PID 640 wrote to memory of 2060	640	dd39151174e890300759a48ed9cd30d0_NeikiAnalytics.exe	83
PID 2060 wrote to memory of 576	2060	Kmegbjgn.exe	84
PID 2060 wrote to memory of 576	2060	Kmegbjgn.exe	84
PID 2060 wrote to memory of 576	2060	Kmegbjgn.exe	84
PID 576 wrote to memory of 1492	576	Kdopod32.exe	85
PID 576 wrote to memory of 1492	576	Kdopod32.exe	85
PID 576 wrote to memory of 1492	576	Kdopod32.exe	85
PID 1492 wrote to memory of 4356	1492	Kgmlkp32.exe	86
PID 1492 wrote to memory of 4356	1492	Kgmlkp32.exe	86
PID 1492 wrote to memory of 4356	1492	Kgmlkp32.exe	86
PID 4356 wrote to memory of 1532	4356	Kilhgk32.exe	87
PID 4356 wrote to memory of 1532	4356	Kilhgk32.exe	87
PID 4356 wrote to memory of 1532	4356	Kilhgk32.exe	87
PID 1532 wrote to memory of 1888	1532	Kacphh32.exe	88
PID 1532 wrote to memory of 1888	1532	Kacphh32.exe	88
PID 1532 wrote to memory of 1888	1532	Kacphh32.exe	88
PID 1888 wrote to memory of 3692	1888	Kaemnhla.exe	89
PID 1888 wrote to memory of 3692	1888	Kaemnhla.exe	89
PID 1888 wrote to memory of 3692	1888	Kaemnhla.exe	89
PID 3692 wrote to memory of 3492	3692	Kbfiep32.exe	90
PID 3692 wrote to memory of 3492	3692	Kbfiep32.exe	90
PID 3692 wrote to memory of 3492	3692	Kbfiep32.exe	90
PID 3492 wrote to memory of 4036	3492	Kmlnbi32.exe	91
PID 3492 wrote to memory of 4036	3492	Kmlnbi32.exe	91
PID 3492 wrote to memory of 4036	3492	Kmlnbi32.exe	91
PID 4036 wrote to memory of 1864	4036	Kdffocib.exe	92
PID 4036 wrote to memory of 1864	4036	Kdffocib.exe	92
PID 4036 wrote to memory of 1864	4036	Kdffocib.exe	92
PID 1864 wrote to memory of 2740	1864	Kibnhjgj.exe	93
PID 1864 wrote to memory of 2740	1864	Kibnhjgj.exe	93
PID 1864 wrote to memory of 2740	1864	Kibnhjgj.exe	93
PID 2740 wrote to memory of 2420	2740	Kdhbec32.exe	94
PID 2740 wrote to memory of 2420	2740	Kdhbec32.exe	94
PID 2740 wrote to memory of 2420	2740	Kdhbec32.exe	94
PID 2420 wrote to memory of 3200	2420	Kgfoan32.exe	95
PID 2420 wrote to memory of 3200	2420	Kgfoan32.exe	95
PID 2420 wrote to memory of 3200	2420	Kgfoan32.exe	95
PID 3200 wrote to memory of 384	3200	Kkbkamnl.exe	97
PID 3200 wrote to memory of 384	3200	Kkbkamnl.exe	97
PID 3200 wrote to memory of 384	3200	Kkbkamnl.exe	97
PID 384 wrote to memory of 2952	384	Lalcng32.exe	98
PID 384 wrote to memory of 2952	384	Lalcng32.exe	98
PID 384 wrote to memory of 2952	384	Lalcng32.exe	98
PID 2952 wrote to memory of 1916	2952	Ldkojb32.exe	99
PID 2952 wrote to memory of 1916	2952	Ldkojb32.exe	99
PID 2952 wrote to memory of 1916	2952	Ldkojb32.exe	99
PID 1916 wrote to memory of 1816	1916	Ldmlpbbj.exe	100
PID 1916 wrote to memory of 1816	1916	Ldmlpbbj.exe	100
PID 1916 wrote to memory of 1816	1916	Ldmlpbbj.exe	100
PID 1816 wrote to memory of 4448	1816	Lijdhiaa.exe	101
PID 1816 wrote to memory of 4448	1816	Lijdhiaa.exe	101
PID 1816 wrote to memory of 4448	1816	Lijdhiaa.exe	101
PID 4448 wrote to memory of 4256	4448	Ldohebqh.exe	102
PID 4448 wrote to memory of 4256	4448	Ldohebqh.exe	102
PID 4448 wrote to memory of 4256	4448	Ldohebqh.exe	102
PID 4256 wrote to memory of 3180	4256	Lnhmng32.exe	104
PID 4256 wrote to memory of 3180	4256	Lnhmng32.exe	104
PID 4256 wrote to memory of 3180	4256	Lnhmng32.exe	104
PID 3180 wrote to memory of 5000	3180	Ldaeka32.exe	105
PID 3180 wrote to memory of 5000	3180	Ldaeka32.exe	105
PID 3180 wrote to memory of 5000	3180	Ldaeka32.exe	105
PID 5000 wrote to memory of 1968	5000	Ljnnch32.exe	106

C:\Users\Admin\AppData\Local\Temp\dd39151174e890300759a48ed9cd30d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dd39151174e890300759a48ed9cd30d0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\SysWOW64\Kmegbjgn.exe
  C:\Windows\system32\Kmegbjgn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\Kdopod32.exe
    C:\Windows\system32\Kdopod32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Windows\SysWOW64\Kgmlkp32.exe
      C:\Windows\system32\Kgmlkp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
      - C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        43⤵
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 420
        44⤵
        Program crash
        
        PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4624 -ip 4624
1⤵
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jjblgaie.dll

Filesize
7KB

MD5
98c06aee4abfe477f38e0495739a15f3

SHA1
1fa20a16ef8b2c233123bd719ce56cac51b1daf1

SHA256
373f91d4dec0c07860fe72c2de1766e210fbe85704a10256ce906c3ab053240c

SHA512
42f4d0d9cabd9c40483479c356fb59cdbb05708c312c0958eb31d29148007349c84cc526a3db03396b55199d4ce7d3c7295c6a68c06d8237c09526a5950be003

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
121KB

MD5
37aaea4c48761a2e2742718dde498659

SHA1
cbdd1df6da26030a81e1cf9226dd8d05c1a7636a

SHA256
439acb2784388e048c9936eaf5863c785969a3e5a418c40e8e38a03d661e0eff

SHA512
a86a4748bc91c0f71102502371dbb08645f93e266d23c84ef537814e31ee9956ceb1047990d1239c36e4042a8f19bf460656e3890063067ffb4c1eb30e7477dc

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
121KB

MD5
28a553c479f10fe752ca4f1602d6b819

SHA1
66c64a614c0f028aae0f8f970f4d79bbb4c6a30d

SHA256
c16c07b1fc596dc011ceaabf22501e4b4f77218260b97e810f39cc629853d7d3

SHA512
720043e4dcdcd531077fbd6bcde876fa46ae06e3c84633a957fd4b5c87dcaae053fd9da28d56c57750e3792fb9b59194931d6b626c80bae0a8550e3e270177b9

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
121KB

MD5
3642ded19224ecad1ce0b8e417876abe

SHA1
3b3e6869e5a12e8371dda01512d8f326b885f89b

SHA256
97e40048c190968abf907a45eedacb503219a1713fb1c4d2d67dab7a0290235f

SHA512
4c9f7d6c76694360027e65b59eee9c1281b5a4c3a03d90e167d8b3f030c3b363faa500ecf2a7c36ca4530b8973beefa719038b4406699e581b09809b003afe73

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
121KB

MD5
a2e78cc624d06354e3d48fca032fa9a6

SHA1
a6de8097c6edb9dfd3ea8a05ba2f69164cfa444e

SHA256
3d93c7a5dad2155aaf08fa2b33345abc67b1ec1f39d2f527aa405234334b4b23

SHA512
1ee0d1bdc599ad775456ecf0fc7052db768fa1b97c4ba0086937e962a42b3158e721c9a7770094b7bc7770801df5679f845fb1969494c6e0f49b5fda23149cc7

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
121KB

MD5
2110e042298ddca8b2414df729948922

SHA1
ec37b629650a5d12de53a19aabee85feab35eb19

SHA256
6761221f62eeb242dd6ef8485a362be5c6278c626f33e4ace6b750fdbec3c353

SHA512
e0ca79d4f887233ac7fb9b943346632d6e047352f48aab1aba201fd70cabe598b806afea3232312d732a371f354cd63bcb2d3a80b9aa5a00f2d5e73e4d6b40d5

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
121KB

MD5
6c230446dc83cf9a3240702a38bbc4cc

SHA1
1117d073a16955eb85a45e940ab93372288da0c9

SHA256
2ff66093c63f7416fb4740551bf2af0738ab79e27b6e26a7795e919719053902

SHA512
20e3fae5a70b1597c89d46560870d7e387330d63af137e15a4010986d56dd12071ba5aaa558762e767a4088f3753812ed227d2b5c6237734a740330e23db1a87

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
121KB

MD5
b86fe176fed3975ccfad7465b01e6c7f

SHA1
b85ceb2320e180a4caeb11d062a11fc05a329f66

SHA256
133a5d53a2b2cc93995b0106cd3e153343fbd2a0f9de4293d2521cc7361613c7

SHA512
d4b36cfab9d0dec11782fcaef5e7beff852985707fef5699a20c96c1a70416a6adddc1497e19e99e1eaef664fc36c3f02d6d8da991eb38b978124b7c5e3cf50a

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
121KB

MD5
8d70938a1ee1456bb2c6656501e26163

SHA1
4151038ccf14de389a555e7d0f84c2bdd3e7cdd7

SHA256
5018f7e03181ced56704af10ac78308bc0aad0a618d35a2a512b2c7ee9efb1e0

SHA512
cee0ae5561f2d0bdc153af3b12e881d4236e5bb8118e4bc8f935b35f96dce5b15eae921013b7b6c9a1eb8857a69836f7803aeaa337661196fc46626e1790436a

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
121KB

MD5
3c211dbf8e70e48a12a297f3356d0cfc

SHA1
8b84ac55e4b33e53ec75832d5411a6703af52dda

SHA256
16f746d71ba2c46c41750651d9514e111f2d461f66c1b4bef3445376e1905307

SHA512
8bb58cc3d49ca95c4db797838b73f415d5397ad6531f23f5ac5c31aab1c7d35a57a7a23583687a015aeb11355f7d74748cdb076d59d8959cc5b18f5cf6f3d9d1

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
121KB

MD5
d6e4c2885d60250a2926698848f20b44

SHA1
e1e3a710a491760d626fea3abc5a040505dc9725

SHA256
641d1f070e5e4f5c710fa68ba28f87535847c28a76838ff041cd9d8459708042

SHA512
ef9432836d2e98ce18ce58f6edf3a508b07e7db1cd9552ee97103431e68ce4d66219392553ce5914ea66de1f12ab8d3829b4d7cc5a47c4c11d8001d3809d5a1a

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
121KB

MD5
108b46312bf8bce326e0e94fe049280a

SHA1
1d9b7fc821d5c7988d37e1afd0cadb6ea4931c03

SHA256
9451bfc126428353a33ce2125220994202589d21b85fe3ef0c09f2b75a04bd86

SHA512
70f395154e8cf97c782e693ea68d5a16a0d3602b042e157a7537f50405eda960eb20fc6adc6b4111bd5a870617666aefaf051b2b3c893eb75e8bd350af0722f0

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
121KB

MD5
c2119c88317249ab69dbe5561b88df61

SHA1
ea778f9ed453ef927e789a0ee89a2a2d5516d151

SHA256
a3f4f4d271ebe80ba0d1ad1eeebdfda9d83657ba123aea8bd222eb63bab30a90

SHA512
a6d9ec49e163dc9616cad7f410dd2e54b7ac4ebe6248353fe8fc90cb389dc3ec63bebd3475b75131a3d5097f3c2d9933603e04386b742c50bac88b34e65ad4af

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
121KB

MD5
ef465efeb8866ce0f1917ffd678dab9e

SHA1
d6301b0ff654a9019b53e484168eca4cc4702b20

SHA256
9a87f05b8d9348f220140f9efb495e0041c0906ca6e7b9fc8802ff9dfb26d9f4

SHA512
eeec5d01f798343fc14e9d29b69db47cb53a34c265e99cea4fa880a356c55cbbfa72a297c969f2c841a667eb5314ca15be875f84e03737ab430a7424b6292733

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
121KB

MD5
9547ff3ff5bc1278a2141cab77cfe75c

SHA1
f2329b44c327f1c2fe7d1bab7627ef5824a66b69

SHA256
c570bb494bf6b8a15f8e0236bc5018c61769df6df668a9ba70eb34379367c317

SHA512
cd2e1094e72ddc1ca62591c1f8d62bfad4e07ba66f42107cc233e37e946ac82073f2baf1c5255d9af4c4c7ed13fac6dfbbc1a82a62d7173b91f5301aff9d63e4

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
121KB

MD5
e560fa94f9c39c9da58a3f5a9bcb454e

SHA1
41c48127d871db3792e990aa7a71ac725462e602

SHA256
157b2a05bf3700c801d4b7182b5a5590d87a520e6209adfef924bbfbcb8d8ec3

SHA512
d2185382c9367b0aa348cd605ee7d5831863df6e502e93aaf1ca712b79fd4353e4b37553e6df6748dd411a1abcaffdcbb63140bcd6d7b1a9cecfb6a42c4d767f

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
121KB

MD5
fbd1acfc5354c10dbe9361f5ac559507

SHA1
f7022106fe52c8bb680c40ba21f818df40976b04

SHA256
e62e1e6a749d46efdec165c334ad347eb1d0420712118734f2a34288d7717a9f

SHA512
113f2604a4843bc4974f327ef12161e3e5af06bed24cc5f79c535f195d4f36ce598d6e082d6908566636881747d2c79156cd95c4facbc1bb053cdf71d86e95d6

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
121KB

MD5
801638d3bee6a9a9f5f94fbab20c690e

SHA1
eb7abe504575fcae8e41b447a1cfa0fc23b69271

SHA256
cc260cfb642ee6b93283ef3cedbd892936c38389d901e4b1e9bd7ddd37940055

SHA512
f49497b8787d0b09e8df5217f906e8590910af5e43188314f2f4e897283ee7a2ac68cc696fd1194b3258abdbd3260654a0154d13716638397ccd57425bf0eded

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
121KB

MD5
f734b504bc2a2832e3fe29ae18d3eb51

SHA1
a0e1a3d25cf405508778d1fa203a74cda11e0797

SHA256
973db035f24db4a16f600e938aad561b4ca163a55049cf528d487ebed4e31178

SHA512
88ceeab265959ecaf29147e4084d9875d7fdfcf64050cfa4dd1b6c2be93cebe60951ee130c75441ce7386956266c2e7b9cb288696868fe46543746823a1d37bb

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
121KB

MD5
4cfa26844f4b1c795515f95cd3918459

SHA1
5a34fa339881586ca2e3d773ca4e2bfc55521f70

SHA256
74fe3c24a8cb4d29e022870ba0b0b8d7868307ecb2170d7bb180c6fabfe48c1b

SHA512
f8d58c5061ca639fce61cfce74f71683b3637c9ed577392595900e62a4151cf0310a6714a3c35cc2ba3aaf39fef237921dd96c772572cf048e8cffe4d558244d

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
121KB

MD5
9715e1c1f510e07e75ad74577e005787

SHA1
75ddf9d7eb25ca23b3b59d41de67d53af535a74a

SHA256
38cb9c211ed4eeaa6050df4944b652c583b36954ff417f6719825e0210c47d8e

SHA512
1cd6066495ae4b931f09f391a120d04fe9a33c8f4f09371acb5463b3082a97f8a6b3f7518b4fe4a8ad795d7f80f0ab0bc7d449f9842bd545d2b6e9e21db326c8

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
121KB

MD5
212fdb88abc5a1bf7ac6778710e18abd

SHA1
36c02c0c4d28a221ed2df38acdbc749868584f1b

SHA256
130241e140ab85dda04516560675f4a37f2a4e9a9996d141663e171ee4d2c4a8

SHA512
260427ef86e6011a4f5b6fdc8dc12bca67ccae7928a017fdaba94a5521e14d89a3de59b7fc3d8259bc3ae8cc4c62ea60c13763c3a11986c95ca011552eb4edf3

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
121KB

MD5
b82ef9a0635481a06da85b6fbc99df76

SHA1
b6602d9fb9ee6aeeb3377e52f0258f39fd7721b3

SHA256
ddce5b2d6a4ff561160741a46d1f79046d4971c7d55e33e8e2aae962d6e912b4

SHA512
4521867f88c486523eda0e1a6af918534f155a10f48f42fed1405d34880a50c916642eb414fa7f756d006cfe587d784239eb0ec844448e96697581a6a2b0a921

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
121KB

MD5
f41bd4c85c6bb4cd1db039fdeb196141

SHA1
bdc5d3ae3817a79c64961b48a9a44cb6d14ada52

SHA256
6a492b8b06691886604a5e0bab8dd8d1eb6f082f8bb890cc97fe7ea02dc73511

SHA512
96fccbc31ab212601170778c9634daf968d203fac7290dabad845d7276515e96b40092e6d837fa9fd04821d3a15d2800d8218791bb00565a751e1c58d8b5515f

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
121KB

MD5
d2b3fea3b29a907d4ab08f2a9059d19a

SHA1
2455003a54686c1b15cd24ebe595ce5c0d813bf8

SHA256
00cddc00dcab3422c11255c5181f70a44730e9841eddab771eeb68c37e08e0c2

SHA512
7cd40498791e3be6dde3e2b73e167ed5a928f7995b309cf18aa20cdaab547ce09fb2419a927a92841af12edd208f7d6579c06dbf73a8ea990dc3220deec1c27b

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
121KB

MD5
8ff4dc41e70e541c673f4b8e00d33ab6

SHA1
95a0851f610dedb3a75b6c8649ef7f29da970dc1

SHA256
a166530a0d6ea6f8ba01ad5beb72e2b748f2685ae6d2fe08fa1c949fa1b65998

SHA512
1348ef1b7afd3c311e1ab01a180ca3d4ee245c9ae60fa69c71b84d2c7cdc1f76e12d00ec8c9b55106aec302f54c1986b69e3794bbdced4841577faa91846309a

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
121KB

MD5
ebe801bdad3521e29c22c56e7570fcdf

SHA1
a0e097cf8a16421e9d6e4f917b4a3dfe1d7219cf

SHA256
ee2b926e6cf770136395b1f7b1c5a8198bc4ba425dd945273a99fd7f5e7b507c

SHA512
81d03897b7ce7e564594ad6a92ec3688f5c4f49030fe6941fa973d96eb46842c9aa4538f3ecc7ee4ebf1bba4130cf2525c9de627ec9ab753a2078612c226a664

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
121KB

MD5
4ef204ba6adddad72055e8fddae3962c

SHA1
607b8b24ffd2f0c9e554d75ed7a83d971b968738

SHA256
0e924cf3c4156694fe6d73395b54009ff8ab857d3b7c7352840989c45b44c652

SHA512
2fa10aa7c7df40b30ef54056195c674510c0f36b6ffa0d53e88c335d3dac4668b6e5b06204ec8f07a4d296ef9bbf43de22b09276e836eabdf08aa05d5e735786

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
121KB

MD5
dacca288d9c949ecd6e4763952c23f70

SHA1
cb4f85696279a3cc6c0dad9145fea293eb188e03

SHA256
cbba886fb24b8f0736e89cffe44449614d2debfa2752363167e6a10aa3f7a629

SHA512
f5c6c820734118c354c1f9cd48c99deeb2084da89d29bbeb97c4c21ac9a51fba3ab4b8085e1dffa1befebb2e16c1d496d2530bff843a991baa77ded2eae9f116

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
121KB

MD5
258914e44b92b5ffe3fb882cdd00e72e

SHA1
215b7270cd3d5a00488b9a2d7ad81b81e37e1ae7

SHA256
ea62aebc2db40c60072ee35c225c345ef8b67d2be963e93ca6f13811ef22325c

SHA512
ef483e35fc0c037fe39306158f555b75f6f2a0b8a8dee55a4c2bbb0443d449b9956d04d0416dab1100e3dd7146f113bf7010005fa6cbe48ca78987b9bf653948

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
121KB

MD5
4a202e2af68f09e1d35f9e11e481b4ba

SHA1
6145fc9bdc0f4857e40001c958aaa58e8161434c

SHA256
530a6f7ea3c523237a279129432bcc7db2b29f5ead999d0b7aec0042dfc005bf

SHA512
294a8abae84716fcf55b4fec9f6345a5f4fd7e9a6224dedf097e957315a16f3ec6f318bc235300b237933b3ad7217ad821408b2d0635a076065d384f3dd592d6

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
121KB

MD5
1eb49e2164ef8242dc115386fda23dba

SHA1
901568ce97c53f5492324acd8f6ebb06e3f1bf1e

SHA256
83a070b181ad7b7792cb6150fb49ab1b295002d47749dd8d70e181bafe935976

SHA512
5845de514d72d679f61e32fc314c74f0cc0e14ef2e0ee301289d3efa0de337d8748d6c0d0d14c561302d6f96fc6f84ace40072bcf1900f7b3ab13ec5da3d916e

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
121KB

MD5
bfd874055f1adf075576b9d4de344c3e

SHA1
3ef335c7cac0d71995e573954490daccda1c9c32

SHA256
d24ade492271ca8a603e0fdf46a8ddcdb37f73e62fee61bca2fff27163d02f06

SHA512
322b076f968c0ca8b59088edc856a53f84e21355a989f2dc70c7330a92b643281fa4764fb3ed1fcd1cf9e865e0ac4430a23b87017fa1d2ac9d99f74374ce4d78

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
64KB

MD5
6f96542260f67b3133a7b6e42227b284

SHA1
e58b4e00bb959da3173b336a5237bfb69edc6d21

SHA256
132f1ec1ec778a2b89e1fef5c99b8ce00bc225feb5da81625913b9c9c42b15c0

SHA512
f1f2feec8e58b79aeac680aa8e2524df7b7b756cdfdeab173225bd9db6a915dd8e6be9dd6d40156e3e6ee73572ac83fc8627aba6d4df0f2bdc83341cd9d49eb0

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
121KB

MD5
08a6a6838fce1f53deb2043d8379797a

SHA1
451340d2854daf2fbdf7cf293b6668d93fa6a87a

SHA256
28116a9213296b4f46fc90c6ca9befa14c4be18c487369cdda4e5f066fb3ef24

SHA512
a2c88d65b0f5ba34876d5b6539654f8841ec414bb33aed074d6d4a51db68fb6942dc97486acf42b19b954f919ce898c195ca543792e6ff0568ec734bd4292a18

Download Submit
memory/384-112-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/384-337-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/512-328-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/512-232-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/576-346-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/576-20-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/640-352-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/640-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/940-272-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/960-256-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/960-327-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1040-224-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1040-348-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1112-325-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1112-266-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1460-321-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1460-286-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1492-29-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1512-323-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1512-280-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1520-324-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1520-274-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1532-40-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1532-345-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1696-292-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1696-320-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1812-213-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1816-341-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1816-136-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1864-333-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1864-79-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1888-48-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1888-343-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1916-339-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1916-128-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1968-342-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1968-175-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2060-347-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2060-7-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2180-319-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2180-304-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2240-318-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2240-310-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2420-103-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2740-334-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2740-89-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2756-326-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2756-251-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2952-338-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2952-119-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3136-344-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3136-203-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3180-160-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3180-349-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3200-111-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3200-336-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3492-331-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3492-63-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3692-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3692-335-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3700-196-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4036-332-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4036-72-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4256-351-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4256-152-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4356-36-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4408-322-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4408-298-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4448-340-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4448-144-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4624-317-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4624-316-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4628-241-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4628-329-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4892-221-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5000-168-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5000-350-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5036-330-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5036-183-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads