55ae0f102ce2544bbf007a55e06b88cad62be40e89c726494478922198e87978

Analysis

max time kernel
142s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Size

128KB
MD5

140549cfa8703b51a0df50e512f5f7c0
SHA1

34f7f61217d608fab36f55cafec5ca532dc37371
SHA256

55ae0f102ce2544bbf007a55e06b88cad62be40e89c726494478922198e87978
SHA512

a9829b1ed914f89f89acbdccb0721969984d70c8b83a3ba199645c7ee199f283e8a0d6ff01298ca6aceadd8b066445802242c0a8bc4d66269624a150d2a90f88
SSDEEP

3072:Lzum0PZbwtlK2hM/fz3XrmW2wS7IrHrYj:fxeInuXT7mHwMOHm

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe

Malware Dropper & Backdoor - Berbew 31 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0006000000023278-6.dat	family_berbew
behavioral2/files/0x00070000000233f0-14.dat	family_berbew
behavioral2/files/0x00070000000233f2-23.dat	family_berbew
behavioral2/files/0x00070000000233f4-30.dat	family_berbew
behavioral2/files/0x00070000000233f7-38.dat	family_berbew
behavioral2/files/0x00070000000233f9-46.dat	family_berbew
behavioral2/files/0x00070000000233fb-54.dat	family_berbew
behavioral2/files/0x00070000000233fd-62.dat	family_berbew
behavioral2/files/0x00070000000233ff-70.dat	family_berbew
behavioral2/files/0x0007000000023401-78.dat	family_berbew
behavioral2/files/0x0007000000023403-86.dat	family_berbew
behavioral2/files/0x0007000000023405-94.dat	family_berbew
behavioral2/files/0x0007000000023407-102.dat	family_berbew
behavioral2/files/0x0007000000023409-110.dat	family_berbew
behavioral2/files/0x000700000002340b-113.dat	family_berbew
behavioral2/files/0x000700000002340d-126.dat	family_berbew
behavioral2/files/0x000700000002340f-134.dat	family_berbew
behavioral2/files/0x0007000000023411-142.dat	family_berbew
behavioral2/files/0x0007000000023413-150.dat	family_berbew
behavioral2/files/0x0007000000023415-158.dat	family_berbew
behavioral2/files/0x0007000000023417-166.dat	family_berbew
behavioral2/files/0x00080000000233ed-174.dat	family_berbew
behavioral2/files/0x000700000002341a-182.dat	family_berbew
behavioral2/files/0x000700000002341c-190.dat	family_berbew
behavioral2/files/0x000700000002341e-199.dat	family_berbew
behavioral2/files/0x0007000000023420-206.dat	family_berbew
behavioral2/files/0x0007000000023422-214.dat	family_berbew
behavioral2/files/0x0007000000023424-222.dat	family_berbew
behavioral2/files/0x0007000000023426-230.dat	family_berbew
behavioral2/files/0x0007000000023428-238.dat	family_berbew
behavioral2/files/0x000700000002342b-246.dat	family_berbew

Executes dropped EXE 31 IoCs

pid	Process
4944	Lcbiao32.exe
1484	Lilanioo.exe
4012	Laciofpa.exe
3736	Ldaeka32.exe
2576	Ljnnch32.exe
1700	Laefdf32.exe
2032	Lddbqa32.exe
1096	Lknjmkdo.exe
1052	Mpkbebbf.exe
4560	Mciobn32.exe
1752	Mnocof32.exe
4308	Mdiklqhm.exe
4796	Mjeddggd.exe
1964	Mpolqa32.exe
2152	Mgidml32.exe
4908	Maohkd32.exe
1360	Mcpebmkb.exe
1648	Mjjmog32.exe
1292	Mpdelajl.exe
1764	Mgnnhk32.exe
2736	Nnhfee32.exe
4824	Nceonl32.exe
4708	Nklfoi32.exe
540	Nqiogp32.exe
4636	Ncgkcl32.exe
4028	Njacpf32.exe
4880	Nbhkac32.exe
1680	Ngedij32.exe
4036	Njcpee32.exe
4116	Nqmhbpba.exe
2280	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5028	2280	WerFault.exe	115

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 4944	3584	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe	82
PID 3584 wrote to memory of 4944	3584	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe	82
PID 3584 wrote to memory of 4944	3584	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe	82
PID 4944 wrote to memory of 1484	4944	Lcbiao32.exe	83
PID 4944 wrote to memory of 1484	4944	Lcbiao32.exe	83
PID 4944 wrote to memory of 1484	4944	Lcbiao32.exe	83
PID 1484 wrote to memory of 4012	1484	Lilanioo.exe	84
PID 1484 wrote to memory of 4012	1484	Lilanioo.exe	84
PID 1484 wrote to memory of 4012	1484	Lilanioo.exe	84
PID 4012 wrote to memory of 3736	4012	Laciofpa.exe	85
PID 4012 wrote to memory of 3736	4012	Laciofpa.exe	85
PID 4012 wrote to memory of 3736	4012	Laciofpa.exe	85
PID 3736 wrote to memory of 2576	3736	Ldaeka32.exe	86
PID 3736 wrote to memory of 2576	3736	Ldaeka32.exe	86
PID 3736 wrote to memory of 2576	3736	Ldaeka32.exe	86
PID 2576 wrote to memory of 1700	2576	Ljnnch32.exe	87
PID 2576 wrote to memory of 1700	2576	Ljnnch32.exe	87
PID 2576 wrote to memory of 1700	2576	Ljnnch32.exe	87
PID 1700 wrote to memory of 2032	1700	Laefdf32.exe	88
PID 1700 wrote to memory of 2032	1700	Laefdf32.exe	88
PID 1700 wrote to memory of 2032	1700	Laefdf32.exe	88
PID 2032 wrote to memory of 1096	2032	Lddbqa32.exe	89
PID 2032 wrote to memory of 1096	2032	Lddbqa32.exe	89
PID 2032 wrote to memory of 1096	2032	Lddbqa32.exe	89
PID 1096 wrote to memory of 1052	1096	Lknjmkdo.exe	90
PID 1096 wrote to memory of 1052	1096	Lknjmkdo.exe	90
PID 1096 wrote to memory of 1052	1096	Lknjmkdo.exe	90
PID 1052 wrote to memory of 4560	1052	Mpkbebbf.exe	91
PID 1052 wrote to memory of 4560	1052	Mpkbebbf.exe	91
PID 1052 wrote to memory of 4560	1052	Mpkbebbf.exe	91
PID 4560 wrote to memory of 1752	4560	Mciobn32.exe	92
PID 4560 wrote to memory of 1752	4560	Mciobn32.exe	92
PID 4560 wrote to memory of 1752	4560	Mciobn32.exe	92
PID 1752 wrote to memory of 4308	1752	Mnocof32.exe	93
PID 1752 wrote to memory of 4308	1752	Mnocof32.exe	93
PID 1752 wrote to memory of 4308	1752	Mnocof32.exe	93
PID 4308 wrote to memory of 4796	4308	Mdiklqhm.exe	94
PID 4308 wrote to memory of 4796	4308	Mdiklqhm.exe	94
PID 4308 wrote to memory of 4796	4308	Mdiklqhm.exe	94
PID 4796 wrote to memory of 1964	4796	Mjeddggd.exe	96
PID 4796 wrote to memory of 1964	4796	Mjeddggd.exe	96
PID 4796 wrote to memory of 1964	4796	Mjeddggd.exe	96
PID 1964 wrote to memory of 2152	1964	Mpolqa32.exe	97
PID 1964 wrote to memory of 2152	1964	Mpolqa32.exe	97
PID 1964 wrote to memory of 2152	1964	Mpolqa32.exe	97
PID 2152 wrote to memory of 4908	2152	Mgidml32.exe	98
PID 2152 wrote to memory of 4908	2152	Mgidml32.exe	98
PID 2152 wrote to memory of 4908	2152	Mgidml32.exe	98
PID 4908 wrote to memory of 1360	4908	Maohkd32.exe	99
PID 4908 wrote to memory of 1360	4908	Maohkd32.exe	99
PID 4908 wrote to memory of 1360	4908	Maohkd32.exe	99
PID 1360 wrote to memory of 1648	1360	Mcpebmkb.exe	101
PID 1360 wrote to memory of 1648	1360	Mcpebmkb.exe	101
PID 1360 wrote to memory of 1648	1360	Mcpebmkb.exe	101
PID 1648 wrote to memory of 1292	1648	Mjjmog32.exe	102
PID 1648 wrote to memory of 1292	1648	Mjjmog32.exe	102
PID 1648 wrote to memory of 1292	1648	Mjjmog32.exe	102
PID 1292 wrote to memory of 1764	1292	Mpdelajl.exe	103
PID 1292 wrote to memory of 1764	1292	Mpdelajl.exe	103
PID 1292 wrote to memory of 1764	1292	Mpdelajl.exe	103
PID 1764 wrote to memory of 2736	1764	Mgnnhk32.exe	104
PID 1764 wrote to memory of 2736	1764	Mgnnhk32.exe	104
PID 1764 wrote to memory of 2736	1764	Mgnnhk32.exe	104
PID 2736 wrote to memory of 4824	2736	Nnhfee32.exe	106

C:\Users\Admin\AppData\Local\Temp\140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\SysWOW64\Lcbiao32.exe
  C:\Windows\system32\Lcbiao32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\SysWOW64\Lilanioo.exe
    C:\Windows\system32\Lilanioo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\Laciofpa.exe
      C:\Windows\system32\Laciofpa.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
      - C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        32⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 420
        33⤵
        Program crash
        
        PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2280 -ip 2280
1⤵
PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gefncbmc.dll

Filesize
7KB

MD5
560938cb14909d37828b655a3387dcf6

SHA1
f82cc091591c9c0476258afe59d83c3babd9807d

SHA256
77033ddcef8a328345bddd8ff3b4c218e3dd367d222f6db87340ac40621ba986

SHA512
b2c7179d96f4aeb433cdf6e3b5fb5bcf142e1da5904a153a2be5afe072eafc3c90b79af87dfcb998031a297814983f55b00f22b275ab604175a4161044192e5e

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
128KB

MD5
be78d7dfb1255c86c539e4733b659624

SHA1
2f7a6e815079f13d065c8d99e241ed1389286ff7

SHA256
80eac5ce451b1019c5bc89606d99d49a06f19a638997cc5bef9834211d258b88

SHA512
8afeb09842c6133952d77f9c4d77df53cb0d46ca03beaa91fee8dfeb8ff007bea96996e5fcfd46e6b5b06b9802a14cbd92c300c08b57cbfef872504004cac2dc

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
128KB

MD5
ccd217e411b81a7392ceec5f89239e31

SHA1
103922051722f1f1c2ade53fb2ad9057dad44e60

SHA256
18e7196797ca19a809915bde15fc9921a19e14aba6bc625e9e6da0fd10eac308

SHA512
787f759e1d77752788a4f8061a8311aed3999af4e5888250a65446cc9a7098746051ea2efe86fab6d0e09747e05ede1853442c07003984a391857e1498593495

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
128KB

MD5
50cfef14f2e6cd6a1af083b8c0389a60

SHA1
9e9b468fddf69bd9bcd92319c838afb50cb4bd6b

SHA256
b11c6471919e0f767ac43090ba2c3c7cab1e9a606a9db726ee495afdee14907e

SHA512
395c6fb1a6378917475a9476568de0d17d8d756f320a8f4e18e345f39029b269b99781f4beaef4762b0d12749f14883a2cc677099d146d42e9c2689775b54839

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
128KB

MD5
f6f1d21b7051f26aecc675dba8fe125c

SHA1
fe6174e76c6dba4d493b30c087f458f0d94f9466

SHA256
8d978d59d1e3ea39b279b75c05725d80290327f8d3de5307fabb346cfd6bef2f

SHA512
35eb7c87370f8cfe335f7af648727cdc4b62a740d9a237ca1c04f7bda875dd3f892f28335319822f1c9bceefe0d20fdda1c4c11fa81aed0bee19cf23dafa33cd

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
128KB

MD5
92f65a26ce489c1e72b85f2f58cdbaaf

SHA1
2acffdb000925b52b309016664637fcbe52d64fd

SHA256
f7fb9e6ae6815666a29109f61a54dd9c9a65cf83dd18da84775d4822a77cfb77

SHA512
9d3e51ee96db6cf55ef2d674d75ce5f1383edd813b2f076575204471eb64341d76cca9b9463d8b22036b15f626faa591328ca48153760603bb661934dd4525bf

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
128KB

MD5
cc1ca6b1b7d043c7aa195b3b6b01234e

SHA1
2442b65e9da4253603273282674fa1b72214ac7b

SHA256
81e264c0e26796ebcf98616b4a50c0afbc35bb96ffa74db57d2058d13cc29aee

SHA512
33d01605631ce605f8c144a854876710d6dbb1a7c7a178fe3b37fc214bef32781399713cd9e9037d5cc705f1e342a44927df37ee36e16d07b773db492b86a7c3

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
128KB

MD5
21db0a5fc70847bc1b4e9872580df828

SHA1
c6c7bf921cc7a176d59f560b29d94ff9449b4a46

SHA256
e472f0ee07c63e401f0897581f5dbe50d056b7f2e5cae9117ff2301a57721f14

SHA512
7d1b5ecff83de2edbc50060148d86b4c4640a45fed0125a2f5c3122abf75346804bd973648e5c321a125d35a0b57e7576b4769c14d0dfad0122d673f5cf8f1c1

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
128KB

MD5
be1089c48337200cc1871d66622b7768

SHA1
6d29ffd6d4fe15d4857d76d6859c888d88a29840

SHA256
0be7befec1b724a26c4c4d53185ec3955a611f93b683044ea3337c519587cdc9

SHA512
e2d803d582efbeb1b2d1f244cd16a4a322ca79ed5c9002377df914f7e5013e5377ca4284b42f11cbec010da8d92be17402e447f877b4d3bf70bdbb7fd90fddeb

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
128KB

MD5
41bc77359ee39a8df6d77f43a2002cd1

SHA1
8f47b9c196f328e96e1cc56920907fd20bc758a9

SHA256
47ef211638f64ea1c885675ec1db300d36becc78ff3bff0d7bb6f72a634d350c

SHA512
882c1f45ff34df287cf29c2c19a32358ac29a14ac186bd38c67e5fc005097403858943d3728b02022a4368af963bc2f85016ab8b3f918aa84cbf54ca4d0dc85f

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
128KB

MD5
e24b9bd3302b1068f9d2e0ab5ceb424c

SHA1
fc73dcc401988e2314b4775f71c4a1a733f3e683

SHA256
7c3e3a8c81f59fb68dc290b0931c9f600384b48473c9a33485e721fb337ba188

SHA512
643631ef81152c737fe2355631d4a8fbd81f8725b0663cd26be38f23c8016ae76353cc949bd500ef7a5c7fa06905710311325ba4c4e9a80288be3727f800d3be

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
128KB

MD5
721665dff14ce7bb729bb1c5c4a38131

SHA1
3213a0769469415b76148b379f85ee3cf2272055

SHA256
0b01c6ead42c81f130dea12bac58b5810b89429c3d0a52264e9ddf3c3526c7dd

SHA512
e984cf803c2abb85c71f4a4bb78580734f6635d423d9cc0aa074339829b68b89f5d2b2678ca869434f4b175d6a8e4c2bbf3786bbc0e0e1d8625ae3cb1507d69c

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
128KB

MD5
c6247b011b77c2f1169d93155503f0ce

SHA1
6b200f04e1010e3bff07979225b868642ebeee21

SHA256
d2a9e6cd0812c5b32ca2ea9c243507ab3132f3f1874fe1c800b28c8559ddc17b

SHA512
647482150168f2210d84b7feb4f142983b810c855ef7f6324fa1b156d03386c0a38dca2790d328eb9ff15f16b57c08d8823a901a81a6b3983d1daafa891e9e1e

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
128KB

MD5
dcddd703d89602a878127ddf6fda0280

SHA1
2c88beeb39250c7fc9fad84fdf24e4d5c478dc79

SHA256
078f25687ec8b771e96ad033a4a31def6cc9de67ab739de343e561c6d6470141

SHA512
99eccca5ea641ded766b6ffeb882221c244fd93296eb0c19f1235840505bf059378b7dd10c0a3ba4d36e64791590da363a2d606231a84e0d66aefe497a37d6b6

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
128KB

MD5
925d2135f7e2a2f2cd26cf27130656e6

SHA1
57aa2c82f9cc40db02841c78535f9c970b36b822

SHA256
d5074fcccebe76c8bccd94f2bc03dd888754735b435904a596d13a9ec06ed376

SHA512
be73d9aca870bfa19c76edf8421ee70f9d3ab4d4e0281f94da2556a50d449e363acc95fb41a7f1e5cefc3856b478e118e562f4f894efcf9c742b5ffe90827cc6

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
128KB

MD5
0505bd2c81ec34f7c6a0b04c28e34fd2

SHA1
b96a390654e3340bce23ad9385fb68f3b750d1a7

SHA256
3a69ef94aaf916e38647cd226de44d8b838e893a155fe81133b67a20c6837695

SHA512
c24e1213d521f8ff2ec64a16f364bc9feaea19250509f1d7edc9d3e561165b0af15768c6654a6e2a02d46102cb45f1d1046e1dbaa5670a44d6152a59fde96a55

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
128KB

MD5
28fbd3e10bd767b9b571b2c1bb7b41a6

SHA1
ed3826e72e06bfd3da7a8ab8aaabd7f5b391a149

SHA256
637adc766d1f6c7bc87c5d28055d428d197313fa827be590bfa58db84f79b8c2

SHA512
bc14e78865c45c1b38432b41bbb0a87e9c0052229c7d158957e9855329143658fa17b0e63d021977cecb22c0b81dc20d79d717af96996b8be339e2ebe53105f7

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
128KB

MD5
23563264af4afecb3826e2c2d9774198

SHA1
c737ff9c220909c46c1741757a10af6d239d91da

SHA256
664e6ac250e50a3a1950c4497517e1dc170c62cb74ed97db1695a7d985206563

SHA512
f61bf13b7fde65cfb1901cd694166757558a8b8318df29e3a9c6a5f3b4193207c42c2fdf3ad58ab72846475b8e48ba925cd024e7ee853df339243a80d0c8dbe3

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
128KB

MD5
d5f03f597f87972e6f15b5ebb5e9c63c

SHA1
de69adaa8f8e5f3340714910eea9ae1a298c1aae

SHA256
b54725cc0aa909ec795df7a2167023ca5548ae530bb46ddf0626478139372df8

SHA512
5a244ce9c94c1e085b6e91bfa5e723548e61afba5af2ff39ad9b7811f54e560281cd764155885bb60e032644ed65c9ec93974214c97baf22f63a6272686485a0

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
128KB

MD5
5737031e3ac4edf6b4f55983d1a821c1

SHA1
28934b87d8de90adbf47d59d2bafc3264524397b

SHA256
8b567c93b5a64f6f022c9651521bf722d0bbd61719bd4058f16874b63e31e644

SHA512
c34ab03128dec17e90bee602097c2c7fc825c5b07af9b3f33912fa1640923191bb586b8e10bb22b240653e198ecb42dc81764edcc34eb978b4aafc75fbe0aacf

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
128KB

MD5
0897b014cfa6f1be1e15c2734ccfc8e8

SHA1
d458ebacf6cc3bd9c327b21f365409af1b607ec3

SHA256
73dc5be1d4d7b9b5e616d7f4ae1bbb81f9f263be318121cc90ccca6e3e0f30b2

SHA512
1c480aa12216d63e7b9ca5dc283f245ca4d471adc5175742a8a1e1bc6d16db69fc56d302604683e97670b7b13a5a2ad84f6592d2c7b43b33e605c4d9865d86fe

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
128KB

MD5
fa9f8dedaa793b601b38b90da4aee600

SHA1
4dde3e7c266c37f8c66e63cbcc8c44df88224bba

SHA256
07a6c4f09f1337e40376081410bd042ad9eabe81999c426908aa9e5b416156c1

SHA512
2d3328f5f0c99ff413550b0e0b5e9d516028957e0bda48bc7da93d727c88fe1bb57d3ad3e03f116c1bd44b31afafdeb97fc42cf3191ddbfc682904496247723c

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
128KB

MD5
6ae42a8da04e51ec655e37a0f32d1395

SHA1
a374825e1be1231ef89c50d41f6cfcd58bf8e4cc

SHA256
231687963c78feaad4dcedd58aadb864a49ca0953f690e01d66e4dcbcadedc95

SHA512
418c5811c90db39841851a14656315a615c78540093913283e8280508aa664a13c9d916326b4bf2f827941256c92d5429f76ec768838665415c1c1c91015316c

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
128KB

MD5
928624c86e4aecfa8836791bf79579c2

SHA1
9b8522ed6cbf1b891517fbbaadff8926ad570414

SHA256
f72b9b225e860ad6fb42b604c3600e5f0fcd1c5548fe1e849a267fdae2403c6c

SHA512
e72cd5ac83a2f60d25e1806ba393b2eca592f98c076c6630008f42bcc1b80e954e91c24dd7e721bc0ebeafbccd46cda30acb288a2bc823c85f982ef1cad9af4f

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
128KB

MD5
393d99737f49be119f70a26128868c01

SHA1
860d95827027f64442156b793f8e732624bbae3a

SHA256
71b30c4d16e7b3fe9926a3d761636a3895a3c87572f445aac6d92fe72d9019d5

SHA512
6c9df8c32f0dd82fa923878d76a3656a84f438b23da85f7268819c9c275c32794cf4f64ba827a7b031e04c6d92f55c6ee5ea358d7a8e4b56990a7fce1dfcd91d

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
128KB

MD5
a9b5f169af967e555a0a40c10e9bc15e

SHA1
9490e821c20c42bbe0f843653cea6b10f4d44a47

SHA256
20d0b383d47c1e537030a663148608df4772582e6ae5787e84f9769f0ff04ecd

SHA512
9e7c39d9070966f7408912adf6f663cef43bc4c59abbceefa70828630d49de79b8a32a2df4e4fcbc9c43db2f795df41bb5737091a2db686871e994f7e5e7604d

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
128KB

MD5
845ce54c0e257d469e5e09b99c9b258c

SHA1
da0400ba56419a7dc9b1cf6b91243bbe7a2e5b37

SHA256
42c2dd322b8e7fc9e96a07d70b6b80f0e9a1d77d803f6a9727e64e1cc47b0ab0

SHA512
9a1686219ae6807487c31a07f677d250eb210e574bfd0478d2c1ef19531efcf49bb03f784634019ebc745f52bc24c473c28425eecbb1decfecfcbb0354a250ca

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
128KB

MD5
42b68b600ac03bfb9e03b001709cf844

SHA1
f1c9f65678731bf9e80e88f8ab10309e9b59887c

SHA256
198dcbc1030c4a48bf5b4ae60b308d92caa00b2d557f37bf96c17f903bc3e90e

SHA512
fd2734eb98868092fdbf4f052c1ab20fccd0e99c64098b4a592eb2792f285c278e79a14deb17ed8a98b6e2406442f8ebc8e96169e7b5fb16a1a19ddeee51fec0

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
128KB

MD5
934d03b39e0243c1e2803fd7c8a4b57e

SHA1
8f0648038cf6f1a0864b107a1de2c411010347c0

SHA256
5e621fe4c9d6b18c2c213cc7e8e4daed118c03333071634c317f457994fef8b3

SHA512
720ce5b29b73522daa44bade201ca45c6f2d4f2babda094e506f373ecb75577c0cdf62756306f7380c39a869bc1dad39782f78cdd745c2eaf3b99ca04e45b33f

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
128KB

MD5
38d926c7689d158848902a8c735b1b1b

SHA1
09520da0458d1824870ed47704fe991d65bc5a3d

SHA256
e9fb24ce02a61267e16286259ff84399016622a47a601cfd29e87f670b65f3ef

SHA512
ec11fdc581d8a493f0e0c1f5213b16b52c7afcdb997fa876c2d2fc2520e3f8c63aac107431edd987fc9f53e03f91edaa171f2c8ba2c48dd94f0e98128d938813

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
128KB

MD5
7e6637bf434d65ae14759730988dc232

SHA1
61256574d2303655c4042f22c78f009fb9457697

SHA256
9169786f6bfaec9a240dc0fd1bdf6bec66fa56500bc78a4eef11e228748fec69

SHA512
942a954b3232cc1ca63614ef3b123543f07d8ce19177b31d5be06e4f0cb99ad84315ad0f4e2410a1a485deb5ba4317811de25f67dee0b39e0c864928de1c8db6

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
128KB

MD5
04ec5726c2d7fbbf28ddb5ad5ab3cbb8

SHA1
af3c706d2ec0e26698130058402e997ec242c359

SHA256
e780297f89e80b3ecce5656abe9f24fdaac6f4d5391a59cb13f6b685d11c88b6

SHA512
3cd8f23eedba1e3a64a0a7d8b876c63a61240912f668b775629fc107d430caf1eb34fea52a95ec1b0d4b9b5cb2e8d565f5ea3fb250aee7316317e89f80497fa8

Download Submit
memory/540-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1096-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1096-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1292-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1292-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1360-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1360-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1700-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1700-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1752-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1752-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1764-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1764-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1964-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1964-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2032-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2032-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2152-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2152-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4028-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4308-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4308-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4708-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4708-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads