1cbd39f6dfd0503f79acbf2ca5c4b33457d4b22ef4fa8368f328c4cc6a5092be

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f4e5253ed297876c054fd6c7acc98d0_NeikiAnalytics.exe
Size

99KB
MD5

5f4e5253ed297876c054fd6c7acc98d0
SHA1

7bbb8ac53b4f4442288f9b8692bc9603b2d51682
SHA256

1cbd39f6dfd0503f79acbf2ca5c4b33457d4b22ef4fa8368f328c4cc6a5092be
SHA512

b437213150b96991acf9c5bf8e19f98389437a1e8ad20ab6cbf812fa6b1730fd0c366bfc8c9ba0af03f9030aa56d4e3aed7c9edcfdb423517dfcab0b53bfa82e
SSDEEP

1536:A+Xu8dbuAqaZTSqNrYgmOtppbGcRQy7mRvwtycORTRQ6mRQQRRQjGmZrhAVK5:ANmbu0fppbGceyqpwoTRBmDRGGurhUI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	5f4e5253ed297876c054fd6c7acc98d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5f4e5253ed297876c054fd6c7acc98d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkbchk32.exe

Executes dropped EXE 35 IoCs

pid	Process
1384	Kdhbec32.exe
3648	Kgfoan32.exe
3044	Lmqgnhmp.exe
1820	Ldkojb32.exe
428	Lgikfn32.exe
3524	Lkdggmlj.exe
5008	Liggbi32.exe
1936	Laopdgcg.exe
1884	Lnepih32.exe
4828	Lpcmec32.exe
4704	Lcbiao32.exe
2032	Lkiqbl32.exe
1840	Lnhmng32.exe
2240	Ljnnch32.exe
3728	Lphfpbdi.exe
3892	Lgbnmm32.exe
1708	Mahbje32.exe
2036	Mdfofakp.exe
404	Mnocof32.exe
3388	Mcklgm32.exe
1564	Mkbchk32.exe
3788	Mcnhmm32.exe
4500	Mncmjfmk.exe
3548	Mdmegp32.exe
3740	Mnfipekh.exe
1872	Mdpalp32.exe
2472	Mgnnhk32.exe
4840	Nqfbaq32.exe
3836	Nklfoi32.exe
3380	Nafokcol.exe
4420	Ncgkcl32.exe
2308	Nbhkac32.exe
3956	Nkqpjidj.exe
1640	Ndidbn32.exe
2820	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	5f4e5253ed297876c054fd6c7acc98d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mnocof32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3520	2820	WerFault.exe	119

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5f4e5253ed297876c054fd6c7acc98d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	5f4e5253ed297876c054fd6c7acc98d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	5f4e5253ed297876c054fd6c7acc98d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdmegp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 1384	372	5f4e5253ed297876c054fd6c7acc98d0_NeikiAnalytics.exe	82
PID 372 wrote to memory of 1384	372	5f4e5253ed297876c054fd6c7acc98d0_NeikiAnalytics.exe	82
PID 372 wrote to memory of 1384	372	5f4e5253ed297876c054fd6c7acc98d0_NeikiAnalytics.exe	82
PID 1384 wrote to memory of 3648	1384	Kdhbec32.exe	83
PID 1384 wrote to memory of 3648	1384	Kdhbec32.exe	83
PID 1384 wrote to memory of 3648	1384	Kdhbec32.exe	83
PID 3648 wrote to memory of 3044	3648	Kgfoan32.exe	84
PID 3648 wrote to memory of 3044	3648	Kgfoan32.exe	84
PID 3648 wrote to memory of 3044	3648	Kgfoan32.exe	84
PID 3044 wrote to memory of 1820	3044	Lmqgnhmp.exe	85
PID 3044 wrote to memory of 1820	3044	Lmqgnhmp.exe	85
PID 3044 wrote to memory of 1820	3044	Lmqgnhmp.exe	85
PID 1820 wrote to memory of 428	1820	Ldkojb32.exe	86
PID 1820 wrote to memory of 428	1820	Ldkojb32.exe	86
PID 1820 wrote to memory of 428	1820	Ldkojb32.exe	86
PID 428 wrote to memory of 3524	428	Lgikfn32.exe	87
PID 428 wrote to memory of 3524	428	Lgikfn32.exe	87
PID 428 wrote to memory of 3524	428	Lgikfn32.exe	87
PID 3524 wrote to memory of 5008	3524	Lkdggmlj.exe	88
PID 3524 wrote to memory of 5008	3524	Lkdggmlj.exe	88
PID 3524 wrote to memory of 5008	3524	Lkdggmlj.exe	88
PID 5008 wrote to memory of 1936	5008	Liggbi32.exe	89
PID 5008 wrote to memory of 1936	5008	Liggbi32.exe	89
PID 5008 wrote to memory of 1936	5008	Liggbi32.exe	89
PID 1936 wrote to memory of 1884	1936	Laopdgcg.exe	90
PID 1936 wrote to memory of 1884	1936	Laopdgcg.exe	90
PID 1936 wrote to memory of 1884	1936	Laopdgcg.exe	90
PID 1884 wrote to memory of 4828	1884	Lnepih32.exe	91
PID 1884 wrote to memory of 4828	1884	Lnepih32.exe	91
PID 1884 wrote to memory of 4828	1884	Lnepih32.exe	91
PID 4828 wrote to memory of 4704	4828	Lpcmec32.exe	92
PID 4828 wrote to memory of 4704	4828	Lpcmec32.exe	92
PID 4828 wrote to memory of 4704	4828	Lpcmec32.exe	92
PID 4704 wrote to memory of 2032	4704	Lcbiao32.exe	94
PID 4704 wrote to memory of 2032	4704	Lcbiao32.exe	94
PID 4704 wrote to memory of 2032	4704	Lcbiao32.exe	94
PID 2032 wrote to memory of 1840	2032	Lkiqbl32.exe	95
PID 2032 wrote to memory of 1840	2032	Lkiqbl32.exe	95
PID 2032 wrote to memory of 1840	2032	Lkiqbl32.exe	95
PID 1840 wrote to memory of 2240	1840	Lnhmng32.exe	96
PID 1840 wrote to memory of 2240	1840	Lnhmng32.exe	96
PID 1840 wrote to memory of 2240	1840	Lnhmng32.exe	96
PID 2240 wrote to memory of 3728	2240	Ljnnch32.exe	97
PID 2240 wrote to memory of 3728	2240	Ljnnch32.exe	97
PID 2240 wrote to memory of 3728	2240	Ljnnch32.exe	97
PID 3728 wrote to memory of 3892	3728	Lphfpbdi.exe	98
PID 3728 wrote to memory of 3892	3728	Lphfpbdi.exe	98
PID 3728 wrote to memory of 3892	3728	Lphfpbdi.exe	98
PID 3892 wrote to memory of 1708	3892	Lgbnmm32.exe	100
PID 3892 wrote to memory of 1708	3892	Lgbnmm32.exe	100
PID 3892 wrote to memory of 1708	3892	Lgbnmm32.exe	100
PID 1708 wrote to memory of 2036	1708	Mahbje32.exe	101
PID 1708 wrote to memory of 2036	1708	Mahbje32.exe	101
PID 1708 wrote to memory of 2036	1708	Mahbje32.exe	101
PID 2036 wrote to memory of 404	2036	Mdfofakp.exe	102
PID 2036 wrote to memory of 404	2036	Mdfofakp.exe	102
PID 2036 wrote to memory of 404	2036	Mdfofakp.exe	102
PID 404 wrote to memory of 3388	404	Mnocof32.exe	103
PID 404 wrote to memory of 3388	404	Mnocof32.exe	103
PID 404 wrote to memory of 3388	404	Mnocof32.exe	103
PID 3388 wrote to memory of 1564	3388	Mcklgm32.exe	104
PID 3388 wrote to memory of 1564	3388	Mcklgm32.exe	104
PID 3388 wrote to memory of 1564	3388	Mcklgm32.exe	104
PID 1564 wrote to memory of 3788	1564	Mkbchk32.exe	106

C:\Users\Admin\AppData\Local\Temp\5f4e5253ed297876c054fd6c7acc98d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f4e5253ed297876c054fd6c7acc98d0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\SysWOW64\Kdhbec32.exe
  C:\Windows\system32\Kdhbec32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SysWOW64\Kgfoan32.exe
    C:\Windows\system32\Kgfoan32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\SysWOW64\Lmqgnhmp.exe
      C:\Windows\system32\Lmqgnhmp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
      - C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        36⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 420
        37⤵
        Program crash
        
        PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2820 -ip 2820
1⤵
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dnkdikig.dll

Filesize
7KB

MD5
88e5d84f9e7928fd60a4bc098c29c508

SHA1
4c03a7ee97bb4d2ceced7d4f231c2a7a60513ea8

SHA256
f36409d3eabc018ffc7c6810d1231ec1c69f4a32a97dff046adfeadb9a15131c

SHA512
bd82a644fbf7e0f8ee5bb3a7155e5b9dd299fea958737d24f90971f3de16f290baae24dc6b41680304672c69b9135540d002e78682f7c7036c7f29edbad64e7a

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
99KB

MD5
b0beb2934e51a8edced3e3861c9a8ad4

SHA1
925497f76af2dca631bcc849e0719015521a9b82

SHA256
51e8e5969057939fab534940741cd22163761f76a9059b57accce8c5b503735d

SHA512
54a20c23bd171c39691cc6c4928d9501c559735c02f76830e472be7582b7842cae99c982b63fae40c57361c3780ec3e1e4bf604a6bd5547d33226e7ef3c1b548

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
99KB

MD5
a80c4c7f8996241f22a16671b340c017

SHA1
54184b29dd1f75181c1513c8124b86f4ff9e8464

SHA256
7a87325decf5c911cf537007865947ce37cf46117542ed3b858db9d90453273f

SHA512
a5fc52853b9b52219a401d88740c2fe17911ef9838dc12d84e47d152273eec56df06028bc8562ce46a17e2e06ce6a002fa4a0a6170067d0474c65487ff14707b

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
99KB

MD5
e0b9702142b6b1dbbf96fb7f72db6b7e

SHA1
bc0797d3a5af69deaa15167da64e4f7cbf8536d4

SHA256
b54341c581578a26e9ff094c44b159ff481e7c8c4c9dd5bec9e245001fbe2895

SHA512
6fc25f4ba8ad74a2cac58b253789251aa7a7c21cea46cf4a06d2cf93322cf3ca620929b9e26fc3bbacf9ad2b62f4d2b474558f6f94450577c174bb08bf9beb23

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
99KB

MD5
db1a3083f8199b7061488180223451c1

SHA1
806b492cdf5752416d2e2a8997e1e714c4f1a89a

SHA256
ba4655216db0f7bb1e442409a25217c0b4336b340987d79be18d112e3e5cedfa

SHA512
aaf7719db56033aeb8f1df8f182a59e4dec8d1516a6238b16216978ac55801bc2229deba5ba4e0678027cb3e6f6114272c72612899f973504c13b9908186a5b3

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
99KB

MD5
8e16283690788a26f26ac227246f93db

SHA1
ad8b274f2525b836755eec0ccd0825d4f6b7101f

SHA256
5f433fde588a9572d11e12bff56e2ce30dd7f2ce5f86d4dc195c24995cfe429f

SHA512
12a0fc4d906a8cac4944cf972f42e0f383d6366a76f5c6ca2c8b665c5dbdd6059e977573c96f85ff0e523b4f03a68844a35d593babf814dfb009094bc119c719

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
99KB

MD5
e171c27bc1196d3066bed09d976843c0

SHA1
ad3fc72e5806cbfbe937d0a6997fcfb4394d1786

SHA256
3c7372ab52d4b4cb84316ab8594fb682427ed3be493640e784853aad3c993d6a

SHA512
4f72e928c4219860369e85f49043e915ff677fe6b34efb00226c94aa14260fc87e91be915b33fdbccf85209852a89835d52392431066f636eabb5c5492316a68

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
99KB

MD5
d3366a0c8863122af5aca9a30e2da220

SHA1
2406f41ef76b50d5b598df6b7f2aec1359e2fc31

SHA256
387082362b55c218063f6aece342f6ec003e31087bf3c781b378f96b032d5966

SHA512
1d538fdc3031beab345602d97499ea045edf5c2892773c280a4c81b9176af348d4a3c2fa9619858e4643f57314b3b542871d07c0bcbe26f02d4f21a637efa16f

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
99KB

MD5
2aea70dbb3ff38f37e39be50d075b8d5

SHA1
df042fe1bad4b727469b581f433b421144ecb276

SHA256
34ba31e8f92526d1afe54f26d3c45d1a030db3bc6207f4ba596342b99e0750ed

SHA512
e2b2781049d374d877c592254d64814866a8bb49fe97a42cb3ea052cf7f2ed0d14cc027c66a5070abcc14c65ca60ffe7e8a7036ef3e47e70f6b8e3417a1e933b

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
99KB

MD5
5a0b01712b09895c5b987d15ee4e20e6

SHA1
0bb33cdec8573577174291f968cf82bad62ab8db

SHA256
6acc2927b7cfd99727c920873fb9d726f0de600804ea00a096708e4a5d14d449

SHA512
c2e8a2d11ac5886d114eda00deaa9e80dd77f835d791ebd17621f2a7166e0019cadf697a34a109d4fa058eb5c23247a65794b68282cc9685ada03177a6108c91

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
99KB

MD5
c4d7f15a49156f7fe689b746d32932bc

SHA1
cac77dd47d68956d78abc9f3b60cd1d82f309b10

SHA256
4a6db310db71aac8a5b018186e186a85cd07b9987107898f7978673344ac2efa

SHA512
d7ce8a8d10a421caf82b858409391a943e6203f97df158922e5fead23c53e1aa628195efb5e29589c7e96a6ba9bdcfc7d48df08ec8fc93b1614e453d7e587616

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
99KB

MD5
0d94897b946deef159e57b442bb26587

SHA1
e50a323eef3eee79391d4e8cccdba7191eb59260

SHA256
358e45c025bd62b7df5aca17ab1426e2c1768e52b16bf42c27a6f22658d7bd0f

SHA512
70e7d1dd4fa042fdb17eadef92c1ca5dcfe46210d97fe5ebf79d49a6c0e203b8337a878ec3cdb684a1160199c289179b04218af568349981d31b5622e983ac62

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
99KB

MD5
ac19f0b0c551357fa1d761d29c49c783

SHA1
e8210c22353a99683a95e066e2196185385cad67

SHA256
5b44c1936921a90fc1f57ee3834d51625ae665b6e79c5b72e277073e8a42a74d

SHA512
84f6c9918684f4870ec54107d4b7a0e0d16cf5347cca0d8410096a1748ece5c71f9516ce23891678412c0f73be2763419fb928e4adaeb2fc2678459d32b6e0d9

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
99KB

MD5
01842a985880c6454e026ba8e91d3707

SHA1
411826f25bab57c5bfc91d7591e50d8810ee919e

SHA256
3fa198fa2159574b983335b765752504457f87f62d64c923789087c7e74b6635

SHA512
a5d1c8fe05016978c789c0e9dd28ec4e890ac54464b53629030a1edfb2cc0e6f18734a23df171c7a87f4becb50fc5f51fd01ac17c9a17bc45091c83afc4d853f

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
99KB

MD5
45adacb7c545fc20fd120040bb613051

SHA1
3c990686b25ddb55badab6445d824c27cd1c8446

SHA256
f016b1891ff1b5fc80324dbf2335f15c7db50484d5c879317343a3e182007326

SHA512
7f60cb148203a7d2f159a524c88b69a88ec2bf2464d83073bb3186c9a5fe95451d10653a81eb8869a41d0bd83a517fd18a4eeecfc6b4b05d48c0e835e374bc03

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
99KB

MD5
45c48d94b8650b198bbb5b3d0d8879b1

SHA1
a4382e786e0cffcb7d90e7c8caa9403ab24708b4

SHA256
54ff9c2271127b6e5d71d9170b99d3d452f8ecdd655c38a01dd975ce0271429a

SHA512
d08719c0ac21ccb526feee72732f81b245e7265de68ff6f48cd23b13e54aba5eb802522cf1342280c472631b1292c1864f4ca498f224a5eb46d74a44d78d5d79

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
99KB

MD5
104218c82858835c11139d21f6e1ebdd

SHA1
17bd5db41b96286790bd935617f4273b4f8c5842

SHA256
a4b3b24278943a128d3cc876d68baa002f226ead1d36f3e409a0f23ca46843d3

SHA512
c119a4e98c0e30cbb0f74b1c72384aa97146f9265fc98102464bc2ce7a31ccf8002fb6d3b88982b7445c62ce2cf6ce6d58a28ae4a7ec0027d70e7ede35288bef

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
99KB

MD5
1c69ec368e006b7d890c46d64da1853b

SHA1
9b578de3b7d40f90ab523670ffcc35a0cbc573a2

SHA256
ea1ae78b71413209903851e637b161c46ae3d0b0eebe88b46428bfc3b53f2770

SHA512
7a843ea2a61a324ce00cef1c04885231b8023feac00cd2ea8a48f6eb603b9b34bf98d486448a75e8e4b552625373d9986454a03b0a4107f122121b80b30ba558

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
99KB

MD5
e2212121877fe8a8ff4ccd39bb446077

SHA1
a5c4b3a7e82ba815b48c710f1d623f4e74185536

SHA256
d2537309faf6b439c579f3e1a88862473ab35d661e28016afa2033e37bf3a14b

SHA512
0f062da83f27f6be2047c7f82af0bde913f8dd60fe18a483e0be35dfb98aea98000e9b4dbf21c6b44fbb189884c9c01b42f3cd4f7bf824d3ae43a0625ff98d68

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
99KB

MD5
77049302350d25993f1bf483c3e97197

SHA1
87f296813d8fa53b0f0d3cf7ccaee0eab89615a6

SHA256
c4395e4f031e09260dccfe7c9c4fd3619fcce6ffe6d880d1ef5e5ab643d51a8a

SHA512
57b20025d0103f2dab0ddb51884ff2905dcdf5fbf81151444133969b18cb5b8210efe96492514fd9a7ae5408f7f729dedb72c5459468be44d6bd58582cdf82d2

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
99KB

MD5
e5c65a0c3364974488d577636f366173

SHA1
42eb0797ad86910369ea3f5736edfca5e567a9bf

SHA256
ba6dca67ba6337a56a4bc1fc6eb3db8195b45af3cac7fcdfeeacc93367d06f69

SHA512
406b71cd7b7ad397493cf185bad205234178ee2c87ce4f18dbbca34bdcaac998424d1340b907e637cbfec83209f1a9d841e95731d95cd4f2f5b1c6e0576934d1

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
99KB

MD5
4120fde74c2a101ecfb50f2690bda91f

SHA1
845eb02b8b25357c9fd63906248b399954a364cd

SHA256
137a9fd7ade61d0f159d8aaef1b09d7f94629be3b4213b95153ac28bb5e4ffcc

SHA512
95a08324f2c8048519cb39919a546b8a573f87cb1e55512447c9d57d3201507fb26deeddce8228e194192a15aae3d15c32918266fe01fa917067f610adf3de4c

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
99KB

MD5
eedec8eb0d93b24117f2ef9e278a0449

SHA1
a3288c770bdd250316092deebab5250e176a3a0b

SHA256
278e21572a745adf34d2071fd3d907616e25dd9072bb963e503f117dd2c61fd0

SHA512
4068a3c7082aa7ba8db770297aedc05b5078da84e112b12ee71edd325937bc6b0872e15ba23020b8b52c111978442ca081f3206e0d98a844323314136d564ef6

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
99KB

MD5
0088756d5bcb9bd679d1185d3ddfc694

SHA1
6656806030ef1f907ea29399860c8fd6e777e248

SHA256
dc70e070c6500f42c7fcdcf0e975abb5fd95aaad0c39fb6ba0ae68ff9fcae109

SHA512
2f9690d1708a9d49930d7358234de5a2a6a3f0f17dbb2fcce9dc8d8e3f5dcdb845896e4e687d74e9fec1a531380f6dc39b1a01cec372bf3140753e24751e07ba

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
99KB

MD5
f729f90c243806e1c49c7ae614fc7e1a

SHA1
62b73c010257af16d634a5bff54d866d36f8d154

SHA256
1bdb1e5d053609c44c1e0e9dadae4ec06dc0027396c2dc19dc117bca3ff19f2f

SHA512
44a9a12384a869d94cc2b0dedfc4659b454750b16ab89333e2f92376f54a464fdafc001b009ff6504344d9608f4163174e3272e33baf0f3b840418b925c1c00d

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
99KB

MD5
f7d3db3c9ddf5f011ca6745ee83b1918

SHA1
b6ffe20f2ee5a081818fcf90d68e4bfe314f657a

SHA256
3bbd6d913f73e18276717d04b72eadcedb8957bf7f4c7e113b96b5cbf5372882

SHA512
6749afde0437b82a98e3720ef05f32c208d2cd6e650ec24b238b2f68614e4b6b6830fcc729ac940b1220ea6abbbad499d22312a40eb5aa22c5d53a30fe48300a

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
99KB

MD5
90f383abfd62c7b4d53be4739c59874e

SHA1
c63b1bcc420e408444b72705554ee6311bd9a2db

SHA256
495fff3659e32d19e308372a92c6ad87e30316236dc05122cf1d4b1521fc4e9f

SHA512
e21853239c4fe257cc8043232e8fdd5aee1fdb0eee3c896daa787f1cc8c18c4c4e9edf7b353af7d4ce03dec18330eeef728f35193b5a187deaf9dca882520b5e

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
99KB

MD5
920200f57b0e6774093c76dc2fda9c20

SHA1
9a881e8ae6a0ae78fd4d0bdc08cb21bbdb9a6654

SHA256
805d6bf8843d2f6519a722f8f54cb59794c4a3c84fadcf867bada656541515db

SHA512
28349c359327d97ed7ff3321f488ca6552fb74a0682790f03367e98a5c6be574e4df0cffcd9f8eae33b7b0f8551198be322b11f17d93f776f3d5f6b3b7fc7fa2

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
99KB

MD5
fa184be0b90d82b7ed6f8ebcae886bb9

SHA1
3e8b75cf6c69fa90eb14f762a39a041f86405d8a

SHA256
99176a04abb0117d792c7d116ab7466d6cb78ef2fa3854e0c5d20032d6891d14

SHA512
17170380639d1a8890eb9f26bc9e7577e6ec9b96d3b17fde5e447c63e222f8e9a3128ab1f5f5b1341693d50cb98f7f2c0de624850c3baa2c137b24624405deb3

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
99KB

MD5
387a5c3c8b4f9e58347cc595f2e7ac3f

SHA1
9119ad9033ad067e68584d13ef722b59fe3ed771

SHA256
ff4d2db1b8dbb7fa8b12c6140897a77d56b7da95645f2a81b64efcf243bd9827

SHA512
ec9146050dbfb117bbbb7459ec1e6c2b0eb02b43812371a55581ac5350acf7e82e454efd627abc9a512f88ee37212289f2a7385ca24d3e0c0109eff28b816ec2

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
99KB

MD5
6cf9360ee972ef44a444428c42072d3f

SHA1
dbb50f7858f470a82939c47fa7dda8ec49de638a

SHA256
b56e93969104833312894e85bdfec3e64d2f4355be45f51061f89cceaa6d076f

SHA512
d9b11e6c92698842a58033c296601679449fb3325b18866b7b9625cc19df90fd9167eb4287e853d5e47349fc65f806f92db68a2af3cef0b4922dbe7d796ee44c

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
99KB

MD5
4b7b7b4211e370254cbc399c4b32a9ec

SHA1
9ac955b8b0781892f43740374d5bc68151d82d40

SHA256
1835f949ed7a3ed284b1b916a697ac8d63bb1dc64945dc0673066350f458535d

SHA512
34f03744c81517af93d6793917d3de5db63ad6de50b08e22f02555c73ca416c22badea86b2fec2c26f5ca88cf7dd5f2c2acfa8dd418ab8949f4dcc4608f1a8e8

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
99KB

MD5
39a7d47f5aa8c501a4891398b59a38a6

SHA1
e0168d0fa0957db932463d9062f8359c97310cc6

SHA256
a0afcc080a4c3708a7c3d8b633acb7118436db5f3c49bead4999568b038c8985

SHA512
f8a8641923207ed2d671f314092ba426c383aa35e5b74ec0cd435dda37dc4ec2060ad265684517b46981a786e004fa5a9e9e1dab50b2eb93cfef2c2a74c5ca70

Download Submit
memory/372-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/372-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/404-246-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/404-157-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/428-51-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1384-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1384-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1564-180-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1564-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1640-296-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1640-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1708-228-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1708-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1820-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1840-193-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1840-108-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1872-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1872-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1884-156-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1884-76-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1936-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1936-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2032-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2032-99-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2036-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2036-149-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-115-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2308-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2308-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2472-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2472-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2820-295-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3044-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3044-107-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3380-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3380-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3388-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3388-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3524-52-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3548-203-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3548-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3648-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3648-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3728-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3740-211-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3740-294-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3788-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3788-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3836-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3836-301-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3892-132-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3892-219-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4420-264-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4420-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4500-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4500-194-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4704-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4704-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4828-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4828-166-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4840-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4840-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5008-60-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads