c7c61bc0b1f18aa5333f7f512d63a6f9de08f3ad9bdee907183c4dca99fe7b5d

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe
Size

704KB
MD5

1981a2a9e0c867a962ebae60c780bd30
SHA1

daee0463817cc42c13938234f2d07fc335dc4acb
SHA256

c7c61bc0b1f18aa5333f7f512d63a6f9de08f3ad9bdee907183c4dca99fe7b5d
SHA512

242ecb82b01c97eaa0fff11c7a9f65bf688aa3aa2d0287ae6bed59cc0e779d79a8613c88e3cffc9b3fc940c730431a524e11f199f232f62a6108ae068b8cdf7d
SSDEEP

12288:vyUVrQg5W/+zrWAI5KFum/+zrWAIAqWim/+zrWAI5KFHTP7rXFr/+zrWAI5KW:vVrQg5Wm0BmmvFimm0MTP7hm0b

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe

Executes dropped EXE 18 IoCs

pid	Process
4612	Kbdmpqcb.exe
3728	Kmjqmi32.exe
4420	Kphmie32.exe
536	Kpmfddnf.exe
3156	Lalcng32.exe
4584	Liggbi32.exe
3540	Lkgdml32.exe
4076	Lgneampk.exe
2412	Lcdegnep.exe
696	Laefdf32.exe
4064	Mpkbebbf.exe
4900	Mjeddggd.exe
1276	Mncmjfmk.exe
2392	Mpdelajl.exe
4820	Ndbnboqb.exe
5068	Nddkgonp.exe
3340	Ndghmo32.exe
4352	Nkcmohbg.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjeddggd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4832	4352	WerFault.exe	98

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4612	5072	1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe	81
PID 5072 wrote to memory of 4612	5072	1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe	81
PID 5072 wrote to memory of 4612	5072	1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe	81
PID 4612 wrote to memory of 3728	4612	Kbdmpqcb.exe	82
PID 4612 wrote to memory of 3728	4612	Kbdmpqcb.exe	82
PID 4612 wrote to memory of 3728	4612	Kbdmpqcb.exe	82
PID 3728 wrote to memory of 4420	3728	Kmjqmi32.exe	83
PID 3728 wrote to memory of 4420	3728	Kmjqmi32.exe	83
PID 3728 wrote to memory of 4420	3728	Kmjqmi32.exe	83
PID 4420 wrote to memory of 536	4420	Kphmie32.exe	84
PID 4420 wrote to memory of 536	4420	Kphmie32.exe	84
PID 4420 wrote to memory of 536	4420	Kphmie32.exe	84
PID 536 wrote to memory of 3156	536	Kpmfddnf.exe	85
PID 536 wrote to memory of 3156	536	Kpmfddnf.exe	85
PID 536 wrote to memory of 3156	536	Kpmfddnf.exe	85
PID 3156 wrote to memory of 4584	3156	Lalcng32.exe	86
PID 3156 wrote to memory of 4584	3156	Lalcng32.exe	86
PID 3156 wrote to memory of 4584	3156	Lalcng32.exe	86
PID 4584 wrote to memory of 3540	4584	Liggbi32.exe	87
PID 4584 wrote to memory of 3540	4584	Liggbi32.exe	87
PID 4584 wrote to memory of 3540	4584	Liggbi32.exe	87
PID 3540 wrote to memory of 4076	3540	Lkgdml32.exe	88
PID 3540 wrote to memory of 4076	3540	Lkgdml32.exe	88
PID 3540 wrote to memory of 4076	3540	Lkgdml32.exe	88
PID 4076 wrote to memory of 2412	4076	Lgneampk.exe	89
PID 4076 wrote to memory of 2412	4076	Lgneampk.exe	89
PID 4076 wrote to memory of 2412	4076	Lgneampk.exe	89
PID 2412 wrote to memory of 696	2412	Lcdegnep.exe	90
PID 2412 wrote to memory of 696	2412	Lcdegnep.exe	90
PID 2412 wrote to memory of 696	2412	Lcdegnep.exe	90
PID 696 wrote to memory of 4064	696	Laefdf32.exe	91
PID 696 wrote to memory of 4064	696	Laefdf32.exe	91
PID 696 wrote to memory of 4064	696	Laefdf32.exe	91
PID 4064 wrote to memory of 4900	4064	Mpkbebbf.exe	92
PID 4064 wrote to memory of 4900	4064	Mpkbebbf.exe	92
PID 4064 wrote to memory of 4900	4064	Mpkbebbf.exe	92
PID 4900 wrote to memory of 1276	4900	Mjeddggd.exe	93
PID 4900 wrote to memory of 1276	4900	Mjeddggd.exe	93
PID 4900 wrote to memory of 1276	4900	Mjeddggd.exe	93
PID 1276 wrote to memory of 2392	1276	Mncmjfmk.exe	94
PID 1276 wrote to memory of 2392	1276	Mncmjfmk.exe	94
PID 1276 wrote to memory of 2392	1276	Mncmjfmk.exe	94
PID 2392 wrote to memory of 4820	2392	Mpdelajl.exe	95
PID 2392 wrote to memory of 4820	2392	Mpdelajl.exe	95
PID 2392 wrote to memory of 4820	2392	Mpdelajl.exe	95
PID 4820 wrote to memory of 5068	4820	Ndbnboqb.exe	96
PID 4820 wrote to memory of 5068	4820	Ndbnboqb.exe	96
PID 4820 wrote to memory of 5068	4820	Ndbnboqb.exe	96
PID 5068 wrote to memory of 3340	5068	Nddkgonp.exe	97
PID 5068 wrote to memory of 3340	5068	Nddkgonp.exe	97
PID 5068 wrote to memory of 3340	5068	Nddkgonp.exe	97
PID 3340 wrote to memory of 4352	3340	Ndghmo32.exe	98
PID 3340 wrote to memory of 4352	3340	Ndghmo32.exe	98
PID 3340 wrote to memory of 4352	3340	Ndghmo32.exe	98

C:\Users\Admin\AppData\Local\Temp\1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1981a2a9e0c867a962ebae60c780bd30_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\SysWOW64\Kbdmpqcb.exe
  C:\Windows\system32\Kbdmpqcb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\SysWOW64\Kmjqmi32.exe
    C:\Windows\system32\Kmjqmi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\SysWOW64\Kphmie32.exe
      C:\Windows\system32\Kphmie32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
      - C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        19⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 432
        20⤵
        Program crash
        
        PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4352 -ip 4352
1⤵
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Efhikhod.dll

Filesize
7KB

MD5
3a83e94c6f6f2c48827ca8af44954337

SHA1
b5f85f4404fcdfc9bf9d7ce940546a322dbd39f3

SHA256
7390e4311395a079604c7f0f91f2690daf780d37e1252832c97d324b30539d1d

SHA512
36de744e512e8beb6b398edc9f2871059de9cdc431c30bd440605d60cc7b2b3ee42dcb9881661daec5d39821e9a2648a648d1531eaaae43910c3f622ea612e5f

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
704KB

MD5
ac0b148b1d4769a5e8324ee321e887e2

SHA1
26f343755e1ae9994ae901e30415f129a48423fc

SHA256
c21dad85cb225751d2295ac980708d650a11ac56cb02b9181ddaae5736064879

SHA512
8d6afde25df48704c8be5e2cef5ab3bdf67328560d4bf58c3cdefd7eff674b0180c8a0a19a80b60c27e4ece1b74add3cc4550b7aa8fb06c84fa3ecaa13171949

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
704KB

MD5
1d51c9e9eb95987d217ab5d3e9dd4014

SHA1
7bd2dcc0f771c4e1be5bf2c19cfcc3c09d7ec950

SHA256
42a9019f7617e0ca52049094131a791caaf8d6f12c81a998948a2907cd5474bd

SHA512
2c6bad264ed8b5b96748c99167d9b80e835d0c5da6a82a97af3642f19e12848a685a119ef8d0ed045ef5bff65c6c5d915f2379f661ce000805244a40f77140f0

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
704KB

MD5
3e65e756a57f1d96d80ccda1c6ecccf5

SHA1
876629d225000b173ab53301cdaf495d65f9a5a4

SHA256
8a262d038b3ccc6c5785bb7a9ebcb024b9a003f3c9db664d3cbc609816634c68

SHA512
aef85af305640143369d6abdbd36e1c0fd4e2569390c2ce512c938fdeb86c0c74c35db7b91e3ec7b1b0b11311c84f7387e73c11be70b6f9c3c361943f7e14846

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
704KB

MD5
cbe3fc0a83e50b08c7207dd21721371e

SHA1
33822a0c49e1dda44e3ea24e8fdac61a452c2ffd

SHA256
1704ddeb0868fb52f948a07de1b92732f07885df0e6a7824684d6c19bdab3b39

SHA512
2dd5259bd11d37dfbab40dd5487af35532667a9d04d6b44495e6f3f8e86007b91b7b1c5aac0c45e88369c2cc2cb392f714034030f32c9974bde45f54741212c2

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
704KB

MD5
fe12b7a82bae926bff6f30cfaef41147

SHA1
4ac8cc5c8bbe30582a7d0553c044fc1e2eb7c54a

SHA256
5b1e8ef8599ae8a57c7fd07fdc7e17860f2363c5862adc73c1506fafbce23056

SHA512
0f026ef59c421cdac305a8e8db4fcfea32d775467bcd4ba092eb2813fd1557f1fd99e8deebe6725132312c4adee4dea103939578856159f262ab489e706efc88

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
704KB

MD5
ebdd8876e9232a3e211bebdb833f740d

SHA1
09fba4f31628653730093878635838d2b9e46913

SHA256
48b5f4ceffa13ae1c3d6508f19ca504e368c74ab92ba0f93831a1e9032f0908d

SHA512
c01326b815cba82aa9f4a12c036b32fadfe85555621adadb2495c385d9317074a5c876b593a6bc8794744c01e091262bcd5f38635ae2a359ef711d9368d6497a

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
704KB

MD5
18fa1baf5543bf73d90fbae7d3f78e67

SHA1
e05c468dd9496810833658f6ac47220a96aadf8c

SHA256
ec7cab6d08b99002918f327dcc58b790dbd9e90e44e414a3737902bc0cd68dad

SHA512
75cd3aa2b08c1f65c81801ca4c74fff24bd6fa096d80266cc1373098e39f0fe9deb8fb85995c6cc65b416b55b30702780e6e1ff32b5d863f36fba087633fd1dc

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
704KB

MD5
629a2aa536a14f6a564747ad163aa182

SHA1
30cee223fec25de5ae6c84b802da4eeb9f06fa16

SHA256
eb0e30bbc78b7c3961ea97614d87f339d604205ec94d384f8d61cea4f0ceeb34

SHA512
1bbf53cafa00292d1295acf4bb5a7f3e339216551628b095340f886c5a27e2217a60586189d3ac2625a476e92e755006838f9e84832f868ed111d41e88dae76a

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
704KB

MD5
3108f776f3fa1f139ae55ad5745fafe2

SHA1
4a6dc16e1702cebc0e757f88b59c96d10d816e14

SHA256
0caee1381fcfe80bf25a4fed2bec3f305fc7b6a9530740677e2c688a2e6fc58f

SHA512
f9e78aefc9bbbbbe224d6895d1974377ccf365ea0ed4228c0ec4c18160eddab46af2db1ca592edc81addfd0d7ea2777dd592c325ee5e8e2b850ea3a4f822877a

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
704KB

MD5
cac635598076c2e5a321e403d822d74e

SHA1
755c04bfb16abd55253b45d7dba5f92662910130

SHA256
709dea8da0b53c47944d5547b4a96911c30314c1e578b6ca3ff49914a8ced777

SHA512
6b83f5ed936bb08f01117ff24877d31bd1788d81047c70eb550fa99be4113033c81ade7a6f3273b6a1a726b38ac682806caf683fe9efac221e0c266334444758

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
704KB

MD5
88ff575480947959547fad034782ccee

SHA1
8df67f16c69120b2aedcdd181da6a8467be5f412

SHA256
1f66c89d61557d70327c6a7277b1a52a293fba23c943c197807b021ed448274f

SHA512
2cf3b81428c71bec02c0ecd7eb122e98b68b7585cbaae706bcc49b77035b35c009b06c7af9d5c4e984c70e75dd3283fdefdece5458ffa8a0c052fe9ba466093e

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
704KB

MD5
e7db24f89f1dc710e94834a67a1f76c6

SHA1
0816693f29f8e4da49d4cfa6327cb5d82e83caca

SHA256
8a656d9892ab55c5ab09bd6092efb561f0e9c98af7e0dbc72a427c7835d6ba03

SHA512
2d95c5622dd7149726ff66f71cbb89af12689fd899678f267dae55d496b8911e355e9300e90a2a387a4579445a63122920c449052a461628f8c9f789f0c00e78

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
704KB

MD5
f632a6cc4ccc949c022709a769a8af90

SHA1
655397b9589298b2702a739937e7d3164868156c

SHA256
65865dabb0a8463be3550f88484a623a9f6df7d17de1b78bf3a553798cb50b4c

SHA512
6a71a596d10cc0173351f44c430288f083b50e7bfbb2f9a98b261cc53f2cea69208be31a0755054b1f7e823f5b94008bd8d12ba66437a434e7328c06edf6566a

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
704KB

MD5
1c0a329600f1dacbfc8cda06ac99cbb5

SHA1
eb32704e3d56fad9756c17b456727a0d690bccae

SHA256
a251245885335918e3cf9829b3e3e5a6a200a8b7f3182d833023a6c83885f052

SHA512
b5626b94b627cf3cf90fc5893299b35a6a121f5e06aad681ef71370cbebbc3327a5f91502f307123b9c6056f048f99638dad4b77d048ee22139442c84ac4c3eb

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
704KB

MD5
dabd893eeaf9289119ac35bd0dca7bec

SHA1
bafaf9cb5db88e8caba663eebdb61daed69ab4e9

SHA256
77f263de818c45ab5c70808e64d429702be1d793b6666b7018ee6cfc72ce8390

SHA512
4c0bc923a55d9dc582b39b7c05d82d9496a13382d720a55948fd3b1030c76ca9ebaec40ba8bd4a3b26cc489741e62cf1dbab225790910c74b8375fbb1a51a947

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
704KB

MD5
439992dbf118f1e80231d6bc1eb10677

SHA1
03eb587eb98d08766632204b90739d523c8b08da

SHA256
57235f909273e973ccc96f990c9b61227c7046c2abe46944cadcad5e6275c2ea

SHA512
3db2ae1befe7e26f01811ae832949ac1db8c0ba12ec9eef68e8df6d6610a97e8db87bcf64547d38d0bd14bf45a8647e540200f326c51552aee47b7eb6cf775e2

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
704KB

MD5
a72e8148bb6c4861b6fd113579735752

SHA1
33b82175eea3fdc721af3d948b5929515e8cd344

SHA256
1978db02db2cd31f1ba7ce18609c9eeca98185f45cc811593c329637f098f811

SHA512
68c7fc05fe04e64a10861725320af202329d2c3d493882ab5627d9057540546d5fbfd91fae0959140757c1b0ade0b34aad476eb3e70eeb5f1d8f94be436a3c52

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
704KB

MD5
642b3c55c72b3534e64cfd3461352a65

SHA1
b28f8489c14801608fdb45d1a16611adc6bc5264

SHA256
6df87f0d81f7b20dab119b5db6dd32c5675c39eefbc4feac508b959d28cd1854

SHA512
83ae33cb7b85bbb65d609a436e9a21b788a648a2861aa4042bf92206ba9d0c08e036ffc1ddb7ba6bebd8255ad71ad118fe3853c3b7a9e864d5254c7ac9274fde

Download Submit
memory/536-31-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/536-114-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/696-81-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/696-160-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1276-158-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1276-106-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2392-115-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2392-157-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2412-72-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2412-161-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3156-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3156-123-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3340-143-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3340-154-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3540-55-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3540-142-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3728-20-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4064-159-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4064-89-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4076-150-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4076-63-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4352-153-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4352-151-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4420-23-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4420-105-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4584-48-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4584-132-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4612-8-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4612-88-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4820-125-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4820-156-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4900-97-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4900-162-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5068-155-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5068-133-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5072-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5072-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads