52093dc654ad9ef5edf7deda55e6dbc728a186310fd63a27a3ba3e4792a8b8cc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02f806c1fbadb2970873e9abc725ad50_NeikiAnalytics.exe
Size

320KB
MD5

02f806c1fbadb2970873e9abc725ad50
SHA1

52a2b14de2432222bf6576169ff397fcda4a5987
SHA256

52093dc654ad9ef5edf7deda55e6dbc728a186310fd63a27a3ba3e4792a8b8cc
SHA512

8bf0d0bc8040bb06f40d3df8046138a9ad543fbe34c41ecbac8de0e2b6bb6065b81577b4f11d1a462a782f124f8dcf9f598a706d9ea7e95b29a010b289202fc2
SSDEEP

6144:X9xWabjhJ9vKpO6c8TCndOGeKTame6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+I:NptnKOsedOGeKTaPkY660fIaDZkY66+

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	02f806c1fbadb2970873e9abc725ad50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	02f806c1fbadb2970873e9abc725ad50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/4916-0-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000c000000023370-6.dat	family_berbew
behavioral2/memory/1256-8-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233f5-14.dat	family_berbew
behavioral2/memory/4548-20-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233f7-22.dat	family_berbew
behavioral2/files/0x00070000000233f9-30.dat	family_berbew
behavioral2/memory/4560-29-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/3900-31-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233fc-39.dat	family_berbew
behavioral2/memory/4708-40-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233fe-46.dat	family_berbew
behavioral2/memory/1920-47-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023400-49.dat	family_berbew
behavioral2/files/0x0007000000023400-55.dat	family_berbew
behavioral2/memory/4664-56-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023402-63.dat	family_berbew
behavioral2/memory/436-64-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023404-70.dat	family_berbew
behavioral2/memory/1620-71-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023406-78.dat	family_berbew
behavioral2/memory/1892-79-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/4180-88-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023408-87.dat	family_berbew
behavioral2/files/0x000700000002340a-94.dat	family_berbew
behavioral2/memory/1452-96-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/4692-103-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002340c-102.dat	family_berbew
behavioral2/files/0x000700000002340e-110.dat	family_berbew
behavioral2/memory/5072-116-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023410-118.dat	family_berbew
behavioral2/memory/756-119-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023412-127.dat	family_berbew
behavioral2/memory/5060-128-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023414-134.dat	family_berbew
behavioral2/memory/384-136-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023416-142.dat	family_berbew
behavioral2/memory/432-143-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00090000000233f2-150.dat	family_berbew
behavioral2/memory/1808-152-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023419-158.dat	family_berbew
behavioral2/memory/4372-160-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341b-167.dat	family_berbew
behavioral2/memory/3380-168-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341d-174.dat	family_berbew
behavioral2/memory/3476-176-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341f-182.dat	family_berbew
behavioral2/memory/3848-184-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023421-190.dat	family_berbew
behavioral2/memory/2052-192-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023423-198.dat	family_berbew
behavioral2/memory/3624-200-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023425-206.dat	family_berbew
behavioral2/memory/4036-208-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023427-214.dat	family_berbew
behavioral2/memory/532-216-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342a-222.dat	family_berbew
behavioral2/memory/880-224-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/532-225-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/3476-230-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/1892-241-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/1920-245-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/4916-249-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/1256-248-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew

Executes dropped EXE 28 IoCs

pid	Process
1256	Lmccchkn.exe
4548	Lpappc32.exe
4560	Lcpllo32.exe
3900	Lgkhlnbn.exe
4708	Lilanioo.exe
1920	Lgpagm32.exe
4664	Lnjjdgee.exe
436	Lcgblncm.exe
1620	Mnlfigcc.exe
1892	Mciobn32.exe
4180	Mkpgck32.exe
1452	Mnocof32.exe
4692	Mkbchk32.exe
5072	Mdkhapfj.exe
756	Mkepnjng.exe
5060	Mncmjfmk.exe
384	Mdmegp32.exe
432	Mjjmog32.exe
1808	Mgnnhk32.exe
4372	Njljefql.exe
3380	Ndbnboqb.exe
3476	Nklfoi32.exe
3848	Ncgkcl32.exe
2052	Nbhkac32.exe
3624	Ngedij32.exe
4036	Nbkhfc32.exe
532	Ndidbn32.exe
880	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	02f806c1fbadb2970873e9abc725ad50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	02f806c1fbadb2970873e9abc725ad50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	02f806c1fbadb2970873e9abc725ad50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgkhlnbn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2300	880	WerFault.exe	112

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	02f806c1fbadb2970873e9abc725ad50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	02f806c1fbadb2970873e9abc725ad50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	02f806c1fbadb2970873e9abc725ad50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	02f806c1fbadb2970873e9abc725ad50_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 1256	4916	02f806c1fbadb2970873e9abc725ad50_NeikiAnalytics.exe	82
PID 4916 wrote to memory of 1256	4916	02f806c1fbadb2970873e9abc725ad50_NeikiAnalytics.exe	82
PID 4916 wrote to memory of 1256	4916	02f806c1fbadb2970873e9abc725ad50_NeikiAnalytics.exe	82
PID 1256 wrote to memory of 4548	1256	Lmccchkn.exe	83
PID 1256 wrote to memory of 4548	1256	Lmccchkn.exe	83
PID 1256 wrote to memory of 4548	1256	Lmccchkn.exe	83
PID 4548 wrote to memory of 4560	4548	Lpappc32.exe	84
PID 4548 wrote to memory of 4560	4548	Lpappc32.exe	84
PID 4548 wrote to memory of 4560	4548	Lpappc32.exe	84
PID 4560 wrote to memory of 3900	4560	Lcpllo32.exe	85
PID 4560 wrote to memory of 3900	4560	Lcpllo32.exe	85
PID 4560 wrote to memory of 3900	4560	Lcpllo32.exe	85
PID 3900 wrote to memory of 4708	3900	Lgkhlnbn.exe	86
PID 3900 wrote to memory of 4708	3900	Lgkhlnbn.exe	86
PID 3900 wrote to memory of 4708	3900	Lgkhlnbn.exe	86
PID 4708 wrote to memory of 1920	4708	Lilanioo.exe	87
PID 4708 wrote to memory of 1920	4708	Lilanioo.exe	87
PID 4708 wrote to memory of 1920	4708	Lilanioo.exe	87
PID 1920 wrote to memory of 4664	1920	Lgpagm32.exe	88
PID 1920 wrote to memory of 4664	1920	Lgpagm32.exe	88
PID 1920 wrote to memory of 4664	1920	Lgpagm32.exe	88
PID 4664 wrote to memory of 436	4664	Lnjjdgee.exe	90
PID 4664 wrote to memory of 436	4664	Lnjjdgee.exe	90
PID 4664 wrote to memory of 436	4664	Lnjjdgee.exe	90
PID 436 wrote to memory of 1620	436	Lcgblncm.exe	91
PID 436 wrote to memory of 1620	436	Lcgblncm.exe	91
PID 436 wrote to memory of 1620	436	Lcgblncm.exe	91
PID 1620 wrote to memory of 1892	1620	Mnlfigcc.exe	93
PID 1620 wrote to memory of 1892	1620	Mnlfigcc.exe	93
PID 1620 wrote to memory of 1892	1620	Mnlfigcc.exe	93
PID 1892 wrote to memory of 4180	1892	Mciobn32.exe	94
PID 1892 wrote to memory of 4180	1892	Mciobn32.exe	94
PID 1892 wrote to memory of 4180	1892	Mciobn32.exe	94
PID 4180 wrote to memory of 1452	4180	Mkpgck32.exe	95
PID 4180 wrote to memory of 1452	4180	Mkpgck32.exe	95
PID 4180 wrote to memory of 1452	4180	Mkpgck32.exe	95
PID 1452 wrote to memory of 4692	1452	Mnocof32.exe	96
PID 1452 wrote to memory of 4692	1452	Mnocof32.exe	96
PID 1452 wrote to memory of 4692	1452	Mnocof32.exe	96
PID 4692 wrote to memory of 5072	4692	Mkbchk32.exe	98
PID 4692 wrote to memory of 5072	4692	Mkbchk32.exe	98
PID 4692 wrote to memory of 5072	4692	Mkbchk32.exe	98
PID 5072 wrote to memory of 756	5072	Mdkhapfj.exe	99
PID 5072 wrote to memory of 756	5072	Mdkhapfj.exe	99
PID 5072 wrote to memory of 756	5072	Mdkhapfj.exe	99
PID 756 wrote to memory of 5060	756	Mkepnjng.exe	100
PID 756 wrote to memory of 5060	756	Mkepnjng.exe	100
PID 756 wrote to memory of 5060	756	Mkepnjng.exe	100
PID 5060 wrote to memory of 384	5060	Mncmjfmk.exe	101
PID 5060 wrote to memory of 384	5060	Mncmjfmk.exe	101
PID 5060 wrote to memory of 384	5060	Mncmjfmk.exe	101
PID 384 wrote to memory of 432	384	Mdmegp32.exe	102
PID 384 wrote to memory of 432	384	Mdmegp32.exe	102
PID 384 wrote to memory of 432	384	Mdmegp32.exe	102
PID 432 wrote to memory of 1808	432	Mjjmog32.exe	103
PID 432 wrote to memory of 1808	432	Mjjmog32.exe	103
PID 432 wrote to memory of 1808	432	Mjjmog32.exe	103
PID 1808 wrote to memory of 4372	1808	Mgnnhk32.exe	104
PID 1808 wrote to memory of 4372	1808	Mgnnhk32.exe	104
PID 1808 wrote to memory of 4372	1808	Mgnnhk32.exe	104
PID 4372 wrote to memory of 3380	4372	Njljefql.exe	105
PID 4372 wrote to memory of 3380	4372	Njljefql.exe	105
PID 4372 wrote to memory of 3380	4372	Njljefql.exe	105
PID 3380 wrote to memory of 3476	3380	Ndbnboqb.exe	106

C:\Users\Admin\AppData\Local\Temp\02f806c1fbadb2970873e9abc725ad50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\02f806c1fbadb2970873e9abc725ad50_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\SysWOW64\Lmccchkn.exe
  C:\Windows\system32\Lmccchkn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\Lpappc32.exe
    C:\Windows\system32\Lpappc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\SysWOW64\Lcpllo32.exe
      C:\Windows\system32\Lcpllo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
      - C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        29⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 412
        30⤵
        Program crash
        
        PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 880 -ip 880
1⤵
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kgkocp32.dll

Filesize
7KB

MD5
557967b442efb4981059fc99435f1363

SHA1
71cf4e981123b070d2a4beff2b8f2249d23e1243

SHA256
130c9779f9c1729534e8a868c3d8e23ea1b218eafbd8bba76398e23c0e562c6a

SHA512
094bb0bcba5e52fc207beb646716fff5826526ad2f343a98fd8c8ee3d1b2ce73aa696fe432d06b95f84422d2e27af913be7eeb8bba223bbf0d8b85c4739a1c20

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
320KB

MD5
5f06e9a933d29b96f656a5c4089bc4d1

SHA1
abaed3ca147756a5faa3792834de7aac5ba31633

SHA256
51855de5640fb33736c6722c1c1c1694dbcce8f103f30b54d6b2557fa2ee1c0f

SHA512
77e3ad559049f43f95a4ff945f8182f09a4e357f988fc4f744b8f36fe9683ba3e3f33cd5dab66bee25241ae360e2095e71cc5481abdaa31591b06be1bfffffca

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
320KB

MD5
5bc60d96221789ca707621cbbb0f4e75

SHA1
e6fbfda2877ecd41e0f998db30bcf25142d8e3da

SHA256
85bde0376d64979ab728771bc3085c958ee1be4e7d373a2de853c39657efb7b8

SHA512
08d6ac20419e657220b0d9e2b29cd279bf80ba5498427887bde3df54e23f34dc43522ac4d77c855c29a38d41eac079d3d2ce752b181bd7745cbeb9e0a6151d5c

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
320KB

MD5
ea17f9120a4b2968e6fdc7f7621ed72f

SHA1
c5ff221ed3778e530a09f7eb5c9a55fa1acd3e24

SHA256
ce532e1869ed75025be239e4255a7a453b4ac956522c89821a1cbed7d49618bc

SHA512
ee9c2d48aa4740bf3d8be25137ec5f34454bdcf8b074e05e4eb41b390f09b60917c8459b274b259ba10d545116c052d558e7caf3da0a99a50469a9539dc2ab75

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
320KB

MD5
7c3c815cedb503999e9e956f015b4e57

SHA1
90fd1d07f512bb27ef616bfbd59f50de35170188

SHA256
07b2b1ab5c3612620c83028de20a8a1948ff74d3abee277098eff56efe021536

SHA512
eeac75432c4ca6130cc3452532aaf58d2acdf31cfe2cbd0232d935192dd66007ea1b09b2231394d19c2bad34e3d0023a702a97ee7b7d1ef949bc8dea69a0b244

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
320KB

MD5
9c88965f6f75484cbf90a68c54cc5b0c

SHA1
c92a526f6e5582fb694fe6da5f1b6aa8e0efe6dd

SHA256
d7c134c6d71d854c95e8f3b9547d51b671c38de102d78cb9f7ac2d31fb8be0d9

SHA512
29e9c430498e47a229475dc5343628da39be4c284283a3143f67b9d5f257b1f83780c788af73380e4d7671adee8870450954df72d46268be41aef5afb614cef4

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
320KB

MD5
1539d513fe96be37a1adf134888bc617

SHA1
d9dcdb55e3a0a3bd4256e4e9567b9da5bbd5f756

SHA256
f146244774000b7b288f813afbe7205969dd0ab4f798962bacd100aa7ff86960

SHA512
31f8a6086c16fafb2ccba7855261f1543cc73bd327898b0f8ffc28405094df01fe3b05156f5ed43442b0a3332e3a8a1abb4ea1cbe09d562bd054fe6ea0bec768

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
320KB

MD5
7d305f400c7b48957c33f62939b5132d

SHA1
0ae9fbdac084da27ff9469e261fc3cb797c2c215

SHA256
af29faa98a7284041a14bd7a3499e2fb5474aa0d3058385c03d0e512b1d4f9b4

SHA512
1213f4c8c4151f7e5088044cef3ae01d93018634f4533e8adf42afc027f005289c35924a8904afb7f42c0d421935464988c077776f864e4ee61df1fabb2250f6

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
320KB

MD5
b31298908c99ac4da8f29518641ee731

SHA1
8e9fff0206585311399d78048559edbc95d8e909

SHA256
556e3393ccacaf7838d2f8b758e81a6d432d84436febe0857ea293fbcaaccc31

SHA512
2aaa21cd9378bbf71be717461ee04e91f62adaea62b79caa7c18fe0a0fa5b72b5b92e97d038dbc86311782fb483892513954b17064025b1a8ddc7c63d7df89a3

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
320KB

MD5
2a1c286c2aaaa96071a41558d7c6f167

SHA1
3ee9aecea4b361a5c7f49d70b0d11d47dffd2e03

SHA256
d6c00403cf29249e8d841e6be3fa35efbec1d2a971c7802f351269094b9e0cc4

SHA512
21be1896a83919cb8d41170366c8b93a3a53c07eda7f087d932fffeb57cac1d6712f04edbc194e98d226ed552be2497b40cc0aefef5e03d1a4467683b1fd521d

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
320KB

MD5
8bc23e745cce123c3a948de79c8248ad

SHA1
37d85c30db802a6bbb4a25929bf0cebd1cab5809

SHA256
e77a89ae86c0a3de95d1ac18f591f50b68daebdb7482a126fc5d18543801151a

SHA512
2766163374bcb7654b158b4a4e3dea70a6cc1582b7d021a70b32321fa66af054c60714748382aa45d97964b59ab0a846426c31fe4a552cd38d548a47e076396b

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
320KB

MD5
c79ec36263e4684d1dd8f796519295eb

SHA1
df794c4c840644afb668b4a6b0b710d4251367cf

SHA256
7ecbc104ded7e1a5c8443760aa1052d9eca7fcc080762275c28f632e5006c8e0

SHA512
f2afa3c60538c00b894a917fa03ee916a1d6b01f5d9b4566933daa9498c9faa983fabc8aed316fe0084f1c6dc4b9b174dabad72625413cb3ed5c81dc148b5903

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
320KB

MD5
97bb6adc150ad6f0ad163c8025caf693

SHA1
dc1fa9fbe862bdd215bc7de8bd77e6c4056220ad

SHA256
80387e517e798f53ccccd7ffbd93e46256357cfe4e74ad01b8dae28a37323186

SHA512
b56ba163268b7edb8c45606e05e7d387dadd71b32ed03112d5ff90861e4a14e2285e740795512779fc555ceaabbf9be879de299c5f8bace49186fbb27e418448

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
320KB

MD5
f8b73ce67b6bfe17e434a1dba83595d5

SHA1
089898cbcf97eecd5ec7e9a184dd13886dc446ad

SHA256
31be0d21334d1b90ca4e44798823b1e6a4a1de3721c5a323641ae16a5179e291

SHA512
546e1cebdc3b755015401c1beb89a0f18d494e6768e065f879519d42a43ba0c58171b86b06c000731ff237aa239de549cab9091a5994c6429ece1d5f92db9e52

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
320KB

MD5
3861faeaae2d3efa58fee4e1123ffb3a

SHA1
867fe13d01b1a98cf39949f39016baef53e8fcde

SHA256
ba8e8f4d3b518f8ebee49be07456b474d60c6664a0d1372d46d6da188f7f1fac

SHA512
2c6a14974589eff65c1cbdf3b2c1b8f6a1657d4681789ecab982bce3528073f9f81a9790cbb7c1d496d1f7600a22eb1b6dc8d211244bb5eafa2e215b63a2be9b

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
320KB

MD5
94a7bc0afd4095e02988e35696873bb1

SHA1
6b9a529f57fa67670fddf3d4fe164983ac7e427f

SHA256
18cb6bf597461ad322fd2a213eb5c3c9efbcd8854e87355f36e2b754e4981e12

SHA512
6436f91dfe1a931676a9d28bff8f2ea6d9b872f93c9fda00976f537d56afee87573b656eded723b32fa67deaf206a3d9f78d33f847727349488a0efd5e11b3c8

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
320KB

MD5
2802fd8acce13d16a2fe2b8e9718d7f2

SHA1
856134707e3f7a0bcb1de24b88221633af1d9d75

SHA256
057b98403bebfbac7c4694b7e35f6350de1640894ae95958e9ef15ac107840af

SHA512
8e0f62b7f4c7cf901f42d3b8f78cfc8930d07ccc1a764bf1a57a70016a763e395f4d54a04cb3d3f1f021eb77d7541debd380ecb21b326f25f56fc775b9c21c89

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
320KB

MD5
7000cd10d8df5b5c3384082184388198

SHA1
396bb8ff3d80405f52000333ec3e368db2177693

SHA256
339ef9e440fc75260e35a6eabe5b84c6274323cbb0d45ba4a223bb72940a1cbf

SHA512
58ac95d7897fbb88fd4a3bfdb9fa6f361a1845a7789ab2080d2a2a8e207cb217a86242f5815c91867bdeadd82082f7412c0e26e3834982737a2166a9b03ae1c6

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
320KB

MD5
5b277d07fd23813ea09805d89590c2ec

SHA1
29c32a2c15b46c147ba5597e4dc8fbcd419faa5c

SHA256
8d27d714d8780fb0a86506048ab7e17da50fcabd1fdfc887267b205038a63a0c

SHA512
346f01d78e65e05852ceab4091738ace8b902681577c1b52d0384c5d5cbe4895622daca0b19709d397777901067a9fea8394cbee876f6a33c5494dc2145902b5

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
320KB

MD5
21b90c5d2385d9c2ba36e559979ebbbc

SHA1
2d714272e97ce4317781052b6c8ad666850cd3db

SHA256
98278ddad3f1f6f8c7ce8cb2d1afe050c8a0126d07d25561ac9c96f9642efcae

SHA512
a1468e90f39853ae485ca525ee15e15635d4d5af590296cb0f811f79a94af819e7c7a07efefa2ad756dd13b852b771e143a02d6fc5abb16c559035d99e142b48

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
320KB

MD5
bf2a625574a53629b2ed8dd818e4769d

SHA1
bcb0211955bbe0b950aa9241a8634c3881a952a1

SHA256
cc0abaed10d7880f858b66e85f61462e3c2dcf84f3f7f64b6cdab5dcaaee9527

SHA512
13e8eff5e3939497f2270928678bac6720ffe438d6222ce7c5e9c2948e8f1fed94069ade24148a10e818a464bc6c7ceb09c517db153b133f0540a8dab4b6c5d1

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
320KB

MD5
d5f9463f2d3105004bf3e60539d38612

SHA1
b7295a00339b7e4e985ad195692fea68ed12167e

SHA256
2274ffe80374879cf630b0581688cbf271bf2e756a074539473eea23bc3528b4

SHA512
69b0d2e05278251ae7b31265e6914d4943fd6657641048a5eaf2858c5ec1a163120f248f2b0c69507366bd0f955c8be0c318f807163954c534c2423e4d002758

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
320KB

MD5
11a0c9b06732e3e78af6eeef56419d00

SHA1
8a6378788417b1be749b11a48dbe72a1b3e7cc99

SHA256
156d717ff3dca8a86498229702619298184b9bf86b2afba50c1f6af6b53af8e0

SHA512
5292ed471ced7be2f7a3a1ca350224c630c3ce5e6a41916d813cfa8da70baabf905e8b25719f1bd8e1f68d792056296608132b4241983f9164c25bd1248af588

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
320KB

MD5
93c6809f92f543ff555424d72a7a85a1

SHA1
f4342bfb4757e9f5ba6baba277d7a6439b11ad07

SHA256
6b3f0f6aa4920b51d6bd42c4653a8c73285c55058af0e131df36cb3bbd9b206b

SHA512
91dd223f6e4295007551bfc620d2ef1df987c3eabf21cfc084cedd38f943f8992490d575400a2957137ad484f8e204b34d743fb8a0177133107390111dc2e7ff

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
320KB

MD5
cfadd87e3d93dbf0f989bb7bd92b77ba

SHA1
702321d880153c0a40afc90cf0bb7479e1d85980

SHA256
6d0d22f8a0ff2d8202952af4825c638f29f4f884999c624758835a2f2a083264

SHA512
0f561922dbf056b55d35c6977429ae5ee9607be1eb9c94e485b6de621fa379046624f3ccc09034b4e08b387e09be8cdd2d75f77a0737906527266661191efd6f

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
320KB

MD5
da37ec8f97c1417aa38559fe0a0a847e

SHA1
50aad6261c3eecfe1557b872cd4bc69ba14a573c

SHA256
9971f0b940694d0fe51b41b7ba145b339cb53fef47d3df34a2171c52788b450d

SHA512
889e088c44aa67d284f9b84dc9e3c7e31130d65ad1ff16e31f33abd75725b0e32966e694933d25d5a1e2f5de081db4c0605511afe39d413357f60a9cc0ce00f4

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
320KB

MD5
8adcea59b504895d23cd99f22ae55c45

SHA1
558ab18bc23eb001d20c22d6e75a7cc863a8e4fe

SHA256
b4bc5e7266affb9f2875a7d276d63d410ccf251a0fac030e7d9cf5722f36cfbe

SHA512
9bf5ba16fdd890bf755dc3a5c5c1a6055b00ad726a2420336e34bc13ed020041bc69a50f3a867ed5100817c14b2726ca947351531ac9be05e31db5d75174a529

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
320KB

MD5
949a249e7d6a6e9f6d0e90262249f2fc

SHA1
155339ce3abcda4cb514270bb2707bcc72d63ff5

SHA256
37928a5b155a946437f898a7da5217c54a0157bb80e0cbc5fe730d7a063dc93d

SHA512
19c512e74416a84b3d1ef8e82dd9a6c6d45a885782b563ea421d4ff0f72f243874eda9bcceb4c19cee709bd6de8292e7f5fa54951b5b3a772ebdf7b8fef4cd4c

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
320KB

MD5
e5e1db392d57207b33222d7d283e1e87

SHA1
b27e486eff555019e3f49976009c02ca9f3cb08f

SHA256
f72addd675b3766da77447859713f061b62b9eea9b8e658eceeb6ae89e76fb6e

SHA512
4427447590bb6bf353ebf32cba3a8ff317afc363463e869f015063188159963d3df78b7d8890bf6291466e3670e04981e93a5630a8755327ae6b9911e45174d8

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
320KB

MD5
b92fa8615a706f843ae50d0f72e6cdc0

SHA1
a9670134d9969198ddce9f06774646798f0f3922

SHA256
7223c73f6d9823f73b902866bf3b799e11fa73f950a4f110da9edab156038f84

SHA512
709ef6dabc26184ef46e318382d169cdd5af329c16a72a0ee41bb7b5cb466f998e429a70bac513addc4346068238ba0693e69b7950bf48678678f5c01e833fac

Download Submit
memory/384-136-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/384-235-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/432-234-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/432-143-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/436-243-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/436-64-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/532-225-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/532-216-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/756-119-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/756-237-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/880-224-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1256-248-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1256-8-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1452-96-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1452-239-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1620-71-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1620-242-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1808-152-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1808-233-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1892-241-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1892-79-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1920-47-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1920-245-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2052-228-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2052-192-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3380-168-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3380-231-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3476-230-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3476-176-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3624-227-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3624-200-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3848-229-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3848-184-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3900-31-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3900-247-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4036-226-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4036-208-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4180-240-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4180-88-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4372-160-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4372-232-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4548-20-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4560-29-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4664-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4664-244-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4692-103-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4692-238-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4708-246-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4708-40-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4916-249-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4916-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5060-236-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5060-128-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5072-116-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads